diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index 340a768d75..f897a39dbc 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json @@ -398,8 +398,7 @@ "branches_to_filter": [ "" ], - "git_repository_url_open_to_public_contributors": "https://github.com/Microsoft/windows-itpro-docs", - "git_repository_branch_open_to_public_contributors": "master", + "git_repository_url_open_to_public_contributors": "https://github.com/Microsoft/win-cpub-itpro-docs", "skip_source_output_uploading": false, "need_preview_pull_request": true, "dependent_repositories": [ @@ -424,7 +423,12 @@ "master": [ "Publish", "Pdf" + ], + "msesdemo": [ + "Publish", + "Pdf" ] + }, "need_generate_pdf_url_template": true, "Targets": { diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 024db75e72..d8e96bc586 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1,6 +1,11 @@ { "redirections": [ { +"source_path": "education/windows/windows-10-pro-to-pro-edu-upgrade.md", +"redirect_url": "/education/windows/switch-to-pro-education", +"redirect_document_id": true +}, +{ "source_path": "windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md", "redirect_url": "/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune", "redirect_document_id": false @@ -62,27 +67,27 @@ }, { "source_path": "devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md", -"redirect_url": "/itpro/surface-hub/finishing-your-surface-hub-meeting", +"redirect_url": "/surface-hub/finishing-your-surface-hub-meeting", "redirect_document_id": true }, { "source_path": "devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md", -"redirect_url": "/itpro/surface-hub/provisioning-packages-for-surface-hub", +"redirect_url": "/surface-hub/provisioning-packages-for-surface-hub", "redirect_document_id": true }, { "source_path": "devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md", -"redirect_url": "/itpro/surface-hub/admin-group-management-for-surface-hub", +"redirect_url": "/surface-hub/admin-group-management-for-surface-hub", "redirect_document_id": true }, { "source_path": "devices/surface-hub/surface-hub-administrators-guide.md", -"redirect_url": "/itpro/surface-hub/index", +"redirect_url": "/surface-hub/index", "redirect_document_id": true }, { "source_path": "devices/surface-hub/intro-to-surface-hub.md", -"redirect_url": "/itpro/surface-hub/index", +"redirect_url": "/surface-hub/index", "redirect_document_id": false }, { diff --git a/browsers/internet-explorer/TOC.md b/browsers/internet-explorer/TOC.md index f55624a429..5991583d77 100644 --- a/browsers/internet-explorer/TOC.md +++ b/browsers/internet-explorer/TOC.md @@ -20,7 +20,7 @@ ###[Virtualization and compatibility with Internet Explorer 11](ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md) ##[Collect data using Enterprise Site Discovery](ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md) ##[Enterprise Mode for Internet Explorer 11 (IE11)](ie11-deploy-guide/enterprise-mode-overview-for-ie11.md) -###[What is Enterprise Mode?](ie11-deploy-guide/what-is-enterprise-mode.md) +###[Enterprise Mode and the Enterprise Mode Site List](ie11-deploy-guide/what-is-enterprise-mode.md) ###[Set up Enterprise Mode logging and data collection](ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md) ###[Turn on Enterprise Mode and use a site list](ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md) ###[Enterprise Mode schema v.2 guidance](ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md) @@ -40,6 +40,18 @@ ####[Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md) ####[Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) ####[Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) +###[Use the Enterprise Mode Site List Portal](ie11-deploy-guide/use-the-enterprise-mode-portal.md) +####[Set up the Enterprise Mode Site List Portal](ie11-deploy-guide/set-up-enterprise-mode-portal.md) +#####[Use the Settings page to finish setting up the Enterprise Mode Site List Portal](ie11-deploy-guide/configure-settings-enterprise-mode-portal.md) +#####[Add employees to the Enterprise Mode Site List Portal](ie11-deploy-guide/add-employees-enterprise-mode-portal.md) +####[Workflow-based processes for employees using the Enterprise Mode Site List Portal](ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md) +#####[Create a change request using the Enterprise Mode Site List Portal](ie11-deploy-guide/create-change-request-enterprise-mode-portal.md) +#####[Verify your changes using the Enterprise Mode Site List Portal](ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md) +#####[Approve a change request using the Enterprise Mode Site List Portal](ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md) +#####[Schedule approved change requests for production using the Enterprise Mode Site List Portal](ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md) +#####[Verify the change request update in the production environment using the Enterprise Mode Site List Portal](ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md) +#####[View the apps currently on the Enterprise Mode Site List](ie11-deploy-guide/view-apps-enterprise-mode-site-list.md) +#####[View the available Enterprise Mode reports from the Enterprise Mode Site List Portal](ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md) ###[Using IE7 Enterprise Mode or IE8 Enterprise Mode](ie11-deploy-guide/using-enterprise-mode.md) ###[Fix web compatibility issues using document modes and the Enterprise Mode site list](ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md) ###[Remove sites from a local Enterprise Mode site list](ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md) diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md new file mode 100644 index 0000000000..0f99fc6a7b --- /dev/null +++ b/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md @@ -0,0 +1,64 @@ +--- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how to add employees to the Enterprise Mode Site List Portal. +author: eross-msft +ms.prod: ie11 +title: Add employees to the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +--- + +# Add employees to the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +After you get the Enterprise Mode Site List Portal up and running, you must add your employees. During this process, you'll also assign roles and groups. + +The available roles are: + +- **Requester.** The primary role to assign to employees that need to access the Enterprise Mode Site List Portal. The Requester can create change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal change requests, and sign off and close personal change requests. + +- **App Manager.** This role is considered part of the Approvers group. The App Manager can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests. + +- **Group Head.** This role is considered part of the Approvers group. The Group Head can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests. + +- **Administrator.** The role with the highest-level rights; we recommend limiting the number of employees you grant this role. The Administrator can perform any task that can be performed by the other roles, in addition to adding employees to the portal, assigning employee roles, approving registrations to the portal, configuring portal settings (for example, determining the freeze schedule, determining the pre-production and production XML paths, and determining the attachment upload location), and using the standalone Enterprise Mode Site List Manager page. + +**To add an employee to the Enterprise Mode Site List Portal** +1. Open the Enterprise Mode Site List Portal and click the **Employee Management** icon in the upper-right area of the page. + + The **Employee management** page appears. + +2. Click **Add a new employee**. + + The **Add a new employee** page appears. + +3. Fill out the fields for each employee, including: + + - **Email.** Add the employee's email address. + + - **Name.** This box autofills based on the email address. + + - **Role.** Pick a single role for the employee, based on the list above. + + - **Group name.** Pick the name of the employee's group. The group association also assigns a group of Approvers. + + - **Comments.** Add optional comments about the employee. + + - **Active.** Click the check box to make the employee active in the system. If you want to keep the employee in the system, but you want to prevent access, clear this check box. + +4. Click **Save**. + +**To export all employees to an Excel spreadsheet** +1. On the **Employee management** page, click **Export to Excel**. + +2. Save the EnterpriseModeUsersList.xlsx file. + + The Excel file includes all employees with access to the Enterprise Mode Site List Portal, including user name, email address, role, and group name. \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md new file mode 100644 index 0000000000..0b6cee7d40 --- /dev/null +++ b/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md @@ -0,0 +1,58 @@ +--- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how Approvers can approve open change requests in the Enterprise Mode Site List Portal. +author: eross-msft +ms.prod: ie11 +title: Approve a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +--- + +# Approve a change request using the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +After a change request is successfully submitted to the pre-defined Approver(s), employees granted the role of **App Manager**, **Group Head**, or **Administrator**, they must approve the changes. + +## Approve or reject a change request +The Approvers get an email stating that a Requester successfully opened, tested, and submitted the change request to the Approvers group. The Approvers can accept or reject a change request. + +**To approve or reject a change request** +1. The Approver logs onto the Enterprise Mode Site List Portal, **All Approvals** page. + + The Approver can also get to the **All Approvals** page by clicking **Approvals Pending** from the left pane. + +2. The Approver clicks the expander arrow (**\/**) to the right side of the change request, showing the list of Approvers and the **Approve** and **Reject** buttons. + +3. The Approver reviews the change request, making sure it's correct. If the info is correct, the Approver clicks **Approve** to approve the change request. If the info seems incorrect, or if the app shouldn't be added to the site list, the Approver clicks **Reject**. + + An email is sent to the Requester, the Approver(s) group, and the Administrator(s) group, with the updated status of the request. + + +## Send a reminder to the Approver(s) group +If the change request is sitting in the approval queue for too long, the Requester can send a reminder to the group. + +- From the **My Approvals** page, click the checkbox next to the name of each Approver to be reminded, and then click **Send reminder**. + + An email is sent to the selected Approver(s). + + +## View rejected change requests +The original Requester, the Approver(s) group, and the Administrator(s) group can all view the rejected change request. + +**To view the rejected change request** + +- In the Enterprise Mode Site List Portal, click **Rejected** from the left pane. + + All rejected change requests appear, with role assignment determining which ones are visible. + + +## Next steps +After an Approver approves the change request, it must be scheduled for inclusion in the production Enterprise Mode Site List. For the scheduling steps, see the [Schedule approved change requests for production using the Enterprise Mode Site List Portal](schedule-production-change-enterprise-mode-portal.md) topic. \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md index 4ec6a7cc70..aab097bf2f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md @@ -12,6 +12,11 @@ author: eross-msft # Change history for Internet Explorer 11 This topic lists new and updated topics in the Internet Explorer 11 documentation for both Windows 10 and Windows 10 Mobile. +## April 2017 +|New or changed topic | Description | +|----------------------|-------------| +|[Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md)|Updates to the Enterprise Mode section to include info about the Enterprise Mode Site List Portal. | + ## March 2017 |New or changed topic | Description | |----------------------|-------------| diff --git a/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md new file mode 100644 index 0000000000..0c2fcabf27 --- /dev/null +++ b/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md @@ -0,0 +1,93 @@ +--- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how the Administrator can use the Settings page to set up Groups and roles, the Enterprise Mode Site List Portal environment, and the freeze dates for production changes. +author: eross-msft +ms.prod: ie11 +title: Use the Settings page to finish setting up the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +--- + +# Use the Settings page to finish setting up the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +The **Settings** page lets anyone with Administrator rights set up groups and roles, set up the Enterprise Mode Site List Portal environment, and choose the freeze dates for production changes. + +## Use the Environment settings area +This area lets you specify the location of your production and pre-production environments, where to store your attachments, your settings location, and the website domain for email notifications. + +**To add location info** +1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page. + + The **Settings** page appears. + +2. In the **Environment settings** area of the page, provide the info for your **Pre-production environment**, your **Production environment**, your **Attachments location**, your **Settings location**, and your **Website domain for email notifications**. + +3. Click **Credentials** to add the appropriate domain, user name, and password for each location, and then click **OK**. + +## Use the Group and role settings area +After you set up your email credentials, you'll be able to add or edit your Group info, along with picking which roles must be Approvers for the group. + +**To add a new group and determine the required change request Approvers** +1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page. + + The **Settings** page appears. + +2. In the **Group and role settings** area of the page, click **Group details**. + + The **Add or edit group names** box appears. + +3. Click the **Add group** tab, and then add the following info: + + - **New group name.** Type name of your new group. + + - **Group head email.** Type the email address for the primary contact for the group. + + - **Group head name.** This box automatically fills, based on the email address. + + - **Active.** Click the check box to make the group active in the system. If you want to keep the group in the system, but you want to prevent access, clear this check box. + +4. Click **Save**. + + +**To set a group's required Approvers** +1. In the **Group and role settings** area of the page, choose the group name you want to update with Approvers from the **Group name** box. + +2. In the **Required approvers** area, choose which roles are required to approve a change request for the group. You can choose one or many roles. + + - **App Manager.** All employees in the selected group must get change request approval by someone assigned this role. + + You can change the name of this role by clicking the pencil icon and providing a new name in the **Edit role name** box. + + - **Group Head.** All employees in the selected group must get change request approval by someone assigned this role. + + You can change the name of this role by clicking the pencil icon and providing a new name in the **Edit role name** box. + + - **Administrator.** All employees in the selected group must get change request approval by someone assigned this role. + +## Use the Freeze production changes area +This optional area lets you specify a period when your employees must stop adding changes to the current Enterprise Mode Site List. This must include both a start and an end date. + +**To add the start and end dates** +1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page. + + The **Settings** page appears. + +2. In the **Freeze production changes** area of the page, use the calendars to provide the **Freeze start date** and the **Freeze end date**. Your employees can't add apps to the production Enterprise Mode Site List during this span of time. + +3. Click **Save**. + +## Related topics +- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) + +- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md) + +- [Use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md) \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md new file mode 100644 index 0000000000..dee66ac9d8 --- /dev/null +++ b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md @@ -0,0 +1,69 @@ +--- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how to create a change request within the Enterprise Mode Site List Portal. +author: eross-msft +ms.prod: ie11 +title: Create a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +--- + +# Create a change request using the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Employees assigned to the Requester role can create a change request. A change request is used to tell the Approvers and the Administrator that a website needs to be added or removed from the Enterprise Mode Site List. The employee can navigate to each stage of the process by using the workflow links provided at the top of each page of the portal. + +>[!Important] +>Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct. + +**To create a new change request** +1. The Requester (an employee that has been assigned the Requester role) signs into the Enterprise Mode Site List Portal, and clicks **Create new request**. + + The **Create new request** page appears. + +2. Fill out the required fields, based on the group and the app, including: + + - **Group name.** Select the name of your group from the dropdown box. + + - **App name.** Type the name of the app you want to add, delete, or update in the Enterprise Mode Site List. + + - **Search all apps.** If you can't remember the name of your app, you can click **Search all apps** and search the list. + + - **Add new app.** If your app isn't listed, you can click **Add new app** to add it to the list. + + - **Requested by.** Automatically filled in with your name. + + - **Description.** Add descriptive info about the app. + + - **Requested change.** Select whether you want to **Add to EMIE**, **Delete from EMIE**, or **Update to EMIE**. + + - **Reason for request.** Select the best reason for why you want to update, delete, or add the app. + + - **Business impact (optional).** An optional area where you can provide info about the business impact of this app and the change. + + - **App location (URL).** The full URL location to the app, starting with http:// or https://. + + - **App best viewed in.** Select the best browser experience for the app. This can be Internet Explorer 5 through Internet Explorer 11 or one of the IE7Enterprise or IE8Enterprise modes. + + - **Is an x-ua tag used?** Select **Yes** or **No** whether an x-ua-compatible tag is used by the app. For more info about x-ua-compatible tags, see the topics in [Defining document compatibility](https://msdn.microsoft.com/en-us/library/cc288325(v=vs.85).aspx). + +4. Click **Save and continue** to save the request and get the app info sent to the pre-production environment site list for testing. + + A message appears that the request was successful, including a **Request ID** number, saying that the change is being made to the pre-production environment site list. + +5. The Requester gets an email with a batch script, that when run, configures their test machine for the pre-production environment, along with the necessary steps to make sure the changed info is correct. + + - **If the change is correct.** The Requester asks the approvers to approve the change request by selecting **Successful** and clicking **Send for approval**. + + - **If the change is incorrect.** The Requester can rollback the change in pre-production or ask for help from the Administrator. + +## Next steps +After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see the [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md) topic. \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md index 1624192493..1d96ecb7cf 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md @@ -2,7 +2,7 @@ localizationpriority: low ms.mktglfcycl: deploy ms.pagetype: appcompat -description: Use the topics in this section to learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company. +description: Use the topics in this section to learn how to set up and use Enterprise Mode, Enterprise Mode Site List Manager, and the Enterprise Mode Site List Portal for your company. author: eross-msft ms.prod: ie11 ms.assetid: d52ba8ba-b3c7-4314-ba14-0610e1d8456e @@ -26,7 +26,7 @@ Use the topics in this section to learn how to set up and use Enterprise Mode an ## In this section |Topic |Description | |---------------------------------------------------------------|-----------------------------------------------------------------------------------| -|[What is Enterprise Mode?](what-is-enterprise-mode.md) |Includes descriptions of the features of Enterprise Mode. | +|[Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)|Includes descriptions of the features of Enterprise Mode. | |[Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) |Guidance about how to turn on local control of Enterprise Mode and how to use ASP or the GitHub sample to collect data from your local computers. | |[Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md) |Guidance about how to turn on Enterprise Mode and set up a site list, using Group Policy or the registry. | |[Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) |Guidance about how to write the XML for your site list, including what not to include, how to use trailing slashes, and info about how to target specific sites. | @@ -34,6 +34,7 @@ Use the topics in this section to learn how to set up and use Enterprise Mode an |[Check for a new Enterprise Mode site list xml file](check-for-new-enterprise-mode-site-list-xml-file.md) |Guidance about how the Enterprise Mode functionality looks for your updated site list. | |[Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md) |Guidance about how to turn on local control of Enterprise Mode, using Group Policy or the registry.| |[Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) |Guidance about how to use the Enterprise Mode Site List Manager, including how to add and update sites on your site list. | +|[Use the Enterprise Mode Site List Portal](use-the-enterprise-mode-portal.md) |Guidance about how to set up and use the Enterprise Mode Site List Manager, including how to add and update sites on your site list. | |[Using Enterprise Mode](using-enterprise-mode.md) |Guidance about how to turn on either IE7 Enterprise Mode or IE8 Enterprise Mode. | |[Fix web compatibility issues using document modes and the Enterprise Mode Site List](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md) |Guidance about how to decide and test whether to use document modes or Enterprise Mode to help fix compatibility issues. | |[Remove sites from a local Enterprise Mode site list](remove-sites-from-a-local-enterprise-mode-site-list.md) |Guidance about how to remove websites from a device's local Enterprise Mode site list. | diff --git a/browsers/internet-explorer/ie11-deploy-guide/index.md b/browsers/internet-explorer/ie11-deploy-guide/index.md index f26bdcd631..4a37a95e9a 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/index.md +++ b/browsers/internet-explorer/ie11-deploy-guide/index.md @@ -33,7 +33,7 @@ Because this content isn't intended to be a step-by-step guide, not all of the s |[List of updated features and tools - Internet Explorer 11 (IE11)](updated-features-and-tools-with-ie11.md) |IE11 includes several new features and tools. This topic includes high-level info about the each of them. | |[Install and Deploy Internet Explorer 11 (IE11)](install-and-deploy-ie11.md) |Use the topics in this section to learn how to customize your Internet Explorer installation package, how to choose the right method for installation, and how to deploy IE into your environment. You can also find more info about your virtualization options for legacy apps. | |[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md) |Use IE to collect data on computers running Windows Internet Explorer 8 through IE11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades. | -|[Enterprise Mode for Internet Explorer 11 (IE11)](enterprise-mode-overview-for-ie11.md) |Use the topics in this section to learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company. | +|[Enterprise Mode for Internet Explorer 11 (IE11)](enterprise-mode-overview-for-ie11.md) |Use the topics in this section to learn how to set up and use Enterprise Mode, the Enterprise Mode Site List Manager, and the Enterprise Mode Site List Portal in your company. | |[Group Policy and Internet Explorer 11 (IE11)](group-policy-and-ie11.md) |Use the topics in this section to learn about Group Policy and how to use it to manage IE. | |[Manage Internet Explorer 11](manage-ie11-overview.md) |Use the topics in this section to learn about how to auto detect your settings, auto configure your configuration settings, and auto configure your proxy configuration settings for IE. | |[Troubleshoot Internet Explorer 11 (IE11)](troubleshoot-ie11.md) |Use the topics in this section to learn how to troubleshoot several of the more common problems experienced with IE. | diff --git a/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md new file mode 100644 index 0000000000..6d4ae0d626 --- /dev/null +++ b/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md @@ -0,0 +1,49 @@ +--- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how Administrators can schedule approved change requests for production in the Enterprise Mode Site List Portal. +author: eross-msft +ms.prod: ie11 +title: Schedule approved change requests for production using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +--- + +# Schedule approved change requests for production using the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +After a change request is approved, the original Requester can schedule the change for the production environment. The change can be immediate or set for a future time. + +**To schedule an immediate change** +1. The Requester logs onto the Enterprise Mode Site List Portal and clicks **In Progress** from the left pane. + +2. The Requester clicks the **Approved** status for the change request. + + The **Schedule changes** page appears. + +3. The Requester clicks **Now**, and then clicks **Save**. + + The update is scheduled to immediately update the production environment, and an email is sent to the Requester. After the update finishes, the Requester is asked to verify the changes. + + +**To schedule the change for a different day or time** +1. The Requester logs onto the Enterprise Mode Site List Portal and clicks **In Progress** from the left pane. + +2. The Requester clicks the **Approved** status for the change request. + + The **Schedule changes** page appears. + +3. The Requester clicks **Schedule**, sets the **Preferred day**, **Preferred start time**, and the **Preferred end time**, and then clicks **Save**. + + The update is scheduled to update the production environment on that day and time and an email is sent to the Requester. After the update finishes, the Requester will be asked to verify the changes. + + +## Next steps +After the update to the production environment completes, the Requester must again test the change. If the testing succeeds, the Requester can sign off on the change request. If the testing fails, the Requester can contact the Administrator group for more help. For the production environment testing steps, see the [Verify the change request update in the production environment using the Enterprise Mode Site List Portal](verify-changes-production-enterprise-mode-portal.md) topic. \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md new file mode 100644 index 0000000000..e23bce2182 --- /dev/null +++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md @@ -0,0 +1,231 @@ +--- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how to set up the Enterprise Mode Site List Portal for your organization. +author: eross-msft +ms.prod: ie11 +title: Set up the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +--- + +# Set up the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +The Enterprise Mode Site List Portal is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management. Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later. + +Before you can begin using the Enterprise Mode Site List Portal, you must set up your environment. + +## Step 1 - Copy the deployment folder to the web server +You must download the deployment folder (**EMIEWebPortal/**), which includes all of the source code for the website, from the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) site to your web server. + +**To download the source code** +1. Download the deployment folder from the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) source code to your web server. + +2. Install the Node.js® package manager, [npm](https://www.npmjs.com/). + + >[!Note] + >You need to install the npm package manager to replace all the third-party libraries we removed to make the Enterprise Mode Site List Portal open-source. + +3. Open File Explorer and then open the **EMIEWebPortal/** folder. + +4. Press and hold **Shift**, right-click the window, then click **Open PowerShell window here**. + +5. Type _npm i_ into the command prompt, then press **Enter**. + + Installs the npm package manager and bulk adds all the third-party libraries back into your codebase. + +6. Go back up a directory, open the solution file **EMIEWebPortal.sln** in Visual Studio, and then build the entire solution. + +7. Copy the contents of the **EMIEWebPortal/** folder to a dedicated folder on your file system. For example, _D:\EMIEWebApp_. In a later step, you'll designate this folder as your website in the IIS Manager. + +## Step 2 - Create the Application Pool and website, by using IIS +Create a new Application Pool and the website, by using the IIS Manager. + +**To create a new Application Pool** +1. In IIS Manager, expand your local computer in the **Connections** pane, right-click **Application Pools**, then click **Add Application Pool**. + + The **Add Application Pool** box appears. + +2. In the **Add Application Pool** box, enter the following info: + + - **Name.** Type the name of your new application pool. For example, _EMIEWebAppPool_. + + - **.NET CLR version.** Pick the version of .NET CLR used by your application pool from the drop-down box. It must be version 4.0 or higher. + + - **Managed pipeline mode.** Pick **Integrated** from the drop-down box. IIS uses the integrated IIS and ASP.NET request-processing pipeline for managed content. + +3. Click **OK**. + +4. Select your new application pool from the **Application Pool** pane, click **Advanced Settings** from the **Edit Application Pool** area of the **Actions** pane. + + The **Advanced Settings** box appears. + +5. Make sure your **Identity** value is **ApplicationPoolIdentity**, click **OK**, and then close the box. + +6. Open File Explorer and go to your deployment directory, created in Step 1. For example, _D:\EMIEWebApp_. + +7. Right-click on the directory, click **Properties**, and then click the **Security** tab. + +8. Add your new application pool to the list (for example, _IIS AppPool\EMIEWebAppPool_) with **Full control access**, making sure the location searches the local computer. + +9. Add **Everyone** to the list with **Read & execute access**. + +**To create the website** +1. In IIS Manager, expand your local computer in the **Connections** pane, right-click **Sites**, then click **Add Website**. + + The **Add Website** box appears. + +2. In the **Add Website** box, type the name of your website into the **Site name** box. For example, _EMIEWebApp_, and then click **Select**. + + The **Select Application Pool** box appears. + +4. Pick the name of the application pool created earlier in this step, and then click **OK**. For example, _EMIEWebAppPool_. + +5. In the **Physical path** box, browse to your folder that contains your deployment directory. For example, _D:\EMIEWebApp_. + +6. Set up your **Binding**, including your **Binding Type**, **IP address**, and **Port**, as appropriate for your organization. + +7. Clear the **Start Website immediately** check box, and then click **OK**. + +8. In IIS Manager, expand your local computer, and then double-click your new website. For example, _EMIEWebApp_. + + The **<website_name> Home** pane appears. + +9. Double-click the **Authentication** icon, right-click on **Windows Authentication**, and then click **Enable**. + + >[!Note] + >You must also make sure that **Anonymous Authentication** is marked as **Enabled**. + +10. Return to the **<website_name> Home** pane, and double-click the **Connection Strings** icon. + +11. Open the **LOBMergedEntities Connection String** to edit: + + - **Data source.** Type the name of your local computer. + + - **Initial catalog.** The name of your database. + + >[!Note] + >Step 3 of this topic provides the steps to create your database. + +## Step 3 - Create and prep your database +Create a SQL Server database and run our custom query to create the Enterprise Mode Site List tables. + +**To create and prep your database** +1. Start SQL Server Management Studio. + +2. Open **Object Explorer** and then connect to an instance of the SQL Server Database Engine. + +3. Expand the instance, right-click on **Databases**, and then click **New Database**. + +4. Type a database name. For example, _EMIEDatabase_. + +5. Leave all default values for the database files, and then click **OK**. + +6. Open the **DatabaseScripts/Create DB Tables/1_CreateEMIETables.sql** query file, located in the deployment directory. + +7. Replace the database name placeholder with the database name you created earlier. For example, _EMIEDatabase_. + +8. Run the query. + +## Step 4 - Map your Application Pool to a SQL Server role +Map your ApplicationPoolIdentity to your database, adding the db_owner role. + +**To map your ApplicationPoolIdentity to a SQL Server role** +1. Start SQL Server Management Studio and connect to your database. + +2. Expand the database instance and then open the server-level **Security** folder. + + > [!IMPORTANT] + > Make sure you open the **Security** folder at the server level and not for the database. + +3. Right-click **Logins**, and then click **New Login**. + + The **Login-New** dialog box appears. + +4. Type the following into the **Login name** box, based on your server instance type: + + - **Local SQL Server instance.** If you have a local SQL Server instance, where IIS and SQL Server are on the same server, type the name of your Application Pool. For example, _IIS AppPool\EMIEWebAppPool_. + + - **Remote SQL Server instance.** If you have a remote SQL Server instance, where IIS and SQL Server are on different servers, type `Domain\ServerName$`. + + > [!IMPORTANT] + > Don't click **Search** in the **Login name** box. Login name searches will resolve to a ServerName\AppPool Name account and SQL Server Management Studio won't be able to resolve the account's virtual Security ID (SID). + +5. Click **User Mapping** from the **Select a page** pane, click the checkbox for your database (for example, _EMIEDatabase_) from the **Users mapped to this login** pane, and then click **db_owner** from the list of available roles in the **Database role membership** pane. + +6. Click **OK**. + +## Step 5 - Restart the Application Pool and website +Using the IIS Manager, you must restart both your Application Pool and your website. + +**To restart your Application Pool and website** +1. In IIS Manager, expand your local computer in the **Connections** pane, select your website, then click **Restart** from the **Manage Website** pane. + +2. In the **Connections** pane, select your Application Pool, and then click **Recycle** from the **Application Pool Tasks** pane. + +## Step 6 - Registering as an administrator +After you've created your database and website, you'll need to register yourself (or another employee) as an administrator for the Enterprise Mode Site List Portal. + +**To register as an administrator** +1. Open Microsoft Edge and type your website URL into the Address bar. For example, http://emieportal:8085. + +2. Click **Register now**. + +3. Type your name or alias into the **Email** box, making sure it matches the info in the drop-down box. + +4. Click **Administrator** from the **Role** box, and then click **Save**. + +5. Append your website URL with `/#/EMIEAdminConsole` in the Address bar to go to your administrator console. For example, http://emieportal:8085/#/EMIEAdminConsole. + + A dialog box appears, prompting you for the system user name and password. The default user name is EMIEAdmin and the default password is Admin123. We strongly recommend that you change the password by using the **Change password** link as soon as you're done with your first visit. + +6. Select your name from the available list, and then click **Activate**. + +7. Go to the Enterprise Mode Site List Portal Home page and sign in. + +## Step 7 - Configure the SMTP server and port for email notification +After you've set up the portal, you need to configure your SMTP server and port for email notifications from the system. + +**To set up your SMTP server and port for emails** +1. Open Visual Studio, and then open the web.config file from your deployment directory. + +2. Update the SMTP server and port info with your info, using this format: + + ``` + + + ``` +3. Open the **Settings** page in the Enterprise Mode Site List Portal, and then update the email account and password info. + +## Step 8 - Register the scheduler service +Register the EMIEScheduler tool and service for production site list changes. + +**To register the scheduler service** + +1. Open File Explorer and go to EMIEWebPortal.SchedulerService\EMIEWebPortal.SchedulerService in your deployment directory, and then copy the **App_Data**, **bin**, and **Logs** folders to a separate folder. For example, C:\EMIEService\. + + >[!Important] + >If you can't find the **bin** and **Logs** folders, you probably haven't built the Visual Studio solution. Building the solution creates the folders and files. + +2. In Visual Studio start the Developer Command Prompt as an administrator, and then change the directory to the location of the InstallUtil.exe file. For example, _C:\Windows\Microsoft.NET\Framework\v4.0.30319_. + +3. Run the command, `InstallUtil ""`. For example, _InstallUtil "C:\EMIEService\bin\Debug\EMIEWebPortal.SchedulerService.exe"._ + + You'll be asked for your user name and password for the service. + +4. Open the **Run** command, type `Services.msc`, and then start the EMIEScheduler service. + +## Related topics +- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) + +- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md) + +- [Use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md) \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md new file mode 100644 index 0000000000..a478fd9557 --- /dev/null +++ b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md @@ -0,0 +1,79 @@ +--- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Portal. +ms.prod: ie11 +title: Use the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +--- + +# Use the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. + +The Enterprise Mode Site List Portal is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management. Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later. + +You can use IE11 and the Enterprise Mode Site List Portal to manage your Enterprise Mode Site List, hosted by the app, with multiple users. + +## Minimum system requirements for portal and test machines +Some of the components in this table might also need additional system resources. Check the component's documentation for more information. + +|Item |Description | +|-----|------------| +|Operating system |Windows 7 or later | +|Memory |16 GB RAM | +|Hard drive space |At least 8 GB of free space, formatted using the NTFS file system for better security | +|Active Directory (AD) |Devices must be domain-joined | +|SQL Server |Microsoft SQL Server Enterprise Edition 2012 or later | +|Visual Studio |Visual Studio 2015 or later | +|Node.js® package manager |npm Developer version or higher | +|Additional server infrastructure |Internet Information Service (IIS) 6.0 or later | + +## Role assignments and available actions +Admins can assign roles to employees for the Enterprise Mode Site List Portal, allowing the employees to perform specific actions, as described in this table. + +|Role assignment |Available actions | +|----------------|------------------| +|Requester |
  • Create a change request


  • Validate changes in the pre-production environment


  • Rollback pre-production and production changes in case of failure


  • Send approval requests


  • View own requests


  • Sign off and close own requests
| +|Approver

(includes the App Manager and Group Head roles) |
  • All of the Requester actions, plus:


  • Approve requests
| +|Administrator |
  • All of the Requester and Approver actions, plus:


  • Add employees to the portal


  • Assign employee roles


  • Approve registrations to the portal


  • Configure portal settings (for example, determine the freeze schedule, determine the pre-production and production XML paths, and determine the attachment upload location)


  • Use the standalone Enterprise Mode Site List Manager page


  • View reports
| + +## Enterprise Mode Site List Portal workflow by employee role +The following workflow describes how to use the Enterprise Mode Site List Portal. + +1. [The Requester submits a change request for an app](create-change-request-enterprise-mode-portal.md) + +2. [The Requester tests the change request info, verifying its accuracy](verify-changes-preprod-enterprise-mode-portal.md) + +3. [The Approver(s) group accepts the change request](approve-change-request-enterprise-mode-portal.md) + +4. [The Requester schedules the change for the production environment](schedule-production-change-enterprise-mode-portal.md) + +5. [The change is verified against the production site list and signed off](verify-changes-production-enterprise-mode-portal.md) + + +## Related topics +- [Set up the Enterprise Mode Site List Portal](set-up-enterprise-mode-portal.md) + +- [Workflow-based processes for employees using the Enterprise Mode Site List Portal](workflow-processes-enterprise-mode-portal.md) + +- [How to use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md) + +- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) + +- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md) +  + +  + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md new file mode 100644 index 0000000000..ad7ff7fb3e --- /dev/null +++ b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md @@ -0,0 +1,66 @@ +--- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how to make sure your change request info is accurate within the pre-production environment of the Enterprise Mode Site List Portal. +author: eross-msft +ms.prod: ie11 +title: Verify your changes using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +--- + +# Verify your changes using the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +>[!Important] +>This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct. + +The Requester successfully submits a change request to the Enterprise Mode Site List Portal and then gets an email, including: + +- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List. + +- **Test steps**. The suggested steps about how to test the change request details to make sure they're accurate in the pre-production environment. + +- **EMIE_Reset**. A batch file that when run, reverts the changes made to the pre-production registry. + +## Verify and send the change request to Approvers +The Requester tests the changes and then goes back into the Enterprise Mode Site List Portal, **Pre-production verification** page to verify whether the testing was successful. + +**To verify changes and send to the Approver(s)** +1. On the **Pre-production verification** page, the Requester clicks **Successful** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the change request and testing results. + +2. The Requester reviews the pre-defined Approver(s), and then clicks **Send for approval**. + + The Requester, the Approver group, and the Administrator group all get an email, stating that the change request is waiting for approval. + + +**To rollback your pre-production changes** +1. On the **Pre-production verification** page, the Requester clicks **Failed** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the change request and testing results. + +2. Add a description about the issue into the **Issue description** box, and then click **Send failure details**. + + The change request and issue info are sent to the Administrators. + +3. The Requester clicks **Roll back** to roll back the changes in the pre-production environment. + + After the Requester rolls back the changes, the request can be updated and re-submitted. + + +## View rolled back change requests +The original Requester and the Administrator(s) group can view the rolled back change requests. + +**To view the rolled back change request** + +- In the Enterprise Mode Site List Portal, click **Rolled back** from the left pane. + + All rolled back change requests appear, with role assignment determining which ones are visible. + +## Next steps +If the change request is certified as successful, the Requester must next send it to the Approvers for approval. For the Approver-related steps, see the [Approve a change request using the Enterprise Mode Site List Portal](approve-change-request-enterprise-mode-portal.md) topic. diff --git a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md new file mode 100644 index 0000000000..9b17b1c55d --- /dev/null +++ b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md @@ -0,0 +1,41 @@ +--- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how the Requester makes sure that the change request update is accurate within the production environment using the Enterprise Mode Site List Portal. +author: eross-msft +ms.prod: ie11 +title: Verify the change request update in the production environment using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +--- + +# Verify the change request update in the production environment using the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +## Verify and sign off on the update in the production environment +The Requester tests the changes in the production environment and then goes back into the Enterprise Mode Site List Portal, **Production verification** page to verify whether the testing was successful. + +**To verify the changes and sign off** +- On the **Production verification** page, the Requester clicks **Successful**, optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the testing results, optionally includes a description of the change, and then clicks **Sign off**. + + The Requester, Approver group, and Administrator group all get an email, stating that the change request has been signed off. + + +**To rollback production changes** +1. On the **Production verification** page, the Requester clicks **Failed** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the testing results. + +2. Add a description about the issue into the **Change description** box, and then click **Send failure details**. + + The info is sent to the Administrators. + +3. The Requester clicks **Roll back** to roll back the changes in the production environment. + + After the Requester rolls back the changes, the request is automatically handled in the production and pre-production environment site lists. + diff --git a/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md new file mode 100644 index 0000000000..90be9b01af --- /dev/null +++ b/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md @@ -0,0 +1,37 @@ +--- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how to view the active Enterprise Mode Site List from the Enterprise Mode Site List Portal. +author: eross-msft +ms.prod: ie11 +title: View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +--- + +# View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Any employee with access to the Enterprise Mode Site List Portal can view the apps included in the current Enterprise Mode Site List. + +**To view the active Enterprise Mode Site List** +1. Open the Enterprise Mode Site List Portal and click the **Production sites list** icon in the upper-right area of the page. + + The **Production sites list** page appears, with each app showing its URL, the compatibility mode to use, and the assigned browser to open the site. + +2. Click any URL to view the actual site, using the compatibility mode and opening in the correct browser. + + +**To export the active Enterprise Mode Site List** +1. On the **Production sites list** page, click **Export**. + +2. Save the ProductionSiteList.xlsx file. + + The Excel file includes all apps in the current Enterprise Mode Site List, including URL, compatibility mode, and assigned browser. diff --git a/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md b/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md new file mode 100644 index 0000000000..39742890ba --- /dev/null +++ b/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md @@ -0,0 +1,49 @@ +--- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how an Administrator can view the available Enterprise Mode reports from the Enterprise Mode Site List Portal. +author: eross-msft +ms.prod: ie11 +title: View the available Enterprise Mode reports from the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +--- + +# View the available Enterprise Mode reports from the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Administrators can view the Microsoft-provided Enterprise Mode reports from the Enterprise Mode Site List Portal. + +**To view the reports** +1. Open the Enterprise Mode Site List Portal and click the **Enterprise Mode reports** icon in the upper-right area of the page. + + The **Enterprise Mode reports** page appears, with each app showing its URL, the compatibility mode to use, and the assigned browser to open the site. + +2. Use the calendars to provide the **From date** and **To date**, determining the span of time the report covers. + +3. Click **Apply**. + + The reports all change to reflect the appropriate timeframe and group, including: + + - **Total number of websites in the site list.** A box at the top of the reports page that tells you the total number of websites included in the Enterprise Mode Sit List. + + - **All websites by docmode.** Shows how many change requests exist, based on the different doc modes included in the **App best viewed in** field. + + - **All websites by browser.** Shows how many apps require which browser, including **IE11**, **MSEdge**, or **None**. + + - **All requests by status.** Shows how many change requests exist, based on each status. + + - **All requests by change type.** Shows how many change requests exist, based on the **Requested change** field. + + - **Request status by group.** Shows how many change requests exist, based on both group and status. + + - **Reasons for request.** Shows how many change request reasons exist, based on the **Reason for request** field. + + - **Requested changes by app name.** Shows what specific apps were **Added to site list**, **Deleted from site list**, or **Updated from site list**. \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md index 44cf261391..f803185980 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md @@ -6,12 +6,12 @@ description: Info about the features included in Enterprise Mode with Internet E author: eross-msft ms.prod: ie11 ms.assetid: 3c77e9f3-eb21-46d9-b5aa-f9b2341cfefa -title: What is Enterprise Mode (Internet Explorer 11 for IT Pros) +title: Enterprise Mode and the Enterprise Mode Site List (Internet Explorer 11 for IT Pros) ms.sitesec: library --- -# What is Enterprise Mode? +# Enterprise Mode and the Enterprise Mode Site List **Applies to:** @@ -21,28 +21,146 @@ ms.sitesec: library - Windows Server 2012 R2 - Windows Server 2008 R2 with Service Pack 1 (SP1) -Enterprise Mode, a compatibility mode that runs on Internet Explorer 11 on Windows 8.1 Update and Windows 7 devices, lets websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. +Internet Explorer and Microsoft Edge can work together to support your legacy web apps, while still defaulting to the higher bar for security and modern experiences enabled by Microsoft Edge. Working with multiple browsers can be difficult, particularly if you have a substantial number of internal sites. To help manage this dual-browser experience, we are introducing a new web tool specifically targeted towards larger organizations: the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal). -Many customers identify web app compatibility as a significant cost to upgrading because web apps need to be tested and upgraded before adopting a new browser. The improved compatibility provided by Enterprise Mode can help give customers confidence to upgrade to the latest version of IE. In particular, IE11 lets customers benefit from modern web standards, increased performance, improved security, and better reliability. +## Available dual-browser experiences +Based on the size of your legacy web app dependency, determined by the data collected with [Windows Upgrade Analytics](https://blogs.windows.com/windowsexperience/2016/09/26/new-windows-10-and-office-365-features-for-the-secure-productive-enterprise/), there are several options from which you can choose to configure your enterprise browsing environment: -## Enterprise Mode features +- Use Microsoft Edge as your primary browser. +- Use Microsoft Edge as your primary browser and use Enterprise Mode to open sites in Internet Explorer 11 (IE11) that use IE proprietary technologies. + +- Use Microsoft Edge as your primary browser and open all intranet sites in IE11. + +- Use IE11 as your primary browser and use Enterprise Mode to open sites in Microsoft Edge that use modern web technologies. + +For more info about when to use which option, and which option is best for you, see the [Continuing to make it easier for Enterprise customers to upgrade to Internet Explorer 11 — and Windows 10](https://blogs.windows.com/msedgedev/2015/11/23/windows-10-1511-enterprise-improvements) blog. + +## What is Enterprise Mode? +Enterprise Mode, a compatibility mode that runs on Internet Explorer 11 on Windows 10 devices, lets websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. + +Many customers identify web app compatibility as a significant cost to upgrading because web apps need to be tested and upgraded before adopting a new browser. The improved compatibility provided by Enterprise Mode can help give customers confidence to upgrade to IE11, letting customers benefit from modern web standards, increased performance, improved security, and better reliability. + +### Enterprise Mode features Enterprise Mode includes the following features: -- **Improved web app and website compatibility.** Through improved emulation, Enterprise Mode lets many legacy web apps run unmodified on IE11, supporting a number of site patterns that aren’t currently supported by existing document modes. +- **Improved web app and website compatibility.** Through improved emulation, Enterprise Mode lets many legacy web apps run unmodified on IE11, supporting several site patterns that aren’t currently supported by existing document modes. -- **Tool-based management for website lists.** Use the Enterprise Mode Site List Manager to add website domains and domain paths and to specify whether a site renders using Enterprise Mode.

+- **Tool-based management for website lists.** Use the Enterprise Mode Site List Manager to add website domains and domain paths and to specify whether a site renders using Enterprise Mode. Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) or the [Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378), based on your operating system and schema. -- **Centralized control.** You can specify the websites or web apps to interpret using Enterprise Mode, through an XML file on a website or stored locally. Domains and paths within those domains can be treated differently, allowing granular control. Use Group Policy to let users turn Enterprise Mode on or off from the **Tools** menu and to decide whether the Enterprise browser profile appears on the **Emulation** tab of the F12 developer tools.

**Important**
All centrally-made decisions override any locally-made choices.  +- **Centralized control.** You can specify the websites or web apps to interpret using Enterprise Mode, through an XML file on a website or stored locally. Domains and paths within those domains can be treated differently, allowing granular control. Use Group Policy to let users turn Enterprise Mode on or off from the Tools menu and to decide whether the Enterprise browser profile appears on the Emulation tab of the F12 developer tools. -- **Integrated browsing.** When Enterprise Mode is set up, users can browse the web normally, letting the browser change modes automatically to accommodate Enterprise Mode sites. + >[!Important] + >All centrally-made decisions override any locally-made choices. -- **Data gathering.** You can configure Enterprise Mode to collect local override data, posting back to a named server. This lets you "crowd source" compatibility testing from key users; gathering their findings to add to your central site list. +- **Integrated browsing.** When Enterprise Mode is set up, users can browse the web normally, letting the browser change modes automatically to accommodate Enterprise Mode sites. -  +- **Data gathering.** You can configure Enterprise Mode to collect local override data, posting back to a named server. This lets you "crowd source" compatibility testing from key users; gathering their findings to add to your central site list. -  +## Enterprise Mode and the Enterprise Mode Site List XML file +The Enterprise Mode Site List is an XML document that specifies a list of sites, their compat mode, and their intended browser. Using [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853), you can automatically start a webpage using a specific browser. In the case of IE11, the webpage can also be launched in a specific compat mode, so it always renders correctly. Your employees can easily view this site list by typing _about:compat_ in either Microsoft Edge or IE11. +Starting with Windows 10, version 1511 (also known as the Anniversary Update), you can also [restrict IE11 to only the legacy web apps that need it](https://blogs.windows.com/msedgedev/2016/05/19/edge14-ie11-better-together/), automatically sending sites not included in the Enterprise Mode Site List to Microsoft Edge. +### Site list xml file +This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](https://docs.microsoft.com/en-us/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](turn-on-enterprise-mode-and-use-a-site-list.md). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compat mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location. +```xml + + + + EnterpriseSiteListManager + 10586 + 20150728.135021 + + + + IE8Enterprise + IE11 + + + default + IE11 + + + IE7Enterprise + IE11 + + + + + IE8Enterprise" + IE11 + + + IE7 + IE11 + + + IE7 + IE11 + + + +``` + +## Enterprise Mode Site List Manager and the Enterprise Mode Site List Portal tools +You can build and manage your Enterprise Mode Site List is by using any generic text editor. However, we’ve also provided a couple tools that can make that process even easier. + +### Enterprise Mode Site List Manager +This tool helps you create error-free XML documents with simple n+1 versioning and URL verification. We recommend using this tool if your site list is relatively small. For more info about this tool, see the Use the [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics. + +There are 2 versions of this tool, both supported on Windows 7, Windows 8.1, and Windows 10: + +- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501). This is an older version of the schema that you must use if you want to create and update your Enterprise Mode Site List for devices running the v.1 version of the schema. + + We strongly recommend moving to the new schema, v.2. For more info, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md). + +- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974). The updated version of the schema, including new functionality. You can use this version of the schema to create and update your Enterprise Mode Site List for devices running the v.2 version of the schema. + + If you open a v.1 version of your Enterprise Mode Site List using this version, it will update the schema to v.2, automatically. For more info, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). + +If your list is too large to add individual sites, or if you have more than one person managing the site list, we recommend using the Enterprise Site List Portal. + +### Enterprise Mode Site List Portal +The [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management. + +In addition to all the functionality of the Enterprise Mode Site List Manager tool, the Enterprise Mode Site List Portal helps you: + +- Manage site lists from any device supporting Windows 7 or greater. + +- Submit change requests. + +- Operate offline through an on-premise solution. + +- Provide role-based governance. + +- Test configuration settings before releasing to a live environment. + +Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later. + +Because the tool is open-source, the source code is readily available for examination and experimentation. We encourage you to [fork the code, submit pull requests, and send us your feedback](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)! For more info about the Enterprise Mode Site List Portal, see the [Use the Enterprise Mode Site List Portal](use-the-enterprise-mode-portal.md) topics. + +## Related topics + +- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) + +- [Technical guidance, tools, and resources on Enterprise browsing](https://technet.microsoft.com/ie) + +- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501) + +- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974) + +- [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) + +- [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md) + +- [Web Application Compatibility Lab Kit](https://technet.microsoft.com/microsoft-edge/mt612809.aspx) + +- [Microsoft Services Support](https://www.microsoft.com/en-us/microsoftservices/support.aspx) + +- [Find a Microsoft partner on Pinpoint](https://partnercenter.microsoft.com/pcv/search) \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md new file mode 100644 index 0000000000..6c23ee0748 --- /dev/null +++ b/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md @@ -0,0 +1,42 @@ +--- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Use the topics in this section to learn how to perform all of the workflow-related processes in the Enterprise Mode Site List Portal. +author: eross-msft +ms.prod: ie11 +title: Workflow-based processes for employees using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +--- + + +# Workflow-based processes for employees using the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Use the topics in this section to learn how to perform the available Enterprise Mode Site List Portal processes, based on workflow. + +## In this section +|Topic |Description | +|---------------------------------------------------------------|-----------------------------------------------------------------------------------| +|[Create a change request using the Enterprise Mode Site List Portal](create-change-request-enterprise-mode-portal.md)|Details about how the Requester creates a change request in the Enterprise Mode Site List Portal.| +|[Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md)|Details about how the Requester tests a change request in the pre-production environment of the Enterprise Mode Site List Portal.| +|[Approve a change request using the Enterprise Mode Site List Portal](approve-change-request-enterprise-mode-portal.md)|Details about how the Approver(s) approve a change request in the Enterprise Mode Site List Portal.| +|[Schedule approved change requests for production using the Enterprise Mode Site List Portal](schedule-production-change-enterprise-mode-portal.md)|Details about how the Requester schedules the approved change request update in the Enterprise Mode Site List Portal.| +|[Verify the change request update in the production environment using the Enterprise Mode Site List Portal](verify-changes-production-enterprise-mode-portal.md)|Details about how the Requester tests an update in the production environment of the Enterprise Mode Site List Portal.| +|[View the apps currently on the Enterprise Mode Site List](view-apps-enterprise-mode-site-list.md)|Details about how anyone with access to the portal can review the apps already on the active Enterprise Mode Site List.| +|[View the available Enterprise Mode reports from the Enterprise Mode Site List Portal](view-enterprise-mode-reports-for-portal.md) |Details about how the Administrator can view the view the Microsoft-provided Enterprise Mode reports from the Enterprise Mode Site List Portal. | + + +## Related topics +- [Set up the Enterprise Mode Site List Portal](set-up-enterprise-mode-portal.md) + +- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) + +- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md) \ No newline at end of file diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md index 056064b880..39d7708dde 100644 --- a/devices/surface-hub/use-room-control-system-with-surface-hub.md +++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md @@ -44,7 +44,7 @@ This diagram shows the correct pinout used for an RJ-11 (6P6C) to DB9 cable. Room control systems use common meeting-room scenarios for commands. Commands originate from the room control system, and are communicated over a serial connection to a Surface Hub. Commands are ASCII based, and the Surface Hub will acknowledge when state changes occur. -The following command modifiers are available. Commands terminate with a new line character (/n). Responses can come at any time in response to state changes not triggered directly by a management port command. +The following command modifiers are available. Commands terminate with a new line character (\n). Responses can come at any time in response to state changes not triggered directly by a management port command. | Modifier | Result | | --- | --- | diff --git a/education/get-started/get-started-with-microsoft-education.md b/education/get-started/get-started-with-microsoft-education.md index fd891a0750..d82cbe9b63 100644 --- a/education/get-started/get-started-with-microsoft-education.md +++ b/education/get-started/get-started-with-microsoft-education.md @@ -174,20 +174,22 @@ To learn more about the CSV files that are required and the info you need to inc **Assign Classroom license** -The Classroom application is retired, but you will need to assign the Classroom Preview license to yourself and other global admins so that you can access the services. The single license will allow global admins to access both Classroom Preview and School Data Sync. +The Classroom application is retired, but you will need to assign the Classroom Preview license to global admin accounts that will be used to administer SDS. The single license allows global admins to access both Classroom Preview and School Data Sync. 1. In the Office 365 admin center, select **Users > Active users**. 2. Select the checkbox for your global admin account. 3. In the account details window, under **Product licenses**, click **Edit**. 4. In the **Product licenses** page, turn on **Microsoft Classroom** and then click **Save**. -5. Confirm that you can access SDS. To do this, log in to https://sds.microsoft.com. +5. Confirm that you can access SDS. To do this: + - Navigate to https://sds.microsoft.com and click **Sign in**. When prompted, enter your global admin username and password to access the SDS portal. Or, + - From the Office 365 admin portal, go to **Admin centers** and click on **School Data Sync** to go to the SDS portal. > [!NOTE] > Only global admins can access SDS. **Use SDS to import student data** -1. If you haven't done so already, To do this, go to https://sds.microsoft.com. +1. If you haven't done so already, go to the SDS portal, https://sds.microsoft.com. 2. Click **Sign in**. You will see the **Settings** option for **Manage School Data Sync**. **Figure 6** - Settings for managing SDS @@ -211,7 +213,7 @@ The Classroom application is retired, but you will need to assign the Classroom ![New SDS profile setup wizard](images/sds_updated_addnewprofile.png) 6. For the new profile, in the **Before you begin...** screen: - 1. Enter a name for your profile, such as *ContosoElementarySchool*. + 1. Enter a name for your profile, such as *Contoso_Profile_1*. 2. Select a sync method for your profile. For this walkthrough, select **CSV Files**. Note that for any sync method that you choose, you can click the **View steps** link to get more information about the steps you need to take depending on the sync method of your choosing. @@ -219,11 +221,8 @@ The Classroom application is retired, but you will need to assign the Classroom 3. Click **Start**. 7. In the **Sync options** screen: - 1. Select the domain for the schools/sections. If you have more than one domain, make sure you select the domain that corresponds to the profile you're creating. - 2. In the **Select school and section properties** section, select the properties you want to sync. If you select additional properties, make sure you have these properties and values added in the CSV files. For the walkthrough, we're not changing the default values. These are: - - **School properties:** SIS ID, Name - - **Section properties:** SIS ID, School SIS ID, Section Name - 3. In the **Select new or existing users** section, select either **New users** or **Existing users** based on the scenaro that applies to you. + 1. In the **Select new or existing users** section, you can select either **New users** or **Existing users** based on the scenaro that applies to you. For this walkthrough, select **New users**. + + 2. In the **Import data** section: + 1. Click **Upload Files** to bring up the **Select data files to be uploaded** window. + 2. In the **Select data files to be uploaded** window, click **+ Add Files** and navigate to the directory where you saved the six CSV files required for data import. + 3. In the File Explorer window, you will see a folder for the sample CSV files for the UK and six sample CSV files for the US. Select the CSV files that match your region/locale, and then click **Open**. + 4. In the **Select data files to be uploaded** window, confirm that all six CSV files (School.csv, Section.csv, Student.csv, StudentEnrollment.csv, Teacher.csv, and TeacherRoster.csv) are listed and then click **Upload**. + 4. After all the files are successfully uploaded, click **OK**. + 3. Select the domain for the schools/sections. This domain will be used for the Section email addresses created during setup. If you have more than one domain, make sure you select the appropriate domain for the sync profile and subsequent sections being created. + 4. In the **Select school and section properties** section, ensure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties, or deselect any properties, make sure you have the properties and values contained within the CSV files. For the walkthrough, you don't have to change the default. + 5. In the **Sync option for Section Group Display Name**, check the box if you want to allow teachers to overwrite the section names. Otherwise, SDS will always reset the display name value for sections to the value contained within the CSV files. + 6. In the **License Options** section, check the box to allow users being created to receive an Office 365 license. + 7. Check the **Intune for Education** checkbox to allow users to receive the Intune for Education license and to create the SDS dynamic groups and security groups, which be used within Intune for Education. + 8. Click **Next**. **Figure 9** - Sync options for the new profile - ![Specify sync options for the new SDS profile](images/sds_addnewprofile_syncoptions.png) + ![Specify sync options for the new SDS profile](images/sds_profile_syncoptions.png) 8. In the **Teacher options** screen: - 1. Select the domain for the teachers. SDS uses this to match teachers from your source data to their existing accounts in Office 365/Azure Active Directory. In the walkthrough, the CSV files are our source data. - 2. In the **Select teacher properties** section, you can add optional teacher properties to sync. For this walkthrough, you don't have to change the default. + 1. Select the domain for the teachers. SDS appends the selected domain suffix to the teacher's username attribute contained in the CSV file, to build the UserPrincipalName for each user in Office 365/Azure Active Directory during the account creation process. The teacher will log in to Office 365 with the UserPrincipalName once the account is created. + 2. In the **Select teacher properties** section, make sure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties or deselect any properties, make sure you have the corresponding properties and values contained within the CSV files. For this walkthrough, you don't have to change the default. 3. In the **Teacher licenses** section, choose the SKU to assign licenses for teachers. For this walkthrough, choose **STANDARDWOFFPACK_FACULTY**. 4. Click **Next**. **Figure 10** - Specify options for teacher mapping - ![Specify options for teacher mapping](images/sds_addnewprofile_teacheroptions.png) + ![Specify options for teacher mapping](images/sds_profile_teacheroptions.png) 9. In the **Student options** screen: - 1. Select the domain for the students. SDS uses this to match students from your source data to their existing accounts in Office 365/Azure Active Directory. In the walkthrough, the CSV files are our source data. - 2. In the **Select student properties** section, you can add optional student properties to sync. For this walkthrough, you don't have to change the default. + 1. Select the domain for the students. SDS appends the selected domain suffix to the student's username attribute contained in the CSV file, to build the UserPrincipalName for each user in Office 365/Azure Active Directory during the account creation process. The student will log in to Office 365 with the UserPrincipalName once the account is created. + 2. In the **Select student properties** section, make sure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties or deselect any properties, make sure you have the corresponding properties and values contained within the CSV files. For this walkthrough, you don't have to change the default. 3. In the **Student licenses** section, choose the SKU to assign licenses for students. For this walkthrough, choose **STANDARDWOFFPACK_STUDENT**. 4. Click **Next**. **Figure 11** - Specify options for student mapping - ![Specify options for student mapping](images/sds_addnewprofile_studentoptions.png) + ![Specify options for student mapping](images/sds_profile_studentoptions.png) -10. In the profile **Review** page, review the summary and confirm that the values matches with the data you entered. Click **Create profile**. +10. In the profile **Review** page, review the summary and confirm that the options selected are correct. Click **Create profile**. You will see a notification that your profile is being created. @@ -268,29 +276,22 @@ The Classroom application is retired, but you will need to assign the Classroom **Figure 12** - SDS profile page - ![SDS profile page](images/sds_profilepage.png) + ![SDS profile page](images/sds_profile_profilepage.png) -12. After the profile name at the top, confirm that the status for your profile now says **Ready to sync**. +12. After the profile is created and finished **Setting up**, confirm that the status for your profile now says **Sync enabled**. - If the status still indicates that the profile is being set up, try refreshing the page until you see the status change to **Ready to sync**. + If the status still indicates that the profile is being set up, try refreshing the page until you see the status change to **Sync enabled**. - **Figure 13** - New profile is ready to sync + **Figure 13** - New profile is sync enabled - ![Confirm that the new profile is ready](images/sds_profile_readytosync.png) + ![Confirm that the new profile is sync enabled](images/sds_profile_syncenabled.png) -11. On the profile page, below the profile name and profile status, there are four options: **Upload Files**, **Start Sync**, **Edit**, and **Delete**. Click **Upload Files** and then follow these steps: - 1. In the **Select data files to be uploaded** window, click **+ Add Files** and navigate to the directory where you saved the six CSV files required for data import. - 2. In the File Explorer window, you will see a folder for the sample CSV files for the UK and six sample CSV files for the US. Select the CSV files that match your region/locale, and then click **Open**. - 3. In the **Select data files to be uploaded** window, confirm that all six CSV files (School.csv, Section.csv, Student.csv, StudentEnrollment.csv, Teacher.csv, and TeacherRoster.csv) are listed and then click **Upload**. - 4. After all the files are successfully uploaded, click **OK**. -12. On the profile page, click **Start Sync** and then follow these steps: - 1. In the **Would you like to start sync for *Profile_Name?*** window, click **Start Sync**. *Profile_Name* should match the name you entered for your profile in the **Before you begin...** screen. - 2. Confirm that sync successfully started for the file and then click **OK**. + > [!TIP] + > If you get errors during the pre-sync validation process, your profile status will change to **x Error**. To continue, review or resolve any pre-sync validation errors, and then click **Resume Sync** to start the synchronization cycle. - > [!NOTE] - > Sync times, like file download times, can vary widely depending on when you start the sync, how much data you are syncing, the complexity of your data (such as the number of users, schools, and class enrollments), overall system/network load, and other factors. Two people who start a sync at the same time may not have their syncs complete at the same time. - > - > You can refresh the page to confirm that your profile synced successfully. + Sync times, like file download times, can vary widely depending on when you start the sync, how much data you are syncing, the complexity of your data (such as the number of users, schools, and class enrollments), overall system/network load, and other factors. Two people who start a sync at the same time may not have their syncs complete at the same time. + + You can refresh the page to confirm that your profile synced successfully. That's it for importing sample school data using SDS. @@ -401,15 +402,15 @@ Intune for Education provides an **Express configuration** option so you can get **Figure 22** - Expand the settings group to get more details - ![Expand the settings group to get more info](images/i4e_expressconfiguration_choosesettings_expandcollapse_cropped.png) + ![Expand the settings group to get more info](images/i4e_expressconfiguration_choosesettings_expandcollapse_cropped_052217.png) 9. For this walkthrough, set the following settings: - - In the **Internet browser settings** group, change the **Send Do Not Track requests to help protect users' privacy** setting to **Block**. - - In the **App settings** group, change the **Microsoft Store for Business apps** setting to **Block**, and then set the **Private Microsoft Store for Business apps** to **Allow**. + - In the **Microsoft Edge settings** group, change the **Do-Not-Track headers** setting to **Require**. + - In the **App settings** group, change the **Microsoft Store for Business apps** setting to **Block**, and then set the **Require Microsoft Store for Business apps to be installed from private store** to **Require**. **Figure 23** - Set some additional settings - ![Set some additional settings](images/i4e_expressconfiguration_choosesettings_additionalsettingsconfigured_cropped.png) + ![Set some additional settings](images/i4e_expressconfiguration_choosesettings_additionalsettings_cropped.png) 10. Click **Next**. In the **Review** screen, you will see a summary of the apps and settings you selected to apply. @@ -517,6 +518,30 @@ We recommend using the latest build of Windows 10, version 1703 on your educatio **Option 1: Set up a device using the Set up School PCs app** +IT administrators and technical teachers can use the Set up School PCs app to quickly set up PCs for students. A student PC set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. + +![Set up School PCs app](images/suspc_getstarted_050817.png) + +Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recommended education settings, using a quick USB setup. This app guides you through the creation of a student PC provisioning package and helps you save it to a USB drive. From there, just plug the USB drive into student PCs running Windows 10 Creators Update (version 1703). It automatically: +- Joins each student PC to your organization's Office 365 and Azure Active Directory tenant +- Enrolls each student PC into a mobile device management (MDM) provider, like Intune for Education, if licensed in your tenant. You can manage all the settings Set up School PCs sets later through MDM. +- Removes OEM preinstalled software from each student PC +- Auto-configures and saves a wireless network profile on each student PC +- Gives a friendly and unique name to each student device for future management +- Sets Microsoft-recommended school PC settings, including shared PC mode which provides faster sign-in and automatic account cleanup +- Enables optional guest account for younger students, lost passwords, or visitors +- Enables optional secure testing account +- Locks down the student PC to prevent mischievous activity: + * Prevents students from removing the PC from the school's device management system + * Prevents students from removing the Set up School PCs settings +- Keeps student PCs up-to-date without interfering with class time using Windows Update and maintenance hours +- Customizes the Start layout with Office +- Installs OneDrive for storing cloud-based documents and Sway for creating interactive reports, presentations, and more +- Uninstalls apps not specific to education, such as Solitaire +- Prevents students from adding personal Microsoft accounts to the PC + +**To set up a device using the Set up School PCs app** + 1. Follow the steps in Use the Set up School PCs app to quickly set up one or more student PCs. 2. Follow the steps in [5.2 Verify correct device setup](#52-verify-correct-device-setup). @@ -606,8 +631,8 @@ When a device is owned by the school, you may need to have a single persion addi Follow the steps in this section to enable a single person to add many devices to your cloud infrastructure. 1. Sign in to the Office 365 admin center. -2. Click **Admin centers** and select **Azure AD** to go to the Azure portal. -3. Configure the device settings for the school's Active Directory. From the new Azure portal, https://portal.azure.com, select **Azure Active Directory > Users and groups > Device settings**. +2. Configure the device settings for the school's Active Directory. To do this, go to the new Azure portal, https://portal.azure.com. +3. Select **Azure Active Directory > Users and groups > Device settings**. **Figure 40** - Device settings in the new Azure portal @@ -622,8 +647,8 @@ When students move from using one device to another, they may need to have their Follow the steps in this section to ensure that settings for the each user follow them when they move from one device to another. 1. Sign in to the Office 365 admin center. -2. Click **Admin centers** and select **Azure AD** to go to the Azure portal. -3. Configure the device settings for the school's Active Directory. From the new Azure portal, https://portal.azure.com, select **Azure Active Directory > Users and groups > Device settings**. +3. Go to the new Azure portal, https://portal.azure.com. +3. Select **Azure Active Directory > Users and groups > Device settings**. 4. Find the setting **Users may sync settings and enterprise app data** and change the value to **All**. **Figure 41** - Enable settings to roam with users diff --git a/education/get-started/images/i4e_expressconfiguration_choosesettings_additionalsettings_cropped.PNG b/education/get-started/images/i4e_expressconfiguration_choosesettings_additionalsettings_cropped.PNG new file mode 100644 index 0000000000..96e1e0452b Binary files /dev/null and b/education/get-started/images/i4e_expressconfiguration_choosesettings_additionalsettings_cropped.PNG differ diff --git a/education/get-started/images/i4e_expressconfiguration_choosesettings_expandcollapse_cropped_052217.PNG b/education/get-started/images/i4e_expressconfiguration_choosesettings_expandcollapse_cropped_052217.PNG new file mode 100644 index 0000000000..e223b5a94c Binary files /dev/null and b/education/get-started/images/i4e_expressconfiguration_choosesettings_expandcollapse_cropped_052217.PNG differ diff --git a/education/get-started/images/sds_profile_profilepage.PNG b/education/get-started/images/sds_profile_profilepage.PNG new file mode 100644 index 0000000000..04e2193189 Binary files /dev/null and b/education/get-started/images/sds_profile_profilepage.PNG differ diff --git a/education/get-started/images/sds_profile_studentoptions.PNG b/education/get-started/images/sds_profile_studentoptions.PNG new file mode 100644 index 0000000000..87558a3881 Binary files /dev/null and b/education/get-started/images/sds_profile_studentoptions.PNG differ diff --git a/education/get-started/images/sds_profile_syncenabled.PNG b/education/get-started/images/sds_profile_syncenabled.PNG new file mode 100644 index 0000000000..197d2f0851 Binary files /dev/null and b/education/get-started/images/sds_profile_syncenabled.PNG differ diff --git a/education/get-started/images/sds_profile_syncoptions.PNG b/education/get-started/images/sds_profile_syncoptions.PNG new file mode 100644 index 0000000000..f7cd01262f Binary files /dev/null and b/education/get-started/images/sds_profile_syncoptions.PNG differ diff --git a/education/get-started/images/sds_profile_teacheroptions.PNG b/education/get-started/images/sds_profile_teacheroptions.PNG new file mode 100644 index 0000000000..0a01ed2f96 Binary files /dev/null and b/education/get-started/images/sds_profile_teacheroptions.PNG differ diff --git a/education/get-started/images/suspc_getstarted_050817.PNG b/education/get-started/images/suspc_getstarted_050817.PNG new file mode 100644 index 0000000000..124905676a Binary files /dev/null and b/education/get-started/images/suspc_getstarted_050817.PNG differ diff --git a/education/windows/TOC.md b/education/windows/TOC.md index 51cbe0a694..a121e92d2e 100644 --- a/education/windows/TOC.md +++ b/education/windows/TOC.md @@ -17,6 +17,6 @@ ### [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md) ## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) ## [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md) -## [Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md) +## [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md) ## [Chromebook migration guide](chromebook-migration-guide.md) ## [Change history for Windows 10 for Education](change-history-edu.md) diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index f4a79c2366..00af76258b 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md @@ -12,6 +12,12 @@ author: CelesteDG This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation. +## May 2017 + +| New or changed topic | Description | +| --- | ---- | +| [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md) | New. If you have an education tenant and use devices Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education. | + ## RELEASE: Windows 10, version 1703 (Creators Update) | New or changed topic | Description| @@ -35,7 +41,7 @@ This topic lists new and updated topics in the [Windows 10 for Education](index. | New or changed topic | Description | | --- | --- | -| [Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md) | New. Learn how to opt-in to a free upgrade to Windows 10 Pro Education. | +| [Upgrade Windows 10 Pro to Pro Education from Windows Store for Business] | New. Learn how to opt-in to a free upgrade to Windows 10 Pro Education. As of May 2017, this topic has been replaced with [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md). | ## November 2016 diff --git a/education/windows/images/1_howtosetup.png b/education/windows/images/1_howtosetup.png new file mode 100644 index 0000000000..7eb8222ed3 Binary files /dev/null and b/education/windows/images/1_howtosetup.png differ diff --git a/education/windows/images/2_signinwithms.png b/education/windows/images/2_signinwithms.png new file mode 100644 index 0000000000..e4b5f27f12 Binary files /dev/null and b/education/windows/images/2_signinwithms.png differ diff --git a/education/windows/images/i4e_editionupgrade.png b/education/windows/images/i4e_editionupgrade.png new file mode 100644 index 0000000000..ed5b281086 Binary files /dev/null and b/education/windows/images/i4e_editionupgrade.png differ diff --git a/education/windows/images/msfe_clickemaillink_switchtoproedu.png b/education/windows/images/msfe_clickemaillink_switchtoproedu.png new file mode 100644 index 0000000000..ca70e35a6a Binary files /dev/null and b/education/windows/images/msfe_clickemaillink_switchtoproedu.png differ diff --git a/education/windows/images/msfe_manage.png b/education/windows/images/msfe_manage.png new file mode 100644 index 0000000000..0fd5802786 Binary files /dev/null and b/education/windows/images/msfe_manage.png differ diff --git a/education/windows/images/msfe_manage_benefits_checktoconfirm.png b/education/windows/images/msfe_manage_benefits_checktoconfirm.png new file mode 100644 index 0000000000..90df941e00 Binary files /dev/null and b/education/windows/images/msfe_manage_benefits_checktoconfirm.png differ diff --git a/education/windows/images/msfe_manage_benefits_switchtoproedu.png b/education/windows/images/msfe_manage_benefits_switchtoproedu.png new file mode 100644 index 0000000000..12ba470cc9 Binary files /dev/null and b/education/windows/images/msfe_manage_benefits_switchtoproedu.png differ diff --git a/education/windows/images/msfe_manage_reverttowin10pro.png b/education/windows/images/msfe_manage_reverttowin10pro.png new file mode 100644 index 0000000000..30d0313f9b Binary files /dev/null and b/education/windows/images/msfe_manage_reverttowin10pro.png differ diff --git a/education/windows/images/msfe_switchtoproedu_globaladminsemail_cancelswitch.png b/education/windows/images/msfe_switchtoproedu_globaladminsemail_cancelswitch.png new file mode 100644 index 0000000000..581a1c1e8c Binary files /dev/null and b/education/windows/images/msfe_switchtoproedu_globaladminsemail_cancelswitch.png differ diff --git a/education/windows/images/settings_connectedtoazuread_3.png b/education/windows/images/settings_connectedtoazuread_3.png new file mode 100644 index 0000000000..7311392405 Binary files /dev/null and b/education/windows/images/settings_connectedtoazuread_3.png differ diff --git a/education/windows/images/settings_setupworkorschoolaccount_2.png b/education/windows/images/settings_setupworkorschoolaccount_2.png new file mode 100644 index 0000000000..78237cfa31 Binary files /dev/null and b/education/windows/images/settings_setupworkorschoolaccount_2.png differ diff --git a/education/windows/images/settings_workorschool_1.png b/education/windows/images/settings_workorschool_1.png new file mode 100644 index 0000000000..4c53e6b3e2 Binary files /dev/null and b/education/windows/images/settings_workorschool_1.png differ diff --git a/education/windows/images/suspc_createpackage_configurestudentpcsettings.png b/education/windows/images/suspc_createpackage_configurestudentpcsettings.png new file mode 100644 index 0000000000..99a4f8c5fd Binary files /dev/null and b/education/windows/images/suspc_createpackage_configurestudentpcsettings.png differ diff --git a/education/windows/images/suspc_createpackage_recommendedapps.png b/education/windows/images/suspc_createpackage_recommendedapps.png new file mode 100644 index 0000000000..e1e2fdaa46 Binary files /dev/null and b/education/windows/images/suspc_createpackage_recommendedapps.png differ diff --git a/education/windows/images/suspc_createpackage_signin.png b/education/windows/images/suspc_createpackage_signin.png new file mode 100644 index 0000000000..1d05636ed6 Binary files /dev/null and b/education/windows/images/suspc_createpackage_signin.png differ diff --git a/education/windows/images/suspc_createpackage_skipwifi_modaldialog.png b/education/windows/images/suspc_createpackage_skipwifi_modaldialog.png new file mode 100644 index 0000000000..294c970e85 Binary files /dev/null and b/education/windows/images/suspc_createpackage_skipwifi_modaldialog.png differ diff --git a/education/windows/images/suspc_createpackage_summary.PNG b/education/windows/images/suspc_createpackage_summary.PNG index 3740cc9aef..2699f6e222 100644 Binary files a/education/windows/images/suspc_createpackage_summary.PNG and b/education/windows/images/suspc_createpackage_summary.PNG differ diff --git a/education/windows/images/suspc_createpackage_takeatest.png b/education/windows/images/suspc_createpackage_takeatest.png new file mode 100644 index 0000000000..0be05a727d Binary files /dev/null and b/education/windows/images/suspc_createpackage_takeatest.png differ diff --git a/education/windows/images/suspc_savepackage_insertusb.PNG b/education/windows/images/suspc_savepackage_insertusb.PNG index e5f9968d7e..6c36d04e88 100644 Binary files a/education/windows/images/suspc_savepackage_insertusb.PNG and b/education/windows/images/suspc_savepackage_insertusb.PNG differ diff --git a/education/windows/images/suspc_savepackage_ppkgisready.png b/education/windows/images/suspc_savepackage_ppkgisready.png new file mode 100644 index 0000000000..7f8ca446f5 Binary files /dev/null and b/education/windows/images/suspc_savepackage_ppkgisready.png differ diff --git a/education/windows/images/wcd_productkey.png b/education/windows/images/wcd_productkey.png new file mode 100644 index 0000000000..fbbfda7eb9 Binary files /dev/null and b/education/windows/images/wcd_productkey.png differ diff --git a/education/windows/index.md b/education/windows/index.md index 1228691020..9d3f183b1d 100644 --- a/education/windows/index.md +++ b/education/windows/index.md @@ -37,16 +37,17 @@ author: CelesteDG

[Take tests in Windows 10](take-tests-in-windows-10.md)
Take a Test is a new app that lets you create the right environment for taking tests. Learn how to use and get it set up.

[Chromebook migration guide](chromebook-migration-guide.md)
Find out how you can migrate a Chromebook-based learning environment to a Windows 10-based learning environment.

-## ![Deploy Windows 10 for education](images/PCicon.png) Deploy +## ![Deploy Windows 10 for Education](images/PCicon.png) Deploy

[Set up Windows devices for education](set-up-windows-10.md)
Depending on your school's device management needs, you can use the Set up School PCs app or the Windows Configuration Designer tool to quickly set up student PCs.

[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
Get step-by-step guidance to help you deploy Windows 10 in a school environment.

[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.

Try it out: Windows 10 deployment (for education)
Learn how to upgrade devices running the Windows 7 operating system to Windows 10 Anniversary Update, and how to manage devices, apps, and users in Windows 10 Anniversary Update.

For the best experience, use this guide in tandem with the TechNet Virtual Lab: IT Pro Try-It-Out.

-## ![Upgrade to Windows 10 for education](images/windows.png) Upgrade +## ![Switch to Windows 10 for Education](images/windows.png) Switch + +

[Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md)
If you have an education tenant and use Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education.

-

[Switch Windows 10 Pro to Pro Education from Microsoft Store for Education](windows-10-pro-to-pro-edu-upgrade.md)
If you have an education tenant and use Windows 10 Pro in your schools now, find out how you can opt-in to a free switch to Windows 10 Pro Education.

## Windows 8.1 diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 7c998c3e0b..39f0826ba4 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -70,7 +70,7 @@ To make this as seamless as possible, in your Azure AD tenant: ![Set maximum number of devices per user to unlimited](images/azuread_usersandgroups_devicesettings_maxnumberofdevicesperuser.png) -- Clear your Azure AD tokens from time to time. Your tenant can only have 50 automated Azure AD tokens active at any one time. +- Clear your Azure AD tokens from time to time. Your tenant can only have 500 automated Azure AD tokens active at any one time. In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > All users** and look at the list of user names. User names that start with **package_** followed by a string of letters and numbers. These are the user accounts that are created automatically for the tokens and you can safely delete these. diff --git a/education/windows/switch-to-pro-education.md b/education/windows/switch-to-pro-education.md new file mode 100644 index 0000000000..a42e464435 --- /dev/null +++ b/education/windows/switch-to-pro-education.md @@ -0,0 +1,378 @@ +--- +title: Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S +description: Learn how IT Pros can opt into switching to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S. +keywords: switch, free switch, Windows 10 Pro to Windows 10 Pro Education, Windows 10 S to Windows 10 Pro Education, education customers, Windows 10 Pro Education, Windows 10 Pro, Windows 10 S +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: edu +localizationpriority: high +author: CelesteDG +--- + +# Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S +Windows 10 Pro Education is a new offering in Windows 10, version 1607. This edition builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools by providing education-specific default settings. + +If you have an education tenant and use devices with Windows 10 Pro or Windows 10 S, global administrators can opt-in to a free switch to Windows 10 Pro Education depending on your scenario. +- [Switch from Windows 10 S to Windows 10 Pro Education](#switch-from-windows-10-s-to-windows-10-pro-education) +- [Switch from Windows 10 Pro to Windows 10 Pro Education](#switch-from-windows-10-pro-to-windows-10-pro-education) + +To take advantage of this offering, make sure you meet the [requirements for switching](#requirements-for-switching). For academic customers who are eligible to switch to Windows 10 Pro Education, but are unable to use the above methods, contact Microsoft Support for assistance. + +## Requirements for switching +Before you switch to Windows 10 Pro Education, make sure you meet these requirements: +- Devices must be running Windows 10 Pro, version 1607 or higher; or running Windows 10 S, version 1703 +- Devices must be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices). + + If you haven't domain joined your devices already, [prepare for deployment of Windows 10 Pro Education licenses](#preparing-for-deployment-of-windows-10-pro-education-licenses). + +- The Azure AD tenant must be recognized as an education approved tenant. +- You must have a Microsoft Store for Education account. +- The user making the changes must be a member of the Azure AD global administrator group. + +## Compare Windows 10 Pro and Pro Education editions +You can [compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) to find out more about the features we support in other editions of Windows 10. + +For more info about Windows 10 default settings and recommendations for education customers, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). + + +## Switch from Windows 10 S to Windows 10 Pro Education +There are two ways to switch from Windows 10 S to Windows 10 Pro Education, outlined below. Regardless of how you switch to Windows 10 Pro Education, note that you can only switch devices back to Windows 10 S through reimaging. + +1. **Bulk switch through Microsoft Store for Education** + + In this scenario, the global admin for the Azure AD education tenant can use Microsoft Store to switch all Windows 10 S devices on the tenant to Windows 10 Pro Education. See [Switch using Microsoft Store for Education](#switch-using-microsoft-store-for-education) for details on how to do this. + +2. **Asynchronous switch** + + In this scenario, the global admin must acquire the necessary keys and then select a method for key distribution. + + **Key acquisition options:** + + - Volume Licensing customers - For schools with active Microsoft Volume Licensing agreements, global admins can obtain free MAK keys for Windows 10 Pro Education. + + > [!NOTE] + > Windows 10 S is a Qualified OS (QOS) for Academic Volume Licensing only. + + - Non-Volume Licensing customers - For schools without an active Microsoft Volume Licensing agreement, the global admin can contact CSS, fill out a form and provide a proof of purchase to receive MAK keys for Windows 10 Pro Education. + + **Key distribution options:** + + - Bulk key distribution - You can apply MAK keys to switch the operating system on select devices or groups of devices using one of these methods: + - Use Microsoft Intune for Education. See [Switch using Intune for Education](#switch-using-intune-for-education) for details on how to do this. + - Use Windows Configuration Designer to create a provisioning package that will provision the switch on the device(s). See [Switch using Windows Configuration Designer](#switch-using-windows-configuration-designer) for details on how to do this. + - Use the mobile device management (MDM) policy, **UpgradeEditionWithProductKey**. See [Switch using MDM](#switch-using-mdm) for details on how to do this. + - Use scripting. See [Switch using scripting](#switch-using-scripting) for details on how to do this. + + - Manual key entry - You can also manually apply the MAK key using one of these methods: + - Enter the MAK key in the Windows **Settings > Activation** page. See [Switch using the Activation page](#switch-using-the-activation-page) for details on how to do this. + - Install with a media and key through Windows setup. We don't recommend this option due to the potential for multi-reboot requirements. + + +## Switch from Windows 10 Pro to Windows 10 Pro Education + +For schools that want to standardize all their Windows 10 Pro devices to Windows 10 Pro Education, a global admin for the school can opt-in to a free switch through the Microsoft Store for Education. + +In this scenario: + +- The IT admin of the tenant chooses to turn on the switch for all Azure AD joined devices. +- Any device that joins the Azure AD will switch automatically to Windows 10 Pro Education. +- The IT admin has the option to automatically roll back to Windows 10 Pro, if desired. See [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro). + +See [Switch using Microsoft Store for Education](#switch-using-microsoft-store-for-education) for details on how to do this. + +## Switch options from Windows 10 S to Windows 10 Pro Education +If you want to switch only a few or a select group of Windows 10 S devices to Windows 10 Pro Education, you can use one of the following key distribution options once you've obtained the MAK keys for Windows 10 Pro Education. See [Switch from Windows 10 S to Windows 10 Pro Education](#switch-from-windows-10-s-to-windows-10-pro-education) for more info. + +### Switch using Intune for Education + +1. In Intune for Education, select **Groups** and then choose the group that you want to apply the MAK license key to. + + For example, to apply the switch for all teachers, select **All Teachers** and then select **Settings**. + +2. In the settings page, find **Edition upgrade** and then: + 1. Select the edition in the **Edition to upgrade to** field + 2. Enter the MAK license key in the **Product key** field + + **Figure 1** - Enter the details for the Windows edition switch + + ![Enter the details for the Windows edition switch](images/i4e_editionupgrade.png) + +3. The switch will automatically be applied to the group you selected. + + +### Switch using Windows Configuration Designer +You can use Windows Configuration Designer to create a provisioning package that you can use to switch the Windows edition for your device(s). [Install Windows Configuration Designer from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22) to create a provisioning package. + +1. In Windows Configuration Designer, select **Provision desktop devices** to open the simple editor and create a provisioning package for Windows desktop editions. +2. In the **Set up device** page, enter the MAK license key in the **Enter product key** field to switch to Windows 10 Pro Education. + + **Figure 2** - Enter the license key + + ![Enter the license key to switch to Windows 10 Pro Education](images/wcd_productkey.png) + +3. Complete the rest of the process for creating a provisioning package and then apply the package to the devices you want to switch to Windows 10 Pro Education. + + For more information about using Windows Configuration Designer, see [Set up student PCs to join domain](https://technet.microsoft.com/en-us/edu/windows/set-up-students-pcs-to-join-domain). + +### Switch using MDM + +To switch Windows 10 S to Windows 10 Pro Education, enter the product key for the Windows 10 Pro Education edition in the **UpgradeEditionWithProductKey** policy setting of the [WindowsLicensing CSP](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/windowslicensing-csp). + +### Switch using scripting + +You can switch from Windows 10 S to Windows 10 Pro Education by running the changepk.exe command-line tool. To do this, run the following command: + +``` +changepk.exe /ProductKey MAK_key_or_product_key +``` + +Replace *MAK_key_or_product_key* with the MAK key that you obtained for the Windows 10 edition switch. + + +### Switch using the Activation page + +1. On the Windows device that you want to switch, open the **Settings** app. +2. Select **Update & security** > **Activation**, and then click **Change product key**. +3. In the **Enter a product key** window, enter the MAK key for Windows 10 Pro Education and click **Next**. + + +## Education customers with Azure AD joined devices + +Academic institutions can easily move from Windows 10 S or Windows 10 Pro to Windows 10 Pro Education without using activation keys or reboots. When one of your users enters their Azure AD credentials associated with a Windows 10 Pro Education license, the operating system switches to Windows 10 Pro Education and all the appropriate Windows 10 Pro Education features are unlocked. Previously, only schools or organizations purchasing devices as part of the Shape the Future K-12 program or with a Microsoft Volume Licensing Agreement could deploy Windows 10 Pro Education to their users. Now, if you have an Azure AD for your organization, you can take advantage of the Windows 10 Pro Education features. + +When you switch to Windows 10 Pro Education, you get the following benefits: + +- **Windows 10 Pro Education edition**. Devices currently running Windows 10 Pro, version 1607 or higher, or Windows 10 S, version 1703, can get Windows 10 Pro Education Current Branch (CB). This benefit does not include Long Term Service Branch (LTSB). +- **Support from one to hundreds of users**. The Windows 10 Pro Education program does not have a limitation on the number of licenses an organization can have. +- **Roll back options to Windows 10 Pro** + - When a user leaves the domain or you turn off the setting to automatically switch to Windows 10 Pro Education, the device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 30 days). + - For devices that originally had Windows 10 Pro edition installed, when a license expires or is transferred to another user, the Windows 10 Pro Education device seamlessly steps back down to Windows 10 Pro. + + See [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro) for more info. + + For devices that originally had Windows 10 S installed, Windows 10 Pro Education cannot step back down to Windows 10 S. You will need to reimage these devices with Windows 10 S if you need to step down from Windows 10 Pro Education to Windows 10 S. + + +### Switch using Microsoft Store for Education +Once you enable the setting to switch to Windows 10 Pro Education, the switch will begin only after a user signs in to their device. The setting applies to the entire organization or tenant, so you cannot select which users will receive the switch. The switch will only apply to Windows 10 S and Windows 10 Pro devices. + +**To turn on the automatic switch to Windows 10 Pro Education** + +1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your work or school account. + + If this is the first time you're signing into the Microsoft Store for Education, you'll be prompted to accept the Microsoft Store for Education Terms of Use. + +2. Click **Manage** from the top menu and then select the **Benefits tile**. +3. In the **Benefits** tile, look for the **Switch to Windows 10 Pro Education for free** link and then click it. + + You will see the following page informing you that your school is eligible to switch free to Windows 10 Pro Education from Windows 10 S or Windows 10 Pro. + + **Figure 3** - Switch Windows 10 Pro to Windows 10 Pro Education + + ![Eligible for free Windows 10 Pro to Windows 10 Pro Education switch](images/msfe_manage_benefits_switchtoproedu.png) + +4. In the **Switch all your devices to Windows 10 Pro Education for free** page, check box next to **I understand enabling this setting will switch all domain-joined devices running Windows 10 Pro or Windows 10 S in my organization**. + + **Figure 4** - Check the box to confirm + + ![Check the box to confirm](images/msfe_manage_benefits_checktoconfirm.png) + +5. Click **Switch all my devices**. + + A confirmation window pops up to let you know that an email has been sent to you to enable the switch. + +6. Close the confirmation window and check the email to proceed to the next step. +7. In the email, click the link to **Switch to Windows 10 Pro Education**. Once you click the link, this will take you back to the Microsoft Store for Education portal. + + **Figure 5** - Click the link in the email to switch to Windows 10 Pro Education + + ![Click the email link to switch to Windows 10 Pro Education](images/msfe_clickemaillink_switchtoproedu.png) + +8. Click **Switch now** in the **Switching your device to Windows 10 Pro Education for free** page in the Microsoft Store. + + You will see a window that confirms you've successfully switched all the devices in your organization to Windows 10 Pro Education, and each Azure AD joined device running Windows 10 Pro or Windows 10 S will automatically switch the next time someone in your organization signs in to the device. + +9. Click **Close** in the **Success** window. + +Enabling the automatic switch also triggers an email message notifying all global administrators in your organization about the switch. It also contains a link that enables any global administrators to cancel the switch if they choose. For more info about rolling back or canceling the switch, see [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro).\ + +**Figure 6** - Email notifying all global admins about the switch + +![Email notifying all global admins about the switch](images/msfe_switchtoproedu_globaladminsemail_cancelswitch.png) + + +## Explore the switch experience + +So what will users experience? How will they switch their devices? + +### For existing Azure AD joined devices +Existing Azure AD domain joined devices will be switched to Windows 10 Pro Education the next time the user logs in. That's it! No additional steps are needed. + +### For new devices that are not Azure AD joined +Now that you've turned on the setting to automatically switch to Windows 10 Pro Education, the users are ready to switch their devices running Windows 10 Pro, version 1607 or higher or Windows 10 S, version 1703 to Windows 10 Pro Education edition. + +#### Step 1: Join users’ devices to Azure AD + +Users can join a device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1607 or higher, or Windows 10 S, version 1703. + +**To join a device to Azure AD the first time the device is started** + +There are different methods you can use to join a device to Azure AD: +- For multiple devices, we recommend using the [Set up School PCs app](use-set-up-school-pcs-app.md) to create a provisioning package to quickly provision and set up Windows 10 devices for education. +- For individual devices, you can use the Set up School PCs app or go through the Windows 10 device setup experience. If you choose this option, see the following steps. + +**To join a device to Azure AD using Windows device setup** + +If the Windows device is running Windows 10, version 1703, follow these steps. + +1. During initial device setup, on the **How would you like to set up?** page, select **Set up for an organization**, and then click **Next**. + + **Figure 7** - Select how you'd like to set up the device + + ![Select how you'd like to set up the device](images/1_howtosetup.png) + +2. On the **Sign in with Microsoft** page, enter the username and password to use with Office 365 or other services from Microsoft, and then click **Next**. + + **Figure 8** - Enter the account details + + ![Enter the account details you use with Office 365 or other Microsoft services](images/2_signinwithms.png) + +3. Go through the rest of Windows device setup. Once you're done, the device will be Azure AD joined to your school's subscription. + + +**To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 or Windows 10 S, version 1703 installed and set up** + +If the Windows device is running Windows 10, version 1703, follow these steps. + +1. Go to **Settings > Accounts > Access work or school**. + + **Figure 9** - Go to **Access work or school** in Settings + + ![Go to Access work or school in Settings](images/settings_workorschool_1.png) + +2. In **Access work or school**, click **Connect**. +3. In the **Set up a work or school account** window, click the **Join this device to Azure Active Directory** option at the bottom. + + **Figure 10** - Select the option to join the device to Azure Active Directory + + ![Select the option to join the device to Azure Active Directory](images/settings_setupworkorschoolaccount_2.png) + +4. On the **Let's get you signed in** window, enter the Azure AD credentials (username and password) and sign in. This will join the device to the school's Azure AD. +5. To verify that the device was successfully joined to Azure AD, go back to **Settings > Accounts > Access work or school**. You should now see a connection under the **Connect to work or school** section that indicates the device is connected to Azure AD. + + **Figure 11** - Verify the device connected to Azure AD + + ![Verify the device is connected to Azure AD](images/settings_connectedtoazuread_3.png) + + +#### Step 2: Sign in using Azure AD account + +Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account. The Windows 10 Pro Education license associated with the user will enable Windows 10 Pro Education edition capabilities on the device. + + +#### Step 3: Verify that Pro Education edition is enabled + +You can verify the Windows 10 Pro Education in **Settings > Update & Security > Activation**. + +**Figure 12** - Windows 10 Pro Education in Settings + +Windows 10 activated and subscription active + +If there are any problems with the Windows 10 Pro Education license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process. + +### Troubleshoot the user experience + +In some instances, users may experience problems with the Windows 10 Pro Education switch. The most common problems that users may experience are as follows: + +- The existing operating system (Windows 10 Pro, version 1607 or higher, or Windows 10 S, version 1703) is not activated. +- The Windows 10 Pro Education switch has lapsed or has been removed. + +Use the following figures to help you troubleshoot when users experience these common problems: + +**Figure 13** - Illustrates a device in a healthy state, where the existing operating system is activated, and the Windows 10 Pro Education switch is active. + +Windows 10 activated and subscription active

+ + +**Figure 14** - Illustrates a device on which the existing operating system is not activated, but the Windows 10 Pro Education switch is active. + +Windows 10 not activated and subscription active

+ + +### Review requirements on devices + +Devices must be running Windows 10 Pro, version 1607 or higher, or Windows 10 S, version 1703 and be Azure AD joined, or domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible. You can use the following procedures to review whether a particular device meets requirements. + +**To determine if a device is Azure AD joined** + +1. Open a command prompt and type the following: + + ``` + dsregcmd /status + ``` + +2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory joined. + +**To determine the version of Windows 10** + +- At a command prompt, type: + + ``` + winver + ``` + + A popup window will display the Windows 10 version number and detailed OS build information. + + > [!NOTE] + > If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be switched to Windows 10 Pro Education when a user signs in, even if the user has been assigned a license. + +### Roll back Windows 10 Pro Education to Windows 10 Pro + +If your organization has the Windows 10 Pro to Windows 10 Pro Education switch enabled, and you decide to roll back to Windows 10 Pro or to cancel the switch, you can do this by: + +- Logging into Microsoft Store for Education page and turning off the automatic switch. +- Selecting the link to turn off the automatic switch from the notification email sent to all global administrators. + +Once the automatic switch to Windows 10 Pro Education is turned off, the change is effective immediately. Devices that were switched will revert to Windows 10 Pro only after the license has been refreshed (every 30 days) and the next time the user signs in. This means that a user whose device was switched may not immediately see Windows 10 Pro Education rolled back to Windows 10 Pro for up to 30 days. However, users who haven't signed in during the time that a switch was enabled and then turned off will never see their device change from Windows 10 Pro. + +> [!NOTE] +> Devices that were switched from Windows 10 S to Windows 10 Pro Education cannot roll back to Windows 10 S. + +**To roll back Windows 10 Pro Education to Windows 10 Pro** + +1. Log in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your school or work account, or follow the link from the notification email to turn off the automatic switch. +2. Select **Manage > Benefits** and locate the section **Windows 10 Pro Education** and follow the link. +3. In the **Revert to Windows 10 Pro** page, click **Revert to Windows 10 Pro**. + + **Figure 15** - Revert to Windows 10 Pro + + ![Revert to Windows 10 Pro](images/msfe_manage_reverttowin10pro.png) + +4. You will be asked if you're sure that you want to turn off automatic switches to Windows 10 Pro Education. Click **Yes**. +5. Click **Close** in the **Success** page. + + All global admins get a confirmation email that a request was made to roll back your organization to Windows 10 Pro. If you, or another global admin, decide later that you want to turn on automatic switches again, you can do this by selecting **Switch to Windows 10 Pro Education for free** from the **Manage > Benefits** in the Microsoft Store for Education. + + +## Preparing for deployment of Windows 10 Pro Education licenses + +If you have on-premises Active Directory Domain Services (AD DS) domains, users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Pro Education to users, you need to synchronize the identities in the on-premises AD DS domain with Azure AD. + +You need to synchronize these identities so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Pro Education). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. + +Figure 11 illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](http://www.microsoft.com/en-us/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure. + +**Figure 16** - On-premises AD DS integrated with Azure AD + +![Illustration of Azure Active Directory Connect](images/windows-ad-connect.png) + +For more information about integrating on-premises AD DS domains with Azure AD, see these resources: +- [Integrating your on-premises identities with Azure Active Directory](http://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/) +- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/) + +## Related topics + +[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) +[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md) +[Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index 597919abca..7338cfbdc0 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -34,13 +34,10 @@ Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recomm * Prevents students from removing the PC from the school's device management system * Prevents students from removing the Set up School PCs settings - Keeps student PCs up-to-date without interfering with class time using Windows Update and maintenance hours - -A student PC that's set up using the Set up School PCs provisioning package is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. - * Customizes the Start layout with Office - * Installs OneDrive for cloud-based documents and places it on the Start menu and taskbar - * Uninstalls apps not specific to education, such as Solitaire - * [Gets the student PC ready for use in an education environment](configure-windows-for-education.md) - * Prevents students from adding personal Microsoft accounts to the PC +- Customizes the Start layout with Office +- Installs OneDrive for storing cloud-based documents and Sway for creating interactive reports, presentations, and more +- Uninstalls apps not specific to education, such as Solitaire +- Prevents students from adding personal Microsoft accounts to the PC ## Tips for success @@ -132,13 +129,21 @@ The **Set up School PCs** app guides you through the configuration choices for t **Figure 2** - Verify that the account you selected shows up - ![Verify that the account you selected shows up](images/suspc_choosesettings_signin_final.png) + ![Verify that the account you selected shows up](images/suspc_createpackage_signin.png) 5. Click **Next**. 4. To allow the student PCs to automatically connect to your school's wireless network, in the **Select the school's wireless network** page: 1. Select the school's Wi-Fi network from the list of available wireless networks or manually add a wireless network. - 2. Click **Next**. + 2. Click **Next** if you added or selected a wireless network, or **Skip** to skip configuring a wireless network. + + If you click **Skip**, you will see the following dialog. + * If you select **Got it**, you will go to the next page without Wi-Fi set up. + * If you select **Add Wi-Fi**, you will go back to the Wi-Fi page to add a wireless network. + + **Figure 3** - Only skip Wi-Fi if you have a wired Ethernet connection + + ![Only skip Wi-Fi if you have a wired Ethernet connection](images/suspc_createpackage_skipwifi_modaldialog.png) 5. To assign a name to the student PCs, in the **Assign a name to these student PCs** page: 1. Add a short name that Set up School PCs will use as a prefix to identify and easily manage the group of devices, apps, and other settings through your device management client. @@ -168,9 +173,9 @@ The **Set up School PCs** app guides you through the configuration choices for t - To change the default lock screen background or to use your school's custom lock screen background, click **Browse** to select a new lock screen background. - **Figure 3** - Configure student PC settings + **Figure 4** - Configure student PC settings - ![Configure student PC settings](images/suspc_createpackage_settingspage.png) + ![Configure student PC settings](images/suspc_createpackage_configurestudentpcsettings.png) When you're doing configuring the student PC settings, click **Next**. @@ -180,50 +185,49 @@ The **Set up School PCs** app guides you through the configuration choices for t If you set up Take a Test, this adds a **Take a Test** button on the student PC's sign-in screen. Windows will also lock down the student PC so that students can't access anything else while taking the test. - **Figure 4** - Configure the Take a Test app + **Figure 5** - Configure the Take a Test app - ![Configure the Take a Test app](images/suspc_createpackage_takeatestpage.png) + ![Configure the Take a Test app](images/suspc_createpackage_takeatest.png) 3. Click **Next** or **Skip** depending on whether you want to set up Take a Test. - - -8. In the **Review package summary** page, make sure that all the settings you configured appear correctly. +9. In the **Review package summary** page, make sure that all the settings you configured appear correctly. 1. If you need to change any of the settings, you can on the sections to go back to that page and make your changes. - **Figure 5** - Review your settings and change them as needed + **Figure 7** - Review your settings and change them as needed ![Review your settings and change them as needed](images/suspc_createpackage_summary.png) 2. Click **Accept**. -9. In the **Insert a USB drive now** page: +10. In the **Insert a USB drive now** page: 1. Insert a USB drive to save your settings and create a provisioning package on the USB drive. 2. Set up School PCs will automatically detect the USB drive after it's inserted. Choose the USB drive from the list. 3. Click **Save** to save the provisioning package to the USB drive. - **Figure 6** - Select the USB drive and save the provisioning package + **Figure 8** - Select the USB drive and save the provisioning package - ![Select the USB drive and save the provisioning package](images/suspc_savepackage_insertusb_050817.png) + ![Select the USB drive and save the provisioning package](images/suspc_savepackage_insertusb.png) -10. When the provisioning package is ready, you will see the name of the file and you can remove the USB drive. Click **Next** if you're done, or click **Add a USB** to save the same provisioning package to another USB drive. +11. When the provisioning package is ready, you will see the name of the file and you can remove the USB drive. Click **Next** if you're done, or click **Add a USB** to save the same provisioning package to another USB drive. - **Figure 7** - Provisioning package is ready + **Figure 9** - Provisioning package is ready - ![Provisioning package is ready](images/suspc_ppkgisready_050817.png) + ![Provisioning package is ready](images/suspc_savepackage_ppkgisready.png) 12. Follow the instructions in the **Get the student PCs ready** page to start setting up the student PCs. - **Figure 8** - Line up the student PCs and get them ready for setup + **Figure 10** - Line up the student PCs and get them ready for setup ![Line up the student PCs and get them ready for setup](images/suspc_runpackage_getpcsready.png) @@ -232,7 +236,7 @@ The **Set up School PCs** app guides you through the configuration choices for t Select **Create new package** if you need to create a new provisioning package. Otherwise, you can remove the USB drive if you're completely done creating the package. - **Figure 9** - Install the provisioning package on the student PCs + **Figure 11** - Install the provisioning package on the student PCs ![Install the provisioning package on the student PCs](images/suspc_runpackage_installpackage.png) @@ -250,19 +254,19 @@ The provisioning package on your USB drive is named `Set up School PCs.ppkg`. A If the PC has gone past the account setup screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. - **Figure 10** - The first screen during first-run setup in Windows 10 Creators Update (version 1703) + **Figure 12** - The first screen during first-run setup in Windows 10 Creators Update (version 1703) ![The first screen to set up a new PC in Windows 10 Creators Update](images/win10_1703_oobe_firstscreen.png) 2. Insert the USB drive. Windows will recognize the drive and automatically install the provisioning package. - **Figure 11** - Windows automatically detects the provisioning package and installs it + **Figure 13** - Windows automatically detects the provisioning package and installs it ![Windows automatically detects the provisioning package and installs it](images/suspc_studentpcsetup_installingsetupfile.png) 3. You can remove the USB drive when you see the message that you can remove the removable media. You can then use the USB drive to start provisioning another student PC. - **Figure 12** - Remove the USB drive when you see the message that the media can be removed + **Figure 14** - Remove the USB drive when you see the message that the media can be removed ![You can remove the USB drive when you see the message that the media can be removed](images/suspc_setup_removemediamessage.png) diff --git a/education/windows/windows-10-pro-to-pro-edu-upgrade.md b/education/windows/windows-10-pro-to-pro-edu-upgrade.md deleted file mode 100644 index 373293b8ac..0000000000 --- a/education/windows/windows-10-pro-to-pro-edu-upgrade.md +++ /dev/null @@ -1,263 +0,0 @@ ---- -title: Switch Windows 10 Pro to Pro Education -description: Describes how IT Pros can opt into switching from Windows 10 Pro to Windows 10 Pro Education from the Microsoft Store for Education. -keywords: switch, Pro to Pro Education, education customers -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: edu -localizationpriority: high -author: CelesteDG ---- - -# Switch Windows 10 Pro to Pro Education from Microsoft Store for Education - -Windows 10 Pro Education is a new offering in Windows 10 Anniversary Update (Windows 10, version 1607). This edition builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools by providing education-specific default settings. - -If you have an education tenant and use Windows 10 Pro in your schools now, global administrators can opt-in to a free switch to Windows 10 Pro Education through the Microsoft Store for Education. To take advantage of this offering, make sure you meet the [requirements for switching](#requirements-for-switching). - -Starting with Windows 10, version 1607, academic institutions can easily move from Windows 10 Pro to Windows 10 Pro Education—no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10 Pro Education license, the operating system turns from Windows 10 Pro to Windows 10 Pro Education and all the appropriate Windows 10 Pro Education features are unlocked. When a license expires or is transferred to another user, the Windows 10 Pro Education device seamlessly steps back down to Windows 10 Pro. - -Previously, only schools or organizations purchasing devices as part of the Shape the Future K-12 program or with a Microsoft Volume Licensing Agreement could deploy Windows 10 Pro Education to their users. Now, if you have a Azure AD for your organization, you can take advantage of the Windows 10 Pro Education features. - -When you switch to Windows 10 Pro Education, you get the following benefits: - -- **Windows 10 Pro Education edition**. Devices currently running Windows 10 Pro, version 1607 can get Windows 10 Pro Education Current Branch (CB). This benefit does not include Long Term Service Branch (LTSB). -- **Support from one to hundreds of users**. The Windows 10 Pro Education program does not have a limitation on the number of licenses an organization can have. -- **Roll back to Windows 10 Pro at any time**. When a user leaves the domain or you turn off the setting to automatic switch to Windows 10 Pro Education, the device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 30 days). - -In summary, the Windows 10 Pro Education free switch through the Microsoft Store for Education is an offering that provides organizations easier, more flexible access to the benefits of Windows 10 Pro Education edition. - -## Compare Windows 10 Pro and Pro Education editions - -In Windows 10, version 1607, the Windows 10 Pro Education edition contains the same features as the Windows 10 Pro edition except for the following differences: - -- Cortana is removed from Windows 10 Pro Education -- Options to manage Windows 10 tips and tricks and Windows Store suggestions - -See [Windows 10 editions for education customers](windows-editions-for-education-customers.md) for more info about Windows 10 Pro Education and you can also [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) to find out more about the features we support in other editions of Windows 10. - -## Requirements for switching - -Before you switch from Windows 10 Pro to Windows 10 Pro Education, make sure you meet these requirements: -- Devices must be: - - Running Windows 10 Pro, version 1607 - - Must be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices). - - If you haven't domain joined your devices already, [prepare for deployment of Windows 10 Pro Education licenses](#preparing-for-deployment-of-windows-10-pro-education-licenses). -- The user making the changes must be a member of the Azure AD global administrator group. -- The Azure AD tenant must be recognized as an education approved tenant. -- You must have a Microsoft Store for Education account. - -## Switch from Windows 10 Pro to Windows 10 Pro Education -Once you enable the setting to switch Windows 10 Pro to Windows 10 Pro Education, the switch will begin only after a user signs in to their device. The setting applies to the entire organization so you cannot select which users will receive the switch. - -**To turn on the automatic switch from Windows 10 Pro to Windows 10 Pro Education** - -1. Sign in to [Microsoft Store for Education](https://businessstore.microsoft.com/en-us/Store/Apps) with your work or school account. - - If this is the first time you're signing into the Microsoft Store, you'll be prompted to accept the Microsoft Store for Business and Education License Agreement. - -2. Go to **Manage > Account information**. -3. In the **Account information** page, look for the **Automatic Windows 10 Pro Education upgrade** section and follow the link. - - You will see the following page informing you that your school is eligible for a free automatic switch from Windows 10 Pro to Windows 10 Pro Education. - - ![Eligible for free Windows 10 Pro to Windows 10 Pro Education switch](images/wsfb_win10_pro_to proedu_upgrade_eligibility_page.png) - - **Figure 1** - Switch Windows 10 Pro to Windows 10 Pro Education - -4. Select **I understand enabling this setting will impact all devices running Windows 10 Pro in my organization**. -5. Click **Send me email with a link to enable this upgrade** to receive an email with a link to the switch. - - ![Email with Windows 10 Pro to Pro Education switch link](images/wsfb_win10_pro_to_proedu_email_upgrade_link.png) - - **Figure 2** - Email notification with a link to enable the switch - -6. Click **Enable the automatic upgrade now** to turn on automatic switches. - - ![Enable the automatic switch](images/wsfb_win10_pro_to proedu_upgrade_enable.png). - - **Figure 3** - Enable the automatic switch - - Enabling the automatic switch also triggers an email message notifying all global administrators in your organization about the switch. It also contains a link that enables any global administrators to cancel the switch, if they choose. For more info about rolling back or canceling the switch, see [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro). - - ![Email informing other global admins about the switch](images/wsfb_win10_pro_to proedu_upgrade_email_global_admins.png). - - **Figure 4** - Notification email sent to all global administrators - -7. Click **Close** in the **Success** page. - - In the **Upgrade Windows 10 Pro to Windows 10 Pro Education** page, you will see a message informing you when the switch was enabled and the name of the admin who enabled the switch. - - ![Summary page about the switch](images/wsfb_win10_pro_to proedu_upgrade_summary.png) - - **Figure 5** - Details about the automatic switch - - -## Explore the switch experience - -So what will the users experience? How will they switch their devices? - -### For existing Azure AD domain joined devices -Existing Azure AD domain joined devices will be switched from Windows 10 Pro to Windows 10 Pro Education the next time the user logs in. That's it! No additional steps are needed. - -### For new devices that are not Azure AD domain joined -Now that you've turned on the setting to automatically switch Windows 10 Pro to Windows 10 Pro Education, the users are ready to switch their devices running Windows 10 Pro, version 1607 edition to Windows 10 Pro Education edition. - -#### Step 1: Join users’ devices to Azure AD - -Users can join a device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1607. - -**To join a device to Azure AD the first time the device is started** - -1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 6**. - - Who owns this PC? page in Windows 10 setup - - **Figure 6** - The “Who owns this PC?” page in initial Windows 10 setup - -2. On the **Choose how you’ll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 7**. - - Choose how you'll connect - page in Windows 10 setup - - **Figure 7** - The “Choose how you’ll connect” page in initial Windows 10 setup - -3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 8**. - - Let's get you signed in - page in Windows 10 setup - - **Figure 8** - The “Let’s get you signed in” page in initial Windows 10 setup - -Now the device is Azure AD joined to the company’s subscription. - -**To join a device to Azure AD when the device already has Windows 10 Pro, version 1607 installed and set up** - -1. Go to **Settings > Accounts > Access work or school**, as illustrated in **Figure 9**. - - Connect to work or school configuration - - **Figure 9** - Connect to work or school configuration in Settings - -2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 10**. - - Set up a work or school account - - **Figure 10** - Set up a work or school account - -3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 11**. - - Let's get you signed in - dialog box - - **Figure 11** - The “Let’s get you signed in” dialog box - -Now the device is Azure AD joined to the company’s subscription. - -#### Step 2: Sign in using Azure AD account - -Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in **Figure 12**. The Windows 10 Pro Education license associated with the user will enable Windows 10 Pro Education edition capabilities on the device. - -Sign in, Windows 10 - -**Figure 12** - Sign in by using Azure AD account - -#### Step 3: Verify that Pro Education edition is enabled - -You can verify the Windows 10 Pro Education in **Settings > Update & Security > Activation**, as illustrated in **Figure 13**. - - - -**Figure 13** - Windows 10 Pro Education in Settings - -Windows 10 activated and subscription active - -If there are any problems with the Windows 10 Pro Education license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process. - -## Troubleshoot the user experience - -In some instances, users may experience problems with the Windows 10 Pro Education switch. The most common problems that users may experience are as follows: - -- The existing Windows 10 Pro, version 1607 operating system is not activated. - -- The Windows 10 Pro Education switch has lapsed or has been removed. - -Use the following figures to help you troubleshoot when users experience these common problems: - - - -**Figure 13** - Illustrates a device in a healthy state, where Windows 10 Pro, version 1607 is activated and the Windows 10 Pro Education switch is active. - -Windows 10 activated and subscription active - - - -**Figure 14** - Illustrates a device on which Windows 10 Pro, version 1607 is not activated, but the Windows 10 Pro Education switch is active. - -Windows 10 not activated and subscription active

- - -### Review requirements on devices - -Devices must be running Windows 10 Pro, version 1607, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements. - -**To determine if a device is Azure Active Directory joined** - -1. Open a command prompt and type **dsregcmd /status**. - -2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory joined. - -**To determine the version of Windows 10** - -- At a command prompt, type: - **winver** - - A popup window will display the Windows 10 version number and detailed OS build information. - - If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be switched to Windows 10 Pro Education when a user signs in, even if the user has been assigned a license. - -## Roll back Windows 10 Pro Education to Windows 10 Pro - -If your organization has the Windows 10 Pro to Windows 10 Pro Education switch enabled, and you decide to roll back to Windows 10 Pro or to cancel the switch, you can do this by: -- Logging into Microsoft Store for Education page and turning off the automatic switch. -- Selecting the link to turn off the automatic switch from the notification email sent to all global administrators. - -Once the automatic switch to Windows 10 Pro Education is turned off, the change is effective immediately. Devices that were switched will revert to Windows 10 Pro only after the license has been refreshed (every 30 days) and the next time the user signs in. This means that a user whose device was switched may not immediately see Windows 10 Pro Education rolled back to Windows 10 Pro for up to 30 days. However, users who haven't signed in during the time that an switch was enabled and then turned off will never see their device change from Windows 10 Pro. - -**To roll back Windows 10 Pro Education to Windows 10 Pro** -1. Log in to [Microsoft Store for Education](https://businessstore.microsoft.com/en-us/Store/Apps) with your school or work account, or follow the link from the notification email to turn off the automatic switch. -2. Select **Manage > Account information** and locate the section **Automatic Windows 10 Pro Education upgrade** and follow the link. -3. In the **Upgrade Windows 10 Pro to Windows 10 Pro Education** page, select **Turn off the automatic upgrade to Windows 10 Pro Education**. - - ![Turn off automatic switch to Windows 10 Pro Education](images/wsfb_win10_pro_to proedu_upgrade_disable.png) - - **Figure 15** - Link to turn off the automatic switch - -4. You will be asked if you're sure that you want to turn off automatic switches to Windows 10 Pro Education. Click **Yes**. -5. Click **Close** in the **Success** page. -6. In the **Upgrade Windows 10 Pro to Windows 10 Pro Education** page, you will see information on when the switch was disabled. - - If you decide later that you want to turn on automatic switches again, you can do this from the **Upgrade Windows 10 Pro to Windows 10 Pro Education**. - -## Preparing for deployment of Windows 10 Pro Education licenses - -If you have on-premises Active Directory Domain Services (AD DS) domains, users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Pro Education to users, you need to synchronize the identities in the on-premises AD DS domain with Azure AD. - -You need to synchronize these identities so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Pro Education). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. - -**Figure 16** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](http://www.microsoft.com/en-us/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure. - -![Illustration of Azure Active Directory Connect](images/windows-ad-connect.png) - -**Figure 16** - On-premises AD DS integrated with Azure AD - -For more information about integrating on-premises AD DS domains with Azure AD, see these resources: -- [Integrating your on-premises identities with Azure Active Directory](http://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/) -- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/) - -## Related topics - -[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) - -[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md) - -[Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md index db3fb46f6a..b798212e27 100644 --- a/education/windows/windows-editions-for-education-customers.md +++ b/education/windows/windows-editions-for-education-customers.md @@ -39,7 +39,7 @@ Existing devices running Windows 10 Pro, currently activated with the original O Customers with Academic Volume Licensing agreements with rights for Windows can get Windows 10 Pro Education through the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). -Customers who deploy Windows 10 Pro are able to configure the product to have similar feature settings to Windows 10 Pro Education using policies. More detailed information on these policies and the configuration steps required is available in Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627). We recommend that K-12 customers using commercial Windows 10 Pro read the [document](https://go.microsoft.com/fwlink/?LinkId=822627) and apply desired settings for your environment. +Customers who deploy Windows 10 Pro are able to configure the product to have similar feature settings to Windows 10 Pro Education using policies. More detailed information on these policies and the configuration steps required is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627). We recommend that K-12 customers using commercial Windows 10 Pro read the [document](https://go.microsoft.com/fwlink/?LinkId=822627) and apply desired settings for your environment. ## Windows 10 Education diff --git a/store-for-business/update-windows-store-for-business-account-settings.md b/store-for-business/update-windows-store-for-business-account-settings.md index e2266ea8a6..637220cb67 100644 --- a/store-for-business/update-windows-store-for-business-account-settings.md +++ b/store-for-business/update-windows-store-for-business-account-settings.md @@ -61,13 +61,13 @@ Taxes for Microsoft Store for Business purchases are determined by your business - Switzerland - United Kingdom -These countries can provide their VAT number or local equivalent in **Payments & billing**. However, they can only acquire free apps. +These countries can provide their VAT number or local equivalent in **Payments & billing**. |Market| Tax identifier | |------|----------------| -| Brazil | CPNJ (required), CCMID (optional) | -| India | CST ID, VAT ID | -| Taiwan | Unified business number| +| Brazil | CNPJ (required) | +| India | CST ID, VAT ID (both are optional) | +| Taiwan | VAT ID (optional) | ### Tax-exempt status diff --git a/store-for-business/windows-store-for-business-overview.md b/store-for-business/windows-store-for-business-overview.md index 92902b6347..0edcf1dfa2 100644 --- a/store-for-business/windows-store-for-business-overview.md +++ b/store-for-business/windows-store-for-business-overview.md @@ -157,6 +157,193 @@ For more information, see [Manage settings in the Store for Business](manage-set Microsoft Store for Business and Education is currently available in these markets. + +### Support for free and paid apps @@ -294,22 +481,29 @@ Microsoft Store for Business and Education is currently available in these marke
Support for free and paid apps
- - - - - - - -
Support for free apps only
-
    -
  • Brazil
    • -
  • India
    • -
  • Russia
    • -
  • Taiwan
    • -
  • Ukraine
    • -
-
+### Support for free apps +Customers in these markets can use Microsoft Store for Business and Education to acquire free apps: +- India +- Russia + +### Support for free apps and Minecraft: Education Edition +Customers in these markets can use Microsoft Store for Business and Education to acquire free apps and Minecraft: Education Edition: +- Brazil +- Taiwan +- Ukraine + +This table summarize what customers can purchase, depending on which Microsoft Store they are using. + +| Store | Free apps | Minecraft: Education Edition | +| ----- | --------- | ---------------------------- | +| Microsoft Store for Business | supported | not supported | +| Microsoft Store for Education | supported | supported; invoice payment required | + +> [!NOTE] +> **Microsoft Store for Education customers with support for free apps and Minecraft: Education Edition** +- Admins can acquire free apps from **Microsoft Store for Education**. +- Admins need to use an invoice to purchase **Minecraft: Education Edition**. For more information, see [Invoice payment option](https://docs.microsoft.com/education/windows/school-get-minecraft#invoices). +- Teachers, or people with the Basic Purachaser role, can acquire free apps, but not **Minecraft: Education Edition**. ## Privacy notice diff --git a/windows/access-protection/credential-guard/credential-guard-considerations.md b/windows/access-protection/credential-guard/credential-guard-considerations.md index 0adc21dd7f..1663325a24 100644 --- a/windows/access-protection/credential-guard/credential-guard-considerations.md +++ b/windows/access-protection/credential-guard/credential-guard-considerations.md @@ -28,9 +28,9 @@ in the Deep Dive into Credential Guard video series. - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials. - Credential Guard uses hardware security so some features, such as Windows To Go, are not supported. -## NTLM and CHAP Considerations +## Wi-fi and VPN Considerations +When you enable Credential Guard, you can no longer use NTLM v1 authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS. -When you enable Credential Guard, you can no longer use NTLM v1 authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as NTLMv1. We recommend that organizations use certificated-based authentication for WiFi and VPN connections. ## Kerberos Considerations diff --git a/windows/access-protection/docfx.json b/windows/access-protection/docfx.json index 627724bbe5..22574d09a4 100644 --- a/windows/access-protection/docfx.json +++ b/windows/access-protection/docfx.json @@ -32,7 +32,8 @@ "externalReference": [], "globalMetadata": { "uhfHeaderId": "MSDocsHeader-WindowsIT", - "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json" + "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "ms.technology": "windows" }, "fileMetadata": {}, "template": [], diff --git a/windows/access-protection/enterprise-certificate-pinning.md b/windows/access-protection/enterprise-certificate-pinning.md index 26876a7fac..c5c53ac5e6 100644 --- a/windows/access-protection/enterprise-certificate-pinning.md +++ b/windows/access-protection/enterprise-certificate-pinning.md @@ -6,7 +6,7 @@ author: MikeStephens-MS description: Enterprise certificate pinning is a Windows feature for remembering, or “pinning” a root, issuing certificate authority, or end entity certificate to a given domain name. manager: alanth ms.prod: w10 -ms.technology: security +ms.technology: windows ms.sitesec: library ms.pagetype: security localizationpriority: high @@ -71,141 +71,41 @@ Each PinRule element contains a sequence of one or more Site elements and a sequ The PinRules element can have the following attributes. For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml) or [Representing a Duration in XML](#representing-a-duration-in-xml). -- **Duration** or **NextUpdate** - - Specifies when the Pin Rules will expire. - Either is required. - **NextUpdate** takes precedence if both are specified. - - **Duration**, represented as an XML TimeSpan data type, does not allow years and months. - You represent the **NextUpdate** attribute as a XML DateTime data type in UTC. - - **Required?** Yes. At least one is required. - -- **LogDuration** or **LogEndDate** - - Configures auditing only to extend beyond the expiration of enforcing the Pin Rules. - - **LogEndDate**, represented as an XML DateTime data type in UTC, takes precedence if both are specified. - - You represent **LogDuration** as an XML TimeSpan data type, which does not allow years and months. - - If neither attribute is specified, auditing expiration uses **Duration** or **NextUpdate** attributes. - - **Required?** No. - -- **ListIdentifier** - - Provides a friendly name for the list of pin rules. - Windows does not use this attribute for certificate pinning enforcement, however it is included when the pin rules are converted to a certificate trust list (CTL). - - **Required?** No. +| Attribute | Description | Required | +|-----------|-------------|----------| +| **Duration** or **NextUpdate** | Specifies when the Pin Rules will expire. Either is required. **NextUpdate** takes precedence if both are specified.
**Duration**, represented as an XML TimeSpan data type, does not allow years and months. You represent the **NextUpdate** attribute as a XML DateTime data type in UTC. | **Required?** Yes. At least one is required. | +| **LogDuration** or **LogEndDate** | Configures auditing only to extend beyond the expiration of enforcing the Pin Rules.
**LogEndDate**, represented as an XML DateTime data type in UTC, takes precedence if both are specified.
You represent **LogDuration** as an XML TimeSpan data type, which does not allow years and months.
If neither attribute is specified, auditing expiration uses **Duration** or **NextUpdate** attributes. | No. | +| **ListIdentifier** | Provides a friendly name for the list of pin rules. Windows does not use this attribute for certificate pinning enforcement, however it is included when the pin rules are converted to a certificate trust list (CTL). | No. | #### PinRule Element -The **PinRule** element can have the following attributes: +The **PinRule** element can have the following attributes. -- **Name** - - Uniquely identifies the **PinRule**. - Windows uses this attribute to identify the element for a parsing error or for verbose output. - The attribute is not included in the generated certificate trust list (CTL). - - **Required?** Yes. - -- **Error** - - Describes the action Windows performs when it encounters a PIN mismatch. - You can choose from the following string values: - - **Revoked** - Windows reports the certificate protecting the site as if it was revoked. This typically prevents the user from accessing the site. - - **InvalidName** - Windows reports the certificate protecting the site as if the name on the certificate does not match the name of the site. This typically results in prompting the user before accessing the site. - - **None** - The default value. No error is returned. You can use this setting to audit the pin rules without introducing any user friction. - - **Required?** No. - -- **Log** - - A Boolean value represent as string that equals **true** or **false**. - By default, logging is enabled (**true**). - - **Required?** No. +| Attribute | Description | Required | +|-----------|-------------|----------| +| **Name** | Uniquely identifies the **PinRule**. Windows uses this attribute to identify the element for a parsing error or for verbose output. The attribute is not included in the generated certificate trust list (CTL). | Yes.| +| **Error** | Describes the action Windows performs when it encounters a PIN mismatch. You can choose from the following string values:
- **Revoked** - Windows reports the certificate protecting the site as if it was revoked. This typically prevents the user from accessing the site.
- **InvalidName** - Windows reports the certificate protecting the site as if the name on the certificate does not match the name of the site. This typically results in prompting the user before accessing the site.
- **None** - The default value. No error is returned. You can use this setting to audit the pin rules without introducing any user friction. | No. | +| **Log** | A Boolean value represent as string that equals **true** or **false**. By default, logging is enabled (**true**). | No. | #### Certificate element -The **Certificate** element can have the following attributes: +The **Certificate** element can have the following attributes. -- **File** - - Path to a file containing one or more certificates. - Where the certificate(s) can be encoded as: - - single certificate - - p7b - - sst. - - These files can also be Base64 formatted. - All **Site** elements included in the same **PinRule** element can match any of these certificates. - - **Required?** Yes (File, Directory or Base64 must be present). - -- **Directory** - - Path to a directory containing one or more of the above certificate files. - Skips any files not containing any certificates. - - **Required?** Yes (File, Directory or Base64 must be present). - -- **Base64** - - Base64 encoded certificate(s). - Where the certificate(s) can be encoded as: - - single certificate - - p7b - - sst. - - This allows the certificates to be included in the XML file without a file directory dependency. - - > [!Note] - > You can use **certutil -encode** to a .cer file into base64. You can then use Notepad to copy and paste the base64 encoded certificate into the pin rule. - - **Required?** Yes (File, Directory or Base64 must be present). - -- **EndDate** - - Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule. - - If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element’s certificates. - - If the current time is past the **EndDate**, then, when creating the certificate trust list (CTL), the parser outputs a warning message and exclude the certificate(s) from the Pin Rule in the generated CTL. - - For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml). - - **Required?** No. +| Attribute | Description | Required | +|-----------|-------------|----------| +| **File** | Path to a file containing one or more certificates. Where the certificate(s) can be encoded as:
- single certificate
- p7b
- sst
These files can also be Base64 formatted. All **Site** elements included in the same **PinRule** element can match any of these certificates. | Yes (File, Directory or Base64 must be present). | +| **Directory** | Path to a directory containing one or more of the above certificate files. Skips any files not containing any certificates. | Yes (File, Directory or Base64 must be present). | +| **Base64** | Base64 encoded certificate(s). Where the certificate(s) can be encoded as:
- single certificate
- p7b
- sst
This allows the certificates to be included in the XML file without a file directory dependency.
Note:
You can use **certutil -encode** to convert a .cer file into base64. You can then use Notepad to copy and paste the base64 encoded certificate into the pin rule. | Yes (File, Directory or Base64 must be present). | +| **EndDate** | Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule.
If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element’s certificates.
If the current time is past the **EndDate**, then, when creating the certificate trust list (CTL), the parser outputs a warning message and exclude the certificate(s) from the Pin Rule in the generated CTL.
For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml).| No.| #### Site element -The **Site** element can have the following attributes: +The **Site** element can have the following attributes. -- **Domain** - - Contains the DNS name to be matched for this pin rule. - When creating the certificate trust list, the parser normalizes the input name string value as follows: - - If the DNS name has a leading "*" it is removed. - - Non-ASCII DNS name are converted to ASCII Puny Code. - - Upper case ASCII characters are converted to lower case. - - If the normalized name has a leading ".", then, wildcard left hand label matching is enabled. - For example, ".xyz.com" would match "abc.xyz.com". - - **Required?** Yes. - -- **AllSubdomains** - - By default, wildcard left hand label matching is restricted to a single left hand label. - This attribute can be set to "true" to enable wildcard matching of all of the left hand labels. - - For example, setting this attribute would also match "123.abc.xyz.com" for the ".xyz.com" domain value. - - **Required?** No. +| Attribute | Description | Required | +|-----------|-------------|----------| +| **Domain** | Contains the DNS name to be matched for this pin rule. When creating the certificate trust list, the parser normalizes the input name string value as follows:
- If the DNS name has a leading "*" it is removed.
- Non-ASCII DNS name are converted to ASCII Puny Code.
- Upper case ASCII characters are converted to lower case.
If the normalized name has a leading ".", then, wildcard left hand label matching is enabled. For example, ".xyz.com" would match "abc.xyz.com". | Yes.| +| **AllSubdomains** | By default, wildcard left hand label matching is restricted to a single left hand label. This attribute can be set to "true" to enable wildcard matching of all of the left-hand labels.
For example, setting this attribute would also match "123.abc.xyz.com" for the ".xyz.com" domain value.| No.| ### Create a Pin Rules Certificate Trust List @@ -289,9 +189,12 @@ Sign-in to the reference computer using domain administrator equivalent credenti 8. Right-click the **Registry** node and click **New**. 9. In the **New Registry Properties** dialog box, select **Update** from the **Action** list. Select **HKEY_LOCAL_MACHINE** from the **Hive** list. 10. For the **Key Path**, click **…** to launch the **Registry Item Browser**. Navigate to the following registry key and select the **PinRules** registry value name: + HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config + Click **Select** to close the **Registry Item Browser**. -11. The **Key Path** should contain the selected registry key. The **Value name** configuration should contain the registry value name **_PinRules_**. **Value type** should read **_REGBINARY_** and **Value data** should contain a long series of numbers from 0-9 and letters ranging from A-F (hexadecimal). Click **OK** to save your settings and close the dialog box. + +11. The **Key Path** should contain the selected registry key. The **Value name** configuration should contain the registry value name **_PinRules_**. **Value type** should read **_REG\_BINARY_** and **Value data** should contain a long series of numbers from 0-9 and letters ranging from A-F (hexadecimal). Click **OK** to save your settings and close the dialog box. ![PinRules Properties](images/enterprise-certificate-pinning-pinrules-properties.png) @@ -302,10 +205,6 @@ Sign-in to the reference computer using domain administrator equivalent credenti To assist in constructing certificate pinning rules, you can configure the **PinRulesLogDir** setting under the certificate chain configuration registry key to include a parent directory to log pin rules. -```code -HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config -``` - | Name | Value | |------|-------| | Key | HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config | diff --git a/windows/access-protection/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/access-protection/windows-firewall/create-wmi-filters-for-the-gpo.md index 80474a70be..d8344768fc 100644 --- a/windows/access-protection/windows-firewall/create-wmi-filters-for-the-gpo.md +++ b/windows/access-protection/windows-firewall/create-wmi-filters-for-the-gpo.md @@ -85,7 +85,7 @@ First, create the WMI filter and configure it to look for a specified version (o After you have created a filter with the correct query, link the filter to the GPO. Filters can be reused with many GPOs simultaneously; you do not have to create a new one for each GPO if an existing one meets your needs. -1. Open theGroup Policy Management console. +1. Open the Group Policy Management console. 2. In the navigation pane, find and then click the GPO that you want to modify. diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json index a0c06828be..cc2687ac6a 100644 --- a/windows/application-management/docfx.json +++ b/windows/application-management/docfx.json @@ -32,7 +32,8 @@ "externalReference": [], "globalMetadata": { "uhfHeaderId": "MSDocsHeader-WindowsIT", - "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json" + "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "ms.technology": "windows" }, "fileMetadata": {}, "template": [], diff --git a/windows/client-management/TOC.md b/windows/client-management/TOC.md index 120dc8ffe8..57e0175c71 100644 --- a/windows/client-management/TOC.md +++ b/windows/client-management/TOC.md @@ -9,5 +9,5 @@ ## [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md) ## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md) ## [Windows libraries](windows-libraries.md) -## [Mobile Device Management](mdm/index.md) +## [Mobile device management protocol](mdm/index.md) ## [Change history for Client management](change-history-for-client-management.md) diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json index 107c56cde2..b42d904675 100644 --- a/windows/client-management/docfx.json +++ b/windows/client-management/docfx.json @@ -32,7 +32,8 @@ "externalReference": [], "globalMetadata": { "uhfHeaderId": "MSDocsHeader-WindowsIT", - "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json" + "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "ms.technology": "windows" }, "fileMetadata": {}, "template": [], diff --git a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md index a7c3befabe..69f6f73aa0 100644 --- a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md +++ b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md @@ -191,7 +191,7 @@ To see the Notebooks that your Azure AD account has access to, tap **More Notebo ## Use Windows Store for Business -[Windows Store for Business](/microsoft-store/index) allows you to specify applications to be available to your users in the Windows Store application. These applications show up on a tab titled for your company. Applications approved in the Windows Store for Business portal can be installed by users. +[Microsoft Store for Business](/microsoft-store/index) allows you to specify applications to be available to your users in the Windows Store application. These applications show up on a tab titled for your company. Applications approved in the Microsoft Store for Business portal can be installed by users. ![company tab on store](images/aadjwsfb.jpg) diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 35f400979f..3e072988e3 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -141,6 +141,7 @@ #### [EnterpriseModernAppManagement DDF](enterprisemodernappmanagement-ddf.md) #### [EnterpriseModernAppManagement XSD](enterprisemodernappmanagement-xsd.md) ### [FileSystem CSP](filesystem-csp.md) +### [Firewall CSP](firewall-csp.md) ### [HealthAttestation CSP](healthattestation-csp.md) #### [HealthAttestation DDF](healthattestation-ddf.md) ### [HotSpot CSP](hotspot-csp.md) diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md index 11681a3787..a395891a14 100644 --- a/windows/client-management/mdm/activesync-csp.md +++ b/windows/client-management/mdm/activesync-csp.md @@ -1,15 +1,12 @@ --- title: ActiveSync CSP description: ActiveSync CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: c65093ef-bd36-4f32-9dab-edb7bcfb3188 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # ActiveSync CSP diff --git a/windows/client-management/mdm/activesync-ddf-file.md b/windows/client-management/mdm/activesync-ddf-file.md index 691947b55a..8aa90d6d7c 100644 --- a/windows/client-management/mdm/activesync-ddf-file.md +++ b/windows/client-management/mdm/activesync-ddf-file.md @@ -1,15 +1,12 @@ --- title: ActiveSync DDF file description: ActiveSync DDF file -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: c4cd4816-ad8f-45b2-9b81-8abb18254096 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # ActiveSync DDF file diff --git a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md index 3cea96c4cd..e1c6986fe5 100644 --- a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md +++ b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md @@ -1,15 +1,12 @@ --- title: Add an Azure AD tenant and Azure AD subscription description: Here's a step-by-step guide to adding an Azure Active Directory tenant, adding an Azure AD subscription, and registering your subscription. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 36D94BEC-A6D8-47D2-A547-EBD7B7D163FA -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Add an Azure AD tenant and Azure AD subscription diff --git a/windows/client-management/mdm/alljoynmanagement-csp.md b/windows/client-management/mdm/alljoynmanagement-csp.md index 196534eb9b..0746ed4175 100644 --- a/windows/client-management/mdm/alljoynmanagement-csp.md +++ b/windows/client-management/mdm/alljoynmanagement-csp.md @@ -1,15 +1,12 @@ --- title: AllJoynManagement CSP description: The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 468E0EE5-EED3-48FF-91C0-89F9D159AA8C -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # AllJoynManagement CSP diff --git a/windows/client-management/mdm/alljoynmanagement-ddf.md b/windows/client-management/mdm/alljoynmanagement-ddf.md index d7de78a5f4..ebc2840da3 100644 --- a/windows/client-management/mdm/alljoynmanagement-ddf.md +++ b/windows/client-management/mdm/alljoynmanagement-ddf.md @@ -1,15 +1,12 @@ --- title: AllJoynManagement DDF description: AllJoynManagement DDF -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 540C2E60-A041-4749-A027-BBAF0BB046E4 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # AllJoynManagement DDF diff --git a/windows/client-management/mdm/application-csp.md b/windows/client-management/mdm/application-csp.md index 9ed4ad4239..463b2e0c07 100644 --- a/windows/client-management/mdm/application-csp.md +++ b/windows/client-management/mdm/application-csp.md @@ -1,15 +1,12 @@ --- title: APPLICATION configuration service provider description: APPLICATION configuration service provider -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 0705b5e9-a1e7-4d70-a73d-7f758ffd8099 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # APPLICATION configuration service provider diff --git a/windows/client-management/mdm/applicationrestrictions-xsd.md b/windows/client-management/mdm/applicationrestrictions-xsd.md index c1c0a561a1..312d90524e 100644 --- a/windows/client-management/mdm/applicationrestrictions-xsd.md +++ b/windows/client-management/mdm/applicationrestrictions-xsd.md @@ -1,15 +1,12 @@ --- title: ApplicationRestrictions XSD description: Here's the XSD for the ApplicationManagement/ApplicationRestrictions policy. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: A5AA2B59-3736-473E-8F70-A90FD61EE426 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # ApplicationRestrictions XSD diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index a8104b8cd5..a73544002c 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -1,15 +1,12 @@ --- title: AppLocker CSP description: AppLocker CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 32FEA2C9-3CAD-40C9-8E4F-E3C69637580F -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # AppLocker CSP diff --git a/windows/client-management/mdm/applocker-ddf-file.md b/windows/client-management/mdm/applocker-ddf-file.md index d743bc90b9..e332216b02 100644 --- a/windows/client-management/mdm/applocker-ddf-file.md +++ b/windows/client-management/mdm/applocker-ddf-file.md @@ -1,15 +1,12 @@ --- title: AppLocker DDF file description: AppLocker DDF file -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 79E199E0-5454-413A-A57A-B536BDA22496 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # AppLocker DDF file diff --git a/windows/client-management/mdm/applocker-xsd.md b/windows/client-management/mdm/applocker-xsd.md index 8a5ed59bcb..1d578d006d 100644 --- a/windows/client-management/mdm/applocker-xsd.md +++ b/windows/client-management/mdm/applocker-xsd.md @@ -1,15 +1,12 @@ --- title: AppLocker XSD description: Here's the XSD for the AppLocker CSP. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 70CF48DD-AD7D-4BCF-854F-A41BFD95F876 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # AppLocker XSD diff --git a/windows/client-management/mdm/appv-deploy-and-config.md b/windows/client-management/mdm/appv-deploy-and-config.md index 1583fe4479..d7f18cf787 100644 --- a/windows/client-management/mdm/appv-deploy-and-config.md +++ b/windows/client-management/mdm/appv-deploy-and-config.md @@ -1,14 +1,11 @@ --- title: Deploy and configure App-V apps using MDM description: Deploy and configure App-V apps using MDM -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Deploy and configure App-V apps using MDM diff --git a/windows/client-management/mdm/assign-seats.md b/windows/client-management/mdm/assign-seats.md index 0e0aedaff6..b39d6d9cdf 100644 --- a/windows/client-management/mdm/assign-seats.md +++ b/windows/client-management/mdm/assign-seats.md @@ -1,15 +1,12 @@ --- title: Assign seat description: The Assign seat operation assigns seat for a specified user in the Windows Store for Business. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: B42BF490-35C9-405C-B5D6-0D9F0E377552 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Assign seat diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index bc9933dc97..aad87ff0e5 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -1,15 +1,12 @@ --- title: AssignedAccess CSP description: The AssignedAccess configuration service provider (CSP) is used set the device to run in kiosk mode. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 421CC07D-6000-48D9-B6A3-C638AAF83984 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # AssignedAccess CSP diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md index 7bff2aad34..4f2fae2306 100644 --- a/windows/client-management/mdm/assignedaccess-ddf.md +++ b/windows/client-management/mdm/assignedaccess-ddf.md @@ -1,15 +1,12 @@ --- title: AssignedAccess DDF description: AssignedAccess DDF -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 224FADDB-0EFD-4E5A-AE20-1BD4ABE24306 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # AssignedAccess DDF diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index 9c47fe110e..ebdb1d406e 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -1,15 +1,12 @@ --- title: Azure Active Directory integration with MDM description: Azure Active Directory is the world largest enterprise cloud identity management service. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: D03B0765-5B5F-4C7B-9E2B-18E747D504EE -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 1c046fef02..308b678f24 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -1,14 +1,11 @@ --- title: BitLocker CSP description: BitLocker CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # BitLocker CSP @@ -674,7 +671,7 @@ The following example is provided to show proper format and should not be taken 110 - ./Device/Vendor/MSFT/BitLocker/DisableWarningForOtherDiskEncryption + ./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption int diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md index dd2461a0fe..2b0491ab35 100644 --- a/windows/client-management/mdm/bitlocker-ddf-file.md +++ b/windows/client-management/mdm/bitlocker-ddf-file.md @@ -1,14 +1,11 @@ --- title: BitLocker DDF file description: BitLocker DDF file -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # BitLocker DDF file diff --git a/windows/client-management/mdm/bootstrap-csp.md b/windows/client-management/mdm/bootstrap-csp.md index 11a4e027aa..86259803e4 100644 --- a/windows/client-management/mdm/bootstrap-csp.md +++ b/windows/client-management/mdm/bootstrap-csp.md @@ -1,15 +1,12 @@ --- title: BOOTSTRAP CSP description: BOOTSTRAP CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: b8acbddc-347f-4543-a45b-ad2ffae3ffd0 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # BOOTSTRAP CSP diff --git a/windows/client-management/mdm/browserfavorite-csp.md b/windows/client-management/mdm/browserfavorite-csp.md index d14fdefbb2..e762d03a4f 100644 --- a/windows/client-management/mdm/browserfavorite-csp.md +++ b/windows/client-management/mdm/browserfavorite-csp.md @@ -1,15 +1,12 @@ --- title: BrowserFavorite CSP description: BrowserFavorite CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 5d2351ff-2d6a-4273-9b09-224623723cbf -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # BrowserFavorite CSP diff --git a/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md b/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md index b148b5db51..3d370d247f 100644 --- a/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md +++ b/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md @@ -1,15 +1,12 @@ --- title: Bulk assign and reclaim seats from users description: The Bulk assign and reclaim seats from users operation returns reclaimed or assigned seats in the Windows Store for Business. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 99E2F37D-1FF3-4511-8969-19571656780A -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Bulk assign and reclaim seats from users diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md index 4ce31253a5..dca0fac617 100644 --- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md @@ -4,15 +4,12 @@ description: Bulk enrollment is an efficient way to set up a large number of dev MS-HAID: - 'p\_phdevicemgmt.bulk\_enrollment' - 'p\_phDeviceMgmt.bulk\_enrollment\_using\_Windows\_provisioning\_tool' -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: DEB98FF3-CC5C-47A1-9277-9EF939716C87 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md index 10e529e3a5..2eb3f56669 100644 --- a/windows/client-management/mdm/cellularsettings-csp.md +++ b/windows/client-management/mdm/cellularsettings-csp.md @@ -1,15 +1,12 @@ --- title: CellularSettings CSP description: CellularSettings CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: ce8b6f16-37ca-4aaf-98b0-306d12e326df -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # CellularSettings CSP diff --git a/windows/client-management/mdm/certificate-authentication-device-enrollment.md b/windows/client-management/mdm/certificate-authentication-device-enrollment.md index 367df2f366..06d6f265b6 100644 --- a/windows/client-management/mdm/certificate-authentication-device-enrollment.md +++ b/windows/client-management/mdm/certificate-authentication-device-enrollment.md @@ -1,15 +1,12 @@ --- title: Certificate authentication device enrollment description: This section provides an example of the mobile device enrollment protocol using certificate authentication policy. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 57DB3C9E-E4C9-4275-AAB5-01315F9D3910 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Certificate authentication device enrollment diff --git a/windows/client-management/mdm/certificate-renewal-windows-mdm.md b/windows/client-management/mdm/certificate-renewal-windows-mdm.md index 0bf2184006..03875bfea6 100644 --- a/windows/client-management/mdm/certificate-renewal-windows-mdm.md +++ b/windows/client-management/mdm/certificate-renewal-windows-mdm.md @@ -4,15 +4,12 @@ description: The enrolled client certificate expires after a period of use. MS-HAID: - 'p\_phdevicemgmt.certificate\_renewal' - 'p\_phDeviceMgmt.certificate\_renewal\_windows\_mdm' -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: F910C50C-FF67-40B0-AAB0-CA7CE02A9619 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Certificate Renewal diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md index edb293593a..20bda706fb 100644 --- a/windows/client-management/mdm/certificatestore-csp.md +++ b/windows/client-management/mdm/certificatestore-csp.md @@ -1,15 +1,12 @@ --- title: CertificateStore CSP description: CertificateStore CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 0fe28629-3cc3-42a0-91b3-3624c8462fd3 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # CertificateStore CSP diff --git a/windows/client-management/mdm/certificatestore-ddf-file.md b/windows/client-management/mdm/certificatestore-ddf-file.md index c13145b854..dce1073030 100644 --- a/windows/client-management/mdm/certificatestore-ddf-file.md +++ b/windows/client-management/mdm/certificatestore-ddf-file.md @@ -1,15 +1,12 @@ --- title: CertificateStore DDF file description: This topic shows the OMA DM device description framework (DDF) for the CertificateStore configuration service provider. DDF files are used only with OMA DM provisioning XML. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: D9A12D4E-3122-45C3-AD12-CC4FFAEC08B8 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # CertificateStore DDF file diff --git a/windows/client-management/mdm/cleanpc-csp.md b/windows/client-management/mdm/cleanpc-csp.md index f74ca54b1e..4f2d5cc211 100644 --- a/windows/client-management/mdm/cleanpc-csp.md +++ b/windows/client-management/mdm/cleanpc-csp.md @@ -1,14 +1,11 @@ --- title: CleanPC CSP description: The CleanPC configuration service provider (CSP) allows removal of user-installed and pre-installed applications, with the option to persist user data. This CSP was added in Windows 10, version 1703. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # CleanPC CSP diff --git a/windows/client-management/mdm/cleanpc-ddf.md b/windows/client-management/mdm/cleanpc-ddf.md index ffee599925..cfbd44cc65 100644 --- a/windows/client-management/mdm/cleanpc-ddf.md +++ b/windows/client-management/mdm/cleanpc-ddf.md @@ -1,15 +1,12 @@ --- title: CleanPC DDF description: This topic shows the OMA DM device description framework (DDF) for the CleanPC configuration service provider. DDF files are used only with OMA DM provisioning XML. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: A2182898-1577-4675-BAE5-2A3A9C2AAC9B -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # CleanPC DDF diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md index 32c811f242..6391e50c7d 100644 --- a/windows/client-management/mdm/clientcertificateinstall-csp.md +++ b/windows/client-management/mdm/clientcertificateinstall-csp.md @@ -1,15 +1,12 @@ --- title: ClientCertificateInstall CSP description: ClientCertificateInstall CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: B624EB73-2972-47F2-9D7E-826D641BF8A7 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # ClientCertificateInstall CSP diff --git a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md index ffc094694c..d94173af03 100644 --- a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md +++ b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md @@ -1,15 +1,12 @@ --- title: ClientCertificateInstall DDF file description: ClientCertificateInstall DDF file -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 7F65D045-A750-4CDE-A1CE-7D152AA060CA -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # ClientCertificateInstall DDF file diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md index 49a14d9096..94a6e27f51 100644 --- a/windows/client-management/mdm/cm-cellularentries-csp.md +++ b/windows/client-management/mdm/cm-cellularentries-csp.md @@ -1,15 +1,12 @@ --- title: CM\_CellularEntries CSP description: CM\_CellularEntries CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: f8dac9ef-b709-4b76-b6f5-34c2e6a3c847 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # CM\_CellularEntries CSP diff --git a/windows/client-management/mdm/cm-proxyentries-csp.md b/windows/client-management/mdm/cm-proxyentries-csp.md index 0b449eaa36..693b4feb34 100644 --- a/windows/client-management/mdm/cm-proxyentries-csp.md +++ b/windows/client-management/mdm/cm-proxyentries-csp.md @@ -1,15 +1,12 @@ --- title: CM\_ProxyEntries CSP description: CM\_ProxyEntries CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: f4c3dc71-c85a-4c68-9ce9-19f408ff7a0a -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # CM\_ProxyEntries CSP diff --git a/windows/client-management/mdm/cmpolicy-csp.md b/windows/client-management/mdm/cmpolicy-csp.md index baacc5ed3d..e83953965b 100644 --- a/windows/client-management/mdm/cmpolicy-csp.md +++ b/windows/client-management/mdm/cmpolicy-csp.md @@ -1,15 +1,12 @@ --- title: CMPolicy CSP description: CMPolicy CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 62623915-9747-4eb1-8027-449827b85e6b -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # CMPolicy CSP diff --git a/windows/client-management/mdm/cmpolicyenterprise-csp.md b/windows/client-management/mdm/cmpolicyenterprise-csp.md index 93a0476d26..a3c9b663bf 100644 --- a/windows/client-management/mdm/cmpolicyenterprise-csp.md +++ b/windows/client-management/mdm/cmpolicyenterprise-csp.md @@ -1,15 +1,12 @@ --- title: CMPolicyEnterprise CSP description: CMPolicyEnterprise CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: A0BE3458-ABED-4F80-B467-F842157B94BF -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # CMPolicyEnterprise CSP diff --git a/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md b/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md index 0b3d130038..6305ea17c3 100644 --- a/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md +++ b/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md @@ -1,15 +1,12 @@ --- title: CMPolicyEnterprise DDF file description: CMPolicyEnterprise DDF file -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 065EF07A-0CF3-4EE5-B620-3464A75B7EED -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # CMPolicyEnterprise DDF file diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index a66594ccb7..f92fff6839 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -1,957 +1,2332 @@ --- title: Configuration service provider reference description: A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 71823658-951f-4163-9c40-c4d4adceaaec -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Configuration service provider reference A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. Some configuration service providers support the WAP format, some support SyncML, and some support both. SyncML is only used over–the–air for Open Mobile Alliance Device Management (OMA DM), whereas WAP can be used over–the–air for OMA Client Provisioning, or it can be included in the phone image as a .provxml file that is installed during boot. -For information about the bridge WMI provider classes that map to these CSPs, see [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/hardware/dn905224). See the [list of CSPs supported in Windows Holographic](#hololens) and the [list of CSPs supported in Microsoft Surface Hub ](#surfacehubcspsupport) for additional information. +For information about the bridge WMI provider classes that map to these CSPs, see [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/hardware/dn905224). -The following table show the configuration service providers supported in Windows 10. +Additional lists: +- [List of CSPs supported in Windows Holographic](#hololens) +- [List of CSPs supported in Microsoft Surface Hub ](#surfacehubcspsupport) +- [List of CSPs supported in Windows 10 IoT Core](#iotcoresupport) +- [List of CSPs supported in Windows 10 S](#windows10s) -> [!Important] -> To navigate the table horizontally, click on the table and then use the left and right scroll keys on your keyboard or use the scroll bar at the bottom of the table. +The following tables show the configuration service providers support in Windows 10. + +
+ +## CSP support + + +[APPLICATION CSP](application-csp.md) + + --------- - - - - - - - - - - + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Configuration service providerSupported in Windows 10 ProSupported in Windows 10 BusinessSupported in Windows 10 EnterpriseSupported in Windows 10 EducationSupported in Windows 10 HomeSupported in Windows 10 MobileSupported in Windows 10 Mobile Enterprise
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
[ActiveSync CSP](activesync-csp.md)check markcheck markcheck markcheck markcheck markcheck mark
[AllJoynManagement CSP](alljoynmanagement-csp.md)cross markcross markcross markcross markcross markcross mark
[APPLICATION CSP](application-csp.md)check markcheck markcheck markcheck markcheck markcheck mark
[AppLocker CSP](applocker-csp.md)check markcheck markcheck markcheck markcheck markcheck mark
[AssignedAccess CSP](assignedaccess-csp.md)cross markcheck markcheck markcross markcross markcross mark
[BitLocker CSP](bitlocker-csp.md)cross markcheck mark2check mark2check mark2cross markcheck mark2check mark2
[BOOTSTRAP CSP](bootstrap-csp.md)check markcheck markcheck markcheck markcheck markcheck mark
[BrowserFavorite CSP](browserfavorite-csp.md)cross markcross markcross markcross markcross markcross mark
[CellularSettings CSP](cellularsettings-csp.md)check mark2check mark2check mark2check mark2check markcheck mark
[CertificateStore CSP](certificatestore-csp.md)check markcheck markcheck markcheck markcheck markcheck mark
[CleanPC CSP](cleanpc-csp.md)cross markcheck mark2check mark2check mark2cross markcross markcross mark
[ClientCertificateInstall CSP](clientcertificateinstall-csp.md)check markcheck markcheck markcheck markcheck markcheck mark
[CM_CellularEntries CSP](cm-cellularentries-csp.md)check mark2check mark2check mark2check mark2check markcheck mark
[CM_ProxyEntries CSP](cm-proxyentries-csp.md)cross markcross markcross markcross markcheck markcheck mark
[CMPolicy CSP](cmpolicy-csp.md)cross markcross markcross markcross markcheck markcheck mark
[CMPolicyEnterprise CSP](cmpolicyenterprise-csp.md)cross markcross markcross markcross markcheck mark1check mark1
[CustomDeviceUI CSP](customdeviceui-csp.md)cross markcross markcross markcross markcross markcross mark
[Defender CSP](defender-csp.md)check markcheck markcheck markcheck markcross markcross mark
[DevDetail CSP](devdetail-csp.md)check markcheck markcheck markcheck markcheck markcheck mark
[DeveloperSetup CSP](developersetup-csp.md)cross markcross markcross markcross markcross markcross markcross mark
[DeviceInstanceService CSP](deviceinstanceservice-csp.md)cross markcross markcross markcross markcheck markcheck mark
[DeviceLock CSP](devicelock-csp.md)cross markcross markcross markcross markcheck markcheck mark
[DeviceManageability CSP](devicemanageability-csp.md)check markcheck markcheck markcheck markcheck markcheck mark
[DeviceStatus CSP](devicestatus-csp.md)check markcheck markcheck markcheck markcheck markcheck mark
[DevInfo CSP](devinfo-csp.md)check markcheck markcheck markcheck markcheck markcheck mark
[DiagnosticLog CSP](diagnosticlog-csp.md)check markcheck markcheck markcheck markcheck markcheck mark
[DMAcc CSP](dmacc-csp.md)check markcheck markcheck markcheck markcheck markcheck mark
[DMClient CSP](dmclient-csp.md)check markcheck markcheck markcheck markcheck markcheck mark
[DynamicManagement CSP](dynamicmanagement-csp.md)cross markcross markcheck mark2check mark2cross markcheck mark2check mark2
[EMAIL2 CSP](email2-csp.md)check markcheck markcheck markcheck markcheck markcheck mark
[EnterpriseAPN CSP](enterpriseapn-csp.md)check mark2check mark2check mark2check mark2check markcheck mark
[EnterpriseAppManagement CSP](enterpriseappmanagement-csp.md)cross markcross markcross markcross markcheck markcheck mark
[EnterpriseAppVManagement CSP](enterpriseappvmanagement-csp.md)cross markcross markcheck mark2check mark2cross markcross markcross mark
[EnterpriseAssignedAccess CSP](enterpriseassignedaccess-csp.md)cross markcross markcross markcross markcheck markcheck mark
[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)check markcheck markcheck markcross markcheck markcheck mark
[EnterpriseDesktopAppManagement CSP](enterprisedesktopappmanagement-csp.md)check markcheck markcheck markcross markcross markcross mark
[EnterpriseExt CSP](enterpriseext-csp.md)cross markcross markcross markcross markcheck markcheck mark
[EnterpriseExtFileSystem CSP](enterpriseextfilessystem-csp.md)cross markcross markcross markcross markcheck markcheck mark
[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)check markcheck markcheck markcheck markcheck markcheck mark
[FileSystem CSP](filesystem-csp.md)cross markcross markcross markcross markcheck mark -

(Provisioning only)

check mark -

(Provisioning only)

[HealthAttestation CSP](healthattestation-csp.md)check markcheck markcheck markcheck markcheck markcheck mark
[HotSpot CSP](hotspot-csp.md)cross markcross markcross markcross markcheck markcheck mark
[Maps CSP](maps-csp.md)cross markcross markcross markcross markcheck markcheck mark
[Messaging CSP](messaging-csp.md)cross markcross markcross markcross markcross markcheck mark2check mark2
[NAP CSP](nap-csp.md)check markcheck markcheck markcross markcheck markcheck mark
[NAPDEF CSP](napdef-csp.md)check markcheck markcheck markcross markcheck markcheck mark
[NetworkProxy CSP](networkproxy-csp.md)check mark2check mark2check mark2check mark2cross markcheck mark2check mark2
[NetworkQoSPolicy CSP](networkqospolicy-csp.md)cross markcross markcross markcross markcross markcross markcross mark
[NodeCache CSP](nodecache-csp.md)check markcheck markcheck markcheck markcheck markcheck mark
[Office CSP](office-csp.md)check mark2check mark2check mark2check mark2cross markcross markcross mark
[PassportForWork CSP](passportforwork-csp.md)check markcheck markcheck markcheck markcheck markcheck mark
[Policy CSP](policy-configuration-service-provider.md)check markcheck markcheck markcheck markcheck markcheck mark
[Personalization CSP](personalization-csp.md)cross markcross markcheck mark2check mark2cross markcross markcross mark
[PolicyManager CSP](policymanager-csp.md)cross markcross markcross markcross markcheck markcheck mark
[Provisioning CSP](provisioning-csp.md)check mark -

(Provisioning only)

check mark -

(Provisioning only)

check mark -

(Provisioning only)

check mark -

(Provisioning only)

check mark -

(Provisioning only)

check mark -

(Provisioning only)

[PROXY CSP](proxy-csp.md)check markcheck markcheck markcheck markcheck markcheck mark
[PXLOGICAL CSP](pxlogical-csp.md)check markcheck markcheck markcross markcheck markcheck mark
[Reboot CSP](reboot-csp.md)check markcheck markcheck markcross markcheck markcheck mark
[Registry CSP](registry-csp.md)cross markcross markcross markcross markcheck markcheck mark
[RemoteFind CSP](remotefind-csp.md)check markcheck markcheck markcross markcheck markcheck mark
[RemoteLock](remotelock-csp.md)cross markcross markcross markcross markcheck markcheck mark
[RemoteRing CSP](remotering-csp.md)cross markcross markcross markcross markcheck markcheck mark
[RemoteWipe CSP](remotewipe-csp.md)check markcheck markcheck markcheck markcheck markcheck mark
[Reporting CSP](reporting-csp.md)check markcheck markcheck markcheck markcheck markcheck mark
[RootCATrustedCertificates CSP](rootcacertificates-csp.md)check markcheck markcheck markcheck markcheck markcheck mark
[SecureAssessment CSP](secureassessment-csp.md)check mark1check mark1check mark1cross markcross markcross mark
[SecurityPolicy CSP](securitypolicy-csp.md)check markcheck markcheck markcheck markcheck markcheck mark
[SharedPC CSP](sharedpc-csp.md)check mark1check mark1check mark1cross markcross markcross mark
[Storage CSP](storage-csp.md)check markcheck markcheck markcross markcheck markcheck mark
[SUPL CSP](supl-csp.md)check markcheck markcheck markcross markcheck markcheck mark
[SurfaceHub](surfacehub-csp.md)
[UnifiedWriteFilter CSP](unifiedwritefilter-csp.md)cross markcheck markcheck markcross markcross markcross mark
[Update CSP](update-csp.md)check markcheck markcheck markcheck markcheck markcheck mark
[VPN CSP](vpn-csp.md)cross markcross markcross markcross markcheck markcheck mark
[VPNv2 CSP](vpnv2-csp.md)check markcheck markcheck markcheck markcheck markcheck mark
[W4 APPLICATION CSP](w4-application-csp.md)check mark
[w7 APPLICATION CSP](w7-application-csp.md)check mark
[WiFi CSP](wifi-csp.md)check markcheck markcheck markcheck markcheck markcheck mark
[Win32AppInventory CSP](win32appinventory-csp.md)check mark1check mark1check mark1cross markcross markcross mark
[WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md)check mark1check mark1check mark1cross markcross markcross mark
[WindowsLicensing CSP](windowslicensing-csp.md)check markcheck markcheck markcheck markcheck markcheck mark
[WindowsSecurityAuditing CSP](windowssecurityauditing-csp.md)cross markcross markcross markcross markcheck markcheck mark
+ + + + +[ActiveSync CSP](activesync-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[AllJoynManagement CSP](alljoynmanagement-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcross markcross mark
+ + + + + +[AppLocker CSP](applocker-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[AssignedAccess CSP](assignedaccess-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcheck markcheck markcross markcross mark
+ + + + + +[BOOTSTRAP CSP](bootstrap-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[BitLocker CSP](bitlocker-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcheck mark2check mark2check mark2check mark2check mark2
+ + + + + +[BrowserFavorite CSP](browserfavorite-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcross markcross mark
+ + + + + +[CMPolicy CSP](cmpolicy-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + + + +[CMPolicyEnterprise CSP](cmpolicyenterprise-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck mark1check mark1
+ + + + + +[CM_CellularEntries CSP](cm-cellularentries-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark2check mark2check mark2check mark2check markcheck mark
+ + + + + +[CM_ProxyEntries CSP](cm-proxyentries-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + + + +[CellularSettings CSP](cellularsettings-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark2check mark2check mark2check mark2check markcheck mark
+ + + + + +[CertificateStore CSP](certificatestore-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[CleanPC CSP](cleanpc-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcheck mark2check mark2check mark2cross markcross mark
+ + + + + +[ClientCertificateInstall CSP](clientcertificateinstall-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[CustomDeviceUI CSP](customdeviceui-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcross markcross mark
+ + + + + +[DMAcc CSP](dmacc-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[DMClient CSP](dmclient-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[Defender CSP](defender-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + + + +[DevDetail CSP](devdetail-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[DevInfo CSP](devinfo-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[DeveloperSetup CSP](developersetup-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcross markcross markcross mark
+ + + + + +[DeviceInstanceService CSP](deviceinstanceservice-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + + + +[DeviceLock CSP](devicelock-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + + + +[DeviceManageability CSP](devicemanageability-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[DeviceStatus CSP](devicestatus-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[DiagnosticLog CSP](diagnosticlog-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[DynamicManagement CSP](dynamicmanagement-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcheck mark2check mark2check mark2check mark2
+ + + + + +[EMAIL2 CSP](email2-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[EnterpriseAPN CSP](enterpriseapn-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark2check mark2check mark2check mark2check markcheck mark
+ + + + + +[EnterpriseAppManagement CSP](enterpriseappmanagement-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + + + +[EnterpriseAppVManagement CSP](enterpriseappvmanagement-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcheck mark2check mark2cross markcross mark
+ + + + + +[EnterpriseAssignedAccess CSP](enterpriseassignedaccess-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + + + +[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[EnterpriseDesktopAppManagement CSP](enterprisedesktopappmanagement-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + + + +[EnterpriseExt CSP](enterpriseext-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + + + +[EnterpriseExtFileSystem CSP](enterpriseextfilessystem-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + + + +[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[FileSystem CSP](filesystem-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck mark (Provisioning only)check mark (Provisioning only)
+ + + + + +[HealthAttestation CSP](healthattestation-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[HotSpot CSP](hotspot-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + + + +[Maps CSP](maps-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + + + +[Messaging CSP](messaging-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcross markcheck mark2check mark2
+ + + + + +[NAP CSP](nap-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[NAPDEF CSP](napdef-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[NetworkProxy CSP](networkproxy-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + + + +[NetworkQoSPolicy CSP](networkqospolicy-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcross markcross markcross mark
+ + + + + +[NodeCache CSP](nodecache-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[Office CSP](office-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
+ + + + + +[PROXY CSP](proxy-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[PXLOGICAL CSP](pxlogical-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[PassportForWork CSP](passportforwork-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[Personalization CSP](personalization-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcheck mark2check mark2cross markcross mark
+ + + + + +[Policy CSP](policy-configuration-service-provider.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[PolicyManager CSP](policymanager-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + + + +[Provisioning CSP](provisioning-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark (Provisioning only)check mark (Provisioning only)check mark (Provisioning only)check mark (Provisioning only)check mark (Provisioning only)check mark (Provisioning only)
+ + + + + +[Reboot CSP](reboot-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[Registry CSP](registry-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + + + +[RemoteFind CSP](remotefind-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[RemoteLock](remotelock-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + + + +[RemoteRing CSP](remotering-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + + + +[RemoteWipe CSP](remotewipe-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[Reporting CSP](reporting-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[RootCATrustedCertificates CSP](rootcacertificates-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[SUPL CSP](supl-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[SecureAssessment CSP](secureassessment-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcross mark
+ + + + + +[SecurityPolicy CSP](securitypolicy-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[SharedPC CSP](sharedpc-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcross mark
+ + + + + +[Storage CSP](storage-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[SurfaceHub](surfacehub-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
+ + + + + +[UnifiedWriteFilter CSP](unifiedwritefilter-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcheck markcheck markcross markcross mark
+ + + + + +[Update CSP](update-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[VPN CSP](vpn-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + + + +[VPNv2 CSP](vpnv2-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[W4 APPLICATION CSP](w4-application-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark
+ + + + + +[WiFi CSP](wifi-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[Win32AppInventory CSP](win32appinventory-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcross mark
+ + + + + +[WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcross mark
+ + + + + +[WindowsLicensing CSP](windowslicensing-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[WindowsSecurityAuditing CSP](windowssecurityauditing-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + + + +[w7 APPLICATION CSP](w7-application-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark
+ + + + +
+ +  Footnotes: - 1 - Added in Windows 10, version 1607 @@ -1057,4 +2432,55 @@ Footnotes: - [RootCATrustedCertificates CSP](rootcacertificates-csp.md) - [Update CSP](update-csp.md) - [VPNv2 CSP](vpnv2-csp.md) -- [WiFi CSP](wifi-csp.md) \ No newline at end of file +- [WiFi CSP](wifi-csp.md) + +## CSPs supported in Windows 10 S + +The CSPs supported in Windows 10 S is the same as in Windows 10 Pro except that Office CSP and EnterpriseDesktop CSP are not available in Windows 10 S. Here is the list: + +- [ActiveSync CSP](activesync-csp.md) +- [APPLICATION CSP](application-csp.md) +- [AppLocker CSP](applocker-csp.md) +- [BOOTSTRAP CSP](bootstrap-csp.md) +- [CellularSettings CSP](cellularsettings-csp.md) +- [CertificateStore CSP](certificatestore-csp.md) +- [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) +- [CM_CellularEntries CSP](cm-cellularentries-csp.md) +- [Defender CSP](defender-csp.md) +- [DevDetail CSP](devdetail-csp.md) +- [DeviceManageability CSP](devicemanageability-csp.md) +- [DeviceStatus CSP](devicestatus-csp.md) +- [DevInfo CSP](devinfo-csp.md) +- [DiagnosticLog CSP](diagnosticlog-csp.md) +- [DMAcc CSP](dmacc-csp.md) +- [DMClient CSP](dmclient-csp.md) +- [EMAIL2 CSP](email2-csp.md) +- [EnterpriseAPN CSP](enterpriseapn-csp.md) +- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) +- [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) +- [HealthAttestation CSP](healthattestation-csp.md) +- [NAP CSP](nap-csp.md) +- [NAPDEF CSP](napdef-csp.md) +- [NetworkProxy CSP](networkproxy-csp.md) +- [NodeCache CSP](nodecache-csp.md) +- [PassportForWork CSP](passportforwork-csp.md) +- [Policy CSP](policy-configuration-service-provider.md) +- [Provisioning CSP](provisioning-csp.md) +- [PROXY CSP](proxy-csp.md) +- [PXLOGICAL CSP](pxlogical-csp.md) +- [Reboot CSP](reboot-csp.md) +- [RemoteFind CSP](remotefind-csp.md) +- [RemoteWipe CSP](remotewipe-csp.md) +- [Reporting CSP](reporting-csp.md) +- [RootCATrustedCertificates CSP](rootcacertificates-csp.md) +- [SecureAssessment CSP](secureassessment-csp.md) +- [SecurityPolicy CSP](securitypolicy-csp.md) +- [SharedPC CSP](sharedpc-csp.md) +- [Storage CSP](storage-csp.md) +- [SUPL CSP](supl-csp.md) +- [Update CSP](update-csp.md) +- [VPNv2 CSP](vpnv2-csp.md) +- [WiFi CSP](wifi-csp.md) +- [Win32AppInventory CSP](win32appinventory-csp.md) +- [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md) +- [WindowsLicensing CSP](windowslicensing-csp.md) diff --git a/windows/client-management/mdm/create-a-custom-configuration-service-provider.md b/windows/client-management/mdm/create-a-custom-configuration-service-provider.md index c2611732f7..1d424f8364 100644 --- a/windows/client-management/mdm/create-a-custom-configuration-service-provider.md +++ b/windows/client-management/mdm/create-a-custom-configuration-service-provider.md @@ -1,15 +1,12 @@ --- title: Create a custom configuration service provider description: Create a custom configuration service provider -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 0cb37f03-5bf2-4451-8276-23f4a1dee33f -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Create a custom configuration service provider diff --git a/windows/client-management/mdm/customdeviceui-csp.md b/windows/client-management/mdm/customdeviceui-csp.md index 383d5c9222..955159f333 100644 --- a/windows/client-management/mdm/customdeviceui-csp.md +++ b/windows/client-management/mdm/customdeviceui-csp.md @@ -1,15 +1,12 @@ --- title: CustomDeviceUI CSP description: CustomDeviceUI CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 20ED1867-7B9E-4455-B397-53B8B15C95A3 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # CustomDeviceUI CSP diff --git a/windows/client-management/mdm/customdeviceui-ddf.md b/windows/client-management/mdm/customdeviceui-ddf.md index 062cbc615c..d44a97a49e 100644 --- a/windows/client-management/mdm/customdeviceui-ddf.md +++ b/windows/client-management/mdm/customdeviceui-ddf.md @@ -1,15 +1,12 @@ --- title: CustomDeviceUI DDF description: CustomDeviceUI DDF -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: E6D6B902-C57C-48A6-9654-CCBA3898455E -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # CustomDeviceUI DDF diff --git a/windows/client-management/mdm/data-structures-windows-store-for-business.md b/windows/client-management/mdm/data-structures-windows-store-for-business.md index 0232b01dbe..18b093df38 100644 --- a/windows/client-management/mdm/data-structures-windows-store-for-business.md +++ b/windows/client-management/mdm/data-structures-windows-store-for-business.md @@ -3,16 +3,13 @@ title: Data structures for Windows Store for Business MS-HAID: - 'p\_phdevicemgmt.business\_store\_data\_structures' - 'p\_phDeviceMgmt.data\_structures\_windows\_store\_for\_business' -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: ABE44EC8-CBE5-4775-BA8A-4564CB73531B description: -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Data structures for Windows Store for Business diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 4bd4c9f828..71e91e480e 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -1,15 +1,12 @@ --- title: Defender CSP description: Defender CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 481AA74F-08B2-4A32-B95D-5A3FD05B335C -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Defender CSP diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index 007b3ddb41..f6856761c6 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md @@ -1,15 +1,12 @@ --- title: Defender DDF file description: Defender DDF file -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 39B9E6CF-4857-4199-B3C3-EC740A439F65 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Defender DDF file diff --git a/windows/client-management/mdm/design-a-custom-windows-csp.md b/windows/client-management/mdm/design-a-custom-windows-csp.md index a774358ba9..ed969ccbee 100644 --- a/windows/client-management/mdm/design-a-custom-windows-csp.md +++ b/windows/client-management/mdm/design-a-custom-windows-csp.md @@ -4,15 +4,12 @@ description: Design a custom configuration service provider MS-HAID: - 'p\_phDeviceMgmt.designing\_a\_custom\_configuration\_service\_provider' - 'p\_phDeviceMgmt.design\_a\_custom\_windows\_csp' -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 0fff9516-a71a-4036-a57b-503ef1a81a37 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Design a custom configuration service provider diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md index 7995dfe17d..40ee770991 100644 --- a/windows/client-management/mdm/devdetail-csp.md +++ b/windows/client-management/mdm/devdetail-csp.md @@ -1,15 +1,12 @@ --- title: DevDetail CSP description: DevDetail CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 719bbd2d-508d-439b-b175-0874c7e6c360 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # DevDetail CSP diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md index 44978a8d9f..e7fbbcac7a 100644 --- a/windows/client-management/mdm/devdetail-ddf-file.md +++ b/windows/client-management/mdm/devdetail-ddf-file.md @@ -1,15 +1,12 @@ --- title: DevDetail DDF file description: DevDetail DDF file -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 645fc2b5-2d2c-43b1-9058-26bedbe9f00d -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # DevDetail DDF file diff --git a/windows/client-management/mdm/developersetup-csp.md b/windows/client-management/mdm/developersetup-csp.md index 2d0adc299e..1a00b5f67c 100644 --- a/windows/client-management/mdm/developersetup-csp.md +++ b/windows/client-management/mdm/developersetup-csp.md @@ -1,15 +1,12 @@ --- title: DeveloperSetup CSP description: The DeveloperSetup configuration service provider (CSP) is used to configure developer mode on the device. This CSP was added in the next major update of Windows 10. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # DeveloperSetup CSP diff --git a/windows/client-management/mdm/developersetup-ddf.md b/windows/client-management/mdm/developersetup-ddf.md index b5f6b24d0a..b9a3348cca 100644 --- a/windows/client-management/mdm/developersetup-ddf.md +++ b/windows/client-management/mdm/developersetup-ddf.md @@ -1,15 +1,12 @@ --- title: DeveloperSetup DDF file description: This topic shows the OMA DM device description framework (DDF) for the DeveloperSetup configuration service provider. This CSP was added in Windows 10, version 1703. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # DeveloperSetup DDF file diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index 4b038d4122..724d2abe69 100644 --- a/windows/client-management/mdm/device-update-management.md +++ b/windows/client-management/mdm/device-update-management.md @@ -1,15 +1,12 @@ --- title: Device update management description: In the current device landscape of PC, tablets, phones, and IoT devices, the Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: C27BAEE7-2890-4FB7-9549-A6EACC790777 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- diff --git a/windows/client-management/mdm/deviceinstanceservice-csp.md b/windows/client-management/mdm/deviceinstanceservice-csp.md index d79ad2c02d..55339fb966 100644 --- a/windows/client-management/mdm/deviceinstanceservice-csp.md +++ b/windows/client-management/mdm/deviceinstanceservice-csp.md @@ -1,15 +1,12 @@ --- title: DeviceInstanceService CSP description: DeviceInstanceService CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: f113b6bb-6ce1-45ad-b725-1b6610721e2d -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # DeviceInstanceService CSP diff --git a/windows/client-management/mdm/devicelock-csp.md b/windows/client-management/mdm/devicelock-csp.md index 38770ab2e9..47a36d95c3 100644 --- a/windows/client-management/mdm/devicelock-csp.md +++ b/windows/client-management/mdm/devicelock-csp.md @@ -1,15 +1,12 @@ --- title: DeviceLock CSP description: DeviceLock CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 9a547efb-738e-4677-95d3-5506d350d8ab -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # DeviceLock CSP diff --git a/windows/client-management/mdm/devicelock-ddf-file.md b/windows/client-management/mdm/devicelock-ddf-file.md index b5e4ffdda4..466bcbbf38 100644 --- a/windows/client-management/mdm/devicelock-ddf-file.md +++ b/windows/client-management/mdm/devicelock-ddf-file.md @@ -1,15 +1,12 @@ --- title: DeviceLock DDF file description: DeviceLock DDF file -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 46a691b9-6350-4987-bfc7-f8b1eece3ad9 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # DeviceLock DDF file diff --git a/windows/client-management/mdm/devicemanageability-csp.md b/windows/client-management/mdm/devicemanageability-csp.md index 32076d5301..8adc363d59 100644 --- a/windows/client-management/mdm/devicemanageability-csp.md +++ b/windows/client-management/mdm/devicemanageability-csp.md @@ -1,15 +1,12 @@ --- title: DeviceManageability CSP description: The DeviceManageability configuration service provider (CSP) is used retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: FE563221-D5B5-4EFD-9B60-44FE4066B0D2 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # DeviceManageability CSP diff --git a/windows/client-management/mdm/devicemanageability-ddf.md b/windows/client-management/mdm/devicemanageability-ddf.md index e09aa33beb..1adb50855e 100644 --- a/windows/client-management/mdm/devicemanageability-ddf.md +++ b/windows/client-management/mdm/devicemanageability-ddf.md @@ -1,15 +1,12 @@ --- title: DeviceManageability DDF description: This topic shows the OMA DM device description framework (DDF) for the DeviceManageability configuration service provider. This CSP was added in Windows 10, version 1607. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: D7FA8D51-95ED-40D2-AA84-DCC4BBC393AB -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # DeviceManageability DDF diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index 5402d8bf31..e89043b5c1 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md @@ -1,15 +1,12 @@ --- title: DeviceStatus CSP description: The DeviceStatus configuration service provider is used by the enterprise to keep track of device inventory and query the state of compliance of these devices with their enterprise policies. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 039B2010-9290-4A6E-B77B-B2469B482360 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # DeviceStatus CSP diff --git a/windows/client-management/mdm/devicestatus-ddf.md b/windows/client-management/mdm/devicestatus-ddf.md index 54ca1a523e..b0e6ad935c 100644 --- a/windows/client-management/mdm/devicestatus-ddf.md +++ b/windows/client-management/mdm/devicestatus-ddf.md @@ -1,15 +1,12 @@ --- title: DeviceStatus DDF description: This topic shows the OMA DM device description framework (DDF) for the DeviceStatus configuration service provider. DDF files are used only with OMA DM provisioning XML. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 780DC6B4-48A5-4F74-9F2E-6E0D88902A45 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # DeviceStatus DDF diff --git a/windows/client-management/mdm/devinfo-csp.md b/windows/client-management/mdm/devinfo-csp.md index 221125f2b6..b11d4a12cf 100644 --- a/windows/client-management/mdm/devinfo-csp.md +++ b/windows/client-management/mdm/devinfo-csp.md @@ -1,15 +1,12 @@ --- title: DevInfo CSP description: DevInfo CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: d3eb70db-1ce9-4c72-a13d-651137c1713c -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # DevInfo CSP diff --git a/windows/client-management/mdm/devinfo-ddf-file.md b/windows/client-management/mdm/devinfo-ddf-file.md index 8e41569f6f..0ee45fd363 100644 --- a/windows/client-management/mdm/devinfo-ddf-file.md +++ b/windows/client-management/mdm/devinfo-ddf-file.md @@ -1,15 +1,12 @@ --- title: DevInfo DDF file description: DevInfo DDF file -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: beb07cc6-4133-4c0f-aa05-64db2b4a004f -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # DevInfo DDF file diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md index b64b4d7e22..d4c94639bd 100644 --- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md +++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md @@ -1,15 +1,12 @@ --- title: Diagnose MDM failures in Windows 10 description: To help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server, you can examine the MDM logs collected from the desktop or mobile device. The following sections describe the procedures for collecting MDM logs. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 12D8263B-D839-4B19-9346-31E0CDD0CBF9 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Diagnose MDM failures in Windows 10 diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md index 9ca2099bf6..da0d026cab 100644 --- a/windows/client-management/mdm/diagnosticlog-csp.md +++ b/windows/client-management/mdm/diagnosticlog-csp.md @@ -1,15 +1,12 @@ --- title: DiagnosticLog CSP description: DiagnosticLog CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: F76E0056-3ACD-48B2-BEA1-1048C96571C3 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # DiagnosticLog CSP diff --git a/windows/client-management/mdm/diagnosticlog-ddf.md b/windows/client-management/mdm/diagnosticlog-ddf.md index eac5538d83..48154f0bad 100644 --- a/windows/client-management/mdm/diagnosticlog-ddf.md +++ b/windows/client-management/mdm/diagnosticlog-ddf.md @@ -1,15 +1,12 @@ --- title: DiagnosticLog DDF description: DiagnosticLog DDF -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 9DD75EDA-5913-45B4-9BED-20E30CDEBE16 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # DiagnosticLog DDF diff --git a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md index f9d18d62b9..29889b69f1 100644 --- a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md +++ b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md @@ -4,15 +4,12 @@ description: Disconnecting may be initiated either locally by the user from the MS-HAID: - 'p\_phdevicemgmt.disconnecting\_from\_the\_management\_infrastructure\_\_unenrollment\_' - 'p\_phDeviceMgmt.disconnecting\_from\_mdm\_unenrollment' -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 33B2B248-631B-451F-B534-5DA095C4C8E8 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md index d88c945408..df7701702a 100644 --- a/windows/client-management/mdm/dmacc-csp.md +++ b/windows/client-management/mdm/dmacc-csp.md @@ -1,15 +1,12 @@ --- title: DMAcc CSP description: DMAcc CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 43e73d8a-6617-44e7-8459-5c96f4422e63 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # DMAcc CSP diff --git a/windows/client-management/mdm/dmacc-ddf-file.md b/windows/client-management/mdm/dmacc-ddf-file.md index ec803dc8cc..dbca78b881 100644 --- a/windows/client-management/mdm/dmacc-ddf-file.md +++ b/windows/client-management/mdm/dmacc-ddf-file.md @@ -1,15 +1,12 @@ --- title: DMAcc DDF file description: DMAcc DDF file -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 44dc99aa-2a85-498b-8f52-a81863765606 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # DMAcc DDF file diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index ef09308e53..59c7ae444e 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md @@ -1,15 +1,12 @@ --- title: DMClient CSP description: The DMClient configuration service provider is used to specify additional enterprise-specific mobile device management configuration settings for identifying the device in the enterprise domain, security mitigation for certificate renewal, and server-triggered enterprise unenrollment. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: a5cf35d9-ced0-4087-a247-225f102f2544 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # DMClient CSP diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md index 1e585b2aae..85bc763412 100644 --- a/windows/client-management/mdm/dmclient-ddf-file.md +++ b/windows/client-management/mdm/dmclient-ddf-file.md @@ -1,15 +1,12 @@ --- title: DMClient DDF file description: DMClient DDF file -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: A21B33AF-DB76-4059-8170-FADF2CB898A0 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # DMClient DDF file diff --git a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md index b4cb648b0b..c78e43cc7d 100644 --- a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md +++ b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md @@ -1,9 +1,6 @@ --- title: DMProcessConfigXMLFiltered function description: Configures phone settings by using OMA Client Provisioning XML. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' Search.Refinement.TopicID: 184 ms.assetid: 31D79901-6206-454C-AE78-9B85A3B3487F keywords: ["DMProcessConfigXMLFiltered function"] @@ -15,11 +12,11 @@ api_location: - dmprocessxmlfiltered.dll api_type: - DllExport -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # DMProcessConfigXMLFiltered function diff --git a/windows/client-management/mdm/dmsessionactions-csp.md b/windows/client-management/mdm/dmsessionactions-csp.md index ac58e9d890..17fa2ec201 100644 --- a/windows/client-management/mdm/dmsessionactions-csp.md +++ b/windows/client-management/mdm/dmsessionactions-csp.md @@ -1,14 +1,11 @@ --- title: DMSessionActions CSP description: DMSessionActions CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # DMSessionActions CSP diff --git a/windows/client-management/mdm/dmsessionactions-ddf.md b/windows/client-management/mdm/dmsessionactions-ddf.md index 02f826d653..1983b804cc 100644 --- a/windows/client-management/mdm/dmsessionactions-ddf.md +++ b/windows/client-management/mdm/dmsessionactions-ddf.md @@ -1,14 +1,11 @@ --- title: DMSessionActions DDF file description: DMSessionActions DDF file -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # DMSessionActions DDF file diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md index 0d1719a0f7..b0a286169f 100644 --- a/windows/client-management/mdm/dynamicmanagement-csp.md +++ b/windows/client-management/mdm/dynamicmanagement-csp.md @@ -1,14 +1,11 @@ --- title: DynamicManagement CSP description: DynamicManagement CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # DynamicManagement CSP diff --git a/windows/client-management/mdm/dynamicmanagement-ddf.md b/windows/client-management/mdm/dynamicmanagement-ddf.md index 85d5d0d84d..c1b15243de 100644 --- a/windows/client-management/mdm/dynamicmanagement-ddf.md +++ b/windows/client-management/mdm/dynamicmanagement-ddf.md @@ -1,15 +1,12 @@ --- title: DynamicManagement DDF file description: DynamicManagement DDF file -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 7e266db0-2fd9-4412-b428-4550f41a1738 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # DynamicManagement DDF file diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md index 73dba1be35..23d7112ba0 100644 --- a/windows/client-management/mdm/eap-configuration.md +++ b/windows/client-management/mdm/eap-configuration.md @@ -1,15 +1,12 @@ --- title: EAP configuration description: The topic provides a step-by-step guide for creating an Extensible Authentication Protocol (EAP) configuration XML for the VPN profile and information about EAP certificate filtering in Windows 10. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: DD3F2292-4B4C-4430-A57F-922FED2A8FAE -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # EAP configuration diff --git a/windows/client-management/mdm/email2-csp.md b/windows/client-management/mdm/email2-csp.md index 0447cef4b7..54fe0d1273 100644 --- a/windows/client-management/mdm/email2-csp.md +++ b/windows/client-management/mdm/email2-csp.md @@ -1,15 +1,12 @@ --- title: EMAIL2 CSP description: EMAIL2 CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: bcfc9d98-bc2e-42c6-9b81-0b5bf65ce2b8 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # EMAIL2 CSP diff --git a/windows/client-management/mdm/email2-ddf-file.md b/windows/client-management/mdm/email2-ddf-file.md index c43030646c..58614e459a 100644 --- a/windows/client-management/mdm/email2-ddf-file.md +++ b/windows/client-management/mdm/email2-ddf-file.md @@ -1,15 +1,12 @@ --- title: EMAIL2 DDF file description: EMAIL2 DDF file -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 7e266db0-2fd9-4412-b428-4550f41a1738 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # EMAIL2 DDF file diff --git a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md index 3ba2111904..6fc5284a64 100644 --- a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md +++ b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md @@ -1,15 +1,12 @@ --- title: Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices description: Like any Windows devices, Windows 10 Mobile devices use Microsoft Update by default to download updates over the Internet. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: ED3DAF80-847C-462B-BDB1-486577906772 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices diff --git a/windows/client-management/mdm/enterprise-app-management.md b/windows/client-management/mdm/enterprise-app-management.md index 39b6750b5c..d6b71a088d 100644 --- a/windows/client-management/mdm/enterprise-app-management.md +++ b/windows/client-management/mdm/enterprise-app-management.md @@ -1,15 +1,12 @@ --- title: Enterprise app management description: This topic covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 225DEE61-C3E3-4F75-BC79-5068759DFE99 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Enterprise app management diff --git a/windows/client-management/mdm/enterpriseapn-csp.md b/windows/client-management/mdm/enterpriseapn-csp.md index b68a89083d..c61db977e9 100644 --- a/windows/client-management/mdm/enterpriseapn-csp.md +++ b/windows/client-management/mdm/enterpriseapn-csp.md @@ -1,15 +1,12 @@ --- title: EnterpriseAPN CSP description: The EnterpriseAPN configuration service provider is used by the enterprise to provision an APN for the Internet. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: E125F6A5-EE44-41B1-A8CC-DF295082E6B2 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # EnterpriseAPN CSP diff --git a/windows/client-management/mdm/enterpriseapn-ddf.md b/windows/client-management/mdm/enterpriseapn-ddf.md index 80ddc0cd38..8d656ebb72 100644 --- a/windows/client-management/mdm/enterpriseapn-ddf.md +++ b/windows/client-management/mdm/enterpriseapn-ddf.md @@ -1,15 +1,12 @@ --- title: EnterpriseAPN DDF description: EnterpriseAPN DDF -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: A953ADEF-4523-425F-926C-48DA62EB9E21 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # EnterpriseAPN DDF diff --git a/windows/client-management/mdm/enterpriseappmanagement-csp.md b/windows/client-management/mdm/enterpriseappmanagement-csp.md index bc20aed7de..4067c76438 100644 --- a/windows/client-management/mdm/enterpriseappmanagement-csp.md +++ b/windows/client-management/mdm/enterpriseappmanagement-csp.md @@ -1,15 +1,12 @@ --- title: EnterpriseAppManagement CSP description: EnterpriseAppManagement CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 698b8bf4-652e-474b-97e4-381031357623 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # EnterpriseAppManagement CSP diff --git a/windows/client-management/mdm/enterpriseappvmanagement-csp.md b/windows/client-management/mdm/enterpriseappvmanagement-csp.md index 18fc2e083f..17b4288eb5 100644 --- a/windows/client-management/mdm/enterpriseappvmanagement-csp.md +++ b/windows/client-management/mdm/enterpriseappvmanagement-csp.md @@ -1,14 +1,11 @@ --- title: EnterpriseAppVManagement CSP description: EnterpriseAppVManagement CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # EnterpriseAppVManagement CSP diff --git a/windows/client-management/mdm/enterpriseappvmanagement-ddf.md b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md index 05d5811f5b..19c14ddfc4 100644 --- a/windows/client-management/mdm/enterpriseappvmanagement-ddf.md +++ b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md @@ -1,14 +1,11 @@ --- title: EnterpriseAppVManagement DDF file description: EnterpriseAppVManagement DDF file -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # EnterpriseAppVManagement DDF file diff --git a/windows/client-management/mdm/enterpriseassignedaccess-csp.md b/windows/client-management/mdm/enterpriseassignedaccess-csp.md index 36a8f79379..ed4d8e0a6e 100644 --- a/windows/client-management/mdm/enterpriseassignedaccess-csp.md +++ b/windows/client-management/mdm/enterpriseassignedaccess-csp.md @@ -1,15 +1,12 @@ --- title: EnterpriseAssignedAccess CSP description: EnterpriseAssignedAccess CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 5F88E567-77AA-4822-A0BC-3B31100639AA -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # EnterpriseAssignedAccess CSP @@ -19,9 +16,8 @@ The EnterpriseAssignedAccess configuration service provider allows IT administra > **Note**   The EnterpriseAssignedAccess CSP is only supported in Windows 10 Mobile. -  -For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](https://msdn.microsoft.com/library/windows/hardware/mt186983). +To use an app to create a lockdown XML see [Use the Lockdown Designer app to create a Lockdown XML file](https://docs.microsoft.com/en-us/windows/configuration/mobile-devices/mobile-lockdown-designer). For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](https://msdn.microsoft.com/library/windows/hardware/mt186983). The following diagram shows the EnterpriseAssignedAccess configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning. @@ -47,137 +43,103 @@ When using the AssignedAccessXml in the EnterpriseAssignedAccess CSP through an When using the AssignedAccessXml in a provisioning package using the Windows Imaging and Configuration Designer (ICD) tool, do not use escaped characters. -  +Entry | Description +----------- | ------------ +ActionCenter | You can enable or disable the Action Center (formerly known as Notification Center) on the device. Set to true to enable the Action Center, or set to false to disable the Action Center. +ActionCenter | Example: `` +ActionCenter | In Windows 10, when the Action Center is disabled, Above Lock notifications and toasts are also disabled. When the Action Center is enabled, the following policies are also enabled; **AboveLock/AllowActionCenterNotifications** and **AboveLock/AllowToasts**. For more information about these policies, see [Policy CSP](policy-configuration-service-provider.md) +ActionCenter | You can also add the following optional attributes to the ActionCenter element to override the default behavior: **aboveLockToastEnabled** and **actionCenterNotificationEnabled**. Valid values are 0 (policy disabled), 1 (policy enabled), and -1 (not set, policy enabled). In this example, the Action Center is enabled and both policies are disabled.: `` +ActionCenter | These optional attributes are independent of each other. In this example, Action Center is enabled, the notifications policy is disabled, and the toast policy is enabled by default because it is not set. `` +StartScreenSize | Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions. Valid values: **Small** - sets the width to 4 columns on device with short axis <400epx or 6 columns on devices with short axis >=400epx. **Large** - sets the width to 6 columns on devices with short axis <400epx or 8 columns on devices with short axis >=400epx. +StartScreenSize | If you have existing lockdown XML, you must update it if your device has >=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4. Example: `Large` +Application | Provide the product ID for each app that will be available on the device. You can find the product ID for a locally developed app in the AppManifest.xml file of the app. For the list of product ID and AUMID see [ProductIDs in Windows 10 Mobile](#productid). +Application | To turn on the notification for a Windows app, you must include the application's AUMID in the lockdown XML. However, the user can change the setting at any time from user interface. Example: `` +Application | modern app notification +Application | Include PinToStart to display an app on the Start screen. For apps pinned to the Start screen, identify a tile size (small, medium, or large), and a location. The size of a small tile is 1 column x 1 row, a medium tile is 2 x 2, and a large tile is 4 x 2. For the tile location, the first value indicates the column and the second value indicates the row. A value of 0 (zero) indicates the first column, a value of 1 indicates the second column, and so on. Include autoRun as an attribute to configure the application to run automatically. + +Application example: +``` syntax + + + Large + + 0 + 2 + + + +``` + +Entry | Description +----------- | ------------ +Application | Multiple App Packages enable multiple apps to exist inside the same package. Since ProductIds identify packages and not applications, specifying a ProductId is not enough to distinguish between individual apps inside a multiple app package. Trying to include application from a multiple app package with just a ProductId can result in unexpected behavior. To support pinning applications in multiple app packages, use an AUMID parameter in lockdown XML. For the list of product ID and AUMID, see [ProductIDs in Windows 10 Mobile](#productid). The following example shows how to pin both Outlook mail and Outlook calendar. + +Application example: +``` syntax + + + + + Large + + 1 + 4 + + + + + + + Large + + 1 + 6 + + + + +``` + +Entry | Description +----------- | ------------ +Folder | A folder should be contained in <Applications/> node among with other <Application/> nodes, it shares most grammar with the Application Node, **folderId** is mandatory, **folderName** is optional, which is the folder name displayed on Start. **folderId** is a unique unsigned integer for each folder. + +Folder example: +``` syntax + + + Large + + 0 + 2 + + + +``` +An application that belongs in the folder would add an optional attribute **ParentFolderId**, which maps to **folderId** of the folder. In this case, the location of this application will be located inside the folder. + +``` syntax + + + Medium + + 0 + 0 + + 2 + + +``` + +Entry | Description +----------- | ------------ +Settings | Starting in Windows 10, version 1511, you can specify the following settings pages in the lockdown XML file. + +> [!Important] +> Do not specify a group entry without a page entry because it will cause an undefined behavior. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EntryDescription

ActionCenter

You can enable or disable the Action Center (formerly known as Notification Center) on the device. Set to true to enable the Action Center, or set to false to disable the Action Center.

-

Example:

-
<ActionCenter enabled="true"></ActionCenter>
-

In Windows 10, when the Action Center is disabled, Above Lock notifications and toasts are also disabled. When the Action Center is enabled, the following policies are also enabled:

-
    -
  • AboveLock/AllowActionCenterNotifications
    • -
  • AboveLock/AllowToasts
    • -
-

For more information about these policies, see [Policy CSP](policy-configuration-service-provider.md)

-

You can also add the following optional attributes to the ActionCenter element to override the default behavior:

-
    -
  • aboveLockToastEnabled
    • -
  • actionCenterNotificationEnabled
    • -
-

Valid values are 0 (policy disabled), 1 (policy enabled), and -1 (not set, policy enabled).

-

In this example, the Action Center is enabled and both policies are disabled.

-
<ActionCenter enabled="true" aboveLockToastEnabled="0" actionCenterNotificationEnabled="0"/>
-

These optional attributes are independent of each other.

-

In this example, Action Center is enabled, the notifications policy is disabled, and the toast policy is enabled by default because it is not set.

-
<ActionCenter enabled="true" actionCenterNotificationEnabled="0"/>

StartScreenSize

Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions.

-

Valid values:

-
    -
  • Small sets the width to 4 columns on device with short axis <400epx or 6 columns on devices with short axis >=400epx.
    • -
  • Large sets the width to 6 columns on devices with short axis <400epx or 8 columns on devices with short axis >=400epx.
    • -
-

If you have existing lockdown XML, you must update it if your device has >=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4.

-

Example:

-
<StartScreenSize>Large</StartScreenSize>

Application

Provide the product ID for each app that will be available on the device.

-

You can find the product ID for a locally developed app in the AppManifest.xml file of the app. For the list of product ID and AUMID see [ProductIDs in Windows 10 Mobile](#productid).

-

To turn on the notification for a Windows app, you must include the application's AUMID in the lockdown XML. However, the user can change the setting at any time from user interface.

-
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail"/>
-modern app notification -

Include PinToStart to display an app on the Start screen. For apps pinned to the Start screen, identify a tile size (small, medium, or large), and a location. The size of a small tile is 1 column x 1 row, a medium tile is 2 x 2, and a large tile is 4 x 2.

-

For the tile location, the first value indicates the column and the second value indicates the row. A value of 0 indicates the first column, a value of 1 indicates the second column, and so on.

-

Include autoRun as an attribute to configure the application to run automatically.

-

Example:

-
<Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}" autoRun="true">
-   <PinToStart>
-      <Size>Large</Size>
-      <Location>
-         <LocationX>0</LocationX>
-         <LocationY>2</LocationY>
-      </Location>
-   </PinToStart>
-</Application>
-

Multiple App Packages enable multiple apps to exist inside the same package. Since ProductIds identify packages and not applications, specifying a ProductId is not enough to distinguish between individual apps inside a multiple app package. Trying to include application from a multiple app package with just a ProductId can result in unexpected behavior.

-

To support pinning applications in multiple app packages, use an AUMID parameter in lockdown XML. For the list of product ID and AUMID, see [ProductIDs in Windows 10 Mobile](#productid). The following example shows how to pin both Outlook mail and Outlook calendar.

-
<Apps>
-    <!-- Outlook Calendar -->
-    <Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" 
-aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar">
-        <PinToStart>
-            <Size>Large</Size>
-            <Location>
-                <LocationX>1</LocationX>
-                <LocationY>4</LocationY>
-            </Location>
-        </PinToStart>
-    </Application>
-    <!-- Outlook Mail-->
-    <Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" 
-aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail">
-        <PinToStart>
-            <Size>Large</Size>
-            <Location>
-                <LocationX>1</LocationX>
-                <LocationY>6</LocationY>
-            </Location>
-        </PinToStart>
-    </Application>
-</Apps>

Folder

A folder should be contained in <Applications/> node among with other <Application/> nodes, it shares most grammar with the Application Node, folderId is mandatory, folderName is optional, which is the folder name displayed on Start. folderId is a unique unsigned integer for each folder.

-

For example:

-
<Application folderId="4" folderName="foldername">
-    <PinToStart>
-        <Size>Large</Size>
-        <Location>
-            <LocationX>0</LocationX>
-            <LocationY>2</LocationY>
-        </Location>
-    </PinToStart>
-</Application>
-

An application that belongs in the folder would add an optional attribute ParentFolderId, which maps to folderId of the folder. In this case, the location of this application will be located inside the folder.

-
<Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}">
-    <PinToStart>
-        <Size>Medium</Size>
-        <Location>
-            <LocationX>0</LocationX>
-            <LocationY>0</LocationY>
-        </Location>
-        <ParentFolderId>2</ParentFolderId>
-    </PinToStart>
-</Application>

Settings

Settings pages

-

Starting in Windows 10, version 1511, you can specify the following settings pages in the lockdown XML file.

-
-Important  Do not specify a group entry without a page entry because it will cause an undefined behavior. -
-
-  -
  • System (main menu) - SettingsPageGroupPCSystem
      @@ -281,9 +243,14 @@ aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowsl
    • Extensibility - SettingsPageExtensibility
-

Quick action settings

-

Starting in Windows 10, version 1511, you can specify the following quick action settings in the lockdown XML file. The following list shows the quick action settings and settings page dependencies (group and page).

-

Note: Only Windows 10, versions 1511 and 1607, the dependent settings group and pages are automatically added when the quick action item is specified in the lockdown XML. This statement does not apply to Windows 10, version 1703.

+ +**Quick action settings** + +Starting in Windows 10, version 1511, you can specify the following quick action settings in the lockdown XML file. The following list shows the quick action settings and settings page dependencies (group and page). + +> [!Note] +> Only Windows 10, versions 1511 and 1607, the dependent settings group and pages are automatically added when the quick action item is specified in the lockdown XML. This statement does not apply to Windows 10, version 1703. +

  • SystemSettings_System_Display_QuickAction_Brightness

    Dependencies - SettingsPageSystemDisplay, SettingsPageDisplay

    • @@ -318,277 +285,265 @@ aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowsl

  • SystemSettings_QuickAction_Camera

    Dependencies - none

-

In this example, all settings pages and quick action settings are allowed. An empty <Settings> node indicates that none of the settings are blocked.

-
<Settings>
-</Settings>
-

In this example, all System setting pages are enabled. Note that the System page group is added as well as all of the System subpage names.

-
<Settings> 
-  <System name="SettingsPageGroupPCSystem" /> 
-  <System name="SettingsPageDisplay" /> 
-  <System name="SettingsPageAppsNotifications" />
-  <System name="SettingsPageCalls" />
-  <System name="SettingsPageMessaging" /> 
-  <System name="SettingsPageBatterySaver" /> 
-  <System name="SettingsPageStorageSenseStorageOverview" />
-  <System name="SettingsPageGroupPCSystemDeviceEncryption" /> 
-  <System name="SettingsPageDrivingMode" /> 
-  <System name="SettingsPagePCSystemInfo" /> 
- </Settings>
-

To remove access to all of the settings in the system, the settings application would simply not be listed in the app list for a particular role.

Buttons

The following list identifies the hardware buttons on the device that you can lock down in ButtonLockdownList. When a user taps a button that is in the lockdown list, nothing will happen.

+ +In this example, all settings pages and quick action settings are allowed. An empty \ node indicates that none of the settings are blocked. + +``` syntax + + +``` + +In this example, all System setting pages are enabled. Note that the System page group is added as well as all of the System subpage names. + +``` syntax + + + + + + + + + + + + +``` + +Entry | Description +----------- | ------------ +Buttons | The following list identifies the hardware buttons on the device that you can lock down in ButtonLockdownList. When a user taps a button that is in the lockdown list, nothing will happen. +

  • Start

    -
    -Note   -

    Lock down of the Start button only prevents the press and hold event.

    -
    -
    -  -

  • Back

  • Search

  • Camera

  • Custom1

  • Custom2

    • -

  • Custom3

    -
    -Note   -

    Custom buttons are hardware buttons that can be added to devices by OEMs.

    -
    -
    -  -
    • +

  • Custom3

-

Example:

-
<Buttons>
-   <ButtonLockdownList>
-      <!-- Lockdown all buttons -->
-         <Button name="Search">
-         </Button>
-         <Button name="Camera">
-         </Button>
-         <Button name="Custom1">
-         </Button>
-         <Button name="Custom2">
-         </Button>
-         <Button name="Custom3">
-         </Button>
-   </ButtonLockdownList>
-

The Search and custom buttons can be remapped or configured to open a specific application. Button remapping takes effect for the device and applies to all users.

-
-Note   -

The lockdown settings for a button, per user role, will apply regardless of the button mapping.

-
-
-  -
-
-Warning   -

Button remapping can enable a user to open an application that is not in the Allow list. Use button lock down to prevent application access for a user role.

-
-
-  -
-

To remap a button in lockdown XML, you supply the button name, the button event (typically "press"), and the product ID for the application the button will open.

-

Example:

-
<ButtonRemapList>
-   <Button name="Search">
-      <ButtonEvent name="Press">
-         <!-- Alarms -->
-         <Application productId="{08179793-ED2E-45EA-BA12-BDE3EE9C3CE3}" parameters="" />
-          </ButtonEvent>
-   </Button>
-</ButtonRemapList>
-

Disabling navigation buttons

-

To disable navigation buttons (such as Home or Back) in lockdown XML, you supply the name (for example, Start) and button event (typically "press").

-

The following section contains a sample lockdown XML file that shows how to disable navigation buttons.

-

Example:

-
<?xml version="1.0" encoding="utf-8"?>
-<HandheldLockdown version="1.0" >
-    <Default>
-        <ActionCenter enabled="false" />
-        <Apps>
-            <!-- Settings -->
-            <Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}">
-                <PinToStart>
-                    <Size>Large</Size>
-                    <Location>
-                        <LocationX>0</LocationX>
-                        <LocationY>0</LocationY>
-                    </Location>
-                </PinToStart>
-            </Application>
 
-            <!-- Phone Apps -->
-            <Application productId="{F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7}">
-                <PinToStart>
-                    <Size>Small</Size>
-                    <Location>
-                        <LocationX>2</LocationX>
-                        <LocationY>2</LocationY>
-                    </Location>
-                </PinToStart>
-            </Application>
-        </Apps>
-        <Buttons>
-            <ButtonLockdownList>
-                <Button name="Start">
-                    <ButtonEvent name="Press" />
-                </Button>
-                <Button name="Back">
-                    <ButtonEvent name="Press" />
-                    <ButtonEvent name="PressAndHold" />
-                </Button>
-                <Button name="Search">
-                    <ButtonEvent name="All" />
-                </Button>
-                <Button name="Camera">
-                    <ButtonEvent name="Press" />
-                    <ButtonEvent name="PressAndHold" />
-                </Button>
-                <Button name="Custom1">
-                    <ButtonEvent name="Press" />
-                    <ButtonEvent name="PressAndHold" />
-                </Button>
-                <Button name="Custom2">
-                    <ButtonEvent name="Press" />
-                    <ButtonEvent name="PressAndHold" />
-                </Button>
-                <Button name="Custom3">
-                    <ButtonEvent name="Press" />
-                    <ButtonEvent name="PressAndHold" />
-                </Button>
-            </ButtonLockdownList>
-            <ButtonRemapList />
-        </Buttons>
-        <MenuItems>
-            <DisableMenuItems/>
-        </MenuItems>
-        <Settings>
-        </Settings>
-        <Tiles>
-            <EnableTileManipulation/>
-        </Tiles>
-        <StartScreenSize>Small</StartScreenSize>
-    </Default>
-</HandheldLockdown>

MenuItems

Use DisableMenuItems to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Programs list. You can include this entry in the default profile and in any additional user role profiles that you create.

-

Example:

-
<MenuItems>
-   <DisableMenuItems/>
-</MenuItems>
-
-Important   -

If DisableMenuItems is not included in a profile, users of that profile can uninstall apps.

-
-
-  -

Tiles

Turning-on tile manipulation

-

By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the user’s profile.

-

If tile manipulation is enabled in the user’s profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile.

-
-Important   -

If a device is turned off then back on, the tiles reset to their predefined layout. If a device has only one profile, the only way to reset the tiles is to turn off then turn on the device. If a device has multiple profiles, the device resets the tiles to the predefined layout based on the logged-in user’s profile.

-
-
-  -
-

The following sample file contains configuration for enabling tile manipulation.

-
-Note   -

Tile manipulation is disabled when you don’t have a <Tiles> node in lockdown XML, or if you have a <Tiles> node but don’t have the <EnableTileManipulation/> node.

-
-
-  -
-

Example:

-
<?xml version="1.0" encoding="utf-8"?>
-<HandheldLockdown version="1.0" >
-    <Default>
-        <ActionCenter enabled="false" />
-        <Apps>
-            <!-- Settings -->
-            <Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}">
-                <PinToStart>
-                    <Size>Large</Size>
-                    <Location>
-                        <LocationX>0</LocationX>
-                        <LocationY>0</LocationY>
-                    </Location>
-                </PinToStart>
-            </Application>
+> [!Note]  
+> Lock down of the Start button only prevents the press and hold event.  
+>
+> Custom buttons are hardware buttons that can be added to devices by OEMs.
 
-            <!-- Phone Apps -->
-            <Application productId="{F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7}">
-                <PinToStart>
-                    <Size>Small</Size>
-                    <Location>
-                        <LocationX>2</LocationX>
-                        <LocationY>2</LocationY>
-                    </Location>
-                </PinToStart>
-            </Application>
-        </Apps>
-        <Buttons>
-            <ButtonLockdownList>
-                <Button name="Start">
-                    <ButtonEvent name="Press" />
-                </Button>
-                <Button name="Back">
-                    <ButtonEvent name="Press" />
-                    <ButtonEvent name="PressAndHold" />
-                </Button>
-                <Button name="Search">
-                    <ButtonEvent name="All" />
-                </Button>
-                <Button name="Camera">
-                    <ButtonEvent name="Press" />
-                    <ButtonEvent name="PressAndHold" />
-                </Button>
-                <Button name="Custom1">
-                    <ButtonEvent name="Press" />
-                    <ButtonEvent name="PressAndHold" />
-                </Button>
-                <Button name="Custom2">
-                    <ButtonEvent name="Press" />
-                    <ButtonEvent name="PressAndHold" />
-                </Button>
-                <Button name="Custom3">
-                    <ButtonEvent name="Press" />
-                    <ButtonEvent name="PressAndHold" />
-                </Button>
-            </ButtonLockdownList>
-            <ButtonRemapList />
-        </Buttons>
-        <MenuItems>
-            <DisableMenuItems/>
-        </MenuItems>
-        <Settings>
-        </Settings>
-        <Tiles>
-            <EnableTileManipulation/>
-        </Tiles>
-        <StartScreenSize>Small</StartScreenSize>
-    </Default>
-</HandheldLockdown>

CSP Runner

Allows CSPs to be executed on the device per user role. You can use this to implement role specific policies, such as changing the color scheme when an admin logs on the device, or to set configurations per role.

+Buttons example: +``` syntax + + + + + + + + + +``` +The Search and custom buttons can be remapped or configured to open a specific application. Button remapping takes effect for the device and applies to all users. +> [!Note] +> The lockdown settings for a button, per user role, will apply regardless of the button mapping. +> +> Button remapping can enable a user to open an application that is not in the Allow list. Use button lock down to prevent application access for a user role. + +To remap a button in lockdown XML, you supply the button name, the button event (typically "press"), and the product ID for the application the button will open. + +``` syntax + + + +``` +**Disabling navigation buttons** +To disable navigation buttons (such as Home or Back) in lockdown XML, you supply the name (for example, Start) and button event (typically "press"). + +The following section contains a sample lockdown XML file that shows how to disable navigation buttons. + +``` syntax + + + + + + + + + Large + + 0 + 0 + + + + + + + + Small + + 2 + 2 + + + + + + + + + + + + + + + + + + + + + + + + + Small + + +``` + +Entry | Description +----------- | ------------ +MenuItems | Use **DisableMenuItems** to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Programs list. You can include this entry in the default profile and in any additional user role profiles that you create. + +> [!Important] +> If **DisableMenuItems** is not included in a profile, users of that profile can uninstall apps. + +MenuItems example: + +``` syntax + + + +``` + +Entry | Description +----------- | ------------ +Tiles | **Turning-on tile manipulation** - By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the user’s profile. If tile manipulation is enabled in the user’s profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile. + +> [!Important] +> If a device is turned off then back on, the tiles reset to their predefined layout. If a device has only one profile, the only way to reset the tiles is to turn off then turn on the device. If a device has multiple profiles, the device resets the tiles to the predefined layout based on the logged-in user’s profile. + +The following sample file contains configuration for enabling tile manipulation. + +> [!Note] +> Tile manipulation is disabled when you don’t have a `` node in lockdown XML, or if you have a `` node but don’t have the `` node. + +``` syntax + + + + + + + + + Large + + 0 + 0 + + + + + + + + Small + + 2 + 2 + + + + + + + + + + + + + + + + + + + + + + + + + Small + + +``` + +Entry | Description +----------- | ------------ +CSP Runner | Allows CSPs to be executed on the device per user role. You can use this to implement role specific policies, such as changing the color scheme when an admin logs on the device, or to set configurations per role.   **LockscreenWallpaper/** @@ -737,6 +692,8 @@ Not supported in Windows 10. Use doWipePersistProvisionedData in [RemoteWipe CS **Clock/TimeZone/** An integer that specifies the time zone of the device. The following table shows the possible values. +Supported operations are Get and Replace. + @@ -1164,9 +1121,6 @@ An integer that specifies the time zone of the device. The following table shows
-  - -Supported operations are Get and Replace. **Locale/Language/** The culture code that identifies the language to display on a device, and specifies the formatting of numbers, currencies, time, and dates. For language values, see [Locale IDs Assigned by Microsoft](http://go.microsoft.com/fwlink/p/?LinkID=189567). @@ -1175,8 +1129,6 @@ The language setting is configured in the Default User profile only. > **Note**  Apply the Locale ID only after the corresponding language packs are built into and supported for the OS image running on the device. The specified language will be applied as the phone language and a restart may be required. -  - Supported operations are Get and Replace. ## OMA client provisioning examples diff --git a/windows/client-management/mdm/enterpriseassignedaccess-ddf.md b/windows/client-management/mdm/enterpriseassignedaccess-ddf.md index 8612e7474d..f98ed740fe 100644 --- a/windows/client-management/mdm/enterpriseassignedaccess-ddf.md +++ b/windows/client-management/mdm/enterpriseassignedaccess-ddf.md @@ -1,15 +1,12 @@ --- title: EnterpriseAssignedAccess DDF description: EnterpriseAssignedAccess DDF -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 8BD6FB05-E643-4695-99A2-633995884B37 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # EnterpriseAssignedAccess DDF diff --git a/windows/client-management/mdm/enterpriseassignedaccess-xsd.md b/windows/client-management/mdm/enterpriseassignedaccess-xsd.md index f1ca1209d9..6d19a5aedd 100644 --- a/windows/client-management/mdm/enterpriseassignedaccess-xsd.md +++ b/windows/client-management/mdm/enterpriseassignedaccess-xsd.md @@ -1,15 +1,12 @@ --- title: EnterpriseAssignedAccess XSD description: EnterpriseAssignedAccess XSD -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: BB3B633E-E361-4B95-9D4A-CE6E08D67ADA -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # EnterpriseAssignedAccess XSD diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md index 4f92f7850b..d75ed17826 100644 --- a/windows/client-management/mdm/enterprisedataprotection-csp.md +++ b/windows/client-management/mdm/enterprisedataprotection-csp.md @@ -1,15 +1,12 @@ --- title: EnterpriseDataProtection CSP description: The EnterpriseDataProtection configuration service provider (CSP) is used to configure Windows Information Protection (WIP) (formerly known as Enterprise Data Protection) specific settings. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: E2D4467F-A154-4C00-9208-7798EF3E25B3 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # EnterpriseDataProtection CSP diff --git a/windows/client-management/mdm/enterprisedataprotection-ddf-file.md b/windows/client-management/mdm/enterprisedataprotection-ddf-file.md index 496f553310..a7914046b2 100644 --- a/windows/client-management/mdm/enterprisedataprotection-ddf-file.md +++ b/windows/client-management/mdm/enterprisedataprotection-ddf-file.md @@ -1,15 +1,12 @@ --- title: EnterpriseDataProtection DDF file description: The following topic shows the OMA DM device description framework (DDF) for the EnterpriseDataProtection configuration service provider. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: C6427C52-76F9-4EE0-98F9-DE278529D459 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # EnterpriseDataProtection DDF file diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md index d3bdfb8e84..bc056caa35 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md @@ -1,15 +1,12 @@ --- title: EnterpriseDesktopAppManagement CSP description: The EnterpriseDesktopAppManagement configuration service provider is used to handle enterprise desktop application management tasks, such as querying installed enterprise applications, installing applications, or removing applications. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 2BFF7491-BB01-41BA-9A22-AB209EE59FC5 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # EnterpriseDesktopAppManagement CSP diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md index 3b4164d39c..5bd96246ec 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md @@ -1,15 +1,12 @@ --- title: EnterpriseDesktopAppManagement DDF description: This topic shows the OMA DM device description framework (DDF) for the EnterpriseDesktopAppManagement configuration service provider. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: EF448602-65AC-4D59-A0E8-779876542FE3 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # EnterpriseDesktopAppManagement DDF diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md b/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md index bb50c5d323..d5e415b890 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md @@ -1,15 +1,12 @@ --- title: EnterpriseDesktopAppManagement XSD description: This topic contains the XSD schema file for the EnterpriseDesktopAppManagement configuration service provider’s DownloadInstall parameter. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 60980257-4F48-4A68-8E8E-1EF0A3F090E2 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # EnterpriseDesktopAppManagement XSD diff --git a/windows/client-management/mdm/enterpriseext-csp.md b/windows/client-management/mdm/enterpriseext-csp.md index 867a193685..2bb98165d4 100644 --- a/windows/client-management/mdm/enterpriseext-csp.md +++ b/windows/client-management/mdm/enterpriseext-csp.md @@ -1,15 +1,12 @@ --- title: EnterpriseExt CSP description: EnterpriseExt CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: ACA5CD79-BBD5-4DD1-86DA-0285B93982BD -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # EnterpriseExt CSP diff --git a/windows/client-management/mdm/enterpriseext-ddf.md b/windows/client-management/mdm/enterpriseext-ddf.md index 76b9534272..06bc4c0198 100644 --- a/windows/client-management/mdm/enterpriseext-ddf.md +++ b/windows/client-management/mdm/enterpriseext-ddf.md @@ -1,15 +1,12 @@ --- title: EnterpriseExt DDF description: EnterpriseExt DDF -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 71BF81D4-FBEC-4B03-BF99-F7A5EDD4F91B -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # EnterpriseExt DDF diff --git a/windows/client-management/mdm/enterpriseextfilessystem-csp.md b/windows/client-management/mdm/enterpriseextfilessystem-csp.md index 9cc709a3a7..f6b332a182 100644 --- a/windows/client-management/mdm/enterpriseextfilessystem-csp.md +++ b/windows/client-management/mdm/enterpriseextfilessystem-csp.md @@ -1,15 +1,12 @@ --- title: EnterpriseExtFileSystem CSP description: EnterpriseExtFileSystem CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: F773AD72-A800-481A-A9E2-899BA56F4426 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # EnterpriseExtFileSystem CSP diff --git a/windows/client-management/mdm/enterpriseextfilesystem-ddf.md b/windows/client-management/mdm/enterpriseextfilesystem-ddf.md index 14ac906b77..dc371ba33a 100644 --- a/windows/client-management/mdm/enterpriseextfilesystem-ddf.md +++ b/windows/client-management/mdm/enterpriseextfilesystem-ddf.md @@ -1,15 +1,12 @@ --- title: EnterpriseExtFileSystem DDF description: EnterpriseExtFileSystem DDF -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 2D292E4B-15EE-4AEB-8884-6FEE8B92D2D1 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # EnterpriseExtFileSystem DDF diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index 85be2efaa7..23fea75c17 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -1,15 +1,12 @@ --- title: EnterpriseModernAppManagement CSP description: EnterpriseModernAppManagement CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 9DD0741A-A229-41A0-A85A-93E185207C42 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # EnterpriseModernAppManagement CSP diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md index 18c8f75db8..4da9c4b384 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md @@ -1,15 +1,12 @@ --- title: EnterpriseModernAppManagement DDF description: EnterpriseModernAppManagement DDF -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # EnterpriseModernAppManagement DDF diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md index eb5fdeb742..74d0c2cb31 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md @@ -1,15 +1,12 @@ --- title: EnterpriseModernAppManagement XSD description: Here is the XSD for the application parameters. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: D393D094-25E5-4E66-A60F-B59CC312BF57 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # EnterpriseModernAppManagement XSD diff --git a/windows/client-management/mdm/federated-authentication-device-enrollment.md b/windows/client-management/mdm/federated-authentication-device-enrollment.md index 188c3894f9..4855aaefd7 100644 --- a/windows/client-management/mdm/federated-authentication-device-enrollment.md +++ b/windows/client-management/mdm/federated-authentication-device-enrollment.md @@ -1,15 +1,12 @@ --- title: Federated authentication device enrollment description: This section provides an example of the mobile device enrollment protocol using federated authentication policy. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 049ECA6E-1AF5-4CB2-8F1C-A5F22D722DAA -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Federated authentication device enrollment diff --git a/windows/client-management/mdm/filesystem-csp.md b/windows/client-management/mdm/filesystem-csp.md index 569737c50a..7b22236bf3 100644 --- a/windows/client-management/mdm/filesystem-csp.md +++ b/windows/client-management/mdm/filesystem-csp.md @@ -1,15 +1,12 @@ --- title: FileSystem CSP description: FileSystem CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 9117ee16-ca7a-4efa-9270-c9ac8547e541 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # FileSystem CSP diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md new file mode 100644 index 0000000000..b0553d3220 --- /dev/null +++ b/windows/client-management/mdm/firewall-csp.md @@ -0,0 +1,246 @@ +--- +title: Firewall CSP +description: Firewall CSP +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Firewall CSP + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, as well as the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage both domain joined and non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP is new in the next major update to Windows 10. + +Firewall configuration commands must be wrapped in an Atomic block in SyncML. + +The following diagram shows the Firewall configuration service provider in tree format. + +![firewall csp](images/provisioning-csp-firewall.png) + +**./Vendor/MSFT/Firewall** +

Root node for the Firewall configuration service provider.

+ +**MdmStore** +

Interior node.

+

Supported operation is Get.

+ +**MdmStore/Global** +

Interior node.

+

Supported operations are Get and Replace.

+ +**MdmStore/Global/PolicyVersionSupported** +

DWORD value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.

+

Value type in integer. Supported operation is Get.

+ +**MdmStore/Global/CurrentProfiles** +

DWORD value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.

+

Value type in integer. Supported operation is Get.

+ +**MdmStore/Global/DisableStatefulFtp** +

This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. The value is a DWORD; 0x00000000 means off; 0x00000001 means on. The merge law for this option is to let "on" values win.

+

Boolean value. Supported operations are Get and Replace.

+ +**MdmStore/Global/SaIdleTime** +

This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is a DWORD and MUST be a value in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.<

+

Value type is integer. Supported operations are Get and Replace.

+ +**MdmStore/Global/TPresharedKeyEncodingBD** +

Specifies the preshared key encoding that is used. The value is a DWORD and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

+

Value type is integer. Supported operations are Get and Replace.

+ +**MdmStore/Global/IPsecExempt** +

This configuration value configures IPsec exceptions. The value is a DWORD and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

+

Value type is integer. Supported operations are Get and Replace.

+ +**MdmStore/Global/CRLcheck** +

This value specifies how certificate revocation list (CRL) verification is enforced. The value is a DWORD and MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

+

Value type is integer. Supported operations are Get and Replace.

+ +**MdmStore/Global/PolicyVersion** +

This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law.

+

Value type is string. Supported operation is Get.

+ +**MdmStore/Global/BinaryVersionSupported** +

This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.

+

Value type is string. Supported operation is Get.

+ +**MdmStore/Global/OpportunisticallyMatchAuthSetPerKM** +

This value is a DWORD used as an on/off switch. When this option is off, keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is on, keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

+

Boolean value. Supported operations are Get and Replace.

+ +**MdmStore/Global/EnablePacketQueue** +

This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is a DWORD and is a combination of flags. A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding.

+

Value type is integer. Supported operations are Get and Replace.

+ +**MdmStore/DomainProfile** +

Interior node. Supported operation is Get.

+ +**MdmStore/PrivateProfile** +

Interior node. Supported operation is Get.

+ +**MdmStore/PublicProfile** +

Interior node. Supported operation is Get.

+ +**/EnableFirewall** +

This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

+

Value type is integer. Supported operations are Get and Replace.

+ +**/DisableStealthMode** +

This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

+

Value type is integer. Supported operations are Get and Replace.

+ +**/Shielded** +

This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win.

+

Value type is integer. Supported operations are Get and Replace.

+ +**/DisableUnicastResponsesToMulticastBroadcast** +

This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

+

Value type is integer. Supported operations are Get and Replace.

+ +**/DisableInboundNotifications** +

This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

+

Value type is integer. Supported operations are Get and Replace.

+ +**/AuthAppsAllowUserPrefMerge** +

This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

+

Value type is integer. Supported operations are Get and Replace.

+ +**/GlobalPortsAllowUserPrefMerge** +

This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

+

Value type is integer. Supported operations are Get and Replace.

+ +**/AllowLocalPolicyMerge** +

This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.

+

Value type is integer. Supported operations are Get and Replace.

+ +**/AllowLocalIpsecPolicyMerge** +

This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.

+

Value type is integer. Supported operations are Get and Replace.

+ +**/DefaultOutboundAction** +

This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

+

Value type is integer. Supported operations are Get and Replace.

+ +**/DefaultInboundAction** +

This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.

+

Value type is integer. Supported operations are Get and Replace.

+ +**/DisableStealthModeIpsecSecuredPacketExemption** +

This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

+

Value type is integer. Supported operations are Get and Replace.

+ +**FirewallRules** +

A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.

+ +**FirewallRules/_FirewallRuleName_** +

Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).

+ +**FirewallRules/_FirewallRuleName_/App** +

Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes:

+
    +
  • PackageFamilyName
    • +
  • FilePath
    • +
  • FQBN
    • +
  • ServiceName
    • +
+

Supported operation is Get.

+ +**FirewallRules/_FirewallRuleName_/App/PackageFamilyName** +

This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Windows Store application.

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/App/FilePath** +

This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/App/Fqbn** +

Fully Qualified Binary Name

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/App/ServiceName** +

This is a service name used in cases when a service, not an application, is sending or receiving traffic.

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/Protocol** +

0-255 number representing the ip protocol (TCP = 6, UDP = 17)

+

Value type is integer. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/LocalPortRanges** +

Comma separated list of ranges. For example, 100-120,200,300-320.

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/RemotePortRanges** +

Comma separated list of ranges, For example, 100-120,200,300-320.

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/LocalAddressRanges** +

Comma separated list of local addresses covered by the rule. The default value is "\*". Valid tokens include:

+
    +
  • "\*" indicates any local address. If present, this must be the only token included.
    • +
  • A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
    • +
  • A valid IPv6 address.
    • +
  • An IPv4 address range in the format of "start address - end address" with no spaces included.
    • +
  • An IPv6 address range in the format of "start address - end address" with no spaces included.
    • +
+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/RemoteAddressRanges** +

List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "\*". Valid tokens include:

+
    +
  • "\*" indicates any remote address. If present, this must be the only token included.
    • +
  • "Defaultgateway"
    • +
  • "DHCP"
    • +
  • "DNS"
    • +
  • "WINS"
    • +
  • "Intranet"
    • +
  • "RemoteCorpNetwork"
    • +
  • "Internet"
    • +
  • "PlayToRenderers"
    • +
  • "LocalSubnet" indicates any local address on the local subnet. This token is not case-sensitive.
    • +
  • A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
    • +
  • A valid IPv6 address.
    • +
  • An IPv4 address range in the format of "start address - end address" with no spaces included.
    • +
  • An IPv6 address range in the format of "start address - end address" with no spaces included.
    • +
+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/Description** +

Specifies the description of the rule.

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/Enabled** +

Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. +If not specified - a new rule is disabled by default.

+

Boolean value. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/Action** +

Specifies the action for the rule.

+

Supported operation is Get.

+ +**FirewallRules/_FirewallRuleName_/Action/Type** +

Specifies the action the rule enforces. Supported values:

+
    +
  • 0 - Block
    • +
  • 1 - Allow
    • +
+

Value type is integer. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/IcmpTypesAndCodes** +

List of ICMP types and codes separated by semicolon. "\*" indicates all ICMP types and codes.<

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/LocalUserAuthorizedList** +

Specifies the list of authorized local users for the app container. This is a string in Security Descriptor Definition Language (SDDL) format.

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/FriendlyName** +

Specifies the friendly name of the rule. The string must not contain the "|" character.

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/Name** +

Name of the rule.

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

diff --git a/windows/client-management/mdm/get-inventory.md b/windows/client-management/mdm/get-inventory.md index 8305769663..405f3c7a29 100644 --- a/windows/client-management/mdm/get-inventory.md +++ b/windows/client-management/mdm/get-inventory.md @@ -4,15 +4,12 @@ description: The Get Inventory operation retrieves information from the Windows MS-HAID: - 'p\_phdevicemgmt.get\_seatblock' - 'p\_phDeviceMgmt.get\_inventory' -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: C5485722-FC49-4358-A097-74169B204E74 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Get Inventory diff --git a/windows/client-management/mdm/get-localized-product-details.md b/windows/client-management/mdm/get-localized-product-details.md index d9ef11678f..16f29cb848 100644 --- a/windows/client-management/mdm/get-localized-product-details.md +++ b/windows/client-management/mdm/get-localized-product-details.md @@ -1,15 +1,12 @@ --- title: Get localized product details description: The Get localized product details operation retrieves the localization information of a product from the Windows Store for Business. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: EF6AFCA9-8699-46C9-A3BB-CD2750C07901 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Get localized product details diff --git a/windows/client-management/mdm/get-offline-license.md b/windows/client-management/mdm/get-offline-license.md index 8877b2cf4e..cf3a27b38c 100644 --- a/windows/client-management/mdm/get-offline-license.md +++ b/windows/client-management/mdm/get-offline-license.md @@ -1,15 +1,12 @@ --- title: Get offline license description: The Get offline license operation retrieves the offline license information of a product from the Windows Store for Business. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 08DAD813-CF4D-42D6-A783-994A03AEE051 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Get offline license diff --git a/windows/client-management/mdm/get-product-details.md b/windows/client-management/mdm/get-product-details.md index c05f6502b7..c602332f9b 100644 --- a/windows/client-management/mdm/get-product-details.md +++ b/windows/client-management/mdm/get-product-details.md @@ -1,15 +1,12 @@ --- title: Get product details description: The Get product details operation retrieves the product information from the Windows Store for Business for a specific application. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: BC432EBA-CE5E-43BD-BD54-942774767286 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Get product details diff --git a/windows/client-management/mdm/get-product-package.md b/windows/client-management/mdm/get-product-package.md index 448c3933a2..ef80b65d3b 100644 --- a/windows/client-management/mdm/get-product-package.md +++ b/windows/client-management/mdm/get-product-package.md @@ -1,15 +1,12 @@ --- title: Get product package description: The Get product package operation retrieves the information about a specific application in the Windows Store for Business. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 4314C65E-6DDC-405C-A591-D66F799A341F -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Get product package diff --git a/windows/client-management/mdm/get-product-packages.md b/windows/client-management/mdm/get-product-packages.md index 448a755ac2..24d354e7c2 100644 --- a/windows/client-management/mdm/get-product-packages.md +++ b/windows/client-management/mdm/get-product-packages.md @@ -1,15 +1,12 @@ --- title: Get product packages description: The Get product packages operation retrieves the information about applications in the Windows Store for Business. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 039468BF-B9EE-4E1C-810C-9ACDD55C0835 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Get product packages diff --git a/windows/client-management/mdm/get-seat.md b/windows/client-management/mdm/get-seat.md index 2d24e0e3ab..301be7db93 100644 --- a/windows/client-management/mdm/get-seat.md +++ b/windows/client-management/mdm/get-seat.md @@ -1,15 +1,12 @@ --- title: Get seat description: The Get seat operation retrieves the information about an active seat for a specified user in the Windows Store for Business. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 715BAEB2-79FD-4945-A57F-482F9E7D07C6 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Get seat diff --git a/windows/client-management/mdm/get-seats-assigned-to-a-user.md b/windows/client-management/mdm/get-seats-assigned-to-a-user.md index b755a4fc0f..77e13c0706 100644 --- a/windows/client-management/mdm/get-seats-assigned-to-a-user.md +++ b/windows/client-management/mdm/get-seats-assigned-to-a-user.md @@ -1,15 +1,12 @@ --- title: Get seats assigned to a user description: The Get seats assigned to a user operation retrieves information about assigned seats in the Windows Store for Business. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: CB963E44-8C7C-46F9-A979-89BBB376172B -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Get seats assigned to a user diff --git a/windows/client-management/mdm/get-seats.md b/windows/client-management/mdm/get-seats.md index ba26bb6f6b..1e5fbe93dd 100644 --- a/windows/client-management/mdm/get-seats.md +++ b/windows/client-management/mdm/get-seats.md @@ -1,15 +1,12 @@ --- title: Get seats description: The Get seats operation retrieves the information about active seats in the Windows Store for Business. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 32945788-47AC-4259-B616-F359D48F4F2F -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Get seats diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 6eb645cf52..fb44d96773 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -1,15 +1,12 @@ --- title: Device HealthAttestation CSP description: Device HealthAttestation CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 6F2D783C-F6B4-4A81-B9A2-522C4661D1AC -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Device HealthAttestation CSP diff --git a/windows/client-management/mdm/healthattestation-ddf.md b/windows/client-management/mdm/healthattestation-ddf.md index 3c50a72760..f3e857ee6f 100644 --- a/windows/client-management/mdm/healthattestation-ddf.md +++ b/windows/client-management/mdm/healthattestation-ddf.md @@ -1,15 +1,12 @@ --- title: HealthAttestation DDF description: HealthAttestation DDF -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: D20AC78D-D2D4-434B-B9FD-294BCD9D1DDE -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # HealthAttestation DDF diff --git a/windows/client-management/mdm/hotspot-csp.md b/windows/client-management/mdm/hotspot-csp.md index 905181c7ee..181c625ca6 100644 --- a/windows/client-management/mdm/hotspot-csp.md +++ b/windows/client-management/mdm/hotspot-csp.md @@ -1,15 +1,12 @@ --- title: HotSpot CSP description: HotSpot CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: ec49dec1-fa79-420a-a9a7-e86668b3eebf -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # HotSpot CSP diff --git a/windows/client-management/mdm/iconfigserviceprovider2.md b/windows/client-management/mdm/iconfigserviceprovider2.md index f241ae1aa4..be59397ff3 100644 --- a/windows/client-management/mdm/iconfigserviceprovider2.md +++ b/windows/client-management/mdm/iconfigserviceprovider2.md @@ -1,15 +1,12 @@ --- title: IConfigServiceProvider2 description: IConfigServiceProvider2 -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 8deec0fb-59a6-4d08-8ddb-6d0d3d868a10 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # IConfigServiceProvider2 diff --git a/windows/client-management/mdm/iconfigserviceprovider2configmanagernotification.md b/windows/client-management/mdm/iconfigserviceprovider2configmanagernotification.md index eed45454d3..2d72418a32 100644 --- a/windows/client-management/mdm/iconfigserviceprovider2configmanagernotification.md +++ b/windows/client-management/mdm/iconfigserviceprovider2configmanagernotification.md @@ -1,15 +1,12 @@ --- title: IConfigServiceProvider2 ConfigManagerNotification description: IConfigServiceProvider2 ConfigManagerNotification -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: b1f0fe0f-afbe-4b36-a75d-34239a86a75c -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # IConfigServiceProvider2::ConfigManagerNotification diff --git a/windows/client-management/mdm/iconfigserviceprovider2getnode.md b/windows/client-management/mdm/iconfigserviceprovider2getnode.md index 8ad2ca892a..d9efa4d469 100644 --- a/windows/client-management/mdm/iconfigserviceprovider2getnode.md +++ b/windows/client-management/mdm/iconfigserviceprovider2getnode.md @@ -1,15 +1,12 @@ --- title: IConfigServiceProvider2 GetNode description: IConfigServiceProvider2 GetNode -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 4dc10a59-f6a2-45c0-927c-d594afc9bb91 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # IConfigServiceProvider2::GetNode diff --git a/windows/client-management/mdm/icspnode.md b/windows/client-management/mdm/icspnode.md index e5155263e0..5da7ad4b29 100644 --- a/windows/client-management/mdm/icspnode.md +++ b/windows/client-management/mdm/icspnode.md @@ -1,15 +1,12 @@ --- title: ICSPNode description: ICSPNode -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 023466e6-a8ab-48ad-8548-291409686ac2 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # ICSPNode diff --git a/windows/client-management/mdm/icspnodeadd.md b/windows/client-management/mdm/icspnodeadd.md index 97a7e667cc..20be80123e 100644 --- a/windows/client-management/mdm/icspnodeadd.md +++ b/windows/client-management/mdm/icspnodeadd.md @@ -1,15 +1,12 @@ --- title: ICSPNode Add description: ICSPNode Add -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 5f03d350-c82b-4747-975f-385fd8b5b3a8 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # ICSPNode::Add diff --git a/windows/client-management/mdm/icspnodeclear.md b/windows/client-management/mdm/icspnodeclear.md index 213e75a31a..5c0f660fa3 100644 --- a/windows/client-management/mdm/icspnodeclear.md +++ b/windows/client-management/mdm/icspnodeclear.md @@ -1,15 +1,12 @@ --- title: ICSPNode Clear description: ICSPNode Clear -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: b414498b-110a-472d-95c0-2d5b38cd78a6 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- diff --git a/windows/client-management/mdm/icspnodecopy.md b/windows/client-management/mdm/icspnodecopy.md index b5008ab367..cf113766b6 100644 --- a/windows/client-management/mdm/icspnodecopy.md +++ b/windows/client-management/mdm/icspnodecopy.md @@ -1,15 +1,12 @@ --- title: ICSPNode Copy description: ICSPNode Copy -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: cd5ce0bc-a08b-4f82-802d-c7ff8701b41f -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # ICSPNode::Copy diff --git a/windows/client-management/mdm/icspnodedeletechild.md b/windows/client-management/mdm/icspnodedeletechild.md index 158c31361e..686df037ea 100644 --- a/windows/client-management/mdm/icspnodedeletechild.md +++ b/windows/client-management/mdm/icspnodedeletechild.md @@ -1,15 +1,12 @@ --- title: ICSPNode DeleteChild description: ICSPNode DeleteChild -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 8cf3663d-a4cf-4d11-b03a-f1d096ad7f9c -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # ICSPNode::DeleteChild diff --git a/windows/client-management/mdm/icspnodedeleteproperty.md b/windows/client-management/mdm/icspnodedeleteproperty.md index 2280c6e984..74126c9679 100644 --- a/windows/client-management/mdm/icspnodedeleteproperty.md +++ b/windows/client-management/mdm/icspnodedeleteproperty.md @@ -1,15 +1,12 @@ --- title: ICSPNode DeleteProperty description: ICSPNode DeleteProperty -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 7e21851f-d663-4558-b3e8-590d24b4f6c4 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # ICSPNode::DeleteProperty diff --git a/windows/client-management/mdm/icspnodeexecute.md b/windows/client-management/mdm/icspnodeexecute.md index 97a0b3f76b..ef2c4dfa1a 100644 --- a/windows/client-management/mdm/icspnodeexecute.md +++ b/windows/client-management/mdm/icspnodeexecute.md @@ -1,15 +1,12 @@ --- title: ICSPNode Execute description: ICSPNode Execute -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 5916e7b7-256d-49fd-82b6-db0547a215ec -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # ICSPNode::Execute diff --git a/windows/client-management/mdm/icspnodegetchildnodenames.md b/windows/client-management/mdm/icspnodegetchildnodenames.md index 420ed62d10..aa63ca5b8e 100644 --- a/windows/client-management/mdm/icspnodegetchildnodenames.md +++ b/windows/client-management/mdm/icspnodegetchildnodenames.md @@ -1,15 +1,12 @@ --- title: ICSPNode GetChildNodeNames description: ICSPNode GetChildNodeNames -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: dc057f2b-282b-49ac-91c4-bb83bd3ca4dc -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # ICSPNode::GetChildNodeNames diff --git a/windows/client-management/mdm/icspnodegetproperty.md b/windows/client-management/mdm/icspnodegetproperty.md index 8d4a28d933..673d9e8e15 100644 --- a/windows/client-management/mdm/icspnodegetproperty.md +++ b/windows/client-management/mdm/icspnodegetproperty.md @@ -1,15 +1,12 @@ --- title: ICSPNode GetProperty description: ICSPNode GetProperty -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: a2bdc158-72e0-4cdb-97ce-f5cf1a44b7db -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # ICSPNode::GetProperty diff --git a/windows/client-management/mdm/icspnodegetpropertyidentifiers.md b/windows/client-management/mdm/icspnodegetpropertyidentifiers.md index a4624bfac7..55fabbe552 100644 --- a/windows/client-management/mdm/icspnodegetpropertyidentifiers.md +++ b/windows/client-management/mdm/icspnodegetpropertyidentifiers.md @@ -1,15 +1,12 @@ --- title: ICSPNode GetPropertyIdentifiers description: ICSPNode GetPropertyIdentifiers -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 8a052cd3-d74c-40c4-845f-f804b920deb4 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # ICSPNode::GetPropertyIdentifiers diff --git a/windows/client-management/mdm/icspnodegetvalue.md b/windows/client-management/mdm/icspnodegetvalue.md index 95d95c5813..fe58b75211 100644 --- a/windows/client-management/mdm/icspnodegetvalue.md +++ b/windows/client-management/mdm/icspnodegetvalue.md @@ -1,15 +1,12 @@ --- title: ICSPNode GetValue description: ICSPNode GetValue -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: c684036d-98be-4659-8ce8-f72436a39b90 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # ICSPNode::GetValue diff --git a/windows/client-management/mdm/icspnodemove.md b/windows/client-management/mdm/icspnodemove.md index b106a7cb80..53c5047934 100644 --- a/windows/client-management/mdm/icspnodemove.md +++ b/windows/client-management/mdm/icspnodemove.md @@ -1,15 +1,12 @@ --- title: ICSPNode Move description: ICSPNode Move -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: efb359c3-5c86-4975-bf6f-a1c33922442a -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # ICSPNode::Move diff --git a/windows/client-management/mdm/icspnodesetproperty.md b/windows/client-management/mdm/icspnodesetproperty.md index 7805bd3a38..daae584a37 100644 --- a/windows/client-management/mdm/icspnodesetproperty.md +++ b/windows/client-management/mdm/icspnodesetproperty.md @@ -1,15 +1,12 @@ --- title: ICSPNode SetProperty description: ICSPNode SetProperty -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: e235c38f-ea04-4cd8-adec-3c6c0ce7172d -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # ICSPNode::SetProperty diff --git a/windows/client-management/mdm/icspnodesetvalue.md b/windows/client-management/mdm/icspnodesetvalue.md index cc4c4dcf3f..ccb5ff6c76 100644 --- a/windows/client-management/mdm/icspnodesetvalue.md +++ b/windows/client-management/mdm/icspnodesetvalue.md @@ -1,15 +1,12 @@ --- title: ICSPNode SetValue description: ICSPNode SetValue -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: b218636d-fe8b-4a0f-b4e8-a621f65619d3 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # ICSPNode::SetValue diff --git a/windows/client-management/mdm/icspnodetransactioning.md b/windows/client-management/mdm/icspnodetransactioning.md index 34e1557544..536708cb7d 100644 --- a/windows/client-management/mdm/icspnodetransactioning.md +++ b/windows/client-management/mdm/icspnodetransactioning.md @@ -1,15 +1,12 @@ --- title: ICSPNodeTransactioning description: ICSPNodeTransactioning -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 24dc518a-4a8d-41fe-9bc6-217bbbdf6a3f -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # ICSPNodeTransactioning diff --git a/windows/client-management/mdm/icspvalidate.md b/windows/client-management/mdm/icspvalidate.md index db4a3ea48f..42828da848 100644 --- a/windows/client-management/mdm/icspvalidate.md +++ b/windows/client-management/mdm/icspvalidate.md @@ -1,15 +1,12 @@ --- title: ICSPValidate description: ICSPValidate -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: b0993f2d-6269-412f-a329-af25fff34ca2 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # ICSPValidate diff --git a/windows/client-management/mdm/images/provisioning-csp-firewall.png b/windows/client-management/mdm/images/provisioning-csp-firewall.png new file mode 100644 index 0000000000..a2cb0ecde8 Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-firewall.png differ diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md index 360eca3308..904aabcc23 100644 --- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md +++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md @@ -1,14 +1,11 @@ --- title: Implement server-side support for mobile application management on Windows description: The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP). -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md index 6c42d88644..70a844c704 100644 --- a/windows/client-management/mdm/index.md +++ b/windows/client-management/mdm/index.md @@ -4,15 +4,12 @@ description: Windows 10 provides an enterprise management solution to help IT p MS-HAID: - 'p\_phDeviceMgmt.provisioning\_and\_device\_management' - 'p\_phDeviceMgmt.mobile\_device\_management\_windows\_mdm' -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 50ac90a7-713e-4487-9cb9-b6d6fdaa4e5b -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Mobile device management diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md index eef8e355a3..98510df8a0 100644 --- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md +++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md @@ -4,15 +4,12 @@ description: The Windows Store for Business has a new web service designed for t MS-HAID: - 'p\_phdevicemgmt.business\_store\_portal\_management\_tool' - 'p\_phDeviceMgmt.management\_tool\_for\_windows\_store\_for\_business' -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 0E39AE85-1703-4B24-9A7F-831C6455068F -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Management tool for the Windows Store for Business diff --git a/windows/client-management/mdm/maps-csp.md b/windows/client-management/mdm/maps-csp.md index dfe6a73a3b..7a5f26f5ef 100644 --- a/windows/client-management/mdm/maps-csp.md +++ b/windows/client-management/mdm/maps-csp.md @@ -1,15 +1,12 @@ --- title: Maps CSP description: The Maps configuration service provider (CSP) is used to configure the maps to download to the device. This CSP was added in Windows 10, version 1511. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: E5157296-7C31-4B08-8877-15304C9F6F26 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Maps CSP diff --git a/windows/client-management/mdm/maps-ddf-file.md b/windows/client-management/mdm/maps-ddf-file.md index b4b0100012..e91dbca47e 100644 --- a/windows/client-management/mdm/maps-ddf-file.md +++ b/windows/client-management/mdm/maps-ddf-file.md @@ -1,15 +1,12 @@ --- title: Maps DDF file description: This topic shows the OMA DM device description framework (DDF) for the Maps configuration service provider. This CSP was added in Windows 10, version 1511. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: EF22DBB6-0578-4FD0-B8A6-19DC03288FAF -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Maps DDF file diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md index 26b3ed04f0..c2896dd7cd 100644 --- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md @@ -4,15 +4,12 @@ description: MDM enrollment of Windows-based devices MS-HAID: - 'p\_phdevicemgmt.enrollment\_ui' - 'p\_phDeviceMgmt.mdm\_enrollment\_of\_windows\_devices' -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 4651C81B-D2D6-446A-AA24-04D01C1D0883 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # MDM enrollment of Windows-based devices diff --git a/windows/client-management/mdm/messaging-csp.md b/windows/client-management/mdm/messaging-csp.md index 1d14736623..25454c6580 100644 --- a/windows/client-management/mdm/messaging-csp.md +++ b/windows/client-management/mdm/messaging-csp.md @@ -1,14 +1,11 @@ --- title: Messaging CSP description: Messaging CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Messaging CSP diff --git a/windows/client-management/mdm/messaging-ddf.md b/windows/client-management/mdm/messaging-ddf.md index 87fbd0072f..8a3d8d7e7d 100644 --- a/windows/client-management/mdm/messaging-ddf.md +++ b/windows/client-management/mdm/messaging-ddf.md @@ -1,14 +1,11 @@ --- title: Messaging DDF file description: Messaging DDF file -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Messaging DDF file diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md index 9192197a28..e0a4d74fa3 100644 --- a/windows/client-management/mdm/mobile-device-enrollment.md +++ b/windows/client-management/mdm/mobile-device-enrollment.md @@ -1,15 +1,12 @@ --- title: Mobile device enrollment description: Mobile device enrollment is the first phase of enterprise management. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 08C8B3DB-3263-414B-A368-F47B94F47A11 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Mobile device enrollment diff --git a/windows/client-management/mdm/nap-csp.md b/windows/client-management/mdm/nap-csp.md index b4660ca511..d62bf09a6c 100644 --- a/windows/client-management/mdm/nap-csp.md +++ b/windows/client-management/mdm/nap-csp.md @@ -1,15 +1,12 @@ --- title: NAP CSP description: NAP CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 82f04492-88a6-4afd-af10-a62b8d444d21 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # NAP CSP diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md index 8df98c23fd..0019bd057b 100644 --- a/windows/client-management/mdm/napdef-csp.md +++ b/windows/client-management/mdm/napdef-csp.md @@ -1,15 +1,12 @@ --- title: NAPDEF CSP description: NAPDEF CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 9bcc65dd-a72b-4f90-aba7-4066daa06988 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # NAPDEF CSP diff --git a/windows/client-management/mdm/networkproxy-csp.md b/windows/client-management/mdm/networkproxy-csp.md index 17bfecb9bd..2e9efd2de6 100644 --- a/windows/client-management/mdm/networkproxy-csp.md +++ b/windows/client-management/mdm/networkproxy-csp.md @@ -1,14 +1,11 @@ --- title: NetworkProxy CSP description: NetworkProxy CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # NetworkProxy CSP diff --git a/windows/client-management/mdm/networkproxy-ddf.md b/windows/client-management/mdm/networkproxy-ddf.md index 47e68fe01b..6657bc67ee 100644 --- a/windows/client-management/mdm/networkproxy-ddf.md +++ b/windows/client-management/mdm/networkproxy-ddf.md @@ -1,14 +1,11 @@ --- title: NetworkProxy DDF file description: AppNetworkProxyLocker DDF file -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # NetworkProxy DDF file diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md index 99983160de..eb09ca2909 100644 --- a/windows/client-management/mdm/networkqospolicy-csp.md +++ b/windows/client-management/mdm/networkqospolicy-csp.md @@ -1,14 +1,11 @@ --- title: NetworkQoSPolicy CSP description: he NetworkQoSPolicy CSP applies the Quality of Service (QoS) policy for Microsoft Surface Hub. This CSP was added in Windows 10, version 1703. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # NetworkQoSPolicy CSP diff --git a/windows/client-management/mdm/networkqospolicy-ddf.md b/windows/client-management/mdm/networkqospolicy-ddf.md index a8a04b9de5..e22f1a5ac3 100644 --- a/windows/client-management/mdm/networkqospolicy-ddf.md +++ b/windows/client-management/mdm/networkqospolicy-ddf.md @@ -1,15 +1,12 @@ --- title: NetworkQoSPolicy DDF description: This topic shows the OMA DM device description framework (DDF) for the NetworkQoSPolicy configuration service provider. DDF files are used only with OMA DM provisioning XML. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # NetworkQoSPolicy DDF diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 4bb5eecbe0..f0f271a8e3 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -4,15 +4,12 @@ description: This topic provides information about what's new and breaking chang MS-HAID: - 'p\_phdevicemgmt.mdm\_enrollment\_and\_management\_overview' - 'p\_phDeviceMgmt.new\_in\_windows\_mdm\_enrollment\_management' -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 9C42064F-091C-4901-BC73-9ABE79EE4224 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # What's new in MDM enrollment and management @@ -883,6 +880,14 @@ For details about Microsoft mobile device management protocols for Windows 10 s
  • Ownership
    • + +MDM support for Windows 10 S +

    Updated the following topics to indicate MDM support in Windows 10 S.

    +
      +
    • [Configuration service provider reference](configuration-service-provider-reference.md)
      • +
    • [Policy CSP](policy-configuration-service-provider.md)
      • +
    +   @@ -1211,7 +1216,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
  • EnterpriseDataProtection/RetrieveByCount/Type
    • - + [Connecting your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connecting-your-windows-10-based-device-to-work-using-a-deep-link)

    Added following deep link parameters to the table:

      @@ -1223,6 +1228,18 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
    • Ownership
    + +[Firewall CSP](firewall-csp.md) +

    Added new CSP in the next major update to Windows 10.

    + + +MDM support for Windows 10 S +

    Updated the following topics to indicate MDM support in Windows 10 S.

    +
      +
    • [Configuration service provider reference](configuration-service-provider-reference.md)
      • +
    • [Policy CSP](policy-configuration-service-provider.md)
      • +
    + diff --git a/windows/client-management/mdm/nodecache-csp.md b/windows/client-management/mdm/nodecache-csp.md index 459eb5b6a1..66ec4f198b 100644 --- a/windows/client-management/mdm/nodecache-csp.md +++ b/windows/client-management/mdm/nodecache-csp.md @@ -1,15 +1,12 @@ --- title: NodeCache CSP description: NodeCache CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: b4dd2b0d-79ef-42ac-ab5b-ee07b3097876 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # NodeCache CSP diff --git a/windows/client-management/mdm/nodecache-ddf-file.md b/windows/client-management/mdm/nodecache-ddf-file.md index 5cc96df8bb..1d3eb141bc 100644 --- a/windows/client-management/mdm/nodecache-ddf-file.md +++ b/windows/client-management/mdm/nodecache-ddf-file.md @@ -1,15 +1,12 @@ --- title: NodeCache DDF file description: NodeCache DDF file -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: d7605098-12aa-4423-89ae-59624fa31236 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # NodeCache DDF file diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md index dbc41f165d..ca215622b9 100644 --- a/windows/client-management/mdm/office-csp.md +++ b/windows/client-management/mdm/office-csp.md @@ -1,14 +1,11 @@ --- title: Office CSP description: The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device. This CSP was added in Windows 10, version 1703. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Office CSP diff --git a/windows/client-management/mdm/office-ddf.md b/windows/client-management/mdm/office-ddf.md index ead5845d21..85f2f48531 100644 --- a/windows/client-management/mdm/office-ddf.md +++ b/windows/client-management/mdm/office-ddf.md @@ -1,15 +1,12 @@ --- title: Office DDF description: This topic shows the OMA DM device description framework (DDF) for the Office configuration service provider. DDF files are used only with OMA DM provisioning XML. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Office DDF diff --git a/windows/client-management/mdm/oma-dm-protocol-support.md b/windows/client-management/mdm/oma-dm-protocol-support.md index 62ad8a9ebb..8ebb0eebf3 100644 --- a/windows/client-management/mdm/oma-dm-protocol-support.md +++ b/windows/client-management/mdm/oma-dm-protocol-support.md @@ -1,15 +1,12 @@ --- title: OMA DM protocol support description: OMA DM protocol support -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: e882aaae-447e-4bd4-9275-463824da4fa0 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- diff --git a/windows/client-management/mdm/on-premise-authentication-device-enrollment.md b/windows/client-management/mdm/on-premise-authentication-device-enrollment.md index b9a90f2614..2ecd4d724f 100644 --- a/windows/client-management/mdm/on-premise-authentication-device-enrollment.md +++ b/windows/client-management/mdm/on-premise-authentication-device-enrollment.md @@ -1,15 +1,12 @@ --- title: On-premise authentication device enrollment description: This section provides an example of the mobile device enrollment protocol using on-premise authentication policy. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 626AC8B4-7575-4C41-8D59-185D607E3A47 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # On-premise authentication device enrollment diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index ba168ff230..8faa4ccb96 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md @@ -1,15 +1,12 @@ --- title: PassportForWork CSP description: The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 3BAE4827-5497-41EE-B47F-5C071ADB2C51 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # PassportForWork CSP diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md index d143881755..e425bb220d 100644 --- a/windows/client-management/mdm/passportforwork-ddf.md +++ b/windows/client-management/mdm/passportforwork-ddf.md @@ -1,15 +1,12 @@ --- title: PassportForWork DDF description: This topic shows the OMA DM device description framework (DDF) for the PassportForWork configuration service provider. DDF files are used only with OMA DM provisioning XML. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: A2182898-1577-4675-BAE5-2A3A9C2AAC9B -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # PassportForWork DDF diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md index 0a01a02817..85c52cab60 100644 --- a/windows/client-management/mdm/personalization-csp.md +++ b/windows/client-management/mdm/personalization-csp.md @@ -1,14 +1,11 @@ --- title: Personalization CSP description: Personalization CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Personalization CSP diff --git a/windows/client-management/mdm/personalization-ddf.md b/windows/client-management/mdm/personalization-ddf.md index ee0e9087ca..85d8ef7bb0 100644 --- a/windows/client-management/mdm/personalization-ddf.md +++ b/windows/client-management/mdm/personalization-ddf.md @@ -1,14 +1,11 @@ --- title: Personalization DDF file description: Personalization DDF file -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Personalization DDF file diff --git a/windows/client-management/mdm/policy-admx-backed.md b/windows/client-management/mdm/policy-admx-backed.md deleted file mode 100644 index 4643ba8bb8..0000000000 --- a/windows/client-management/mdm/policy-admx-backed.md +++ /dev/null @@ -1,4035 +0,0 @@ ---- -title: Policy CSP - ADMX-backed policies -description: Policy CSP - ADMX-backed policies -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' -ms.assetid: 4F3A1134-D401-44FC-A583-6EDD3070BA4F -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 -ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem ---- - -# Policy CSP - ADMX-backed policies - -The Policy configuration service provider enables the enterprise to configure policies on Windows 10. Use this configuration service provider to configure any company policies. This reference topic targets only policies which are backed by ADMX. To understand the difference between traditional MDM and ADMX-backed policies please see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). - -## Table of ADMX-backed policies for Windows 10, version 1703. - -> [!IMPORTANT] -> To navigate the table horizontally, click on the table and then use the left and right scroll keys on your keyboard or use the scroll bar at the bottom of the table. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    MDM CSP setting path/nameGP english nameGP english category pathGP nameGP ADMX file name
    ActiveXControls/ApprovedInstallationSitesApproved Installation Sites for ActiveX ControlsWindows Components/ActiveX Installer ServiceApprovedActiveXInstallSitesActiveXInstallService.admx
    AppVirtualization/AllowAppVClientEnable App-V ClientSystem/App-VEnableAppVappv.admx
    AppVirtualization/AllowDynamicVirtualizationEnable Dynamic VirtualizationSystem/App-V/VirtualizationVirtualization_JITVEnableappv.admx
    AppVirtualization/AllowPackageCleanupEnable automatic cleanup of unused appv packagesSystem/App-V/Package ManagementPackageManagement_AutoCleanupEnableappv.admx
    AppVirtualization/AllowPackageScriptsEnable Package ScriptsSystem/App-V/ScriptingScripting_Enable_Package_Scriptsappv.admx
    AppVirtualization/AllowPublishingRefreshUXEnable Publishing Refresh UXSystem/App-V/PublishingEnable_Publishing_Refresh_UXappv.admx
    AppVirtualization/AllowReportingServerReporting ServerSystem/App-V/ReportingReporting_Server_Policyappv.admx
    AppVirtualization/AllowRoamingFileExclusionsRoaming File ExclusionsSystem/App-V/IntegrationIntegration_Roaming_File_Exclusionsappv.admx
    AppVirtualization/AllowRoamingRegistryExclusionsRoaming Registry ExclusionsSystem/App-V/IntegrationIntegration_Roaming_Registry_Exclusionsappv.admx
    AppVirtualization/AllowStreamingAutoloadSpecify what to load in background (aka AutoLoad)System/App-V/StreamingSteaming_Autoloadappv.admx
    AppVirtualization/ClientCoexistenceAllowMigrationmodeEnable Migration ModeSystem/App-V/Client CoexistenceClient_Coexistence_Enable_Migration_modeappv.admx
    AppVirtualization/IntegrationAllowRootGlobalIntegration Root UserSystem/App-V/IntegrationIntegration_Root_Userappv.admx
    AppVirtualization/IntegrationAllowRootUserIntegration Root GlobalSystem/App-V/IntegrationIntegration_Root_Globalappv.admx
    AppVirtualization/PublishingAllowServer1Publishing Server 1 SettingsSystem/App-V/PublishingPublishing_Server1_Policyappv.admx
    AppVirtualization/PublishingAllowServer2Publishing Server 2 SettingsSystem/App-V/PublishingPublishing_Server2_Policyappv.admx
    AppVirtualization/PublishingAllowServer3Publishing Server 3 SettingsSystem/App-V/PublishingPublishing_Server3_Policyappv.admx
    AppVirtualization/PublishingAllowServer4Publishing Server 4 SettingsSystem/App-V/PublishingPublishing_Server4_Policyappv.admx
    AppVirtualization/PublishingAllowServer5Publishing Server 5 SettingsSystem/App-V/PublishingPublishing_Server5_Policyappv.admx
    AppVirtualization/StreamingAllowCertificateFilterForClient_SSLCertificate Filter For Client SSLSystem/App-V/StreamingStreaming_Certificate_Filter_For_Client_SSLappv.admx
    AppVirtualization/StreamingAllowHighCostLaunchAllow First Time Application Launches if on a High Cost Windows 8 Metered ConnectionSystem/App-V/StreamingStreaming_Allow_High_Cost_Launchappv.admx
    AppVirtualization/StreamingAllowLocationProviderLocation ProviderSystem/App-V/StreamingStreaming_Location_Providerappv.admx
    AppVirtualization/StreamingAllowPackageInstallationRootPackage Installation RootSystem/App-V/StreamingStreaming_Package_Installation_Rootappv.admx
    AppVirtualization/StreamingAllowPackageSourceRootPackage Source RootSystem/App-V/StreamingStreaming_Package_Source_Rootappv.admx
    AppVirtualization/StreamingAllowReestablishmentIntervalReestablishment IntervalSystem/App-V/StreamingStreaming_Reestablishment_Intervalappv.admx
    AppVirtualization/StreamingAllowReestablishmentRetriesReestablishment RetriesSystem/App-V/StreamingStreaming_Reestablishment_Retriesappv.admx
    AppVirtualization/StreamingSharedContentStoreModeShared Content Store (SCS) modeSystem/App-V/StreamingStreaming_Shared_Content_Store_Modeappv.admx
    AppVirtualization/StreamingSupportBranchCacheEnable Support for BranchCacheSystem/App-V/StreamingStreaming_Support_Branch_Cacheappv.admx
    AppVirtualization/StreamingVerifyCertificateRevocationListVerify certificate revocation listSystem/App-V/StreamingStreaming_Verify_Certificate_Revocation_Listappv.admx
    AppVirtualization/VirtualComponentsAllowListVirtual Component Process Allow ListSystem/App-V/VirtualizationVirtualization_JITVAllowListappv.admx
    AttachmentManager/DoNotPreserveZoneInformationDo not preserve zone information in file attachmentsWindows Components/Attachment ManagerAM_MarkZoneOnSavedAtttachmentsAttachmentManager.admx
    AttachmentManager/HideZoneInfoMechanismHide mechanisms to remove zone informationWindows Components/Attachment ManagerAM_RemoveZoneInfoAttachmentManager.admx
    AttachmentManager/NotifyAntivirusProgramsNotify antivirus programs when opening attachmentsWindows Components/Attachment ManagerAM_CallIOfficeAntiVirusAttachmentManager.admx
    Autoplay/DisallowAutoplayForNonVolumeDevicesDisallow Autoplay for non-volume devicesWindows Components/AutoPlay PoliciesNoAutoplayfornonVolumeAutoPlay.admx
    Autoplay/SetDefaultAutoRunBehaviorSet the default behavior for AutoRunWindows Components/AutoPlay PoliciesNoAutorunAutoPlay.admx
    Autoplay/TurnOffAutoPlayTurn off AutoplayWindows Components/AutoPlay PoliciesAutorunAutoPlay.admx
    Connectivity/HardenedUNCPathsHardened UNC PathsNetwork/Network ProviderPol_HardenedPathsnetworkprovider.admx
    CredentialProviders/AllowPINLogonTurn on convenience PIN sign-inSystem/LogonAllowDomainPINLogoncredentialproviders.admx
    CredentialProviders/BlockPicturePasswordTurn off picture password sign-inSystem/LogonBlockDomainPicturePasswordcredentialproviders.admx
    CredentialsUI/DisablePasswordRevealDo not display the password reveal buttonWindows Components/Credential User InterfaceDisablePasswordRevealcredui.admx
    CredentialsUI/EnumerateAdministratorsEnumerate administrator accounts on elevationWindows Components/Credential User InterfaceEnumerateAdministratorscredui.admx
    DataUsage/SetCost3GSet 3G CostNetwork/WWAN Service/WWAN Media CostSetCost3Gwwansvc.admx
    DataUsage/SetCost4GSet 4G CostNetwork/WWAN Service/WWAN Media CostSetCost4Gwwansvc.admx
    Desktop/PreventUserRedirectionOfProfileFolders   desktop.admx
    DeviceInstallation/PreventInstallationOfMatchingDeviceIDsPrevent installation of devices that match any of these device IDsSystem/Device Installation/Device Installation RestrictionsDeviceInstall_IDs_Denydeviceinstallation.admx
    DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClassesPrevent installation of devices using drivers that match these device setup classesSystem/Device Installation/Device Installation RestrictionsDeviceInstall_Classes_Denydeviceinstallation.admx
    DeviceLock/PreventLockScreenSlideShow   ControlPanelDisplay.admx
    ErrorReporting/CustomizeConsentSettingsCustomize consent settingsWindows Components/Windows Error Reporting/ConsentWerConsentCustomize_2ErrorReporting.admx
    ErrorReporting/DisableWindowsErrorReportingDisable Windows Error ReportingWindows Components/Windows Error ReportingWerDisable_2ErrorReporting.admx
    ErrorReporting/DisplayErrorNotificationDisplay Error NotificationWindows Components/Windows Error ReportingPCH_ShowUIErrorReporting.admx
    ErrorReporting/DoNotSendAdditionalDataDo not send additional dataWindows Components/Windows Error ReportingWerNoSecondLevelData_2ErrorReporting.admx
    ErrorReporting/PreventCriticalErrorDisplayPrevent display of the user interface for critical errorsWindows Components/Windows Error ReportingWerDoNotShowUIErrorReporting.admx
    EventLogService/ControlEventLogBehaviorControl Event Log behavior when the log file reaches its maximum sizeWindows Components/Event Log Service/ApplicationChannel_Log_Retention_1eventlog.admx
    EventLogService/SpecifyMaximumFileSizeApplicationLogSpecify the maximum log file size (KB)Windows Components/Event Log Service/ApplicationChannel_LogMaxSize_1eventlog.admx
    EventLogService/SpecifyMaximumFileSizeSecurityLogSpecify the maximum log file size (KB)Windows Components/Event Log Service/SecurityChannel_LogMaxSize_2eventlog.admx
    EventLogService/SpecifyMaximumFileSizeSystemLogSpecify the maximum log file size (KB)Windows Components/Event Log Service/SystemChannel_LogMaxSize_4eventlog.admx
    InternetExplorer/AddSearchProviderAdd a specific list of search providers to the user's list of search providersWindows Components/Internet ExplorerAddSearchProviderinetres.admx
    InternetExplorer/AllowActiveXFilteringTurn on ActiveX FilteringWindows Components/Internet ExplorerTurnOnActiveXFilteringinetres.admx
    InternetExplorer/AllowAddOnListAdd-on ListWindows Components/Internet Explorer/Security Features/Add-on ManagementAddonManagement_AddOnListinetres.admx
    InternetExplorer/AllowEnhancedProtectedModeTurn on Enhanced Protected ModeWindows Components/Internet Explorer/Internet Control Panel/Advanced PageAdvanced_EnableEnhancedProtectedModeinetres.admx
    InternetExplorer/AllowEnterpriseModeFromToolsMenuLet users turn on and use Enterprise Mode from the Tools menuWindows Components/Internet ExplorerEnterpriseModeEnableinetres.admx
    InternetExplorer/AllowEnterpriseModeSiteListUse the Enterprise Mode IE website listWindows Components/Internet ExplorerEnterpriseModeSiteListinetres.admx
    InternetExplorer/AllowInternetExplorer7PolicyList Use Policy List of Internet Explorer 7 sitesCompatView_UsePolicyListinetres.admx
    InternetExplorer/AllowInternetExplorerStandardsModeTurn on Internet Explorer Standards Mode for local intranetWindows Components/Internet Explorer/Compatibility ViewCompatView_IntranetSitesinetres.admx
    InternetExplorer/AllowInternetZoneTemplateInternet Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyInternetZoneTemplateinetres.admx
    InternetExplorer/AllowIntranetZoneTemplateIntranet Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyIntranetZoneTemplateinetres.admx
    InternetExplorer/AllowLocalMachineZoneTemplateLocal Machine Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyLocalMachineZoneTemplateinetres.admx
    InternetExplorer/AllowLockedDownInternetZoneTemplateLocked-Down Internet Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyInternetZoneLockdownTemplateinetres.admx
    InternetExplorer/AllowLockedDownIntranetZoneTemplateLocked-Down Intranet Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyIntranetZoneLockdownTemplateinetres.admx
    InternetExplorer/AllowLockedDownLocalMachineZoneTemplateLocked-Down Local Machine Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyLocalMachineZoneLockdownTemplateinetres.admx
    InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplateLocked-Down Restricted Sites Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyRestrictedSitesZoneLockdownTemplateinetres.admx
    InternetExplorer/AllowOneWordEntryGo to an intranet site for a one-word entry in the Address barWindows Components/Internet Explorer/Internet Settings/Advanced settings/BrowsingUseIntranetSiteForOneWordEntryinetres.admx
    InternetExplorer/AllowSiteToZoneAssignmentListSite to Zone Assignment ListWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_Zonemapsinetres.admx
    InternetExplorer/AllowSuggestedSitesTurn on Suggested SitesWindows Components/Internet ExplorerEnableSuggestedSitesinetres.admx
    InternetExplorer/AllowTrustedSitesZoneTemplateTrusted Sites Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyTrustedSitesZoneTemplateinetres.admx
    InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplateLocked-Down Trusted Sites Zone TemplateIZ_PolicyTrustedSitesZoneLockdownTemplateinetres.admx
    InternetExplorer/AllowsRestrictedSitesZoneTemplateRestricted Sites Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyRestrictedSitesZoneTemplateinetres.admx
    InternetExplorer/DisableAdobeFlashTurn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objectsWindows Components/Internet Explorer/Security Features/Add-on ManagementDisableFlashInIEinetres.admx
    InternetExplorer/DisableBypassOfSmartScreenWarnings   inetres.admx
    InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles   inetres.admx
    InternetExplorer/DisableCustomerExperienceImprovementProgramParticipationPrevent participation in the Customer Experience Improvement ProgramWindows Components/Internet ExplorerSQM_DisableCEIPinetres.admx
    InternetExplorer/DisableEnclosureDownloadingPrevent downloading of enclosuresWindows Components/RSS FeedsDisable_Downloading_of_Enclosuresinetres.admx
    InternetExplorer/DisableEncryptionSupportTurn off encryption supportWindows Components/Internet Explorer/Internet Control Panel/Advanced PageAdvanced_SetWinInetProtocolsinetres.admx
    InternetExplorer/DisableFirstRunWizardPrevent running First Run wizardWindows Components/Internet ExplorerNoFirstRunCustomiseinetres.admx
    InternetExplorer/DisableFlipAheadFeatureTurn off the flip ahead with page prediction featureWindows Components/Internet Explorer/Internet Control Panel/Advanced PageAdvanced_DisableFlipAheadinetres.admx
    InternetExplorer/DisableHomePageChangeDisable changing home page settingsWindows Components/Internet ExplorerRestrictHomePageinetres.admx
    InternetExplorer/DisableProxyChange   inetres.admx
    InternetExplorer/DisableSearchProviderChangePrevent changing the default search providerWindows Components/Internet ExplorerNoSearchProviderinetres.admx
    InternetExplorer/DisableSecondaryHomePageChangeDisable changing secondary home page settingsWindows Components/Internet ExplorerSecondaryHomePagesinetres.admx
    InternetExplorer/DisableUpdateCheck   inetres.admx
    InternetExplorer/DoNotAllowUsersToAddSites   inetres.admx
    InternetExplorer/DoNotAllowUsersToChangePolicies   inetres.admx
    InternetExplorer/DoNotBlockOutdatedActiveXControlsTurn off blocking of outdated ActiveX controls for Internet ExplorerWindows Components/Internet Explorer/Security Features/Add-on ManagementVerMgmtDisableinetres.admx
    InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomainsTurn off blocking of outdated ActiveX controls for Internet Explorer on specific domainsWindows Components/Internet Explorer/Security Features/Add-on ManagementVerMgmtDomainAllowlistinetres.admx
    InternetExplorer/IncludeAllLocalSitesIntranet Sites: Include all local (intranet) sites not listed in other zonesWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_IncludeUnspecifiedLocalSitesinetres.admx
    InternetExplorer/IncludeAllNetworkPathsIntranet Sites: Include all network paths (UNCs)Windows Components/Internet Explorer/Internet Control Panel/Security PageIZ_UNCAsIntranetinetres.admx
    InternetExplorer/InternetZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyAccessDataSourcesAcrossDomains_1inetres.admx
    InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyNotificationBarActiveXURLaction_1inetres.admx
    InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyNotificationBarDownloadURLaction_1inetres.admx
    InternetExplorer/InternetZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyFontDownload_1inetres.admx
    InternetExplorer/InternetZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyZoneElevationURLaction_1inetres.admx
    InternetExplorer/InternetZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_1inetres.admx
    InternetExplorer/InternetZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_Policy_AllowScriptlets_1inetres.admx
    InternetExplorer/InternetZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_Policy_Phishing_1inetres.admx
    InternetExplorer/InternetZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyUserdataPersistence_1inetres.admx
    InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyScriptActiveXNotMarkedSafe_1inetres.admx
    InternetExplorer/InternetZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyNavigateSubframesAcrossDomains_1inetres.admx
    InternetExplorer/IntranetZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyAccessDataSourcesAcrossDomains_3inetres.admx
    InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyNotificationBarActiveXURLaction_3inetres.admx
    InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyNotificationBarDownloadURLaction_3inetres.admx
    InternetExplorer/IntranetZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyFontDownload_3inetres.admx
    InternetExplorer/IntranetZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyZoneElevationURLaction_3inetres.admx
    InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_3inetres.admx
    InternetExplorer/IntranetZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_Policy_AllowScriptlets_3inetres.admx
    InternetExplorer/IntranetZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_Policy_Phishing_3inetres.admx
    InternetExplorer/IntranetZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyUserdataPersistence_3inetres.admx
    InternetExplorer/IntranetZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyScriptActiveXNotMarkedSafe_3inetres.admx
    InternetExplorer/IntranetZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyNavigateSubframesAcrossDomains_3inetres.admx
    InternetExplorer/LocalMachineZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyAccessDataSourcesAcrossDomains_9inetres.admx
    InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyNotificationBarActiveXURLaction_9inetres.admx
    InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyNotificationBarDownloadURLaction_9inetres.admx
    InternetExplorer/LocalMachineZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyFontDownload_9inetres.admx
    InternetExplorer/LocalMachineZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyZoneElevationURLaction_9inetres.admx
    InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_9inetres.admx
    InternetExplorer/LocalMachineZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_Policy_AllowScriptlets_9inetres.admx
    InternetExplorer/LocalMachineZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_Policy_Phishing_9inetres.admx
    InternetExplorer/LocalMachineZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyUserdataPersistence_9inetres.admx
    InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyScriptActiveXNotMarkedSafe_9inetres.admx
    InternetExplorer/LocalMachineZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyNavigateSubframesAcrossDomains_9inetres.admx
    InternetExplorer/LockedDownInternetZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyAccessDataSourcesAcrossDomains_2inetres.admx
    InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyNotificationBarActiveXURLaction_2inetres.admx
    InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyNotificationBarDownloadURLaction_2inetres.admx
    InternetExplorer/LockedDownInternetZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyFontDownload_2inetres.admx
    InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyZoneElevationURLaction_2inetres.admx
    InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_2inetres.admx
    InternetExplorer/LockedDownInternetZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_Policy_AllowScriptlets_2inetres.admx
    InternetExplorer/LockedDownInternetZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_Policy_Phishing_2inetres.admx
    InternetExplorer/LockedDownInternetZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyUserdataPersistence_2inetres.admx
    InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyScriptActiveXNotMarkedSafe_2inetres.admx
    InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyNavigateSubframesAcrossDomains_2inetres.admx
    InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyAccessDataSourcesAcrossDomains_4inetres.admx
    InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyNotificationBarActiveXURLaction_4inetres.admx
    InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyNotificationBarDownloadURLaction_4inetres.admx
    InternetExplorer/LockedDownIntranetZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyFontDownload_4inetres.admx
    InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyZoneElevationURLaction_4inetres.admx
    InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_4inetres.admx
    InternetExplorer/LockedDownIntranetZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_Policy_AllowScriptlets_4inetres.admx
    InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_Policy_Phishing_4inetres.admx
    InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyUserdataPersistence_4inetres.admx
    InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyScriptActiveXNotMarkedSafe_4inetres.admx
    InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyNavigateSubframesAcrossDomains_4inetres.admx
    InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyAccessDataSourcesAcrossDomains_10inetres.admx
    InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyNotificationBarActiveXURLaction_10inetres.admx
    InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyNotificationBarDownloadURLaction_10inetres.admx
    InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyFontDownload_10inetres.admx
    InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyZoneElevationURLaction_10inetres.admx
    InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_10inetres.admx
    InternetExplorer/LockedDownLocalMachineZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_Policy_AllowScriptlets_10inetres.admx
    InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_Policy_Phishing_10inetres.admx
    InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyUserdataPersistence_10inetres.admx
    InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyScriptActiveXNotMarkedSafe_10inetres.admx
    InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyNavigateSubframesAcrossDomains_10inetres.admx
    InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyAccessDataSourcesAcrossDomains_8inetres.admx
    InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyNotificationBarActiveXURLaction_8inetres.admx
    InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyNotificationBarDownloadURLaction_8inetres.admx
    InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyFontDownload_8inetres.admx
    InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyZoneElevationURLaction_8inetres.admx
    InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_8inetres.admx
    InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_Policy_AllowScriptlets_8inetres.admx
    InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_Policy_Phishing_8inetres.admx
    InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyUserdataPersistence_8inetres.admx
    InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyScriptActiveXNotMarkedSafe_8inetres.admx
    InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyNavigateSubframesAcrossDomains_8inetres.admx
    InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyAccessDataSourcesAcrossDomains_6inetres.admx
    InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyNotificationBarActiveXURLaction_6inetres.admx
    InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyNotificationBarDownloadURLaction_6inetres.admx
    InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyFontDownload_6inetres.admx
    InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyZoneElevationURLaction_6inetres.admx
    InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_6inetres.admx
    InternetExplorer/LockedDownTrustedSitesZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_Policy_AllowScriptlets_6inetres.admx
    InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_Policy_Phishing_6inetres.admx
    InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyUserdataPersistence_6inetres.admx
    InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyScriptActiveXNotMarkedSafe_6inetres.admx
    InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyNavigateSubframesAcrossDomains_6inetres.admx
    InternetExplorer/RestrictedSitesZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyAccessDataSourcesAcrossDomains_7inetres.admx
    InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyNotificationBarActiveXURLaction_7inetres.admx
    InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyNotificationBarDownloadURLaction_7inetres.admx
    InternetExplorer/RestrictedSitesZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyFontDownload_7inetres.admx
    InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyZoneElevationURLaction_7inetres.admx
    InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_7inetres.admx
    InternetExplorer/RestrictedSitesZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_Policy_AllowScriptlets_7inetres.admx
    InternetExplorer/RestrictedSitesZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_Policy_Phishing_7inetres.admx
    InternetExplorer/RestrictedSitesZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyUserdataPersistence_7inetres.admx
    InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyScriptActiveXNotMarkedSafe_7inetres.admx
    InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyNavigateSubframesAcrossDomains_7inetres.admx
    InternetExplorer/SearchProviderListRestrict search providers to a specific listWindows Components/Internet ExplorerSpecificSearchProviderinetres.admx
    InternetExplorer/TrustedSitesZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyAccessDataSourcesAcrossDomains_5inetres.admx
    InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyNotificationBarActiveXURLaction_5inetres.admx
    InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyNotificationBarDownloadURLaction_5inetres.admx
    InternetExplorer/TrustedSitesZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyFontDownload_5inetres.admx
    InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyZoneElevationURLaction_5inetres.admx
    InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_5inetres.admx
    InternetExplorer/TrustedSitesZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_Policy_AllowScriptlets_5inetres.admx
    InternetExplorer/TrustedSitesZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_Policy_Phishing_5inetres.admx
    InternetExplorer/TrustedSitesZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyUserdataPersistence_5inetres.admx
    InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyScriptActiveXNotMarkedSafe_5inetres.admx
    InternetExplorer/TrustedSitesZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyNavigateSubframesAcrossDomains_5inetres.admx
    Kerberos/AllowForestSearchOrder ForestSearchKerberos.admx
    Kerberos/KerberosClientSupportsClaimsCompoundArmorKerberos client support for claims, compound authentication and Kerberos armoringSystem/KerberosEnableCbacAndArmorKerberos.admx
    Kerberos/RequireKerberosArmoringFail authentication requests when Kerberos armoring is not availableSystem/KerberosClientRequireFastKerberos.admx
    Kerberos/RequireStrictKDCValidationRequire strict KDC validationSystem/KerberosValidateKDCKerberos.admx
    Kerberos/SetMaximumContextTokenSizeSet maximum Kerberos SSPI context token buffer sizeSystem/KerberosMaxTokenSizeKerberos.admx
    Power/AllowStandbyWhenSleepingPluggedInAllow standby states (S1-S3) when sleeping (plugged in)System/Power Management/Sleep SettingsAllowStandbyStatesAC_2power.admx
    Power/RequirePasswordWhenComputerWakesOnBatteryRequire a password when a computer wakes (on battery)System/Power Management/Sleep SettingsDCPromptForPasswordOnResume_2power.admx
    Power/RequirePasswordWhenComputerWakesPluggedInRequire a password when a computer wakes (plugged in)System/Power Management/Sleep SettingsACPromptForPasswordOnResume_2power.admx
    Printers/PointAndPrintRestrictionsPoint and Print RestrictionsPrintersPointAndPrint_Restrictions_Win7Printing.admx
    Printers/PointAndPrintRestrictions_UserPoint and Print RestrictionsPointAndPrint_RestrictionsPrinting.admx
    Printers/PublishPrintersAllow printers to be publishedPrintersPublishPrintersPrinting2.admx
    RemoteAssistance/CustomizeWarningMessagesCustomize warning messagesSystem/Remote AssistanceRA_Optionsremoteassistance.admx
    RemoteAssistance/SessionLoggingTurn on session loggingSystem/Remote AssistanceRA_Loggingremoteassistance.admx
    RemoteAssistance/SolicitedRemoteAssistanceConfigure Solicited Remote AssistanceSystem/Remote AssistanceRA_Solicitremoteassistance.admx
    RemoteAssistance/UnsolicitedRemoteAssistanceConfigure Offer Remote AssistanceRA_Unsolicitremoteassistance.admx
    RemoteDesktopServices/AllowUsersToConnectRemotelyAllow users to connect remotely by using Remote Desktop ServicesWindows Components/Remote Desktop Services/Remote Desktop Session Host/ConnectionsTS_DISABLE_CONNECTIONSterminalserver.admx
    RemoteDesktopServices/ClientConnectionEncryptionLevelSet client connection encryption levelWindows Components/Remote Desktop Services/Remote Desktop Session Host/SecurityTS_ENCRYPTION_POLICYterminalserver.admx
    RemoteDesktopServices/DoNotAllowDriveRedirectionDo not allow drive redirectionWindows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource RedirectionTS_CLIENT_DRIVE_Mterminalserver.admx
    RemoteDesktopServices/DoNotAllowPasswordSavingDo not allow passwords to be savedWindows Components/Remote Desktop Services/Remote Desktop Connection ClientTS_CLIENT_DISABLE_PASSWORD_SAVING_2terminalserver.admx
    RemoteDesktopServices/PromptForPasswordUponConnectionAlways prompt for password upon connectionWindows Components/Remote Desktop Services/Remote Desktop Session Host/SecurityTS_PASSWORDterminalserver.admx
    RemoteDesktopServices/RequireSecureRPCCommunicationRequire secure RPC communicationWindows Components/Remote Desktop Services/Remote Desktop Session Host/SecurityTS_RPC_ENCRYPTIONterminalserver.admx
    RemoteProcedureCall/RPCEndpointMapperClientAuthenticationEnable RPC Endpoint Mapper Client AuthenticationSystem/Remote Procedure CallRpcEnableAuthEpResolutionrpc.admx
    RemoteProcedureCall/RestrictUnauthenticatedRPCClientsRestrict Unauthenticated RPC clientsSystem/Remote Procedure CallRpcRestrictRemoteClientsrpc.admx
    Storage/EnhancedStorageDevicesDo not allow Windows to activate Enhanced Storage devicesSystem/Enhanced Storage AccessTCGSecurityActivationDisabledenhancedstorage.admx
    System/BootStartDriverInitializationBoot-Start Driver Initialization PolicySystem/Early Launch AntimalwarePOL_DriverLoadPolicy_Nameearlylauncham.admx
    System/DisableSystemRestoreTurn off System RestoreSystem/System RestoreSR_DisableSRsystemrestore.admx
    WindowsLogon/DisableLockScreenAppNotificationsTurn off app notifications on the lock screenSystem/LogonDisableLockScreenAppNotificationslogon.admx
    WindowsLogon/DontDisplayNetworkSelectionUIDo not display network selection UISystem/LogonDontDisplayNetworkSelectionUIlogon.admx
    - - -## List of <AreaName>/<PolicyName> - - -**ActiveXControls/ApprovedInstallationSites** - -

    This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex Install sites specified by host URL.

    - -

    If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL. - -If you disable or do not configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation.

    - -

    Note: Wild card characters cannot be used when specifying the host URLs. -

    - -**AppVirtualization/AllowAppVClient** - -

    This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect.

    - -**AppVirtualization/AllowDynamicVirtualization** - -

    Enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls.

    - -**AppVirtualization/AllowPackageCleanup** - -

    N/A

    - -**AppVirtualization/AllowPackageScripts** - -

    Enables scripts defined in the package manifest of configuration files that should run.

    - -**AppVirtualization/AllowPublishingRefreshUX** - -

    Enables a UX to display to the user when a publishing refresh is performed on the client.

    - -**AppVirtualization/AllowReportingServer** - -

    Reporting Server URL: Displays the URL of reporting server.

    - -

    Reporting Time: When the client data should be reported to the server. Acceptable range is 0~23, corresponding to the 24 hours in a day. A good practice is, don't set this time to a busy hour, e.g. 9AM. - - Delay reporting for the random minutes: The maximum minutes of random delay on top of the reporting time. For a busy system, the random delay will help reduce the server load. - - Repeat reporting for every (days): The periodical interval in days for sending the reporting data. - - Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The default value is 20 MB. The size applies to the cache in memory. When the limit is reached, the log file will roll over. When a new record is to be added (bottom of the list), one or more of the oldest records (top of the list) will be deleted to make room. A warning will be logged to the Client log and the event log the first time this occurs, and will not be logged again until after the cache has been successfully cleared on transmission and the log has filled up again.

    - -

    Data Block Size: This value specifies the maximum size in bytes to transmit to the server at once on a reporting upload, to avoid permanent transmission failures when the log has reached a significant size. The default value is 65536. When transmitting report data to the server, one block at a time of application records that is less than or equal to the block size in bytes of XML data will be removed from the cache and sent to the server. Each block will have the general Client data and global package list data prepended, and these will not factor into the block size calculations; the potential exists for an extremely large package list to result in transmission failures over low bandwidth or unreliable connections. -

    - -**AppVirtualization/AllowRoamingFileExclusions** - -

    Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'.

    - -**AppVirtualization/AllowRoamingRegistryExclusions** - -

    Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients.

    - -**AppVirtualization/AllowStreamingAutoload** - -

    Specifies how new packages should be loaded automatically by App-V on a specific computer.

    - -**AppVirtualization/ClientCoexistenceAllowMigrationmode** - -

    Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V.

    - -**AppVirtualization/IntegrationAllowRootGlobal** - -

    Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration.

    - -**AppVirtualization/IntegrationAllowRootUser** - -

    Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration.

    - -**AppVirtualization/PublishingAllowServer1** - -

    Publishing Server Display Name: Displays the name of publishing server. - - Publishing Server URL: Displays the URL of publishing server. - - Global Publishing Refresh: Enables global publishing refresh (Boolean). - - Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - - Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - - Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - User Publishing Refresh: Enables user publishing refresh (Boolean). - - User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - - User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - - User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -

    - -**AppVirtualization/PublishingAllowServer2** - -

    Publishing Server Display Name: Displays the name of publishing server. - - Publishing Server URL: Displays the URL of publishing server. - - Global Publishing Refresh: Enables global publishing refresh (Boolean). - - Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - - Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - - Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - User Publishing Refresh: Enables user publishing refresh (Boolean). - - User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - - User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - - User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -

    - -**AppVirtualization/PublishingAllowServer3** - -

    Publishing Server Display Name: Displays the name of publishing server. - - Publishing Server URL: Displays the URL of publishing server. - - Global Publishing Refresh: Enables global publishing refresh (Boolean). - - Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - - Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - - Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - User Publishing Refresh: Enables user publishing refresh (Boolean). - - User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - - User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - - User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -

    - -**AppVirtualization/PublishingAllowServer4** - -

    Publishing Server Display Name: Displays the name of publishing server. - - Publishing Server URL: Displays the URL of publishing server. - - Global Publishing Refresh: Enables global publishing refresh (Boolean). - - Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - - Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - - Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - User Publishing Refresh: Enables user publishing refresh (Boolean). - - User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - - User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - - User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -

    - -**AppVirtualization/PublishingAllowServer5** - -

    Publishing Server Display Name: Displays the name of publishing server. - - Publishing Server URL: Displays the URL of publishing server. - - Global Publishing Refresh: Enables global publishing refresh (Boolean). - - Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - - Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - - Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - User Publishing Refresh: Enables user publishing refresh (Boolean). - - User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - - User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - - User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -

    - -**AppVirtualization/StreamingAllowCertificateFilterForClient_SSL** - -

    Specifies the path to a valid certificate in the certificate store.

    - -**AppVirtualization/StreamingAllowHighCostLaunch** - -

    This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (e.g. 4G).

    - -**AppVirtualization/StreamingAllowLocationProvider** - -

    Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface.

    - -**AppVirtualization/StreamingAllowPackageInstallationRoot** - -

    Specifies directory where all new applications and updates will be installed.

    - -**AppVirtualization/StreamingAllowPackageSourceRoot** - -

    Overrides source location for downloading package content.

    - -**AppVirtualization/StreamingAllowReestablishmentInterval** - -

    Specifies the number of seconds between attempts to reestablish a dropped session.

    - -**AppVirtualization/StreamingAllowReestablishmentRetries** - -

    Specifies the number of times to retry a dropped session.

    - -**AppVirtualization/StreamingSharedContentStoreMode** - -

    Specifies that streamed package contents will be not be saved to the local hard disk.

    - -**AppVirtualization/StreamingSupportBranchCache** - -

    If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache

    - -**AppVirtualization/StreamingVerifyCertificateRevocationList** - -

    Verifies Server certificate revocation status before streaming using HTTPS.

    - -**AppVirtualization/VirtualComponentsAllowList** - -

    Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc). Only processes whose full path matches one of these items can use virtual components.

    - -**AttachmentManager/DoNotPreserveZoneInformation** - -

    This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail without notice on FAT32. By not preserving the zone information, Windows cannot make proper risk assessments.

    - -

    If you enable this policy setting, Windows does not mark file attachments with their zone information.

    - -

    If you disable this policy setting, Windows marks file attachments with their zone information.

    - -

    If you do not configure this policy setting, Windows marks file attachments with their zone information.

    - -**AttachmentManager/HideZoneInfoMechanism** - -

    This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments by clicking the Unblock button in the file's property sheet or by using a check box in the security warning dialog. Removing the zone information allows users to open potentially dangerous file attachments that Windows has blocked users from opening.

    - -

    If you enable this policy setting, Windows hides the check box and Unblock button.

    - -

    If you disable this policy setting, Windows shows the check box and Unblock button.

    - -

    If you do not configure this policy setting, Windows hides the check box and Unblock button.

    - -**AttachmentManager/NotifyAntivirusPrograms** - -

    This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant.

    - -

    If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened.

    - -

    If you disable this policy setting, Windows does not call the registered antivirus programs when file attachments are opened.

    - -

    If you do not configure this policy setting, Windows does not call the registered antivirus programs when file attachments are opened.

    - -**Autoplay/DisallowAutoplayForNonVolumeDevices** - -

    This policy setting disallows AutoPlay for MTP devices like cameras or phones.

    - -

    If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones.

    - -

    If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices.

    - -**Autoplay/SetDefaultAutoRunBehavior** - -

    This policy setting sets the default behavior for Autorun commands.

    - -

    Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines.

    - -

    Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention.

    - -

    This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog.

    - -

    If you enable this policy setting, an Administrator can change the default Windows Vista or later behavior for autorun to:

    - -

    a) Completely disable autorun commands, or - b) Revert back to pre-Windows Vista behavior of automatically executing the autorun command.

    - -

    If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run.

    - -**Autoplay/TurnOffAutoPlay** - -

    This policy setting allows you to turn off the Autoplay feature.

    - -

    Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately.

    - -

    Prior to Windows XP SP2, Autoplay is disabled by default on removable drives, such as the floppy disk drive (but not the CD-ROM drive), and on network drives.

    - -

    Starting with Windows XP SP2, Autoplay is enabled for removable drives as well, including Zip drives and some USB mass storage devices.

    - -

    If you enable this policy setting, Autoplay is disabled on CD-ROM and removable media drives, or disabled on all drives.

    - -

    This policy setting disables Autoplay on additional types of drives. You cannot use this setting to enable Autoplay on drives on which it is disabled by default.

    - -

    If you disable or do not configure this policy setting, AutoPlay is enabled.

    - -

    Note: This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration.

    - -**Connectivity/HardenedUNCPaths** - -

    This policy setting configures secure access to UNC paths.

    - -

    If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. -

    - -**CredentialProviders/AllowPINLogon** - -

    This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Windows Hello PIN, which has stronger security properties. To configure Windows Hello for Business, use the policies under Computer configuration\Administrative Templates\Windows Components\Windows Hello for Business.

    - -

    If you enable this policy setting, a domain user can set up and sign in with a convenience PIN.

    - -

    If you disable or don't configure this policy setting, a domain user can't set up and use a convenience PIN.

    - -

    Note that the user's domain password will be cached in the system vault when using this feature.

    - -**CredentialProviders/BlockPicturePassword** - -

    This policy setting allows you to control whether a domain user can sign in using a picture password.

    - -

    If you enable this policy setting, a domain user can't set up or sign in with a picture password.

    - -

    If you disable or don't configure this policy setting, a domain user can set up and use a picture password.

    - -

    Note that the user's domain password will be cached in the system vault when using this feature.

    - -**CredentialsUI/DisablePasswordReveal** - -

    This policy setting allows you to configure the display of the password reveal button in password entry user experiences.

    - -

    If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box.

    - -

    If you disable or do not configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box.

    - -

    By default, the password reveal button is displayed after a user types a password in the password entry text box. To display the password, click the password reveal button.

    - -

    The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer.

    - -**CredentialsUI/EnumerateAdministrators** - -

    This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application.

    - -

    If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password.

    - -

    If you disable this policy setting, users will always be required to type a user name and password to elevate.

    - -**DataUsage/SetCost3G** - -

    This policy setting configures the cost of 3G connections on the local machine.

    - -

    If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 3G connections on the local machine:

    - -

    - Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.

    - -

    - Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.

    - -

    - Variable: This connection is costed on a per byte basis.

    - -

    If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default. -

    - -**DataUsage/SetCost4G** - -

    This policy setting configures the cost of 4G connections on the local machine.

    - -

    If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 4G connections on the local machine:

    - -

    - Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.

    - -

    - Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.

    - -

    - Variable: This connection is costed on a per byte basis.

    - -

    If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default. -

    - -**DeviceInstallation/PreventInstallationOfMatchingDeviceIDs** - -

    This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.

    - -

    If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.

    - -

    If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.

    - -**DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses** - -

    This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. - -If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.

    - -

    If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.

    - -**ErrorReporting/CustomizeConsentSettings** - -

    This policy setting determines the consent behavior of Windows Error Reporting for specific event types.

    - -

    If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4.

    - -

    - 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type.

    - -

    - 1 (Always ask before sending data): Windows prompts the user for consent to send reports.

    - -

    - 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any additional data requested by Microsoft.

    - -

    - 3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, as well as data which Windows has determined (within a high probability) does not contain personally identifiable data, and prompts the user for consent to send any additional data requested by Microsoft.

    - -

    - 4 (Send all data): Any data requested by Microsoft is sent automatically.

    - -

    If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting.

    - -**ErrorReporting/DisableWindowsErrorReporting** - -

    This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails.

    - -

    If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel.

    - -

    If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied.

    - -**ErrorReporting/DisplayErrorNotification** - -

    This policy setting controls whether users are shown an error dialog box that lets them report an error.

    - -

    If you enable this policy setting, users are notified in a dialog box that an error has occurred, and can display more details about the error. If the Configure Error Reporting policy setting is also enabled, the user can also report the error.

    - -

    If you disable this policy setting, users are not notified that errors have occurred. If the Configure Error Reporting policy setting is also enabled, errors are reported, but users receive no notification. Disabling this policy setting is useful for servers that do not have interactive users.

    - -

    If you do not configure this policy setting, users can change this setting in Control Panel, which is set to enable notification by default on computers that are running Windows XP Personal Edition and Windows XP Professional Edition, and disable notification by default on computers that are running Windows Server.

    - -

    See also the Configure Error Reporting policy setting.

    - -**ErrorReporting/DoNotSendAdditionalData** - -

    This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically.

    - -

    If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user.

    - -

    If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence.

    - -**ErrorReporting/PreventCriticalErrorDisplay** - -

    This policy setting prevents the display of the user interface for critical errors.

    - -

    If you enable this policy setting, Windows Error Reporting does not display any GUI-based error messages or dialog boxes for critical errors.

    - -

    If you disable or do not configure this policy setting, Windows Error Reporting displays the user interface for critical errors.

    - -**EventLogService/ControlEventLogBehavior** - -

    This policy setting controls Event Log behavior when the log file reaches its maximum size.

    - -

    If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost.

    - -

    If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events.

    - -

    Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.

    - -**EventLogService/SpecifyMaximumFileSizeApplicationLog** - -

    This policy setting specifies the maximum size of the log file in kilobytes.

    - -

    If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.

    - -

    If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.

    - -**EventLogService/SpecifyMaximumFileSizeSecurityLog** - -

    This policy setting specifies the maximum size of the log file in kilobytes.

    - -

    If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.

    - -

    If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.

    - -**EventLogService/SpecifyMaximumFileSizeSystemLog** - -

    This policy setting specifies the maximum size of the log file in kilobytes.

    - -

    If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.

    - -

    If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.

    - -**InternetExplorer/AddSearchProvider** - -

    This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally, search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from the provider's website.

    - -

    If you enable this policy setting, the user can add and remove search providers, but only from the set of search providers specified in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Note: This list can be created from a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers.

    - -

    If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration.

    - -**InternetExplorer/AllowActiveXFiltering** - -

    This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly.

    - -

    If you enable this policy setting, ActiveX Filtering is enabled by default for the user. The user cannot turn off ActiveX Filtering, although they may add per-site exceptions.

    - -

    If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off.

    - -**InternetExplorer/AllowAddOnList** - -

    This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are controls like ActiveX Controls, Toolbars, and Browser Helper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages.

    - -

    This list can be used with the 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting, which defines whether add-ons not listed here are assumed to be denied.

    - -

    If you enable this policy setting, you can enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, enter the following information:

    - -

    Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example, {000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced.

    - -

    Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field.

    - -

    If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied.

    - -**InternetExplorer/AllowEnhancedProtectedMode** - -

    Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.

    - -

    If you enable this policy setting, Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode.

    - -

    If you disable this policy setting, Enhanced Protected Mode will be turned off. Any zone that has Protected Mode enabled will use the version of Protected Mode introduced in Internet Explorer 7 for Windows Vista.

    - -

    If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog.

    - -**InternetExplorer/AllowEnterpriseModeFromToolsMenu** - -

    This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the Tools menu.

    - -

    If you turn this setting on, users can see and use the Enterprise Mode option from the Tools menu. If you turn this setting on, but don't specify a report location, Enterprise Mode will still be available to your users, but you won't get any reports.

    - -

    If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode.

    - -**InternetExplorer/AllowEnterpriseModeSiteList** - -

    This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE, instead of Standard mode, because of compatibility issues. Users can't edit this list.

    - -

    If you enable this policy setting, Internet Explorer downloads the website list from your location (HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode), opening all listed websites using Enterprise Mode IE.

    - -

    If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode.

    - -**InternetExplorer/AllowInternetExplorer7PolicyList ** - -

    This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compatibility View.

    - -

    If you enable this policy setting, the user can add and remove sites from the list, but the user cannot remove the entries that you specify.

    - -

    If you disable or do not configure this policy setting, the user can add and remove sites from the list.

    - -**InternetExplorer/AllowInternetExplorerStandardsMode** - -

    This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belongs to the local intranet security zone.

    - -

    If you enable this policy setting, Internet Explorer uses the current user agent string for local intranet content. Additionally, all local intranet Standards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user cannot change this behavior through the Compatibility View Settings dialog box.

    - -

    If you disable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. The user cannot change this behavior through the Compatibility View Settings dialog box.

    - -

    If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer.

    - -**InternetExplorer/AllowInternetZoneTemplate** - -

    This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

    - -

    If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

    - -

    If you disable this template policy setting, no security level is configured.

    - -

    If you do not configure this template policy setting, no security level is configured.

    - -

    Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

    - -

    Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

    - -**InternetExplorer/AllowIntranetZoneTemplate** - -

    This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

    - -

    If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

    - -

    If you disable this template policy setting, no security level is configured.

    - -

    If you do not configure this template policy setting, no security level is configured.

    - -

    Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

    - -

    Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

    - -**InternetExplorer/AllowLocalMachineZoneTemplate** - -

    This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

    - -

    If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

    - -

    If you disable this template policy setting, no security level is configured.

    - -

    If you do not configure this template policy setting, no security level is configured.

    - -

    Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

    - -

    Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

    - -**InternetExplorer/AllowLockedDownInternetZoneTemplate** - -

    This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

    - -

    If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

    - -

    If you disable this template policy setting, no security level is configured.

    - -

    If you do not configure this template policy setting, no security level is configured.

    - -

    Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

    - -

    Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

    - -**InternetExplorer/AllowLockedDownIntranetZoneTemplate** - -

    This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

    - -

    If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

    - -

    If you disable this template policy setting, no security level is configured.

    - -

    If you do not configure this template policy setting, no security level is configured.

    - -

    Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

    - -

    Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

    - -**InternetExplorer/AllowLockedDownLocalMachineZoneTemplate** - -

    This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

    - -

    If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

    - -

    If you disable this template policy setting, no security level is configured.

    - -

    If you do not configure this template policy setting, no security level is configured.

    - -

    Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

    - -

    Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

    - -**InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate** - -

    This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

    - -

    If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

    - -

    If you disable this template policy setting, no security level is configured.

    - -

    If you do not configure this template policy setting, no security level is configured.

    - -

    Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

    - -

    Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

    - -**InternetExplorer/AllowOneWordEntry** - -

    This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar.

    - -

    If you enable this policy setting, Internet Explorer goes directly to an intranet site for a one-word entry in the Address bar, if it is available.

    - -

    If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar.

    - -**InternetExplorer/AllowSiteToZoneAssignmentList** - -

    This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone.

    - -

    Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.)

    - -

    If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information:

    - -

    Valuename A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also includea specificprotocol. For example, if you enter http://www.contoso.comas the valuename, other protocols are not affected.If you enter just www.contoso.com,then all protocolsare affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict.

    - -

    Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4.

    - -

    If you disable or do not configure this policy, users may choose their own site-to-zone assignments.

    - -**InternetExplorer/AllowSuggestedSites** - -

    This policy setting controls the Suggested Sites feature, which recommends websites based on the users browsing activity. Suggested Sites reports a users browsing history to Microsoft to suggest sites that the user might want to visit.

    - -

    If you enable this policy setting, the user is not prompted to enable Suggested Sites. The users browsing history is sent to Microsoft to produce suggestions.

    - -

    If you disable this policy setting, the entry points and functionality associated with this feature are turned off.

    - -

    If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature.

    - -**InternetExplorer/AllowTrustedSitesZoneTemplate** - -

    This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

    - -

    If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

    - -

    If you disable this template policy setting, no security level is configured.

    - -

    If you do not configure this template policy setting, no security level is configured.

    - -

    Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

    - -

    Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

    - -**InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate** - -

    This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

    - -

    If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

    - -

    If you disable this template policy setting, no security level is configured.

    - -

    If you do not configure this template policy setting, no security level is configured.

    - -

    Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

    - -

    Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

    - -**InternetExplorer/AllowsRestrictedSitesZoneTemplate** - -

    This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

    - -

    If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

    - -

    If you disable this template policy setting, no security level is configured.

    - -

    If you do not configure this template policy setting, no security level is configured.

    - -

    Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

    - -

    Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

    - -**InternetExplorer/DisableAdobeFlash** - -

    This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects.

    - -

    If you enable this policy setting, Flash is turned off for Internet Explorer, and applications cannot use Internet Explorer technology to instantiate Flash objects. In the Manage Add-ons dialog box, the Flash status will be 'Disabled', and users cannot enable Flash. If you enable this policy setting, Internet Explorer will ignore settings made for Adobe Flash through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings.

    - -

    If you disable, or do not configure this policy setting, Flash is turned on for Internet Explorer, and applications can use Internet Explorer technology to instantiate Flash objects. Users can enable or disable Flash in the Manage Add-ons dialog box.

    - -

    Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is disabled, or not configured. However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library.

    - -**InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation** - -

    This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP).

    - -

    If you enable this policy setting, the user cannot participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu.

    - -

    If you disable this policy setting, the user must participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu.

    - -

    If you do not configure this policy setting, the user can choose to participate in the CEIP.

    - -**InternetExplorer/DisableEnclosureDownloading** - -

    This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer.

    - -

    If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs.

    - -

    If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs.

    - -**InternetExplorer/DisableEncryptionSupport** - -

    This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each others list of supported protocols and versions, and they select the most preferred match.

    - -

    If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that you select from the drop-down list.

    - -

    If you disable or do not configure this policy setting, the user can select which encryption method the browser supports.

    - -

    Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0.

    - -**InternetExplorer/DisableFirstRunWizard** - -

    This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows.

    - -

    If you enable this policy setting, you must make one of the following choices: - Skip the First Run wizard, and go directly to the user's home page. - Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage.

    - -

    Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not available. The user's home page will display regardless of which option is chosen.

    - -

    If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation.

    - -**InternetExplorer/DisableFlipAheadFeature** - -

    This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.

    - -

    Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn't available for Internet Explorer for the desktop.

    - -

    If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn't loaded into the background.

    - -

    If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.

    - -

    If you don't configure this setting, users can turn this behavior on or off, using the Settings charm.

    - -**InternetExplorer/DisableHomePageChange** - -

    The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer loads whenever it is run.

    - -

    If you enable this policy setting, a user cannot set a custom default home page. You must specify which default home page should load on the user machine. For machines with at least Internet Explorer 7, the home page can be set within this policy to override other home page policies.

    - -

    If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page.

    - -**InternetExplorer/DisableSearchProviderChange** - -

    This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box.

    - -

    If you enable this policy setting, the user cannot change the default search provider.

    - -

    If you disable or do not configure this policy setting, the user can change the default search provider.

    - -**InternetExplorer/DisableSecondaryHomePageChange** - -

    Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from the home page whenever the browser is run. This policy setting allows you to set default secondary home pages.

    - -

    If you enable this policy setting, you can specify which default home pages should load as secondary home pages. The user cannot set custom default secondary home pages.

    - -

    If you disable or do not configure this policy setting, the user can add secondary home pages.

    - -

    Note: If the Disable Changing Home Page Settings policy is enabled, the user cannot add secondary home pages.

    - -**InternetExplorer/DoNotBlockOutdatedActiveXControls** - -

    This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

    - -

    If you enable this policy setting, Internet Explorer stops blocking outdated ActiveX controls.

    - -

    If you disable or don't configure this policy setting, Internet Explorer continues to block specific outdated ActiveX controls.

    - -

    For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.

    - -**InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains** - -

    This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

    - -

    If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following:

    - -

    1. "domain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com" -2. "hostname". For example, if you want to include http://example, use "example" -3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm"

    - -

    If you disable or don't configure this policy setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone.

    - -

    For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.

    - -**InternetExplorer/IncludeAllLocalSites** - -

    This policy setting controls whether local sites which are not explicitly mapped into any Security Zone are forced into the local Intranet security zone.

    - -

    If you enable this policy setting, local sites which are not explicitly mapped into a zone are considered to be in the Intranet Zone.

    - -

    If you disable this policy setting, local sites which are not explicitly mapped into a zone will not be considered to be in the Intranet Zone (so would typically be in the Internet Zone).

    - -

    If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone.

    - -**InternetExplorer/IncludeAllNetworkPaths** - -

    This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone.

    - -

    If you enable this policy setting, all network paths are mapped into the Intranet Zone.

    - -

    If you disable this policy setting, network paths are not necessarily mapped into the Intranet Zone (other rules might map one there).

    - -

    If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone.

    - -**InternetExplorer/InternetZoneAllowAccessToDataSources** - -

    This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

    - -

    If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -**InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls** - -

    This policy setting manages whether users will be automatically prompted for ActiveX control installations.

    - -

    If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

    - -

    If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -

    If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -**InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads** - -

    This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

    - -

    If you enable this setting, users will receive a file download dialog for automatic download attempts.

    - -

    If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

    - -**InternetExplorer/InternetZoneAllowFontDownloads** - -

    This policy setting allows you to manage whether pages of the zone may download HTML fonts.

    - -

    If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

    - -

    If you disable this policy setting, HTML fonts are prevented from downloading.

    - -

    If you do not configure this policy setting, HTML fonts can be downloaded automatically.

    - -**InternetExplorer/InternetZoneAllowLessPrivilegedSites** - -

    This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.

    - -

    If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

    - -

    If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -

    If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.

    - -**InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents** - -

    This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

    - -

    If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

    - -

    If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

    - -

    If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.

    - -**InternetExplorer/InternetZoneAllowScriptlets** - -

    This policy setting allows you to manage whether the user can run scriptlets.

    - -

    If you enable this policy setting, the user can run scriptlets.

    - -

    If you disable this policy setting, the user cannot run scriptlets.

    - -

    If you do not configure this policy setting, the user can enable or disable scriptlets.

    - -**InternetExplorer/InternetZoneAllowSmartScreenIE** - -

    This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

    - -

    If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

    - -**InternetExplorer/InternetZoneAllowUserDataPersistence** - -

    This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

    - -

    If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -**InternetExplorer/InternetZoneInitializeAndScriptActiveXControls** - -

    This policy setting allows you to manage ActiveX controls not marked as safe.

    - -

    If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

    - -

    If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

    - -

    If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -

    If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -**InternetExplorer/InternetZoneNavigateWindowsAndFrames** - -

    This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

    - -

    If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

    - -

    If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

    - -

    If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.

    - -**InternetExplorer/IntranetZoneAllowAccessToDataSources** - -

    This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

    - -

    If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -**InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls** - -

    This policy setting manages whether users will be automatically prompted for ActiveX control installations.

    - -

    If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

    - -

    If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -

    If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

    - -**InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads** - -

    This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

    - -

    If you enable this setting, users will receive a file download dialog for automatic download attempts.

    - -

    If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.

    - -**InternetExplorer/IntranetZoneAllowFontDownloads** - -

    This policy setting allows you to manage whether pages of the zone may download HTML fonts.

    - -

    If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

    - -

    If you disable this policy setting, HTML fonts are prevented from downloading.

    - -

    If you do not configure this policy setting, HTML fonts can be downloaded automatically.

    - -**InternetExplorer/IntranetZoneAllowLessPrivilegedSites** - -

    This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.

    - -

    If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

    - -

    If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -

    If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.

    - -**InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents** - -

    This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

    - -

    If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

    - -

    If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

    - -

    If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.

    - -**InternetExplorer/IntranetZoneAllowScriptlets** - -

    This policy setting allows you to manage whether the user can run scriptlets.

    - -

    If you enable this policy setting, the user can run scriptlets.

    - -

    If you disable this policy setting, the user cannot run scriptlets.

    - -

    If you do not configure this policy setting, the user can enable or disable scriptlets.

    - -**InternetExplorer/IntranetZoneAllowSmartScreenIE** - -

    This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

    - -

    If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

    - -**InternetExplorer/IntranetZoneAllowUserDataPersistence** - -

    This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

    - -

    If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -**InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls** - -

    This policy setting allows you to manage ActiveX controls not marked as safe.

    - -

    If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

    - -

    If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

    - -

    If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -

    If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -**InternetExplorer/IntranetZoneNavigateWindowsAndFrames** - -

    This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

    - -

    If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

    - -

    If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

    - -

    If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.

    - -**InternetExplorer/LocalMachineZoneAllowAccessToDataSources** - -

    This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

    - -

    If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls** - -

    This policy setting manages whether users will be automatically prompted for ActiveX control installations.

    - -

    If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

    - -

    If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -

    If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

    - -**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads** - -

    This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

    - -

    If you enable this setting, users will receive a file download dialog for automatic download attempts.

    - -

    If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.

    - -**InternetExplorer/LocalMachineZoneAllowFontDownloads** - -

    This policy setting allows you to manage whether pages of the zone may download HTML fonts.

    - -

    If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

    - -

    If you disable this policy setting, HTML fonts are prevented from downloading.

    - -

    If you do not configure this policy setting, HTML fonts can be downloaded automatically.

    - -**InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites** - -

    This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

    - -

    If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

    - -

    If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -

    If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -**InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents** - -

    This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

    - -

    If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

    - -

    If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

    - -

    If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

    - -**InternetExplorer/LocalMachineZoneAllowScriptlets** - -

    This policy setting allows you to manage whether the user can run scriptlets.

    - -

    If you enable this policy setting, the user can run scriptlets.

    - -

    If you disable this policy setting, the user cannot run scriptlets.

    - -

    If you do not configure this policy setting, the user can enable or disable scriptlets.

    - -**InternetExplorer/LocalMachineZoneAllowSmartScreenIE** - -

    This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

    - -

    If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

    - -**InternetExplorer/LocalMachineZoneAllowUserDataPersistence** - -

    This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

    - -

    If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -**InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls** - -

    This policy setting allows you to manage ActiveX controls not marked as safe.

    - -

    If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

    - -

    If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

    - -

    If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -

    If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.

    - -**InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames** - -

    This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

    - -

    If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

    - -

    If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

    - -

    If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.

    - -**InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources** - -

    This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

    - -

    If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls** - -

    This policy setting manages whether users will be automatically prompted for ActiveX control installations.

    - -

    If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

    - -

    If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -

    If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads** - -

    This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

    - -

    If you enable this setting, users will receive a file download dialog for automatic download attempts.

    - -

    If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

    - -**InternetExplorer/LockedDownInternetZoneAllowFontDownloads** - -

    This policy setting allows you to manage whether pages of the zone may download HTML fonts.

    - -

    If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

    - -

    If you disable this policy setting, HTML fonts are prevented from downloading.

    - -

    If you do not configure this policy setting, HTML fonts can be downloaded automatically.

    - -**InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites** - -

    This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

    - -

    If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

    - -

    If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -

    If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -**InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents** - -

    This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

    - -

    If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

    - -

    If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

    - -

    If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

    - -**InternetExplorer/LockedDownInternetZoneAllowScriptlets** - -

    This policy setting allows you to manage whether the user can run scriptlets.

    - -

    If you enable this policy setting, the user can run scriptlets.

    - -

    If you disable this policy setting, the user cannot run scriptlets.

    - -

    If you do not configure this policy setting, the user can enable or disable scriptlets.

    - -**InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE** - -

    This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

    - -

    If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

    - -**InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence** - -

    This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

    - -

    If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -**InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls** - -

    This policy setting allows you to manage ActiveX controls not marked as safe.

    - -

    If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

    - -

    If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

    - -

    If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -

    If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -**InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames** - -

    This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

    - -

    If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

    - -

    If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

    - -

    If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.

    - -**InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources** - -

    This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

    - -

    If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls** - -

    This policy setting manages whether users will be automatically prompted for ActiveX control installations.

    - -

    If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

    - -

    If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -

    If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads** - -

    This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

    - -

    If you enable this setting, users will receive a file download dialog for automatic download attempts.

    - -

    If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

    - -**InternetExplorer/LockedDownIntranetZoneAllowFontDownloads** - -

    This policy setting allows you to manage whether pages of the zone may download HTML fonts.

    - -

    If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

    - -

    If you disable this policy setting, HTML fonts are prevented from downloading.

    - -

    If you do not configure this policy setting, HTML fonts can be downloaded automatically.

    - -**InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites** - -

    This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

    - -

    If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

    - -

    If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -

    If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -**InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents** - -

    This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

    - -

    If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

    - -

    If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

    - -

    If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

    - -**InternetExplorer/LockedDownIntranetZoneAllowScriptlets** - -

    This policy setting allows you to manage whether the user can run scriptlets.

    - -

    If you enable this policy setting, the user can run scriptlets.

    - -

    If you disable this policy setting, the user cannot run scriptlets.

    - -

    If you do not configure this policy setting, the user can enable or disable scriptlets.

    - -**InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE** - -

    This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

    - -

    If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

    - -**InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence** - -

    This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

    - -

    If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -**InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls** - -

    This policy setting allows you to manage ActiveX controls not marked as safe.

    - -

    If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

    - -

    If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

    - -

    If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -

    If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -**InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames** - -

    This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

    - -

    If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

    - -

    If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

    - -

    If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.

    - -**InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources** - -

    This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

    - -

    If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls** - -

    This policy setting manages whether users will be automatically prompted for ActiveX control installations.

    - -

    If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

    - -

    If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -

    If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads** - -

    This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

    - -

    If you enable this setting, users will receive a file download dialog for automatic download attempts.

    - -

    If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

    - -**InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads** - -

    This policy setting allows you to manage whether pages of the zone may download HTML fonts.

    - -

    If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

    - -

    If you disable this policy setting, HTML fonts are prevented from downloading.

    - -

    If you do not configure this policy setting, HTML fonts can be downloaded automatically.

    - -**InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites** - -

    This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

    - -

    If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

    - -

    If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -

    If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -**InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents** - -

    This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

    - -

    If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

    - -

    If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

    - -

    If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

    - -**InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets** - -

    This policy setting allows you to manage whether the user can run scriptlets.

    - -

    If you enable this policy setting, the user can run scriptlets.

    - -

    If you disable this policy setting, the user cannot run scriptlets.

    - -

    If you do not configure this policy setting, the user can enable or disable scriptlets.

    - -**InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE** - -

    This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

    - -

    If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

    - -**InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence** - -

    This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

    - -

    If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -**InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls** - -

    This policy setting allows you to manage ActiveX controls not marked as safe.

    - -

    If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

    - -

    If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

    - -

    If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -

    If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -**InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames** - -

    This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

    - -

    If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

    - -

    If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

    - -

    If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.

    - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources** - -

    This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

    - -

    If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls** - -

    This policy setting manages whether users will be automatically prompted for ActiveX control installations.

    - -

    If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

    - -

    If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -

    If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads** - -

    This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

    - -

    If you enable this setting, users will receive a file download dialog for automatic download attempts.

    - -

    If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

    - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads** - -

    This policy setting allows you to manage whether pages of the zone may download HTML fonts.

    - -

    If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

    - -

    If you disable this policy setting, HTML fonts are prevented from downloading.

    - -

    If you do not configure this policy setting, users are queried whether to allow HTML fonts to download.

    - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites** - -

    This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

    - -

    If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

    - -

    If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -

    If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents** - -

    This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

    - -

    If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

    - -

    If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

    - -

    If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

    - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets** - -

    This policy setting allows you to manage whether the user can run scriptlets.

    - -

    If you enable this policy setting, the user can run scriptlets.

    - -

    If you disable this policy setting, the user cannot run scriptlets.

    - -

    If you do not configure this policy setting, the user can enable or disable scriptlets.

    - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE** - -

    This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

    - -

    If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

    - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence** - -

    This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

    - -

    If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -**InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls** - -

    This policy setting allows you to manage ActiveX controls not marked as safe.

    - -

    If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

    - -

    If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

    - -

    If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -

    If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -**InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames** - -

    This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

    - -

    If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.

    - -

    If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains.

    - -

    If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains.

    - -**InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources** - -

    This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

    - -

    If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls** - -

    This policy setting manages whether users will be automatically prompted for ActiveX control installations.

    - -

    If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

    - -

    If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -

    If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads** - -

    This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

    - -

    If you enable this setting, users will receive a file download dialog for automatic download attempts.

    - -

    If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

    - -**InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads** - -

    This policy setting allows you to manage whether pages of the zone may download HTML fonts.

    - -

    If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

    - -

    If you disable this policy setting, HTML fonts are prevented from downloading.

    - -

    If you do not configure this policy setting, HTML fonts can be downloaded automatically.

    - -**InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites** - -

    This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

    - -

    If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

    - -

    If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -

    If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -**InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents** - -

    This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

    - -

    If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

    - -

    If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

    - -

    If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

    - -**InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets** - -

    This policy setting allows you to manage whether the user can run scriptlets.

    - -

    If you enable this policy setting, the user can run scriptlets.

    - -

    If you disable this policy setting, the user cannot run scriptlets.

    - -

    If you do not configure this policy setting, the user can enable or disable scriptlets.

    - -**InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE** - -

    This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

    - -

    If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

    - -**InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence** - -

    This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

    - -

    If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -**InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls** - -

    This policy setting allows you to manage ActiveX controls not marked as safe.

    - -

    If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

    - -

    If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

    - -

    If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -

    If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -**InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames** - -

    This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

    - -

    If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

    - -

    If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

    - -

    If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.

    - -**InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources** - -

    This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

    - -

    If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls** - -

    This policy setting manages whether users will be automatically prompted for ActiveX control installations.

    - -

    If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

    - -

    If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -

    If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads** - -

    This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

    - -

    If you enable this setting, users will receive a file download dialog for automatic download attempts.

    - -

    If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

    - -**InternetExplorer/RestrictedSitesZoneAllowFontDownloads** - -

    This policy setting allows you to manage whether pages of the zone may download HTML fonts.

    - -

    If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

    - -

    If you disable this policy setting, HTML fonts are prevented from downloading.

    - -

    If you do not configure this policy setting, users are queried whether to allow HTML fonts to download.

    - -**InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites** - -

    This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

    - -

    If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

    - -

    If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -

    If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -**InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents** - -

    This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

    - -

    If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

    - -

    If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

    - -

    If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

    - -**InternetExplorer/RestrictedSitesZoneAllowScriptlets** - -

    This policy setting allows you to manage whether the user can run scriptlets.

    - -

    If you enable this policy setting, the user can run scriptlets.

    - -

    If you disable this policy setting, the user cannot run scriptlets.

    - -

    If you do not configure this policy setting, the user can enable or disable scriptlets.

    - -**InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE** - -

    This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

    - -

    If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

    - -**InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence** - -

    This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

    - -

    If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -**InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls** - -

    This policy setting allows you to manage ActiveX controls not marked as safe.

    - -

    If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

    - -

    If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

    - -

    If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -

    If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -**InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames** - -

    This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

    - -

    If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.

    - -

    If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains.

    - -

    If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains.

    - -**InternetExplorer/SearchProviderList** - -

    This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Normally, search providers can be added from third-party toolbars or in Setup, but the user can also add them from a search provider's website.

    - -

    If you enable this policy setting, the user cannot configure the list of search providers on his or her computer, and any default providers installed do not appear (including providers installed from other applications). The only providers that appear are those in the list of policy keys for search providers. Note: This list can be created through a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers.

    - -

    If you disable or do not configure this policy setting, the user can configure his or her list of search providers.

    - -**InternetExplorer/TrustedSitesZoneAllowAccessToDataSources** - -

    This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

    - -

    If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls** - -

    This policy setting manages whether users will be automatically prompted for ActiveX control installations.

    - -

    If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

    - -

    If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -

    If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

    - -**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads** - -

    This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

    - -

    If you enable this setting, users will receive a file download dialog for automatic download attempts.

    - -

    If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.

    - -**InternetExplorer/TrustedSitesZoneAllowFontDownloads** - -

    This policy setting allows you to manage whether pages of the zone may download HTML fonts.

    - -

    If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

    - -

    If you disable this policy setting, HTML fonts are prevented from downloading.

    - -

    If you do not configure this policy setting, HTML fonts can be downloaded automatically.

    - -**InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites** - -

    This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.

    - -

    If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

    - -

    If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -

    If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur.

    - -**InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents** - -

    This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

    - -

    If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

    - -

    If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

    - -

    If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.

    - -**InternetExplorer/TrustedSitesZoneAllowScriptlets** - -

    This policy setting allows you to manage whether the user can run scriptlets.

    - -

    If you enable this policy setting, the user can run scriptlets.

    - -

    If you disable this policy setting, the user cannot run scriptlets.

    - -

    If you do not configure this policy setting, the user can enable or disable scriptlets.

    - -**InternetExplorer/TrustedSitesZoneAllowSmartScreenIE** - -

    This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

    - -

    If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

    - -**InternetExplorer/TrustedSitesZoneAllowUserDataPersistence** - -

    This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

    - -

    If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls** - -

    This policy setting allows you to manage ActiveX controls not marked as safe.

    - -

    If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

    - -

    If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

    - -

    If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -

    If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.

    - -**InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames** - -

    This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

    - -

    If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

    - -

    If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

    - -

    If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.

    - -**Kerberos/AllowForestSearchOrder** - -

    This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).

    - -

    If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain.

    - -

    If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used.

    - -**Kerberos/KerberosClientSupportsClaimsCompoundArmor** - -

    This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features. -If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring.

    - -

    If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition. -

    - -**Kerberos/RequireKerberosArmoring** - -

    This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller.

    - -

    Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.

    - -

    If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers.

    - -

    Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring.

    - -

    If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. -

    - -**Kerberos/RequireStrictKDCValidation** - -

    This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon.

    - -

    If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.

    - -

    If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server. -

    - -**Kerberos/SetMaximumContextTokenSize** - -

    This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size. - -The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token.

    - -

    If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller.

    - -

    If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value.

    - -

    Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.

    - -

    - -**Power/AllowStandbyWhenSleepingPluggedIn** - -

    This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state.

    - -

    If you enable this policy setting, Windows uses standby states to put the computer in a sleep state.

    - -

    If you disable or do not configure this policy setting, the only sleep state a computer may enter is hibernate.

    - -**Power/RequirePasswordWhenComputerWakesOnBattery** - -

    This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.

    - -

    If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep.

    - -

    If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep.

    - -**Power/RequirePasswordWhenComputerWakesPluggedIn** - -

    This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.

    - -

    If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep.

    - -

    If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep.

    - -**Printers/PointAndPrintRestrictions** - -

    This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.

    - -

    If you enable this policy setting: - -Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. - -You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated.

    - -

    If you do not configure this policy setting: - -Windows Vista client computers can point and print to any server. - -Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. - -Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. - -Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print.

    - -

    If you disable this policy setting: - -Windows Vista client computers can create a printer connection to any server using Point and Print. - -Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. - -Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. - -Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. - -The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).

    - -**Printers/PointAndPrintRestrictions_User** - -

    This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.

    - -

    If you enable this policy setting: - -Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. - -You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated.

    - -

    If you do not configure this policy setting: - -Windows Vista client computers can point and print to any server. - -Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. - -Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. - -Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print.

    - -

    If you disable this policy setting: - -Windows Vista client computers can create a printer connection to any server using Point and Print. - -Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. - -Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. - -Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. - -The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).

    - -**Printers/PublishPrinters** - -

    Determines whether the computer's shared printers can be published in Active Directory.

    - -

    If you enable this setting or do not configure it, users can use the "List in directory" option in the Printer's Properties' Sharing tab to publish shared printers in Active Directory.

    - -

    If you disable this setting, this computer's shared printers cannot be published in Active Directory, and the "List in directory" option is not available.

    - -

    Note: This settings takes priority over the setting "Automatically publish new printers in the Active Directory".

    - -**RemoteAssistance/CustomizeWarningMessages** - -

    This policy setting lets you customize warning messages.

    - -

    The "Display warning message before sharing control" policy setting allows you to specify a custom message to display before a user shares control of his or her computer.

    - -

    The "Display warning message before connecting" policy setting allows you to specify a custom message to display before a user allows a connection to his or her computer.

    - -

    If you enable this policy setting, the warning message you specify overrides the default message that is seen by the novice.

    - -

    If you disable this policy setting, the user sees the default warning message.

    - -

    If you do not configure this policy setting, the user sees the default warning message.

    - -**RemoteAssistance/SessionLogging** - -

    This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance.

    - -

    If you enable this policy setting, log files are generated.

    - -

    If you disable this policy setting, log files are not generated.

    - -

    If you do not configure this setting, application-based settings are used.

    - -**RemoteAssistance/SolicitedRemoteAssistance** - -

    This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer.

    - -

    If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure additional Remote Assistance settings.

    - -

    If you disable this policy setting, users on this computer cannot use email or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this computer.

    - -

    If you do not configure this policy setting, users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings.

    - -

    If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer."

    - -

    The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by using email or file transfer can remain open.

    - -

    The "Select the method for sending email invitations" setting specifies which email standard to use to send Remote Assistance invitations. Depending on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting is not available in Windows Vista since SMAPI is the only method supported.

    - -

    If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications.

    - -**RemoteAssistance/UnsolicitedRemoteAssistance** - -

    This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer.

    - -

    If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.

    - -

    If you disable this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.

    - -

    If you do not configure this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.

    - -

    If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." When you configure this policy setting, you also specify the list of users or user groups that are allowed to offer remote assistance.

    - -

    To configure the list of helpers, click "Show." In the window that opens, you can enter the names of the helpers. Add each user or group one by one. When you enter the name of the helper user or user groups, use the following format:

    - -

    \ or

    - -

    \

    - -

    If you enable this policy setting, you should also enable firewall exceptions to allow Remote Assistance communications. The firewall exceptions required for Offer (Unsolicited) Remote Assistance depend on the version of Windows you are running.

    - -

    Windows Vista and later

    - -

    Enable the Remote Assistance exception for the domain profile. The exception must contain: -Port 135:TCP -%WINDIR%\System32\msra.exe -%WINDIR%\System32\raserver.exe

    - -

    Windows XP with Service Pack 2 (SP2) and Windows XP Professional x64 Edition with Service Pack 1 (SP1)

    - -

    Port 135:TCP -%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe -%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe -%WINDIR%\System32\Sessmgr.exe

    - -

    For computers running Windows Server 2003 with Service Pack 1 (SP1)

    - -

    Port 135:TCP -%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe -%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe -Allow Remote Desktop Exception

    - -**RemoteDesktopServices/AllowUsersToConnectRemotely** - -

    This policy setting allows you to configure remote access to computers by using Remote Desktop Services.

    - -

    If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services.

    - -

    If you disable this policy setting, users cannot connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but will not accept any new incoming connections.

    - -

    If you do not configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections are not allowed.

    - -

    Note: You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication.

    - -

    You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider. -

    - -**RemoteDesktopServices/ClientConnectionEncryptionLevel** - -

    Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption.

    - -

    If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available:

    - -

    * High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that do not support this encryption level cannot connect to RD Session Host servers.

    - -

    * Client Compatible: The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this encryption level in environments that include clients that do not support 128-bit encryption.

    - -

    * Low: The Low setting encrypts only data sent from the client to the server by using 56-bit encryption.

    - -

    If you disable or do not configure this setting, the encryption level to be used for remote connections to RD Session Host servers is not enforced through Group Policy.

    - -

    Important

    - -

    FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption. -

    - -**RemoteDesktopServices/DoNotAllowDriveRedirection** - -

    This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection).

    - -

    By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format on . You can use this policy setting to override this behavior.

    - -

    If you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions, and Clipboard file copy redirection is not allowed on computers running Windows Server 2003, Windows 8, and Windows XP.

    - -

    If you disable this policy setting, client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed.

    - -

    If you do not configure this policy setting, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level. -

    - -**RemoteDesktopServices/DoNotAllowPasswordSaving** - -

    Controls whether passwords can be saved on this computer from Remote Desktop Connection.

    - -

    If you enable this setting the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted.

    - -

    If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection.

    - -**RemoteDesktopServices/PromptForPasswordUponConnection** - -

    This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection.

    - -

    You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client.

    - -

    By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client.

    - -

    If you enable this policy setting, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on.

    - -

    If you disable this policy setting, users can always log on to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client.

    - -

    If you do not configure this policy setting, automatic logon is not specified at the Group Policy level. -

    - -**RemoteDesktopServices/RequireSecureRPCCommunication** - -

    Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication.

    - -

    You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests.

    - -

    If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients.

    - -

    If the status is set to Disabled, Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that do not respond to the request.

    - -

    If the status is set to Not Configured, unsecured communication is allowed.

    - -

    Note: The RPC interface is used for administering and configuring Remote Desktop Services.

    - -**RemoteProcedureCall/RPCEndpointMapperClientAuthentication** - -

    This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner.

    - -

    If you disable this policy setting, RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server.

    - -

    If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls will not be able to communicate with the Windows NT4 Server Endpoint Mapper Service.

    - -

    If you do not configure this policy setting, it remains disabled. RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Windows NT4 Server Endpoint Mapper Service.

    - -

    Note: This policy will not be applied until the system is rebooted.

    - -**RemoteProcedureCall/RestrictUnauthenticatedRPCClients** - -

    This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers.

    - -

    This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a domain controller.

    - -

    If you disable this policy setting, the RPC server runtime uses the value of "Authenticated" on Windows Client, and the value of "None" on Windows Server versions that support this policy setting.

    - -

    If you do not configure this policy setting, it remains disabled. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client and the value of "None" used for Server SKUs that support this policy setting.

    - -

    If you enable this policy setting, it directs the RPC server runtime to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting.

    - -

    -- "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied.

    - -

    -- "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them.

    - -

    -- "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed.

    - -

    Note: This policy setting will not be applied until the system is rebooted.

    - -**Storage/EnhancedStorageDevices** - -

    This policy setting configures whether or not Windows will activate an Enhanced Storage device.

    - -

    If you enable this policy setting, Windows will not activate unactivated Enhanced Storage devices.

    - -

    If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices.

    - -**System/BootStartDriverInitialization** - -

    N/A

    - -**System/DisableSystemRestore** - -

    Allows you to disable System Restore.

    - -

    This policy setting allows you to turn off System Restore.

    - -

    System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume.

    - -

    If you enable this policy setting, System Restore is turned off, and the System Restore Wizard cannot be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled.

    - -

    If you disable or do not configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection.

    - -

    Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available.

    - -**WindowsLogon/DisableLockScreenAppNotifications** - -

    This policy setting allows you to prevent app notifications from appearing on the lock screen.

    - -

    If you enable this policy setting, no app notifications are displayed on the lock screen.

    - -

    If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen.

    - -**WindowsLogon/DontDisplayNetworkSelectionUI** - -

    This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen.

    - -

    If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows.

    - -

    If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows.

    - - - - - - - diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 497278c57e..5b81c0026b 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1,15 +1,12 @@ --- title: Policy CSP description: Policy CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 4F3A1134-D401-44FC-A583-6EDD3070BA4F -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Policy CSP @@ -110,6 +107,9 @@ The following diagram shows the Policy configuration service provider in tree fo

    Supported operations are Add and Get. Does not support Delete. +> [!Note] +> The policies supported in Windows 10 S is the same as in Windows 10 Pro, except that policies under AppliationsDefaults are not suppported in Windows 10 S. +

    @@ -118,6 +118,29 @@ The following diagram shows the Policy configuration service provider in tree fo **AboveLock/AllowActionCenterNotifications** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -131,26 +154,34 @@ The following diagram shows the Policy configuration service provider in tree fo

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **AboveLock/AllowCortanaAboveLock** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether or not the user can interact with Cortana using speech while the system is locked. If you enable or don’t configure this setting, the user can interact with Cortana using speech while the system is locked. If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech. @@ -159,26 +190,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **AboveLock/AllowToasts** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether to allow toast notifications above the device lock screen. @@ -189,26 +228,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Accounts/AllowAddingNonMicrosoftAccountsManually** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether user is allowed to add non-MSA email accounts. @@ -222,26 +269,34 @@ SKU Support: > [!NOTE] > This policy will only block UI/UX-based methods for adding non-Microsoft accounts. Even if this policy is enforced, you can still provision non-MSA accounts using the [EMAIL2 CSP](email2-csp.md). - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Accounts/AllowMicrosoftAccountConnection** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services. @@ -252,26 +307,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Accounts/AllowMicrosoftAccountSignInAssistant** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service. @@ -280,27 +343,34 @@ SKU Support: - 0 – Disabled. - 1 (default) – Manual start. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Accounts/DomainNamesForEmailSync** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies a list of the domains that are allowed to sync email on the device. @@ -308,22 +378,7 @@ SKU Support:

    The default value is an empty string, which allows all email accounts on the device to sync email. Otherwise, the string should contain a pipe-separated list of domains that are allowed to sync email on the device. For example, "contoso.com|fabrikam.net|woodgrove.gov". - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **ActiveXControls/ApprovedInstallationSites** @@ -337,9 +392,6 @@ If you disable or do not configure this policy setting, ActiveX controls prompt Note: Wild card characters cannot be used when specifying the host URLs. - - - ADMX Info: @@ -356,8 +408,6 @@ ADMX Info: This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect. - - ADMX Info: @@ -374,8 +424,6 @@ ADMX Info: Enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls. - - ADMX Info: @@ -392,8 +440,6 @@ ADMX Info: Enables automatic cleanup of appv packages that were added after Windows10 anniversary release. - - ADMX Info: @@ -410,8 +456,6 @@ ADMX Info: Enables scripts defined in the package manifest of configuration files that should run. - - ADMX Info: @@ -428,8 +472,6 @@ ADMX Info: Enables a UX to display to the user when a publishing refresh is performed on the client. - - ADMX Info: @@ -456,9 +498,6 @@ Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the Data Block Size: This value specifies the maximum size in bytes to transmit to the server at once on a reporting upload, to avoid permanent transmission failures when the log has reached a significant size. The default value is 65536. When transmitting report data to the server, one block at a time of application records that is less than or equal to the block size in bytes of XML data will be removed from the cache and sent to the server. Each block will have the general Client data and global package list data prepended, and these will not factor into the block size calculations; the potential exists for an extremely large package list to result in transmission failures over low bandwidth or unreliable connections. - - - ADMX Info: @@ -475,8 +514,6 @@ ADMX Info: Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'. - - ADMX Info: @@ -493,8 +530,6 @@ ADMX Info: Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients. - - ADMX Info: @@ -511,8 +546,6 @@ ADMX Info: Specifies how new packages should be loaded automatically by App-V on a specific computer. - - ADMX Info: @@ -529,8 +562,6 @@ ADMX Info: Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V. - - ADMX Info: @@ -547,8 +578,6 @@ ADMX Info: Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration. - - ADMX Info: @@ -565,8 +594,6 @@ ADMX Info: Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration. - - ADMX Info: @@ -601,9 +628,6 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - - ADMX Info: @@ -638,9 +662,6 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - - ADMX Info: @@ -675,9 +696,6 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - - ADMX Info: @@ -712,9 +730,6 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - - ADMX Info: @@ -749,9 +764,6 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - - ADMX Info: @@ -768,8 +780,6 @@ ADMX Info: Specifies the path to a valid certificate in the certificate store. - - ADMX Info: @@ -786,8 +796,6 @@ ADMX Info: This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (e.g. 4G). - - ADMX Info: @@ -804,8 +812,6 @@ ADMX Info: Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface. - - ADMX Info: @@ -822,8 +828,6 @@ ADMX Info: Specifies directory where all new applications and updates will be installed. - - ADMX Info: @@ -840,8 +844,6 @@ ADMX Info: Overrides source location for downloading package content. - - ADMX Info: @@ -858,8 +860,6 @@ ADMX Info: Specifies the number of seconds between attempts to reestablish a dropped session. - - ADMX Info: @@ -876,8 +876,6 @@ ADMX Info: Specifies the number of times to retry a dropped session. - - ADMX Info: @@ -894,8 +892,6 @@ ADMX Info: Specifies that streamed package contents will be not be saved to the local hard disk. - - ADMX Info: @@ -912,8 +908,6 @@ ADMX Info: If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache - - ADMX Info: @@ -930,8 +924,6 @@ ADMX Info: Verifies Server certificate revocation status before streaming using HTTPS. - - ADMX Info: @@ -948,8 +940,6 @@ ADMX Info: Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc). Only processes whose full path matches one of these items can use virtual components. - - ADMX Info: @@ -963,6 +953,29 @@ ADMX Info: **ApplicationDefaults/DefaultAssociationsConfiguration** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml), and then needs to be base64 encoded before being added to SyncML. @@ -1020,27 +1033,34 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z ``` - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **ApplicationManagement/AllowAllTrustedApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether non Windows Store apps are allowed. @@ -1052,26 +1072,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **ApplicationManagement/AllowAppStoreAutoUpdate** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether automatic update of apps from Windows Store are allowed. @@ -1082,26 +1110,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **ApplicationManagement/AllowDeveloperUnlock** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether developer unlock is allowed. @@ -1113,26 +1149,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **ApplicationManagement/AllowGameDVR** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -1146,26 +1190,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **ApplicationManagement/AllowSharedUserAppData** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether multiple users of the same app can share data. @@ -1176,26 +1228,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **ApplicationManagement/AllowStore** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + +

    Specifies whether app store is allowed at the device. @@ -1206,26 +1266,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **ApplicationManagement/ApplicationRestrictions** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead. @@ -1251,26 +1319,34 @@ SKU Support:

    Value evaluation rule - The information for PolicyManager is opaque. There is no most restricted value evaluation. Whenever there is a change to the value, the device parses the node value and enforces specified policies. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **ApplicationManagement/DisableStoreOriginatedApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck mark1check mark1cross markcross mark
    + +

    Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Windows Store that came pre-installed or were downloaded. @@ -1279,26 +1355,34 @@ SKU Support: - 0 (default) – Enable launch of apps. - 1 – Disable launch of apps. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **ApplicationManagement/RequirePrivateStoreOnly** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck markcheck markcheck markcheck mark
    + +

    Allows disabling of the retail catalog and only enables the Private store. @@ -1318,26 +1402,34 @@ SKU Support:

    Most restricted value is 1. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **ApplicationManagement/RestrictAppDataToSystemVolume** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether application data is restricted to the system drive. @@ -1348,26 +1440,34 @@ SKU Support:

    Most restricted value is 1. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **ApplicationManagement/RestrictAppToSystemVolume** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether the installation of applications is restricted to the system drive. @@ -1378,22 +1478,7 @@ SKU Support:

    Most restricted value is 1. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **AttachmentManager/DoNotPreserveZoneInformation** @@ -1407,8 +1492,6 @@ If you disable this policy setting, Windows marks file attachments with their zo If you do not configure this policy setting, Windows marks file attachments with their zone information. - - ADMX Info: @@ -1431,8 +1514,6 @@ If you disable this policy setting, Windows shows the check box and Unblock butt If you do not configure this policy setting, Windows hides the check box and Unblock button. - - ADMX Info: @@ -1455,8 +1536,6 @@ If you disable this policy setting, Windows does not call the registered antivir If you do not configure this policy setting, Windows does not call the registered antivirus programs when file attachments are opened. - - ADMX Info: @@ -1470,6 +1549,29 @@ ADMX Info: **Authentication/AllowEAPCertSSO** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -1489,26 +1591,34 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Authentication/AllowFastReconnect** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allows EAP Fast Reconnect from being attempted for EAP Method TLS. @@ -1519,26 +1629,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Authentication/AllowSecondaryAuthenticationDevice** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Allows secondary authentication devices to work with Windows. @@ -1549,22 +1667,7 @@ SKU Support:

    The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premise only environment, cloud domain-joined in a hybrid environment, and BYOD). - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Autoplay/DisallowAutoplayForNonVolumeDevices** @@ -1576,8 +1679,6 @@ If you enable this policy setting, AutoPlay is not allowed for MTP devices like If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices. - - ADMX Info: @@ -1607,8 +1708,6 @@ b) Revert back to pre-Windows Vista behavior of automatically executing the auto If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run. - - ADMX Info: @@ -1639,8 +1738,6 @@ If you disable or do not configure this policy setting, AutoPlay is enabled. Note: This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. - - ADMX Info: @@ -1654,6 +1751,29 @@ ADMX Info: **Bitlocker/EncryptionMethod** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies the BitLocker Drive Encryption method and cipher strength. @@ -1664,26 +1784,34 @@ ADMX Info: - 6 -XTS 128 - 7 - XTS 256 - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Bluetooth/AllowAdvertising** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether the device can send out Bluetooth advertisements. @@ -1696,26 +1824,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Bluetooth/AllowDiscoverableMode** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether other Bluetooth-enabled devices can discover the device. @@ -1728,26 +1864,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Bluetooth/AllowPrepairing** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1check mark1check mark1
    + +

    Specifies whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device. @@ -1756,26 +1900,34 @@ SKU Support: - 0 – Not allowed. - 1 (default)– Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Bluetooth/LocalDeviceName** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Sets the local Bluetooth device name. @@ -1783,47 +1935,40 @@ SKU Support:

    If this policy is not set or it is deleted, the default local radio name is used. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Bluetooth/ServicesAllowedList** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}.

    The default value is an empty string. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Browser/AllowAddressBarDropdown** @@ -1841,14 +1986,34 @@ SKU Support:

    Most restricted value is 0. - - - **Browser/AllowAutofill** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + +

    Specifies whether autofill on websites is allowed. @@ -1866,26 +2031,34 @@ SKU Support: 3. Click **Settings** in the drop down list, and select **View Advanced Settings**. 4. Verify the setting **Save form entries** is greyed out. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Browser/AllowBrowser** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead. @@ -1902,26 +2075,34 @@ SKU Support:

    When this policy is set to 0 (not allowed), the Microsoft Edge for Windows 10 Mobile tile will appear greyed out, and clicking on the tile will display a message indicating theat Internet browsing has been disabled by your administrator. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): Yes - - **Browser/AllowCookies** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether cookies are allowed. @@ -1939,25 +2120,34 @@ SKU Support: 3. Click **Settings** in the drop down list, and select **View Advanced Settings**. 4. Verify the setting **Cookies** is greyed out. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes - - **Browser/AllowDeveloperTools** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -1972,26 +2162,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Browser/AllowDoNotTrack** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether Do Not Track headers are allowed. @@ -2009,26 +2207,34 @@ SKU Support: 3. Click **Settings** in the drop down list, and select **View Advanced Settings**. 4. Verify the setting **Send Do Not Track requests** is greyed out. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Browser/AllowExtensions** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + +

    Added in Windows 10, version 1607. Specifies whether Microsoft Edge extensions are allowed. @@ -2037,26 +2243,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Browser/AllowFlash** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + +

    Added in Windows 10. Specifies whether Adobe Flash can run in Microsoft Edge. @@ -2065,26 +2279,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Browser/AllowFlashClickToRun** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Specifies whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. @@ -2093,26 +2315,34 @@ SKU Support: - 0 – Adobe Flash content is automatically loaded and run by Microsoft Edge. - 1 (default) – Users must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Browser/AllowInPrivate** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether InPrivate browsing is allowed on corporate networks. @@ -2123,22 +2353,7 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Browser/AllowMicrosoftCompatibilityList** @@ -2156,14 +2371,34 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis

    Most restricted value is 0. - - - **Browser/AllowPasswordManager** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether saving and managing passwords locally on the device is allowed. @@ -2181,26 +2416,34 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis 3. Click **Settings** in the drop down list, and select **View Advanced Settings**. 4. Verify the settings **Offer to save password** and **Manage my saved passwords** are greyed out. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Browser/AllowPopups** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + +

    Specifies whether pop-up blocker is allowed or enabled. @@ -2218,22 +2461,7 @@ SKU Support: 3. Click **Settings** in the drop down list, and select **View Advanced Settings**. 4. Verify the setting **Block pop-ups** is greyed out. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Browser/AllowSearchEngineCustomization** @@ -2250,14 +2478,34 @@ SKU Support:

    Most restricted value is 0. - - - **Browser/AllowSearchSuggestionsinAddressBar** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether search suggestions are allowed in the address bar. @@ -2268,26 +2516,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Browser/AllowSmartScreen** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether Windows Defender SmartScreen is allowed. @@ -2305,22 +2561,7 @@ SKU Support: 3. Click **Settings** in the drop down list, and select **View Advanced Settings**. 4. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is greyed out. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Browser/ClearBrowsingDataOnExit** @@ -2341,9 +2582,6 @@ SKU Support: 2. Close the Microsoft Edge window. 3. Open Microsoft Edge and start typing the same URL in address bar. Verify that it does not auto-complete from history. - - - @@ -2367,9 +2605,6 @@ Employees cannot remove these search engines, but they can set any one as the de

    Most restricted value is 0. - - - @@ -2391,14 +2626,34 @@ Employees cannot remove these search engines, but they can set any one as the de

    Most restricted value is 0. - - - **Browser/EnterpriseModeSiteList** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -2411,50 +2666,66 @@ Employees cannot remove these search engines, but they can set any one as the de - Not configured. The device checks for updates from Microsoft Update. - Set to a URL location of the enterprise site list. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Browser/EnterpriseSiteListServiceUrl** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + + > [!IMPORTANT] > This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist). - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Browser/FirstRunURL** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -2466,26 +2737,34 @@ SKU Support:

    The default value is an empty string. Otherwise, the string should contain the URL of the webpage users will see the first time Microsoft Edge is run. For example, “contoso.com”. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Browser/HomePages** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only available for Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -2499,27 +2778,34 @@ SKU Support: > [!NOTE] > Turning this setting off, or not configuring it, sets your default Start pages to the webpages specified in App settings. - - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Browser/PreventAccessToAboutFlagsInMicrosoftEdge** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + +

    Specifies whether users can access the about:flags page, which is used to change developer settings and to enable experimental features. @@ -2528,22 +2814,7 @@ SKU Support: - 0 (default) – Users can access the about:flags page in Microsoft Edge. - 1 – Users can't access the about:flags page in Microsoft Edge. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Browser/PreventFirstRunPage** @@ -2558,9 +2829,6 @@ SKU Support:

    Most restricted value is 1. - - - @@ -2576,14 +2844,34 @@ SKU Support:

    Most restricted value is 1. - - - **Browser/PreventSmartScreenPromptOverride** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites. @@ -2594,26 +2882,34 @@ SKU Support:

    Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from going to the site. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about potentially malicious websites and to continue to the site. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Browser/PreventSmartScreenPromptOverrideForFiles** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from downloading unverified files. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about unverified files and lets them continue the download process. @@ -2622,26 +2918,34 @@ SKU Support: - 0 (default) – Off. - 1 – On. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Browser/PreventUsingLocalHostIPAddressForWebRTC** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -2654,26 +2958,34 @@ SKU Support: - 0 (default) – The localhost IP address is shown. - 1 – The localhost IP address is hidden. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Browser/SendIntranetTraffictoInternetExplorer** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -2688,22 +3000,7 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Browser/SetDefaultSearchEngine** @@ -2725,14 +3022,34 @@ SKU Support:

    Most restricted value is 0. - - - **Browser/ShowMessageWhenOpeningSitesInInternetExplorer** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -2747,26 +3064,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Browser/SyncFavoritesBetweenIEAndMicrosoftEdge** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. @@ -2788,27 +3113,34 @@ SKU Support:

  • Verify that the favorites added to Internet Explorer show up in the favorites list in Microsoft Edge. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Camera/AllowCamera** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Disables or enables the camera. @@ -2819,26 +3151,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): Yes - - **Connectivity/AllowBluetooth** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allows the user to enable Bluetooth or restrict access. @@ -2856,26 +3196,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): Yes - - **Connectivity/AllowCellularData** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + +

    Allows the cellular data channel on the device. Device reboot is not required to enforce the policy. @@ -2885,26 +3233,34 @@ SKU Support: - 1 (default) – Allow the cellular data channel. The user can turn it off. - 2 - Allow the cellular data channel. The user cannot turn it off. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Connectivity/AllowCellularDataRoaming** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allows or disallows cellular data roaming on the device. Device reboot is not required to enforce the policy. @@ -2924,26 +3280,34 @@ SKU Support: 2. Click on the SIM (next to the signal strength icon) and select **Properties**. 3. On the Properties page, select **Data roaming options**. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): Yes - - **Connectivity/AllowConnectedDevices** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark2check mark2check mark2check mark2check mark2check mark2check mark2
    + + > [!NOTE] > This policy requires reboot to take effect. @@ -2955,27 +3319,34 @@ SKU Support: - 1 (default) - Allow (CDP service available). - 0 - Disable (CDP service not available). - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Connectivity/AllowNFC** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -2990,26 +3361,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Connectivity/AllowUSBConnection** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -3026,26 +3405,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): Yes - - **Connectivity/AllowVPNOverCellular** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies what type of underlying connections VPN is allowed to use. @@ -3056,26 +3443,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Connectivity/AllowVPNRoamingOverCellular** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Prevents the device from connecting to VPN when the device roams over cellular networks. @@ -3086,22 +3481,7 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Connectivity/HardenedUNCPaths** @@ -3111,9 +3491,6 @@ This policy setting configures secure access to UNC paths. If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. - - - ADMX Info: @@ -3138,8 +3515,6 @@ Note: The user's domain password will be cached in the system vault when using t To configure Windows Hello for Business, use the Administrative Template policies under Windows Hello for Business. - - ADMX Info: @@ -3162,8 +3537,6 @@ If you disable or don't configure this policy setting, a domain user can set up Note that the user's domain password will be cached in the system vault when using this feature. - - ADMX Info: @@ -3188,8 +3561,6 @@ By default, the password reveal button is displayed after a user types a passwor The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer. - - ADMX Info: @@ -3210,8 +3581,6 @@ If you enable this policy setting, all local administrator accounts on the PC wi If you disable this policy setting, users will always be required to type a user name and password to elevate. - - ADMX Info: @@ -3225,6 +3594,29 @@ ADMX Info: **Cryptography/AllowFipsAlgorithmPolicy** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allows or disallows the Federal Information Processing Standard (FIPS) policy. @@ -3233,49 +3625,65 @@ ADMX Info: - 0 (default) – Not allowed. - 1– Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Cryptography/TLSCipherSuites** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DataProtection/AllowDirectMemoryAccess** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker or device encryption is enabled. @@ -3286,26 +3694,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **DataProtection/LegacySelectiveWipeID** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!IMPORTANT] > This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time. @@ -3316,23 +3732,7 @@ SKU Support: > [!NOTE] > This policy is not recommended for use in Windows 10. - - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DataUsage/SetCost3G** @@ -3350,9 +3750,6 @@ If this policy setting is enabled, a drop-down list box presenting possible cost If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default. - - - ADMX Info: @@ -3379,9 +3776,6 @@ If this policy setting is enabled, a drop-down list box presenting possible cost If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default. - - - ADMX Info: @@ -3395,6 +3789,29 @@ ADMX Info: **Defender/AllowArchiveScanning** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3407,26 +3824,34 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/AllowBehaviorMonitoring** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3439,26 +3864,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/AllowCloudProtection** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3471,26 +3904,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/AllowEmailScanning** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3503,26 +3944,34 @@ SKU Support: - 0 (default) – Not allowed. - 1 – Allowed. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/AllowFullScanOnMappedNetworkDrives** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3535,26 +3984,34 @@ SKU Support: - 0 (default) – Not allowed. - 1 – Allowed. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/AllowFullScanRemovableDriveScanning** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3567,26 +4024,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/AllowIOAVProtection** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3599,26 +4064,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/AllowIntrusionPreventionSystem** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3631,26 +4104,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/AllowOnAccessProtection** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3663,26 +4144,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/AllowRealtimeMonitoring** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3695,26 +4184,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/AllowScanningNetworkFiles** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3727,26 +4224,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/AllowScriptScanning** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3759,26 +4264,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/AllowUserUIAccess** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3791,26 +4304,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/AvgCPULoadFactor** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3822,26 +4343,34 @@ SKU Support:

    The default value is 50. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/DaysToRetainCleanedMalware** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3853,26 +4382,34 @@ SKU Support:

    The default value is 0, which keeps items in quarantine, and does not automatically remove them. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/ExcludedExtensions** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3880,26 +4417,34 @@ SKU Support:  

    llows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a **|**. For example, "lib|obj". - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/ExcludedPaths** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3907,26 +4452,34 @@ SKU Support:

    Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a **|**. For example, "C:\\Example|C:\\Example1". - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/ExcludedProcesses** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3940,26 +4493,34 @@ SKU Support:  

    Each file type must be separated by a **|**. For example, "C:\\Example.exe|C:\\Example1.exe". - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/PUAProtection** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3973,26 +4534,34 @@ SKU Support: - 1 – PUA Protection on. Detected items are blocked. They will show in history along with other threats. - 2 – Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/RealTimeScanDirection** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -4010,26 +4579,34 @@ SKU Support: - 1 – Monitor incoming files. - 2 – Monitor outgoing files. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/ScanParameter** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -4042,26 +4619,34 @@ SKU Support: - 1 (default) – Quick scan - 2 – Full scan - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/ScheduleQuickScanTime** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -4079,26 +4664,34 @@ SKU Support:

    The default value is 120 - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/ScheduleScanDay** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -4122,26 +4715,34 @@ SKU Support: - 7 – Sunday - 8 – No scheduled scan - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/ScheduleScanTime** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -4159,26 +4760,34 @@ SKU Support:

    The default value is 120. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/SignatureUpdateInterval** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -4192,26 +4801,34 @@ SKU Support:

    The default value is 8. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/SubmitSamplesConsent** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -4226,26 +4843,34 @@ SKU Support: - 2 – Never send. - 3 – Send all samples automatically. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/ThreatSeverityDefaultAction** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -4271,26 +4896,34 @@ SKU Support: - 8 – User defined - 10 – Block - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeliveryOptimization/DOAbsoluteMaxCacheSize** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -4300,26 +4933,34 @@ SKU Support:

    The default value is 10. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeliveryOptimization/DOAllowVPNPeerCaching** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -4329,27 +4970,34 @@ SKU Support:

    The default value is 0 (FALSE). - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeliveryOptimization/DODownloadMode** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -4366,26 +5014,34 @@ SKU Support: - 99 - Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607. - 100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeliveryOptimization/DOGroupId** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -4396,27 +5052,34 @@ SKU Support: > [!NOTE] > You must use a GUID as the group ID. - - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeliveryOptimization/DOMaxCacheAge** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -4426,26 +5089,34 @@ SKU Support:

    The default value is 259200 seconds (3 days). - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeliveryOptimization/DOMaxCacheSize** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -4455,26 +5126,34 @@ SKU Support:

    The default value is 20. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeliveryOptimization/DOMaxDownloadBandwidth** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -4484,26 +5163,34 @@ SKU Support:

    The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeliveryOptimization/DOMaxUploadBandwidth** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -4513,26 +5200,34 @@ SKU Support:

    The default value is 0, which permits unlimited possible bandwidth (optimized for minimal usage of upload bandwidth). - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeliveryOptimization/DOMinBackgroundQos** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -4542,26 +5237,34 @@ SKU Support:

    The default value is 500. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -4570,27 +5273,34 @@ SKU Support:

    The default value is 0. The value 0 (zero) means "not limited" and the cloud service default value will be used. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeliveryOptimization/DOMinDiskSizeAllowedToPeer** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -4603,28 +5313,34 @@ SKU Support:

    The default value is 32 GB. - - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeliveryOptimization/DOMinFileSizeToCache** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -4634,28 +5350,34 @@ SKU Support:

    The default value is 100 MB. - - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeliveryOptimization/DOMinRAMAllowedToPeer** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -4665,27 +5387,34 @@ SKU Support:

    The default value is 4 GB. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeliveryOptimization/DOModifyCacheDrive** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -4695,26 +5424,34 @@ SKU Support:

    By default, %SystemDrive% is used to store the cache. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeliveryOptimization/DOMonthlyUploadDataCap** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -4726,26 +5463,34 @@ SKU Support:

    The default value is 20. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeliveryOptimization/DOPercentageMaxDownloadBandwidth** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -4755,22 +5500,7 @@ SKU Support:

    The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Desktop/PreventUserRedirectionOfProfileFolders** @@ -4782,8 +5512,6 @@ By default, a user can change the location of their individual profile folders l If you enable this setting, users are unable to type a new location in the Target box. - - ADMX Info: @@ -4804,8 +5532,6 @@ If you enable this policy setting, Windows is prevented from installing a device If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. - - ADMX Info: @@ -4826,8 +5552,6 @@ If you enable this policy setting, Windows is prevented from installing or updat If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. - - ADMX Info: @@ -4841,6 +5565,29 @@ ADMX Info: **DeviceLock/AllowIdleReturnWithoutPassword** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -4857,26 +5604,34 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeviceLock/AllowScreenTimeoutWhileLockedUserConfig** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -4896,27 +5651,34 @@ SKU Support: > [!IMPORTANT] > If this policy is set to 1 (Allowed), the value set by **DeviceLock/ScreenTimeOutWhileLocked** is ignored. To ensure enterprise control over the screen timeout, set this policy to 0 (Not allowed) and use **DeviceLock/ScreenTimeOutWhileLocked** to set the screen timeout period. - - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeviceLock/AllowSimpleDevicePassword** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. @@ -4931,26 +5693,34 @@ SKU Support:

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): Yes - - **DeviceLock/AlphanumericDevicePasswordRequired** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + +

    Determines the type of PIN or password required. This policy only applies if the **DeviceLock/DevicePasswordEnabled** policy is set to 0 (required). @@ -4973,25 +5743,34 @@ SKU Support:   - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): Yes - - **DeviceLock/DevicePasswordEnabled** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether device lock is enabled. @@ -5040,26 +5819,34 @@ SKU Support: > - MaxDevicePasswordFailedAttempts > - MaxInactivityTimeDeviceLock - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): Yes - - **DeviceLock/DevicePasswordExpiration** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies when the password expires (in days). @@ -5076,26 +5863,34 @@ SKU Support:

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): Yes - - **DeviceLock/DevicePasswordHistory** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies how many passwords can be stored in the history that can’t be used. @@ -5114,26 +5909,34 @@ SKU Support:

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): Yes - - **DeviceLock/EnforceLockScreenAndLogonImage** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck mark1check mark1cross markcross mark
    + +

    Added in Windows 10, version 1607. Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image. @@ -5143,26 +5946,34 @@ SKU Support:

    Value type is a string, which is the full image filepath and filename. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeviceLock/EnforceLockScreenProvider** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck mark1check mark1
    + +

    Added in Windows 10, version 1607. Restricts lock screen image to a specific lock screen provider. Users will not be able change this provider. @@ -5172,26 +5983,34 @@ SKU Support:

    Value type is a string, which is the AppID. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeviceLock/MaxDevicePasswordFailedAttempts** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + + The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. @@ -5215,26 +6034,34 @@ The number of authentication failures allowed before the device will be wiped. A

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): Yes - - **DeviceLock/MaxInactivityTimeDeviceLock** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. Note the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy. @@ -5249,26 +6076,34 @@ SKU Support:

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): Yes - - **DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcross markcheck mark2check mark2
    + +

    Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked while connected to an external display. @@ -5281,27 +6116,34 @@ SKU Support: - An integer X where 0 <= X <= 999. - 0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted by as "No timeout is defined." - - - - -SKU Support: -- Home: No -- Pro: No -- Business: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeviceLock/MinDevicePasswordComplexCharacters** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + +

    The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. @@ -5376,26 +6218,34 @@ SKU Support:

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): Yes - - **DeviceLock/MinDevicePasswordLength** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies the minimum number or characters required in the PIN or password. @@ -5415,22 +6265,7 @@ SKU Support:

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): Yes - - **DeviceLock/PreventLockScreenSlideShow** @@ -5442,8 +6277,6 @@ By default, users can enable a slide show that will run after they lock the mach If you enable this setting, users will no longer be able to modify slide show settings in PC Settings, and no slide show will ever start. - - ADMX Info: @@ -5457,6 +6290,29 @@ ADMX Info: **DeviceLock/ScreenTimeoutWhileLocked** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -5471,25 +6327,34 @@ ADMX Info:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No - - **Display/TurnOffGdiDPIScalingForApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + +

    GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware. @@ -5506,27 +6371,34 @@ SKU Support: 1. Configure the setting for an app which has GDI DPI scaling enabled via MDM or any other supported mechanisms. 2. Run the app and observe blurry text. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Display/TurnOnGdiDPIScalingForApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + +

    GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware. @@ -5543,191 +6415,217 @@ SKU Support: 1. Configure the setting for an app which uses GDI. 2. Run the app and observe crisp text. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **EnterpriseCloudPrint/CloudPrintOAuthAuthority** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + -

    Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens. This policy must target ./User, otherwise it fails. +

    Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens.

    The datatype is a string.

    The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https://azuretenant.contoso.com/adfs". - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **EnterpriseCloudPrint/CloudPrintOAuthClientId** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + -

    Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. This policy must target ./User, otherwise it fails. +

    Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority.

    The datatype is a string.

    The default value is an empty string. Otherwise, the value should contain a GUID. For example, "E1CF1107-FF90-4228-93BF-26052DD2C714". - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **EnterpriseCloudPrint/CloudPrintResourceId** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + -

    Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. This policy must target ./User, otherwise it fails. +

    Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication.

    The datatype is a string.

    The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MicrosoftEnterpriseCloudPrint/CloudPrint". - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + -

    Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers. This policy must target ./User, otherwise it fails. +

    Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers.

    The datatype is a string.

    The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https://cloudprinterdiscovery.contoso.com". - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **EnterpriseCloudPrint/DiscoveryMaxPrinterLimit** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + -

    Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point. This policy must target ./User, otherwise it fails. +

    Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point.

    The datatype is an integer.

    For Windows Mobile, the default value is 20. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **EnterpriseCloudPrint/MopriaDiscoveryResourceId** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + -

    Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication. This policy must target ./User, otherwise it fails. +

    Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication.

    The datatype is a string.

    The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MopriaDiscoveryService/CloudPrint". - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **ErrorReporting/CustomizeConsentSettings** @@ -5749,8 +6647,6 @@ If you enable this policy setting, you can add specific event types to a list by If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting. - - ADMX Info: @@ -5771,8 +6667,6 @@ If you enable this policy setting, Windows Error Reporting does not send any pro If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. - - ADMX Info: @@ -5797,8 +6691,6 @@ If you do not configure this policy setting, users can change this setting in Co See also the Configure Error Reporting policy setting. - - ADMX Info: @@ -5819,8 +6711,6 @@ If you enable this policy setting, any additional data requests from Microsoft i If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. - - ADMX Info: @@ -5841,8 +6731,6 @@ If you enable this policy setting, Windows Error Reporting does not display any If you disable or do not configure this policy setting, Windows Error Reporting displays the user interface for critical errors. - - ADMX Info: @@ -5865,8 +6753,6 @@ If you disable or do not configure this policy setting and a log file reaches it Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. - - ADMX Info: @@ -5887,8 +6773,6 @@ If you enable this policy setting, you can configure the maximum log file size t If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. - - ADMX Info: @@ -5909,8 +6793,6 @@ If you enable this policy setting, you can configure the maximum log file size t If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. - - ADMX Info: @@ -5931,8 +6813,6 @@ If you enable this policy setting, you can configure the maximum log file size t If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. - - ADMX Info: @@ -5946,6 +6826,29 @@ ADMX Info: **Experience/AllowCopyPaste** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -5959,26 +6862,34 @@ ADMX Info:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Experience/AllowCortana** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether Cortana is allowed on the device. If you enable or don’t configure this setting, Cortana is allowed on the device. If you disable this setting, Cortana is turned off. When Cortana is off, users will still be able to use search to find items on the device. @@ -5997,26 +6908,34 @@ SKU Support:

    An enterprise employee customer is going through OOBE and enjoys Cortana’s help in this process. The customer is happy to learn during OOBE that Cortana can help them be more productive, and chooses to set up Cortana before OOBE finishes. When their setup is finished, they are immediately ready to engage with Cortana to help manage their schedule and more. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Experience/AllowDeviceDiscovery** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allows users to turn on/off device discovery UX. @@ -6029,41 +6948,34 @@ SKU Support:

    Most restricted value is 0. - - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - - - -**Experience/AllowFindMyDevice** - - -

    Added in Windows 10, version 1703. This policy turns on Find My Device feature. - -

    When Find My Device is on, the device and its location are registered in the cloud so that the device can be located when the user initiates a Find command from account.microsoft.com. - -

    When Find My Device is off, the device and its location are not registered and the Find My Device feature will not work. - - - - **Experience/AllowManualMDMUnenrollment** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether to allow the user to delete the workplace account using the workplace control panel. @@ -6078,26 +6990,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Experience/AllowSIMErrorDialogPromptWhenNoSIM** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -6110,26 +7030,34 @@ SKU Support: - 0 – SIM card dialog prompt is not displayed. - 1 (default) – SIM card dialog prompt is displayed. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Experience/AllowScreenCapture** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -6144,26 +7072,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Experience/AllowSyncMySettings** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allows or disallows all Windows sync settings on the device. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices). @@ -6172,22 +7108,7 @@ SKU Support: - 0 – Sync settings is not allowed. - 1 (default) – Sync settings allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Experience/AllowTailoredExperiencesWithDiagnosticData** @@ -6209,14 +7130,34 @@ SKU Support:

    Most restricted value is 0. - - - **Experience/AllowTaskSwitcher** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -6229,26 +7170,34 @@ SKU Support: - 0 – Task switching not allowed. - 1 (default) – Task switching allowed. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Experience/AllowThirdPartySuggestionsInWindowsSpotlight** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + > [!NOTE] > This policy is only available for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. @@ -6261,26 +7210,34 @@ SKU Support: - 0 – Third-party suggestions not allowed. - 1 (default) – Third-party suggestions allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Experience/AllowVoiceRecording** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -6295,26 +7252,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Experience/AllowWindowsConsumerFeatures** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -6336,26 +7301,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Experience/AllowWindowsSpotlight** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck mark1check mark1cross markcross mark
    + + > [!NOTE] > This policy is only available for Windows 10 Enterprise and Windows 10 Education. @@ -6370,22 +7343,7 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Experience/AllowWindowsSpotlightOnActionCenter** @@ -6403,9 +7361,6 @@ SKU Support:

    Most restricted value is 0. - - - @@ -6425,14 +7380,34 @@ The Windows welcome experience feature introduces onboard users to Windows; for

    Most restricted value is 0. - - - **Experience/AllowWindowsTips** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + Enables or disables Windows Tips / soft landing. @@ -6441,26 +7416,34 @@ Enables or disables Windows Tips / soft landing. - 0 – Disabled. - 1 (default) – Enabled. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Experience/ConfigureWindowsSpotlightOnLockScreen** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck mark1check mark1cross markcross mark
    + + > [!NOTE] > This policy is only available for Windows 10 Enterprise and Windows 10 Education. @@ -6474,26 +7457,34 @@ SKU Support: - 1 (default) – Windows spotlight enabled. - 2 – placeholder only for future extension. Using this value has no effect. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Experience/DoNotShowFeedbackNotifications** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Prevents devices from showing feedback questions from Microsoft. @@ -6506,22 +7497,7 @@ SKU Support: - 0 (default) – Feedback notifications are not disabled. The actual state of feedback notifications on the device will then depend on what GP has configured or what the user has configured locally. - 1 – Feedback notifications are disabled. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Games/AllowAdvancedGamingServices** @@ -6529,9 +7505,6 @@ SKU Support:

    Placeholder only. Currently not supported. - - - @@ -6544,8 +7517,6 @@ If you enable this policy setting, the user can add and remove search providers, If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration. - - ADMX Info: @@ -6566,8 +7537,6 @@ If you enable this policy setting, ActiveX Filtering is enabled by default for t If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off. - - ADMX Info: @@ -6594,8 +7563,6 @@ Value - A number indicating whether Internet Explorer should deny or allow the a If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied. - - ADMX Info: @@ -6618,8 +7585,6 @@ If you disable this policy setting, Enhanced Protected Mode will be turned off. If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog. - - ADMX Info: @@ -6640,8 +7605,6 @@ If you turn this setting on, users can see and use the Enterprise Mode option fr If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode. - - ADMX Info: @@ -6662,8 +7625,6 @@ If you enable this policy setting, Internet Explorer downloads the website list If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode. - - ADMX Info: @@ -6684,8 +7645,6 @@ If you enable this policy setting, the user can add and remove sites from the li If you disable or do not configure this policy setting, the user can add and remove sites from the list. - - ADMX Info: @@ -6707,8 +7666,6 @@ If you disable this policy setting, Internet Explorer uses an Internet Explorer If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer. - - ADMX Info: @@ -6735,8 +7692,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - ADMX Info: @@ -6763,8 +7718,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - ADMX Info: @@ -6791,8 +7744,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - ADMX Info: @@ -6819,8 +7770,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - ADMX Info: @@ -6847,8 +7796,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - ADMX Info: @@ -6875,8 +7822,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - ADMX Info: @@ -6903,8 +7848,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - ADMX Info: @@ -6925,8 +7868,6 @@ If you enable this policy setting, Internet Explorer goes directly to an intrane If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar. - - ADMX Info: @@ -6953,8 +7894,6 @@ Value - A number indicating the zone with which this site should be associated f If you disable or do not configure this policy, users may choose their own site-to-zone assignments. - - ADMX Info: @@ -6977,8 +7916,6 @@ If you disable this policy setting, the entry points and functionality associate If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature. - - ADMX Info: @@ -7005,8 +7942,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - ADMX Info: @@ -7033,8 +7968,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - ADMX Info: @@ -7060,8 +7993,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - ADMX Info: @@ -7084,8 +8015,6 @@ If you disable, or do not configure this policy setting, Flash is turned on for Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is disabled, or not configured. However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library. - - ADMX Info: @@ -7106,8 +8035,6 @@ If you enable this policy setting, SmartScreen Filter warnings block the user. If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings. - - ADMX Info: @@ -7128,8 +8055,6 @@ If you enable this policy setting, SmartScreen Filter warnings block the user. If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings. - - ADMX Info: @@ -7152,8 +8077,6 @@ If you disable this policy setting, the user must participate in the CEIP, and t If you do not configure this policy setting, the user can choose to participate in the CEIP. - - ADMX Info: @@ -7174,8 +8097,6 @@ If you enable this policy setting, the user cannot set the Feed Sync Engine to d If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs. - - ADMX Info: @@ -7198,8 +8119,6 @@ If you disable or do not configure this policy setting, the user can select whic Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0. - - ADMX Info: @@ -7224,8 +8143,6 @@ Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not avail If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation. - - ADMX Info: @@ -7250,8 +8167,6 @@ If you disable this policy setting, flip ahead with page prediction is turned on If you don't configure this setting, users can turn this behavior on or off, using the Settings charm. - - ADMX Info: @@ -7272,8 +8187,6 @@ If you enable this policy setting, a user cannot set a custom default home page. If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page. - - ADMX Info: @@ -7294,8 +8207,6 @@ If you enable this policy setting, the user will not be able to configure proxy If you disable or do not configure this policy setting, the user can configure proxy settings. - - ADMX Info: @@ -7316,8 +8227,6 @@ If you enable this policy setting, the user cannot change the default search pro If you disable or do not configure this policy setting, the user can change the default search provider. - - ADMX Info: @@ -7340,8 +8249,6 @@ If you disable or do not configure this policy setting, the user can add seconda Note: If the Disable Changing Home Page Settings policy is enabled, the user cannot add secondary home pages. - - ADMX Info: @@ -7364,8 +8271,6 @@ If you disable this policy or do not configure it, Internet Explorer checks ever This policy is intended to help the administrator maintain version control for Internet Explorer by preventing users from being notified about new versions of the browser. - - ADMX Info: @@ -7392,8 +8297,6 @@ Note: The "Disable the Security page" policy (located in \User Configuration\Ad Also, see the "Security zones: Use only machine settings" policy. - - ADMX Info: @@ -7420,8 +8323,6 @@ Note: The "Disable the Security page" policy (located in \User Configuration\Adm Also, see the "Security zones: Use only machine settings" policy. - - ADMX Info: @@ -7444,8 +8345,6 @@ If you disable or don't configure this policy setting, Internet Explorer continu For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. - - ADMX Info: @@ -7472,8 +8371,6 @@ If you disable or don't configure this policy setting, the list is deleted and I For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. - - ADMX Info: @@ -7496,8 +8393,6 @@ If you disable this policy setting, local sites which are not explicitly mapped If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone. - - ADMX Info: @@ -7520,8 +8415,6 @@ If you disable this policy setting, network paths are not necessarily mapped int If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone. - - ADMX Info: @@ -7544,8 +8437,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - ADMX Info: @@ -7568,8 +8459,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - ADMX Info: @@ -7590,8 +8479,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - ADMX Info: @@ -7614,8 +8501,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - ADMX Info: @@ -7638,8 +8523,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. - - ADMX Info: @@ -7662,8 +8545,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. - - ADMX Info: @@ -7686,8 +8567,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. - - ADMX Info: @@ -7712,8 +8591,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - ADMX Info: @@ -7736,8 +8613,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - ADMX Info: @@ -7762,8 +8637,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - ADMX Info: @@ -7786,8 +8659,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - ADMX Info: @@ -7810,8 +8681,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - - ADMX Info: @@ -7834,8 +8703,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - - ADMX Info: @@ -7856,8 +8723,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. - - ADMX Info: @@ -7880,8 +8745,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - ADMX Info: @@ -7904,8 +8767,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. - - ADMX Info: @@ -7928,8 +8789,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. - - ADMX Info: @@ -7952,8 +8811,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. - - ADMX Info: @@ -7978,8 +8835,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - ADMX Info: @@ -8002,8 +8857,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - ADMX Info: @@ -8028,8 +8881,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - ADMX Info: @@ -8052,8 +8903,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - ADMX Info: @@ -8076,8 +8925,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - ADMX Info: @@ -8100,8 +8947,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - - ADMX Info: @@ -8122,8 +8967,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. - - ADMX Info: @@ -8146,8 +8989,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - ADMX Info: @@ -8170,8 +9011,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - ADMX Info: @@ -8194,8 +9033,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - ADMX Info: @@ -8218,8 +9055,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. - - ADMX Info: @@ -8244,8 +9079,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - ADMX Info: @@ -8268,8 +9101,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - ADMX Info: @@ -8294,8 +9125,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. - - ADMX Info: @@ -8318,8 +9147,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - ADMX Info: @@ -8342,8 +9169,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - ADMX Info: @@ -8366,8 +9191,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - ADMX Info: @@ -8388,8 +9211,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - ADMX Info: @@ -8412,8 +9233,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - ADMX Info: @@ -8436,8 +9255,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - ADMX Info: @@ -8460,8 +9277,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - ADMX Info: @@ -8484,8 +9299,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. - - ADMX Info: @@ -8510,8 +9323,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - ADMX Info: @@ -8534,8 +9345,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - ADMX Info: @@ -8560,8 +9369,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - ADMX Info: @@ -8584,8 +9391,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - ADMX Info: @@ -8608,8 +9413,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - - ADMX Info: @@ -8632,8 +9435,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - ADMX Info: @@ -8654,8 +9455,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - ADMX Info: @@ -8678,8 +9477,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - ADMX Info: @@ -8702,8 +9499,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - ADMX Info: @@ -8726,8 +9521,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - ADMX Info: @@ -8750,8 +9543,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. - - ADMX Info: @@ -8776,8 +9567,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - ADMX Info: @@ -8800,8 +9589,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - ADMX Info: @@ -8826,8 +9613,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - ADMX Info: @@ -8850,8 +9635,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - ADMX Info: @@ -8874,8 +9657,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - ADMX Info: @@ -8898,8 +9679,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - ADMX Info: @@ -8920,8 +9699,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - ADMX Info: @@ -8944,8 +9721,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - ADMX Info: @@ -8968,8 +9743,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - ADMX Info: @@ -8992,8 +9765,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - ADMX Info: @@ -9016,8 +9787,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. - - ADMX Info: @@ -9042,8 +9811,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - ADMX Info: @@ -9066,8 +9833,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - ADMX Info: @@ -9092,8 +9857,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - ADMX Info: @@ -9116,8 +9879,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - ADMX Info: @@ -9140,8 +9901,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - ADMX Info: @@ -9164,8 +9923,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - ADMX Info: @@ -9186,8 +9943,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - ADMX Info: @@ -9210,8 +9965,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. - - ADMX Info: @@ -9234,8 +9987,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - ADMX Info: @@ -9258,8 +10009,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - ADMX Info: @@ -9282,8 +10031,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. - - ADMX Info: @@ -9308,8 +10055,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - ADMX Info: @@ -9332,8 +10077,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - ADMX Info: @@ -9358,8 +10101,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - ADMX Info: @@ -9382,8 +10123,6 @@ If you disable this policy setting, users cannot open other windows and frames f If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. - - ADMX Info: @@ -9406,8 +10145,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - ADMX Info: @@ -9430,8 +10167,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - ADMX Info: @@ -9452,8 +10187,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - ADMX Info: @@ -9476,8 +10209,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - ADMX Info: @@ -9500,8 +10231,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - ADMX Info: @@ -9524,8 +10253,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - ADMX Info: @@ -9548,8 +10275,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. - - ADMX Info: @@ -9574,8 +10299,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - ADMX Info: @@ -9598,8 +10321,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - ADMX Info: @@ -9624,8 +10345,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - ADMX Info: @@ -9648,8 +10367,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - ADMX Info: @@ -9672,8 +10389,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - ADMX Info: @@ -9696,8 +10411,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - ADMX Info: @@ -9718,8 +10431,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - ADMX Info: @@ -9742,8 +10453,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. - - ADMX Info: @@ -9766,8 +10475,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - ADMX Info: @@ -9790,8 +10497,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - ADMX Info: @@ -9814,8 +10519,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. - - ADMX Info: @@ -9840,8 +10543,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - ADMX Info: @@ -9864,8 +10565,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - ADMX Info: @@ -9890,8 +10589,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - ADMX Info: @@ -9914,8 +10611,6 @@ If you disable this policy setting, users cannot open other windows and frames f If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. - - ADMX Info: @@ -9936,8 +10631,6 @@ If you enable this policy setting, the user cannot configure the list of search If you disable or do not configure this policy setting, the user can configure his or her list of search providers. - - ADMX Info: @@ -9960,8 +10653,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - ADMX Info: @@ -9984,8 +10675,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - - ADMX Info: @@ -10006,8 +10695,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. - - ADMX Info: @@ -10030,8 +10717,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - ADMX Info: @@ -10054,8 +10739,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur. - - ADMX Info: @@ -10078,8 +10761,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. - - ADMX Info: @@ -10102,8 +10783,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. - - ADMX Info: @@ -10128,8 +10807,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - ADMX Info: @@ -10152,8 +10829,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - ADMX Info: @@ -10178,8 +10853,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. - - ADMX Info: @@ -10202,8 +10875,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - ADMX Info: @@ -10224,8 +10895,6 @@ If you enable this policy setting, the Kerberos client searches the forests in t If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used. - - ADMX Info: @@ -10244,9 +10913,6 @@ If you enable this policy setting, the client computers will request claims, pro If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition. - - - ADMX Info: @@ -10271,9 +10937,6 @@ Note: The Kerberos Group Policy "Kerberos client support for claims, compound au If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. - - - ADMX Info: @@ -10294,9 +10957,6 @@ If you enable this policy setting, the Kerberos client requires that the KDC's X If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server. - - - ADMX Info: @@ -10321,10 +10981,6 @@ If you disable or do not configure this policy setting, the Kerberos client or s Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes. - - - - ADMX Info: @@ -10338,6 +10994,29 @@ ADMX Info: **Licensing/AllowWindowsEntitlementReactivation** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + +

    Added in Windows 10, version 1607. Enables or Disable Windows license reactivation on managed devices. @@ -10346,26 +11025,34 @@ ADMX Info: - 0 – Disable Windows license reactivation on managed devices. - 1 (default) – Enable Windows license reactivation on managed devices. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Licensing/DisallowKMSClientOnlineAVSValidation** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + +

    Added in Windows 10, version 1607. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state. @@ -10374,26 +11061,34 @@ SKU Support: - 0 (default) – Disabled. - 1 – Enabled. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Location/EnableLocation** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark2check mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. Optional policy that allows for IT admin to preconfigure whether or not Location Service's Device Switch is enabled or disabled for the device. Setting this policy is not required for Location Services to function. This policy controls a device wide state that affects all users, apps, and services ability to find the device's latitude and longitude on a map. There is a separate user switch that defines whether the location service is allowed to retrieve a position for the current user. In order to retrieve a position for a specific user, both the Device Switch and the User Switch must be enabled. If either is disabled, positions cannot be retrieved for the user. The user can later change both the User Switch and the Device Switch through the user interface on the Settings -> Privacy -> Location page. @@ -10410,26 +11105,34 @@ SKU Support: 1. Verify that Settings -> Privacy -> Location -> Location for this device is On/Off as expected. 2. Use Windows Maps Application (or similar) to see if a location can or cannot be obtained. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes - - **LockDown/AllowEdgeSwipe** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + +

    Added in Windows 10, version 1607. Allows the user to invoke any system user interface by swiping in from any screen edge using touch. @@ -10440,26 +11143,34 @@ SKU Support:

    The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied. And then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange. That will also be disabled. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Maps/AllowOfflineMapsDownloadOverMeteredConnection** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Allows the download and update of map data over metered connections. @@ -10471,26 +11182,34 @@ SKU Support:

    After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Maps/EnableOfflineMapsAutoUpdate** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Disables the automatic download and update of map data. @@ -10502,22 +11221,7 @@ SKU Support:

    After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Messaging/AllowMMS** @@ -10533,14 +11237,34 @@ SKU Support: - 0 - Disabled. - 1 (default) - Enabled. - - - **Messaging/AllowMessageSync** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck mark1check mark1
    + +

    Added in Windows 10, version 1607. Enables text message back up and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control. @@ -10549,22 +11273,7 @@ SKU Support: - 0 - message sync is not allowed and cannot be changed by the user. - 1 - message sync is allowed. The user can change this setting. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Messaging/AllowRCS** @@ -10580,37 +11289,65 @@ SKU Support: - 0 - Disabled. - 1 (default) - Enabled. - - - **NetworkIsolation/EnterpriseCloudResources** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the **EnterpriseInternalProxyServers** policy. This domain list is a pipe-separated list of cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. For example, **<*cloudresource*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|**. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **NetworkIsolation/EnterpriseIPRange** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of IPv4 and IPv6 ranges. For example: @@ -10623,72 +11360,96 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff ``` - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **NetworkIsolation/EnterpriseIPRangesAreAuthoritative** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Boolean value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **NetworkIsolation/EnterpriseInternalProxyServers** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    This is the comma-separated list of internal proxy servers. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to specific resources on the Internet. They are considered to be enterprise network locations. The proxies are only leveraged in configuring the **EnterpriseCloudResources** policy to force traffic to the matched cloud resources through these proxies. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **NetworkIsolation/EnterpriseNetworkDomainNames** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    This is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of domains, for example "contoso.sharepoint.com, Fabrikam.com". @@ -10702,95 +11463,127 @@ SKU Support: 2. Call [IdnToAscii](https://msdn.microsoft.com/library/windows/desktop/dd318149.aspx) with IDN\_USE\_STD3\_ASCII\_RULES as the flags. 3. Call [IdnToUnicode](https://msdn.microsoft.com/library/windows/desktop/dd318151.aspx) with no flags set (dwFlags = 0). - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **NetworkIsolation/EnterpriseProxyServers** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    This is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **NetworkIsolation/EnterpriseProxyServersAreAuthoritative** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Boolean value that tells the client to accept the configured list of proxies and not try to detect other work proxies. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **NetworkIsolation/NeutralResources** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    List of domain names that can used for work or personal resource. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Notifications/DisallowNotificationMirroring** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Boolean value that turns off notification mirroring. @@ -10803,22 +11596,7 @@ SKU Support: - 0 (default)– enable notification mirroring. - 1 – disable notification mirroring. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Power/AllowStandbyWhenSleepingPluggedIn** @@ -10830,8 +11608,6 @@ If you enable or do not configure this policy setting, Windows uses standby stat If you disable this policy setting, standby states (S1-S3) are not allowed. - - ADMX Info: @@ -10852,8 +11628,6 @@ If you enable or do not configure this policy setting, the user is prompted for If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep. - - ADMX Info: @@ -10874,8 +11648,6 @@ If you enable or do not configure this policy setting, the user is prompted for If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep. - - ADMX Info: @@ -10909,8 +11681,6 @@ If you disable this policy setting: -Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. -The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). - - ADMX Info: @@ -10944,8 +11714,6 @@ If you disable this policy setting: -Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. -The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). - - ADMX Info: @@ -10967,8 +11735,6 @@ If you disable this setting, this computer's shared printers cannot be published Note: This settings takes priority over the setting "Automatically publish new printers in the Active Directory". - - ADMX Info: @@ -10982,6 +11748,29 @@ ADMX Info: **Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check markcheck mark
    + +

    Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. @@ -10992,26 +11781,34 @@ ADMX Info:

    Most restricted value is 0. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/AllowInputPersonalization** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Updated in the next major update of Windows 10. Allows the usage of cloud based speech services for Cortana, dictation, or Store applications. Setting this policy to 1, lets Microsoft use the user's voice data to improve cloud speech services for all users. @@ -11023,25 +11820,34 @@ SKU Support:

    Most restricted value is 0.   - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/DisableAdvertisingId** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Enables or disables the Advertising ID. @@ -11053,26 +11859,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessAccountInfo** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can access account information. @@ -11084,95 +11898,127 @@ SKU Support:

    Most restricted value is 2. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCalendar** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can access the calendar. @@ -11184,95 +12030,127 @@ SKU Support:

    Most restricted value is 2. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCalendar_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCalendar_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCallHistory** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can access call history. @@ -11284,95 +12162,127 @@ SKU Support:

    Most restricted value is 2. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCamera** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can access the camera. @@ -11384,95 +12294,127 @@ SKU Support:

    Most restricted value is 2. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCamera_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCamera_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCamera_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessContacts** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can access contacts. @@ -11484,95 +12426,127 @@ SKU Support:

    Most restricted value is 2. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessContacts_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessContacts_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessContacts_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessEmail** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can access email. @@ -11584,95 +12558,127 @@ SKU Support:

    Most restricted value is 2. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessEmail_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessEmail_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessEmail_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessLocation** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can access location. @@ -11684,95 +12690,127 @@ SKU Support:

    Most restricted value is 2. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessLocation_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessLocation_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessLocation_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMessaging** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can read or send messages (text or MMS). @@ -11784,95 +12822,127 @@ SKU Support:

    Most restricted value is 2. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMessaging_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMessaging_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMicrophone** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can access the microphone. @@ -11884,95 +12954,127 @@ SKU Support:

    Most restricted value is 2. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMotion** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can access motion data. @@ -11984,95 +13086,127 @@ SKU Support:

    Most restricted value is 2. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMotion_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMotion_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMotion_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessNotifications** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can access notifications. @@ -12084,95 +13218,127 @@ SKU Support:

    Most restricted value is 2. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessNotifications_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessNotifications_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessPhone** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can make phone calls. @@ -12184,95 +13350,127 @@ SKU Support:

    Most restricted value is 2. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessPhone_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessPhone_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessPhone_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessRadios** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether Windows apps have access to control radios. @@ -12284,187 +13482,251 @@ SKU Support:

    Most restricted value is 2. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessRadios_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessRadios_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessRadios_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessTasks** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1703. Specifies whether Windows apps can access tasks. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessTasks_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessTasks_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessTasks_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessTrustedDevices** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can access trusted devices. @@ -12476,95 +13738,127 @@ SKU Support:

    Most restricted value is 2. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsGetDiagnosticInfo** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. @@ -12576,95 +13870,127 @@ SKU Support:

    Most restricted value is 2. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsRunInBackground** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. Specifies whether Windows apps can run in the background. @@ -12678,95 +14004,127 @@ SKU Support: > [!WARNING] > Be careful when determining which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. Turning off background activity for these types of apps could cause text message, email, and voicemail notifications to not function. This could also cause background email syncing to not function properly. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsRunInBackground_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsRunInBackground_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsRunInBackground_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsSyncWithDevices** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can sync with devices. @@ -12778,91 +14136,100 @@ SKU Support:

    Most restricted value is 2. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **RemoteAssistance/CustomizeWarningMessages** @@ -12880,8 +14247,6 @@ If you disable this policy setting, the user sees the default warning message. If you do not configure this policy setting, the user sees the default warning message. - - ADMX Info: @@ -12904,8 +14269,6 @@ If you disable this policy setting, log files are not generated. If you do not configure this setting, application-based settings are used. - - ADMX Info: @@ -12936,8 +14299,6 @@ The "Select the method for sending email invitations" setting specifies which em If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications. - - ADMX Info: @@ -12991,8 +14352,6 @@ Port 135:TCP %WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe Allow Remote Desktop Exception - - ADMX Info: @@ -13018,9 +14377,6 @@ Note: You can limit which clients are able to connect remotely by using Remote D You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider. - - - ADMX Info: @@ -13051,9 +14407,6 @@ Important FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption. - - - ADMX Info: @@ -13078,9 +14431,6 @@ If you disable this policy setting, client drive redirection is always allowed. If you do not configure this policy setting, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level. - - - ADMX Info: @@ -13101,8 +14451,6 @@ If you enable this setting the password saving checkbox in Remote Desktop Connec If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection. - - ADMX Info: @@ -13129,9 +14477,6 @@ If you disable this policy setting, users can always log on to Remote Desktop Se If you do not configure this policy setting, automatic logon is not specified at the Group Policy level. - - - ADMX Info: @@ -13158,8 +14503,6 @@ If the status is set to Not Configured, unsecured communication is allowed. Note: The RPC interface is used for administering and configuring Remote Desktop Services. - - ADMX Info: @@ -13184,8 +14527,6 @@ If you do not configure this policy setting, it remains disabled. RPC clients w Note: This policy will not be applied until the system is rebooted. - - ADMX Info: @@ -13218,8 +14559,6 @@ If you enable this policy setting, it directs the RPC server runtime to restrict Note: This policy setting will not be applied until the system is rebooted. - - ADMX Info: @@ -13233,6 +14572,29 @@ ADMX Info: **Search/AllowIndexingEncryptedStoresOrItems** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allows or disallows the indexing of items. This switch is for the Windows Search Indexer, which controls whether it will index items that are encrypted, such as the Windows Information Protection (WIP) protected files. @@ -13247,26 +14609,34 @@ ADMX Info:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Search/AllowSearchToUseLocation** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether search can leverage location information. @@ -13277,26 +14647,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): Yes - - **Search/AllowUsingDiacritics** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allows the use of diacritics. @@ -13307,26 +14685,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Search/AlwaysUseAutoLangDetection** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether to always use automatic language detection when indexing content and properties. @@ -13337,26 +14723,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Search/DisableBackoff** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    If enabled, the search indexer backoff feature will be disabled. Indexing will continue at full speed even when system activity is high. If disabled, backoff logic will be used to throttle back indexing activity when system activity is high. Default is disabled. @@ -13365,26 +14759,34 @@ SKU Support: - 0 (default) – Disable. - 1 – Enable. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Search/DisableRemovableDriveIndexing** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    This policy setting configures whether or not locations on removable drives can be added to libraries. @@ -13397,26 +14799,34 @@ SKU Support: - 0 (default) – Disable. - 1 – Enable. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Search/PreventIndexingLowDiskSpaceMB** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 2147483647 MB. @@ -13429,26 +14839,34 @@ SKU Support: - 0 – Disable. - 1 (default) – Enable. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Search/PreventRemoteQueries** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index.. @@ -13457,26 +14875,34 @@ SKU Support: - 0 – Disable. - 1 (default) – Enable. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Search/SafeSearchPermissions** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -13491,26 +14917,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Security/AllowAddProvisioningPackage** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether to allow the runtime configuration agent to install provisioning packages. @@ -13519,26 +14953,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy has been deprecated in Windows 10, version 1607 @@ -13556,26 +14998,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Security/AllowManualRootCertificateInstallation** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -13590,26 +15040,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Security/AllowRemoveProvisioningPackage** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether to allow the runtime configuration agent to remove provisioning packages. @@ -13618,26 +15076,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Security/AntiTheftMode** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -13650,26 +15116,34 @@ SKU Support: - 0 – Don't allow Anti Theft Mode. - 1 (default) – Anti Theft Mode will follow the default device configuration (region-dependent). - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -13684,26 +15158,34 @@ SKU Support: - 0 (default) – Encryption enabled. - 1 – Encryption disabled. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Security/RequireDeviceEncryption** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile. In Windows 10 for desktop, you can query encryption status by using the [DeviceStatus CSP](devicestatus-csp.md) node **DeviceStatus/Compliance/EncryptionCompliance**. @@ -13720,27 +15202,34 @@ SKU Support: > [!IMPORTANT] > If encryption has been enabled, it cannot be turned off by using this policy. - - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): Yes - - **Security/RequireProvisioningPackageSignature** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether provisioning packages must have a certificate signed by a device trusted authority. @@ -13749,26 +15238,34 @@ SKU Support: - 0 (default) – Not required. - 1 – Required. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Security/RequireRetrieveHealthCertificateOnBoot** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS) when a device boots or reboots. @@ -13788,26 +15285,34 @@ SKU Support:

    Most restricted value is 1. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Settings/AllowAutoPlay** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -13823,27 +15328,34 @@ SKU Support: > [!NOTE] > Setting this policy to 0 (Not allowed) does not affect the autoplay dialog box that appears when a device is connected. - - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Settings/AllowDataSense** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allows the user to change Data Sense settings. @@ -13852,26 +15364,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Settings/AllowDateTime** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allows the user to change date and time settings. @@ -13880,26 +15400,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Settings/AllowEditDeviceName** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck mark1check mark1
    + +

    Allows editing of the device name. @@ -13908,26 +15436,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Settings/AllowLanguage** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -13940,26 +15476,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Settings/AllowPowerSleep** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -13972,26 +15516,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Settings/AllowRegion** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -14004,26 +15556,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Settings/AllowSignInOptions** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -14036,26 +15596,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Settings/AllowVPN** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allows the user to change VPN settings. @@ -14064,26 +15632,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Settings/AllowWorkplace** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -14096,26 +15672,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Settings/AllowYourAccount** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allows user to change account settings. @@ -14124,26 +15708,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Settings/ConfigureTaskbarCalendar** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Allows IT Admins to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. In this version of Windows 10, supported additional calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale. @@ -14154,27 +15746,34 @@ SKU Support: - 2 - Simplified Chinese (Lunar). - 3 - Traditional Chinese (Lunar). - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Settings/PageVisibilityList** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:".  Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons. @@ -14208,27 +15807,34 @@ SKU Support: 2. Configure the policy with the following string: "hide:about". 3. Open System Settings again and verify that the About page is no longer accessible. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **SmartScreen/EnableAppInstallControl** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Allows IT Admins to control whether users are allowed to install apps from places other than the Store. @@ -14237,27 +15843,34 @@ SKU Support: - 0 – Turns off Application Installation Control, allowing users to download and install files from anywhere on the web. - 1 – Turns on Application Installation Control, allowing users to only install apps from the Store. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **SmartScreen/EnableSmartScreenInShell** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Allows IT Admins to configure SmartScreen for Windows. @@ -14266,27 +15879,34 @@ SKU Support: - 0 – Turns off SmartScreen in Windows. - 1 – Turns on SmartScreen in Windows. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **SmartScreen/PreventOverrideForFilesInShell** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Allows IT Admins to control whether users can can ignore SmartScreen warnings and run malicious files. @@ -14295,27 +15915,34 @@ SKU Support: - 0 – Employees can ignore SmartScreen warnings and run malicious files. - 1 – Employees cannot ignore SmartScreen warnings and run malicious files. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Speech/AllowSpeechModelUpdate** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether the device will receive updates to the speech recognition and speech synthesis models. A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files. If enabled, the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS). @@ -14324,26 +15951,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Start/ForceStartSize** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -14359,22 +15994,7 @@ SKU Support:

    If there is policy configuration conflict, the latest configuration request is applied to the device. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Start/HideAppList** @@ -14399,9 +16019,6 @@ SKU Support: - 2b - If set to '2': Verify that the all apps list is collapsed, and that the Settings toggle is grayed out. - 2c - If set to '3': Verify that there is no way of opening the all apps list from Start, and that the Settings toggle is grayed out. - - - @@ -14420,9 +16037,6 @@ SKU Support: 1. Enable policy. 2. Open Start, click on the user tile, and verify that "Change account settings" is not available. - - - @@ -14448,9 +16062,6 @@ SKU Support: 5. Check that "Show most used apps" Settings toggle is grayed out. 6. Check that most used apps do not appear in Start. - - - @@ -14472,9 +16083,6 @@ SKU Support: > [!NOTE] > This policy can only be verified on laptops as "Hibernate" does not appear on regular PC's. - - - @@ -14493,9 +16101,6 @@ SKU Support: 1. Enable policy. 2. Open Start, click on the user tile, and verify "Lock" is not available. - - - @@ -14517,9 +16122,6 @@ SKU Support: 1. Enable policy. 2. Open Start, and verify the power button is not available. - - - @@ -14548,9 +16150,6 @@ SKU Support: 8. Repeat Step 2. 9. Right Click pinned photos app and verify that there is no jumplist of recent items. - - - @@ -14576,9 +16175,6 @@ SKU Support: 5. Check that "Show recently added apps" Settings toggle is grayed out. 6. Check that recently added apps do not appear in Start. - - - @@ -14597,9 +16193,6 @@ SKU Support: 1. Enable policy. 2. Open Start, click on the Power button, and verify "Restart" and "Update and restart" are not available. - - - @@ -14618,9 +16211,6 @@ SKU Support: 1. Enable policy. 2. Open Start, click on the Power button, and verify "Shut down" and "Update and shut down" are not available. - - - @@ -14639,9 +16229,6 @@ SKU Support: 1. Enable policy. 2. Open Start, click on the user tile, and verify "Sign out" is not available. - - - @@ -14660,9 +16247,6 @@ SKU Support: 1. Enable policy. 2. Open Start, click on the Power button, and verify that "Sleep" is not available. - - - @@ -14681,9 +16265,6 @@ SKU Support: 1. Enable policy. 2. Open Start, click on the user tile, and verify that "Switch account" is not available. - - - @@ -14706,9 +16287,6 @@ SKU Support: 2. Log off. 3. Log in, and verify that the user tile is gone from Start. - - - @@ -14732,9 +16310,6 @@ SKU Support: 3. Sign out/in. 4. Verify that all Edge assets defined in XML show up in %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState path. - - - @@ -14756,14 +16331,34 @@ SKU Support: 4. Open Start and right click on one of the app list icons. 5. Verify that More->Pin to taskbar menu does not show. - - - **Start/StartLayout** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck markcheck markcross markcross mark
    + + > [!IMPORTANT] > This node is set on a per-user basis and must be accessed using the following paths: @@ -14780,22 +16375,7 @@ SKU Support:

    This policy is described in [Start/StartLayout Examples](#startlayout-examples) later in this topic. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Storage/EnhancedStorageDevices** @@ -14807,8 +16387,6 @@ If you enable this policy setting, Windows will not activate unactivated Enhance If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices. - - ADMX Info: @@ -14822,6 +16400,29 @@ ADMX Info: **System/AllowBuildPreview** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + > [!NOTE] > This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise. @@ -14837,26 +16438,34 @@ ADMX Info: - 1 – Allowed. Users can make their devices available for downloading and installing preview software. - 2 (default) – Not configured. Users can make their devices available for downloading and installing preview software. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **System/AllowEmbeddedMode** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether set general purpose device to be in embedded mode. @@ -14867,25 +16476,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes - - **System/AllowExperimentation** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + > [!NOTE] > This policy is not supported in Windows 10, version 1607. @@ -14900,26 +16518,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **System/AllowFontProviders** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts. @@ -14939,26 +16565,34 @@ SKU Support: - After a client machine is rebooted, check whether there is any network traffic from client machine to fs.microsoft.com. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes - - **System/AllowLocation** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether to allow app access to the Location service. @@ -14976,26 +16610,34 @@ SKU Support:

    For example, an app's original Location setting is Off. The administrator then sets the **AllowLocation** policy to 2 (Force Location On.) The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the **AllowLocation** policy back to 1 (User Control), the app will revert to using its original setting of Off. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **System/AllowStorageCard** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card. @@ -15006,26 +16648,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): Yes - - **System/AllowTelemetry** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allow the device to send diagnostic and usage telemetry data, such as Watson. @@ -15091,26 +16741,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **System/AllowUserToResetPhone** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination. @@ -15121,22 +16779,7 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **System/BootStartDriverInitialization** @@ -15144,8 +16787,6 @@ SKU Support: N/A - - ADMX Info: @@ -15159,6 +16800,29 @@ ADMX Info: **System/DisableOneDriveFileSync** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting: @@ -15181,23 +16845,7 @@ ADMX Info: 2. Restart machine. 3. Verify that OneDrive.exe is not running in Task Manager. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **System/DisableSystemRestore** @@ -15215,8 +16863,6 @@ If you disable or do not configure this policy setting, users can perform System Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available. - - ADMX Info: @@ -15230,31 +16876,62 @@ ADMX Info: **System/TelemetryProxy** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *<server>:<port>*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device.

    If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): Yes - - **TextInput/AllowIMELogging** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -15269,26 +16946,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **TextInput/AllowIMENetworkAccess** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -15303,26 +16988,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **TextInput/AllowInputPanel** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -15337,26 +17030,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **TextInput/AllowJapaneseIMESurrogatePairCharacters** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -15371,26 +17072,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **TextInput/AllowJapaneseIVSCharacters** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -15405,26 +17114,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **TextInput/AllowJapaneseNonPublishingStandardGlyph** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -15439,26 +17156,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **TextInput/AllowJapaneseUserDictionary** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -15473,26 +17198,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **TextInput/AllowKeyboardTextSuggestions** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -15512,23 +17245,7 @@ SKU Support: 2. Launch the input panel/touch keyboard by touching a text input field or launching it from the taskbar. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Show text suggestions as I type” setting is enabled in the Settings app. 3. Launch the handwriting tool from the touch keyboard. Verify that text prediction is disabled when you write using the tool. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **TextInput/AllowKoreanExtendedHanja** @@ -15536,14 +17253,34 @@ SKU Support:

    This policy has been deprecated. - - - **TextInput/AllowLanguageFeaturesUninstall** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -15558,26 +17295,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **TextInput/ExcludeJapaneseIMEExceptJIS0208** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -15590,26 +17335,34 @@ SKU Support: - 0 (default) – No characters are filtered. - 1 – All characters except JIS0208 are filtered. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -15622,26 +17375,34 @@ SKU Support: - 0 (default) – No characters are filtered. - 1 – All characters except JIS0208 and EUDC are filtered. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **TextInput/ExcludeJapaneseIMEExceptShiftJIS** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -15654,22 +17415,7 @@ SKU Support: - 0 (default) – No characters are filtered. - 1 – All characters except ShiftJIS are filtered. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **TimeLanguageSettings/AllowSet24HourClock** @@ -15682,14 +17428,34 @@ SKU Support: - 0 – Locale default setting. - 1 (default) – Set 24 hour clock. - - - **Update/ActiveHoursEnd** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcheck mark1
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -15704,22 +17470,7 @@ SKU Support:

    The default is 17 (5 PM). - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Update/ActiveHoursMaxRange** @@ -15735,14 +17486,34 @@ SKU Support:

    The default value is 18 (hours). - - - **Update/ActiveHoursStart** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcheck mark1
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -15757,26 +17528,34 @@ SKU Support:

    The default value is 8 (8 AM). - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Update/AllowAutoUpdate** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -15801,26 +17580,34 @@ SKU Support:

    If the policy is not configured, end-users get the default behavior (Auto install and restart). - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Update/AllowMUUpdateService** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education @@ -15833,26 +17620,34 @@ SKU Support: - 0 – Not allowed or not configured. - 1 – Allowed. Accepts updates received through Microsoft Update. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Update/AllowNonMicrosoftSignedUpdate** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -15869,26 +17664,34 @@ SKU Support:

    This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/AllowUpdateService** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -15908,23 +17711,7 @@ SKU Support: > [!NOTE] > This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. - - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/AutoRestartNotificationSchedule** @@ -15940,9 +17727,6 @@ SKU Support:

    The default value is 15 (minutes). - - - @@ -15960,14 +17744,34 @@ SKU Support: - 1 (default) – Auto Dismissal. - 2 – User Dismissal. - - - **Update/BranchReadinessLevel** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcheck mark1
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -15980,26 +17784,34 @@ SKU Support: - 16 (default) – User gets all applicable upgrades from Current Branch (CB). - 32 – User gets upgrades from Current Branch for Business (CBB). - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/DeferFeatureUpdatesPeriodInDays** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. @@ -16012,26 +17824,34 @@ SKU Support: > [!IMPORTANT] > The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/DeferQualityUpdatesPeriodInDays** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcheck mark1
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -16041,26 +17861,34 @@ SKU Support:

    Supported values are 0-30. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/DeferUpdatePeriod** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -16132,27 +17960,34 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego - - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Update/DeferUpgradePeriod** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. @@ -16170,46 +18005,38 @@ SKU Support:

    If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Update/DetectionFrequency** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    + +

    Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Update/EngagedRestartDeadline** @@ -16225,9 +18052,6 @@ SKU Support:

    The default value is 0 days (not specified). - - - @@ -16244,9 +18068,6 @@ SKU Support:

    The default value is 3 days. - - - @@ -16263,14 +18084,34 @@ SKU Support:

    The default value is 7 days. - - - **Update/ExcludeWUDriversInQualityUpdate** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. @@ -16283,27 +18124,34 @@ SKU Support: - 0 (default) – Allow Windows Update drivers. - 1 – Exclude Windows Update drivers. - - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/FillEmptyContentUrls** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2cross markcheck mark2check mark2cross markcross mark
    + +

    Added in the April service release of Windows 10, version 1607. Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL). @@ -16315,27 +18163,34 @@ SKU Support: - 0 (default) – Disabled. - 1 – Enabled. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: No -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Update/IgnoreMOAppDownloadLimit** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    + +

    Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. @@ -16357,28 +18212,34 @@ SKU Support: 3. Verify that any downloads that are above the download size limit will complete without being paused. - - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Update/IgnoreMOUpdateDownloadLimit** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    + +

    Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. @@ -16398,28 +18259,34 @@ SKU Support: 3. Verify that any downloads that are above the download size limit will complete without being paused. - - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Update/PauseDeferrals** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -16438,26 +18305,34 @@ SKU Support:

    If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/PauseFeatureUpdates** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. @@ -16471,51 +18346,67 @@ SKU Support: - 0 (default) – Feature Updates are not paused. - 1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/PauseFeatureUpdatesStartTime** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcheck mark2
    + +

    Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates.

    Value type is string. Supported operations are Add, Get, Delete, and Replace. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/PauseQualityUpdates** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcheck mark1
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -16527,51 +18418,67 @@ SKU Support: - 0 (default) – Quality Updates are not paused. - 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/PauseQualityUpdatesStartTime** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcheck mark2
    + +

    Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates.

    Value type is string. Supported operations are Add, Get, Delete, and Replace. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/RequireDeferUpgrade** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -16586,26 +18493,34 @@ SKU Support: - 0 (default) – User gets upgrades from Current Branch. - 1 – User gets upgrades from Current Branch for Business. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/RequireUpdateApproval** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -16625,22 +18540,7 @@ SKU Support: - 0 – Not configured. The device installs all applicable updates. - 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/ScheduleImminentRestartWarning** @@ -16656,9 +18556,6 @@ SKU Support:

    The default value is 15 (minutes). - - - @@ -16675,14 +18572,34 @@ SKU Support:

    The default value is 4 (hours). - - - **Update/ScheduledInstallDay** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -16705,26 +18622,34 @@ SKU Support: - 6 – Friday - 7 – Saturday - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/ScheduledInstallTime** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -16740,22 +18665,7 @@ SKU Support:

    The default value is 3. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/SetAutoRestartNotificationDisable** @@ -16772,14 +18682,34 @@ SKU Support: - 0 (default) – Enabled - 1 – Disabled - - - **Update/SetEDURestart** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    + +

    Added in Windows 10, version 1703. For devices in a cart, this policy skips the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. @@ -16788,27 +18718,34 @@ SKU Support: - 0 - not configured - 1 - configured - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Update/UpdateServiceUrl** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -16843,26 +18780,34 @@ Example ``` - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/UpdateServiceUrlAlternate** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + > **Note**  This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. @@ -16879,22 +18824,7 @@ SKU Support: > If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates. > This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **WiFi/AllowWiFiHotSpotReporting** @@ -16902,14 +18832,34 @@ SKU Support:

    This policy has been deprecated. - - - **Wifi/AllowAutoConnectToWiFiSenseHotspots** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allow or disallow the device to automatically connect to Wi-Fi hotspots. @@ -16920,26 +18870,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Wifi/AllowInternetSharing** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allow or disallow internet sharing. @@ -16950,26 +18908,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): Yes - - **Wifi/AllowManualWiFiConfiguration** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1check markcheck mark
    + +

    Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks. @@ -16983,27 +18949,34 @@ SKU Support: > [!NOTE] > Setting this policy deletes any previously installed user-configured and Wi-Fi sense Wi-Fi profiles from the device. Certain Wi-Fi profiles that are not user configured nor Wi-Fi sense might not be deleted. In addition, not all non-MDM profiles are completely deleted. - - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Wifi/AllowWiFi** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1check markcheck mark
    + +

    Allow or disallow WiFi connection. @@ -17014,53 +18987,68 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): Yes - - **Wifi/AllowWiFiDirect** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. Allow WiFi Direct connection.. - 0 - WiFi Direct connection is not allowed. - 1 - WiFi Direct connection is allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Wifi/WLANScanMode** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allow an enterprise to control the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. @@ -17070,26 +19058,34 @@ SKU Support:

    Supported operations are Add, Delete, Get, and Replace. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + +

    Added in Windows 10, version 1607. Show recommended app suggestions in the ink workspace. @@ -17098,26 +19094,34 @@ SKU Support: - 0 - app suggestions are not allowed. - 1 (default) -allow app suggestions. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **WindowsInkWorkspace/AllowWindowsInkWorkspace** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + +

    Added in Windows 10, version 1607. Specifies whether to allow the user to access the ink workspace. @@ -17127,22 +19131,7 @@ SKU Support: - 1 - ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen. - 2 (default) - ink workspace is enabled (feature is turned on), and the user is allowed to use it above the lock screen. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **WindowsLogon/DisableLockScreenAppNotifications** @@ -17154,8 +19143,6 @@ If you enable this policy setting, no app notifications are displayed on the loc If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen. - - ADMX Info: @@ -17176,8 +19163,6 @@ If you enable this policy setting, the PC's network connectivity state cannot be If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows. - - ADMX Info: @@ -17191,6 +19176,29 @@ ADMX Info: **WindowsLogon/HideFastUserSwitching** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations. @@ -17204,80 +19212,102 @@ ADMX Info: 1. Enable policy. 2. Verify that the Switch account button in Start is hidden. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **WirelessDisplay/AllowProjectionFromPC** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC. - 0 - your PC cannot discover or project to other devices. - 1 - your PC can discover and project to other devices - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **WirelessDisplay/AllowProjectionFromPCOverInfrastructure** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC over infrastructure. - 0 - your PC cannot discover or project to other infrastructure devices, although it is possible to discover and project over WiFi Direct. - 1 - your PC can discover and project to other devices over infrastructure. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **WirelessDisplay/AllowProjectionToPC** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + +

    Added in Windows 10, version 1607. Allow or disallow turning off the projection to a PC. @@ -17288,49 +19318,41 @@ SKU Support: - 0 - projection to PC is not allowed. Always off and the user cannot enable it. - 1 (default) - projection to PC is allowed. Enabled only above the lock screen. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **WirelessDisplay/AllowProjectionToPCOverInfrastructure** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. This policy setting allows you to turn off projection to a PC over infrastructure. - 0 - your PC is not discoverable and other devices cannot project to it over infrastructure, although it is possible to project to it over WiFi Direct. - 1 - your PC is discoverable and other devices can project to it over infrastructure. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver** @@ -17338,19 +19360,34 @@ SKU Support:

    Added in Windows 10, version 1703. - - - - -SKU Support: -- Can be set using Exchange Active Sync (EAS): No - - **WirelessDisplay/RequirePinForPairing** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + +

    Added in Windows 10, version 1607. Allow or disallow requirement for a PIN for pairing. @@ -17361,25 +19398,91 @@ SKU Support: - 0 (default) - PIN is not required. - 1 - PIN is required. - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - -

    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. + + +## IoT Core Support + +[ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock) +[Authentication/AllowFastReconnect](#authentication-allowfastreconnect) +[Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) +[Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) +[Bluetooth/LocalDeviceName](#bluetooth-localdevicename) +[Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist) +[Browser/AllowAutofill](#browser-allowautofill) +[Browser/AllowBrowser](#browser-allowbrowser) +[Browser/AllowCookies](#browser-allowcookies) +[Browser/AllowDoNotTrack](#browser-allowdonottrack) +[Browser/AllowInPrivate](#browser-allowinprivate) +[Browser/AllowPasswordManager](#browser-allowpasswordmanager) +[Browser/AllowPopups](#browser-allowpopups) +[Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) +[Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist) +[Browser/EnterpriseSiteListServiceUrl](#browser-enterprisesitelistserviceurl) +[Browser/SendIntranetTraffictoInternetExplorer](#browser-sendintranettraffictointernetexplorer) +[Camera/AllowCamera](#camera-allowcamera) +[Connectivity/AllowBluetooth](#connectivity-allowbluetooth) +[Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) +[Connectivity/AllowNFC](#connectivity-allownfc) +[Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) +[Connectivity/AllowVPNOverCellular](#connectivity-allowvpnovercellular) +[Connectivity/AllowVPNRoamingOverCellular](#connectivity-allowvpnroamingovercellular) +[DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess) +[Security/AllowAddProvisioningPackage](#security-allowaddprovisioningpackage) +[Security/AllowRemoveProvisioningPackage](#security-allowremoveprovisioningpackage) +[Security/RequireDeviceEncryption](#security-requiredeviceencryption) +[Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature) +[System/AllowEmbeddedMode](#system-allowembeddedmode) +[System/AllowStorageCard](#system-allowstoragecard) +[System/TelemetryProxy](#system-telemetryproxy) +[Update/AllowNonMicrosoftSignedUpdate](#update-allownonmicrosoftsignedupdate) +[Update/AllowUpdateService](#update-allowupdateservice) +[Update/PauseDeferrals](#update-pausedeferrals) +[Update/RequireDeferUpgrade](#update-requiredeferupgrade) +[Update/RequireUpdateApproval](#update-requireupdateapproval) +[Update/ScheduledInstallDay](#update-scheduledinstallday) +[Update/ScheduledInstallTime](#update-scheduledinstalltime) +[Update/UpdateServiceUrl](#update-updateserviceurl) +[Wifi/AllowAutoConnectToWiFiSenseHotspots](#wifi-allowautoconnecttowifisensehotspots) +[Wifi/AllowInternetSharing](#wifi-allowinternetsharing) +[Wifi/AllowWiFi](#wifi-allowwifi) +[Wifi/WLANScanMode](#wifi-wlanscanmode) + + + +## Can be set using Exchange Active Sync (EAS) + +[Browser/AllowBrowser](#browser-allowbrowser) +[Camera/AllowCamera](#camera-allowcamera) +[Connectivity/AllowBluetooth](#connectivity-allowbluetooth) +[Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) +[Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) +[DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword) +[DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired) +[DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) +[DeviceLock/DevicePasswordExpiration](#devicelock-devicepasswordexpiration) +[DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory) +[DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts) +[DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock) +[DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters) +[DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength) +[Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) +[Security/RequireDeviceEncryption](#security-requiredeviceencryption) +[System/AllowStorageCard](#system-allowstoragecard) +[System/TelemetryProxy](#system-telemetryproxy) +[Wifi/AllowInternetSharing](#wifi-allowinternetsharing) +[Wifi/AllowWiFi](#wifi-allowwifi) + + ## Examples diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index 3edb63ebe7..3a2d11e3db 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md @@ -1,15 +1,12 @@ --- title: Policy DDF file description: Policy DDF file -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: D90791B5-A772-4AF8-B058-5D566865AF8D -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Policy DDF file diff --git a/windows/client-management/mdm/policymanager-csp.md b/windows/client-management/mdm/policymanager-csp.md index c20fa69027..8124940a17 100644 --- a/windows/client-management/mdm/policymanager-csp.md +++ b/windows/client-management/mdm/policymanager-csp.md @@ -1,15 +1,12 @@ --- title: PolicyManager CSP description: PolicyManager CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 048427b1-6024-4660-8660-bd91c583f7f9 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # PolicyManager CSP diff --git a/windows/client-management/mdm/provisioning-csp.md b/windows/client-management/mdm/provisioning-csp.md index 9d7fe6b775..9ae10f0f2c 100644 --- a/windows/client-management/mdm/provisioning-csp.md +++ b/windows/client-management/mdm/provisioning-csp.md @@ -1,15 +1,12 @@ --- title: Provisioning CSP description: The Provisioning configuration service provider is used for bulk user enrollment to an MDM service. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 5D6C17BE-727A-4AFA-9F30-B34C1EA1D2AE -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Provisioning CSP diff --git a/windows/client-management/mdm/proxy-csp.md b/windows/client-management/mdm/proxy-csp.md index 2c69cb99be..65e4ceb727 100644 --- a/windows/client-management/mdm/proxy-csp.md +++ b/windows/client-management/mdm/proxy-csp.md @@ -1,15 +1,12 @@ --- title: PROXY CSP description: PROXY CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 9904d44c-4a1e-4ae7-a6c7-5dba06cb16ce -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # PROXY CSP diff --git a/windows/client-management/mdm/push-notification-windows-mdm.md b/windows/client-management/mdm/push-notification-windows-mdm.md index ae58089129..e34d5f94f2 100644 --- a/windows/client-management/mdm/push-notification-windows-mdm.md +++ b/windows/client-management/mdm/push-notification-windows-mdm.md @@ -4,15 +4,12 @@ description: The DMClient CSP supports the ability to configure push-initiated d MS-HAID: - 'p\_phdevicemgmt.push\_notification\_support\_for\_device\_management' - 'p\_phDeviceMgmt.push\_notification\_windows\_mdm' -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 9031C4FE-212A-4481-A1B0-4C3190B388AE -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- diff --git a/windows/client-management/mdm/pxlogical-csp.md b/windows/client-management/mdm/pxlogical-csp.md index 16e33e0a5e..d3391b6066 100644 --- a/windows/client-management/mdm/pxlogical-csp.md +++ b/windows/client-management/mdm/pxlogical-csp.md @@ -1,15 +1,12 @@ --- title: PXLOGICAL configuration service provider description: PXLOGICAL configuration service provider -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: b5fc84d4-aa32-4edd-95f1-a6a9c0feb459 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # PXLOGICAL configuration service provider diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md index 8b7546365e..6180829e89 100644 --- a/windows/client-management/mdm/reboot-csp.md +++ b/windows/client-management/mdm/reboot-csp.md @@ -1,15 +1,12 @@ --- title: Reboot CSP description: Reboot CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 4E3F1225-BBAD-40F5-A1AB-FF221B6BAF48 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Reboot CSP diff --git a/windows/client-management/mdm/reboot-ddf-file.md b/windows/client-management/mdm/reboot-ddf-file.md index 1854905947..714d7255ec 100644 --- a/windows/client-management/mdm/reboot-ddf-file.md +++ b/windows/client-management/mdm/reboot-ddf-file.md @@ -1,15 +1,12 @@ --- title: Reboot DDF file description: This topic shows the OMA DM device description framework (DDF) for the Reboot configuration service provider. DDF files are used only with OMA DM provisioning XML. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: ABBD850C-E744-462C-88E7-CA3F43D80DB1 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Reboot DDF file diff --git a/windows/client-management/mdm/reclaim-seat-from-user.md b/windows/client-management/mdm/reclaim-seat-from-user.md index 8f29cf0f62..ee5bc80e60 100644 --- a/windows/client-management/mdm/reclaim-seat-from-user.md +++ b/windows/client-management/mdm/reclaim-seat-from-user.md @@ -1,15 +1,12 @@ --- title: Reclaim seat from user description: The Reclaim seat from user operation returns reclaimed seats for a user in the Windows Store for Business. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: E2C3C899-D0AD-469A-A319-31A420472A4C -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Reclaim seat from user diff --git a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md index 0b4b04eb62..344a2176e6 100644 --- a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md +++ b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md @@ -1,15 +1,12 @@ --- title: Register your free Azure Active Directory subscription description: If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 97DCD303-BB11-4AFF-84FE-B7F14CDF64F7 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Register your free Azure Active Directory subscription diff --git a/windows/client-management/mdm/registry-csp.md b/windows/client-management/mdm/registry-csp.md index fdd8e867f6..3874d0f2d7 100644 --- a/windows/client-management/mdm/registry-csp.md +++ b/windows/client-management/mdm/registry-csp.md @@ -1,15 +1,12 @@ --- title: Registry CSP description: Registry CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 2307e3fd-7b61-4f00-94e1-a639571f2c9d -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Registry CSP diff --git a/windows/client-management/mdm/registry-ddf-file.md b/windows/client-management/mdm/registry-ddf-file.md index 179ce9f272..5ee429e5ca 100644 --- a/windows/client-management/mdm/registry-ddf-file.md +++ b/windows/client-management/mdm/registry-ddf-file.md @@ -1,15 +1,12 @@ --- title: Registry DDF file description: Registry DDF file -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 29b5cc07-f349-4567-8a77-387d816a9d15 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Registry DDF file diff --git a/windows/client-management/mdm/remotefind-csp.md b/windows/client-management/mdm/remotefind-csp.md index f11afd65e5..29447d3ed2 100644 --- a/windows/client-management/mdm/remotefind-csp.md +++ b/windows/client-management/mdm/remotefind-csp.md @@ -1,15 +1,12 @@ --- title: RemoteFind CSP description: The RemoteFind configuration service provider retrieves the location information for a particular device. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 2EB02824-65BF-4B40-A338-672D219AF5A0 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # RemoteFind CSP diff --git a/windows/client-management/mdm/remotefind-ddf-file.md b/windows/client-management/mdm/remotefind-ddf-file.md index 746dc26f77..c30856f87d 100644 --- a/windows/client-management/mdm/remotefind-ddf-file.md +++ b/windows/client-management/mdm/remotefind-ddf-file.md @@ -1,15 +1,12 @@ --- title: RemoteFind DDF file description: This topic shows the OMA DM device description framework (DDF) for the RemoteFind configuration service provider. DDF files are used only with OMA DM provisioning XML. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 5864CBB8-2030-459E-BCF6-9ACB69206FEA -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # RemoteFind DDF file diff --git a/windows/client-management/mdm/remotelock-csp.md b/windows/client-management/mdm/remotelock-csp.md index 6afa9644ad..1ac58b24af 100644 --- a/windows/client-management/mdm/remotelock-csp.md +++ b/windows/client-management/mdm/remotelock-csp.md @@ -1,15 +1,12 @@ --- title: RemoteLock CSP description: RemoteLock CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: c7889331-5aa3-4efe-9a7e-20d3f433659b -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # RemoteLock CSP diff --git a/windows/client-management/mdm/remotelock-ddf-file.md b/windows/client-management/mdm/remotelock-ddf-file.md index 186a01cf7e..1f09e6508c 100644 --- a/windows/client-management/mdm/remotelock-ddf-file.md +++ b/windows/client-management/mdm/remotelock-ddf-file.md @@ -1,15 +1,12 @@ --- title: RemoteLock DDF file description: RemoteLock DDF file -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: A301AE26-1BF1-4328-99AB-1ABBA4960797 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # RemoteLock DDF file diff --git a/windows/client-management/mdm/remotering-csp.md b/windows/client-management/mdm/remotering-csp.md index 9e472ec2d6..4f16070cb7 100644 --- a/windows/client-management/mdm/remotering-csp.md +++ b/windows/client-management/mdm/remotering-csp.md @@ -1,15 +1,12 @@ --- title: RemoteRing CSP description: RemoteRing CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 70015243-c07f-46cb-a0f9-4b4ad13a5609 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # RemoteRing CSP diff --git a/windows/client-management/mdm/remotering-ddf-file.md b/windows/client-management/mdm/remotering-ddf-file.md index 388027a75e..8d690e645e 100644 --- a/windows/client-management/mdm/remotering-ddf-file.md +++ b/windows/client-management/mdm/remotering-ddf-file.md @@ -1,15 +1,12 @@ --- title: RemoteRing DDF file description: This topic shows the OMA DM device description framework (DDF) for the RemoteRing configuration service provider. DDF files are used only with OMA DM provisioning XML. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 6815267F-212B-4370-8B72-A457E8000F7B -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # RemoteRing DDF file diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index 5d39d7b7b5..81a742eab8 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md @@ -1,15 +1,12 @@ --- title: RemoteWipe CSP description: RemoteWipe CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 6e89bd37-7680-4940-8a67-11ed062ffb70 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # RemoteWipe CSP diff --git a/windows/client-management/mdm/remotewipe-ddf-file.md b/windows/client-management/mdm/remotewipe-ddf-file.md index 8bcac9fb38..fa91cdb835 100644 --- a/windows/client-management/mdm/remotewipe-ddf-file.md +++ b/windows/client-management/mdm/remotewipe-ddf-file.md @@ -1,15 +1,12 @@ --- title: RemoteWipe DDF file description: RemoteWipe DDF file -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 10ec4fb7-f911-4d0c-9a8f-e96bf5faea0c -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # RemoteWipe DDF file diff --git a/windows/client-management/mdm/reporting-csp.md b/windows/client-management/mdm/reporting-csp.md index 498de35717..83d3d3f5b5 100644 --- a/windows/client-management/mdm/reporting-csp.md +++ b/windows/client-management/mdm/reporting-csp.md @@ -1,15 +1,12 @@ --- title: Reporting CSP description: The Reporting configuration service provider is used to retrieve Windows Information Protection (formerly known as Enterprise Data Protection) and security auditing logs. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 148441A6-D9E1-43D8-ADEE-FB62E85A39F7 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Reporting CSP diff --git a/windows/client-management/mdm/reporting-ddf-file.md b/windows/client-management/mdm/reporting-ddf-file.md index 97a063b1d3..ff3de3aab3 100644 --- a/windows/client-management/mdm/reporting-ddf-file.md +++ b/windows/client-management/mdm/reporting-ddf-file.md @@ -1,15 +1,12 @@ --- title: Reporting DDF file description: This topic shows the OMA DM device description framework (DDF) for the Reporting configuration service provider. This CSP was added in Windows 10, version 1511. Support for desktop security auditing was added for the desktop in Windows 10, version 1607. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 7A5B79DB-9571-4F7C-ABED-D79CD08C1E35 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Reporting DDF file diff --git a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md index 7f7b8824d9..87ad349555 100644 --- a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md +++ b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md @@ -4,15 +4,12 @@ description: REST API reference for Windows Store for Business MS-HAID: - 'p\_phdevicemgmt.business\_store\_portal\_management\_rest\_api\_reference' - 'p\_phDeviceMgmt.rest\_api\_reference\_windows\_store\_for\_Business' -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 8C48A879-525A-471F-B0FD-506E743A7D2F -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # REST API reference for Windows Store for Business diff --git a/windows/client-management/mdm/rootcacertificates-csp.md b/windows/client-management/mdm/rootcacertificates-csp.md index 669dbc6dab..ae0852dd78 100644 --- a/windows/client-management/mdm/rootcacertificates-csp.md +++ b/windows/client-management/mdm/rootcacertificates-csp.md @@ -1,15 +1,12 @@ --- title: RootCATrustedCertificates CSP description: RootCATrustedCertificates CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: F2F25DEB-9DB3-40FB-BC3C-B816CE470D61 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # RootCATrustedCertificates CSP diff --git a/windows/client-management/mdm/rootcacertificates-ddf-file.md b/windows/client-management/mdm/rootcacertificates-ddf-file.md index b9af3d73bd..e825e38ead 100644 --- a/windows/client-management/mdm/rootcacertificates-ddf-file.md +++ b/windows/client-management/mdm/rootcacertificates-ddf-file.md @@ -1,15 +1,12 @@ --- title: RootCATrustedCertificates DDF file description: RootCATrustedCertificates DDF file -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 06D8787B-D3E1-4D4B-8A21-8045A8F85C1C -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # RootCATrustedCertificates DDF file diff --git a/windows/client-management/mdm/samples-for-writing-a-custom-configuration-service-provider.md b/windows/client-management/mdm/samples-for-writing-a-custom-configuration-service-provider.md index 8af994de2c..8ab213e4cf 100644 --- a/windows/client-management/mdm/samples-for-writing-a-custom-configuration-service-provider.md +++ b/windows/client-management/mdm/samples-for-writing-a-custom-configuration-service-provider.md @@ -1,15 +1,12 @@ --- title: Samples for writing a custom configuration service provider description: Samples for writing a custom configuration service provider -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: ccda4d62-7ce1-483b-912f-25d50c974270 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Samples for writing a custom configuration service provider diff --git a/windows/client-management/mdm/secureassessment-csp.md b/windows/client-management/mdm/secureassessment-csp.md index e94006221c..8f671e0d21 100644 --- a/windows/client-management/mdm/secureassessment-csp.md +++ b/windows/client-management/mdm/secureassessment-csp.md @@ -1,15 +1,12 @@ --- title: SecureAssessment CSP description: SecureAssessment CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 6808BE4B-961E-4638-BF15-FD7841D1C00A -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # SecureAssessment CSP diff --git a/windows/client-management/mdm/secureassessment-ddf-file.md b/windows/client-management/mdm/secureassessment-ddf-file.md index fa93e99ad4..57601f53e0 100644 --- a/windows/client-management/mdm/secureassessment-ddf-file.md +++ b/windows/client-management/mdm/secureassessment-ddf-file.md @@ -1,15 +1,12 @@ --- title: SecureAssessment DDF file description: This topic shows the OMA DM device description framework (DDF) for the SecureAssessment configuration service provider. DDF files are used only with OMA DM provisioning XML. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 68D17F2A-FAEA-4608-8727-DBEC1D7BE48A -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # SecureAssessment DDF file diff --git a/windows/client-management/mdm/securitypolicy-csp.md b/windows/client-management/mdm/securitypolicy-csp.md index 6fc15e30bb..28e87b7c43 100644 --- a/windows/client-management/mdm/securitypolicy-csp.md +++ b/windows/client-management/mdm/securitypolicy-csp.md @@ -1,15 +1,12 @@ --- title: SecurityPolicy CSP description: SecurityPolicy CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 6014f8fe-f91b-49f3-a357-bdf625545bc9 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # SecurityPolicy CSP diff --git a/windows/client-management/mdm/server-requirements-windows-mdm.md b/windows/client-management/mdm/server-requirements-windows-mdm.md index bc372c4f37..0ced05ef07 100644 --- a/windows/client-management/mdm/server-requirements-windows-mdm.md +++ b/windows/client-management/mdm/server-requirements-windows-mdm.md @@ -4,15 +4,12 @@ description: Server requirements for using OMA DM to manage Windows devices MS-HAID: - 'p\_phDeviceMgmt.server\_requirements\_for\_oma\_dm' - 'p\_phDeviceMgmt.server\_requirements\_windows\_mdm' -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 5b90b631-62a6-4949-b53a-01275fd304b2 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Server requirements for using OMA DM to manage Windows devices diff --git a/windows/client-management/mdm/sharedpc-csp.md b/windows/client-management/mdm/sharedpc-csp.md index fd508bddc8..e8b16b4a18 100644 --- a/windows/client-management/mdm/sharedpc-csp.md +++ b/windows/client-management/mdm/sharedpc-csp.md @@ -1,15 +1,12 @@ --- title: SharedPC CSP description: SharedPC CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 31273166-1A1E-4F96-B176-CB42ECB80957 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # SharedPC CSP diff --git a/windows/client-management/mdm/sharedpc-ddf-file.md b/windows/client-management/mdm/sharedpc-ddf-file.md index fe6259624e..e666ac45e9 100644 --- a/windows/client-management/mdm/sharedpc-ddf-file.md +++ b/windows/client-management/mdm/sharedpc-ddf-file.md @@ -1,15 +1,12 @@ --- title: SharedPC DDF file description: SharedPC DDF file -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 70234197-07D4-478E-97BB-F6C651C0B970 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # SharedPC DDF file diff --git a/windows/client-management/mdm/storage-csp.md b/windows/client-management/mdm/storage-csp.md index 53b364243d..e383685013 100644 --- a/windows/client-management/mdm/storage-csp.md +++ b/windows/client-management/mdm/storage-csp.md @@ -1,15 +1,12 @@ --- title: Storage CSP description: Storage CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: b19bdb54-53ed-42ce-a5a1-269379013f57 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Storage CSP diff --git a/windows/client-management/mdm/storage-ddf-file.md b/windows/client-management/mdm/storage-ddf-file.md index 087e36a61f..2cf0a17551 100644 --- a/windows/client-management/mdm/storage-ddf-file.md +++ b/windows/client-management/mdm/storage-ddf-file.md @@ -1,15 +1,12 @@ --- title: Storage DDF file description: Storage DDF file -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 247062A3-4DFB-4B14-A3D1-68D02C27703C -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Storage DDF file diff --git a/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md b/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md index c8e61157a6..031e69f53b 100644 --- a/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md +++ b/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md @@ -1,15 +1,12 @@ --- title: Structure of OMA DM provisioning files description: Structure of OMA DM provisioning files -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 7bd3ef57-c76c-459b-b63f-c5a333ddc2bc -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Structure of OMA DM provisioning files diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md index 25acb22d8e..150ca95701 100644 --- a/windows/client-management/mdm/supl-csp.md +++ b/windows/client-management/mdm/supl-csp.md @@ -1,15 +1,12 @@ --- title: SUPL CSP description: SUPL CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: afad0120-1126-4fc5-8e7a-64b9f2a5eae1 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # SUPL CSP diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md index eedb7f2b31..266c2dcaf6 100644 --- a/windows/client-management/mdm/supl-ddf-file.md +++ b/windows/client-management/mdm/supl-ddf-file.md @@ -1,15 +1,12 @@ --- title: SUPL DDF file description: This topic shows the OMA DM device description framework (DDF) for the SUPL configuration service provider. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 514B7854-80DC-4ED9-9805-F5276BF38034 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # SUPL DDF file diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index aa210d64d8..f751e53b34 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -1,15 +1,12 @@ --- title: SurfaceHub CSP description: The SurfaceHub configuration service provider (CSP) is used to configure Microsoft Surface Hub settings. This CSP was added in Windows 10, version 1511. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 36FBBC32-AD6A-41F1-86BF-B384891AA693 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # SurfaceHub CSP diff --git a/windows/client-management/mdm/surfacehub-ddf-file.md b/windows/client-management/mdm/surfacehub-ddf-file.md index d47a546466..590539f3bb 100644 --- a/windows/client-management/mdm/surfacehub-ddf-file.md +++ b/windows/client-management/mdm/surfacehub-ddf-file.md @@ -1,15 +1,12 @@ --- title: SurfaceHub DDF file description: This topic shows the OMA DM device description framework (DDF) for the SurfaceHub configuration service provider. This CSP was added in Windows 10, version 1511. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: D34DA1C2-09A2-4BA3-BE99-AC483C278436 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # SurfaceHub DDF file diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md index 6844ac7526..a308149484 100644 --- a/windows/client-management/mdm/understanding-admx-backed-policies.md +++ b/windows/client-management/mdm/understanding-admx-backed-policies.md @@ -1,11 +1,11 @@ --- title: Understanding ADMX-backed policies description: Starting in Windows 10, version 1703, you can use ADMX-backed policies for Windows 10 mobile device management (MDM) across Windows 10 devices. -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Understanding ADMX-backed policies diff --git a/windows/client-management/mdm/unifiedwritefilter-csp.md b/windows/client-management/mdm/unifiedwritefilter-csp.md index a63264b46d..8ef347d5c5 100644 --- a/windows/client-management/mdm/unifiedwritefilter-csp.md +++ b/windows/client-management/mdm/unifiedwritefilter-csp.md @@ -1,15 +1,12 @@ --- title: UnifiedWriteFilter CSP description: The UnifiedWriteFilter (UWF) configuration service provider enables the IT administrator to remotely manage the UWF to help protect physical storage media including any writable storage type. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: F4716AC6-0AA5-4A67-AECE-E0F200BA95EB -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # UnifiedWriteFilter CSP diff --git a/windows/client-management/mdm/unifiedwritefilter-ddf.md b/windows/client-management/mdm/unifiedwritefilter-ddf.md index 5e72b27c72..ae3e8f02e5 100644 --- a/windows/client-management/mdm/unifiedwritefilter-ddf.md +++ b/windows/client-management/mdm/unifiedwritefilter-ddf.md @@ -1,15 +1,12 @@ --- title: UnifiedWriteFilter DDF File description: UnifiedWriteFilter DDF File -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 23A7316E-A298-43F7-9407-A65155C8CEA6 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # UnifiedWriteFilter DDF File diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md index 0d4d052ca3..61923798e2 100644 --- a/windows/client-management/mdm/update-csp.md +++ b/windows/client-management/mdm/update-csp.md @@ -1,15 +1,12 @@ --- title: Update CSP description: Update CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: F1627B57-0749-47F6-A066-677FDD3D7359 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Update CSP diff --git a/windows/client-management/mdm/update-ddf-file.md b/windows/client-management/mdm/update-ddf-file.md index 564b1a164c..a7617b44d2 100644 --- a/windows/client-management/mdm/update-ddf-file.md +++ b/windows/client-management/mdm/update-ddf-file.md @@ -1,15 +1,12 @@ --- title: Update DDF file description: Update DDF file -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: E236E468-88F3-402A-BA7A-834ED38DD388 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Update DDF file diff --git a/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md b/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md index 779ba4eec8..8eda2844e1 100644 --- a/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md +++ b/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md @@ -1,15 +1,12 @@ --- title: Using PowerShell scripting with the WMI Bridge Provider description: This topic covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, as well as how to invoke methods through the WMI Bridge Provider. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 238D45AD-3FD8-46F9-B7FB-6AEE42BE4C08 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Using PowerShell scripting with the WMI Bridge Provider diff --git a/windows/client-management/mdm/vpn-csp.md b/windows/client-management/mdm/vpn-csp.md index d087514fd2..7310156f21 100644 --- a/windows/client-management/mdm/vpn-csp.md +++ b/windows/client-management/mdm/vpn-csp.md @@ -1,15 +1,12 @@ --- title: VPN CSP description: VPN CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 05ca946a-1c0b-4e11-8d7e-854e14740707 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # VPN CSP diff --git a/windows/client-management/mdm/vpn-ddf-file.md b/windows/client-management/mdm/vpn-ddf-file.md index f742ca010e..d5e1303442 100644 --- a/windows/client-management/mdm/vpn-ddf-file.md +++ b/windows/client-management/mdm/vpn-ddf-file.md @@ -1,15 +1,12 @@ --- title: VPN DDF file description: VPN DDF file -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 728FCD9C-0B8E-413B-B54A-CD72C9F2B9EE -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # VPN DDF file diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 5aaa8632b7..5b48d34a09 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -1,15 +1,12 @@ --- title: VPNv2 CSP description: VPNv2 CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 51ADA62E-1EE5-4F15-B2AD-52867F5B2AD2 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # VPNv2 CSP diff --git a/windows/client-management/mdm/vpnv2-ddf-file.md b/windows/client-management/mdm/vpnv2-ddf-file.md index 88ce8c7589..b91f59555f 100644 --- a/windows/client-management/mdm/vpnv2-ddf-file.md +++ b/windows/client-management/mdm/vpnv2-ddf-file.md @@ -1,15 +1,12 @@ --- title: VPNv2 DDF file description: This topic shows the OMA DM device description framework (DDF) for the VPNv2 configuration service provider. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 4E2F36B7-D2EE-4F48-AD1A-6BDE7E72CC94 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # VPNv2 DDF file diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md index 96e6d32e57..8099da7143 100644 --- a/windows/client-management/mdm/vpnv2-profile-xsd.md +++ b/windows/client-management/mdm/vpnv2-profile-xsd.md @@ -1,15 +1,12 @@ --- title: ProfileXML XSD description: Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some profile examples. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 2F32E14B-F9B9-4760-AE94-E57F1D4DFDB3 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # ProfileXML XSD diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md index 82856c77c2..1559b6350d 100644 --- a/windows/client-management/mdm/w4-application-csp.md +++ b/windows/client-management/mdm/w4-application-csp.md @@ -1,15 +1,12 @@ --- title: w4 APPLICATION CSP description: w4 APPLICATION CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: ef42b82a-1f04-49e4-8a48-bd4e439fc43a -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # w4 APPLICATION CSP diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md index 71bb224ad9..cc931c7f9a 100644 --- a/windows/client-management/mdm/w7-application-csp.md +++ b/windows/client-management/mdm/w7-application-csp.md @@ -1,15 +1,12 @@ --- title: w7 APPLICATION CSP description: w7 APPLICATION CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 10f8aa16-5c89-455d-adcd-d7fb45d4e768 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # w7 APPLICATION CSP diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index a93b8c9e3f..d1ed9593eb 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md @@ -1,15 +1,12 @@ --- title: WiFi CSP description: WiFi CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: f927cb5f-9555-4029-838b-03fb68937f06 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # WiFi CSP diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md index c8ca454737..4443fab25f 100644 --- a/windows/client-management/mdm/wifi-ddf-file.md +++ b/windows/client-management/mdm/wifi-ddf-file.md @@ -1,15 +1,12 @@ --- title: WiFi DDF file description: WiFi DDF file -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 00DE1DA7-23DE-4871-B3F0-28EB29A62D61 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # WiFi DDF file diff --git a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md index 4fdd9516e1..17d48bf9fe 100644 --- a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md +++ b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md @@ -1,11 +1,11 @@ --- title: Win32 and Desktop Bridge app policy configuration description: Starting in Windows 10, version 1703, you can import ADMX files and set those ADMX-backed policies for Win32 and Desktop Bridge apps. -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Win32 and Desktop Bridge app policy configuration diff --git a/windows/client-management/mdm/win32appinventory-csp.md b/windows/client-management/mdm/win32appinventory-csp.md index 67ef056dbe..935df946c0 100644 --- a/windows/client-management/mdm/win32appinventory-csp.md +++ b/windows/client-management/mdm/win32appinventory-csp.md @@ -1,15 +1,12 @@ --- title: Win32AppInventory CSP description: Win32AppInventory CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: C0DEDD51-4EAD-4F8E-AEE2-CBE9658BCA22 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Win32AppInventory CSP diff --git a/windows/client-management/mdm/win32appinventory-ddf-file.md b/windows/client-management/mdm/win32appinventory-ddf-file.md index 893b52b222..97eafeb66c 100644 --- a/windows/client-management/mdm/win32appinventory-ddf-file.md +++ b/windows/client-management/mdm/win32appinventory-ddf-file.md @@ -1,15 +1,12 @@ --- title: Win32AppInventory DDF file description: Win32AppInventory DDF file -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: F6BCC10B-BFE4-40AB-AEEE-34679A4E15B0 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Win32AppInventory DDF file diff --git a/windows/client-management/mdm/windows-mdm-enterprise-settings.md b/windows/client-management/mdm/windows-mdm-enterprise-settings.md index f50b20ad5e..51943be64f 100644 --- a/windows/client-management/mdm/windows-mdm-enterprise-settings.md +++ b/windows/client-management/mdm/windows-mdm-enterprise-settings.md @@ -4,15 +4,12 @@ description: The actual management interaction between the device and server is MS-HAID: - 'p\_phdevicemgmt.enterprise\_settings\_\_policies\_\_and\_app\_management' - 'p\_phDeviceMgmt.windows\_mdm\_enterprise\_settings' -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 92711D65-3022-4789-924B-602BE3187E23 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # Enterprise settings, policies, and app management diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md index ba5104057e..bced249094 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md @@ -1,15 +1,12 @@ --- title: WindowsAdvancedThreatProtection CSP description: WindowsAdvancedThreatProtection CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 6C3054CA-9890-4C08-9DB6-FBEEB74699A8 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # WindowsAdvancedThreatProtection CSP diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md index 06cf87d740..135648a616 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md @@ -1,15 +1,12 @@ --- title: WindowsAdvancedThreatProtection DDF file description: WindowsAdvancedThreatProtection DDF file -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 0C62A790-4351-48AF-89FD-7D46C42D13E0 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # WindowsAdvancedThreatProtection DDF file diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md index edff8cdb64..bdc1b02533 100644 --- a/windows/client-management/mdm/windowslicensing-csp.md +++ b/windows/client-management/mdm/windowslicensing-csp.md @@ -1,15 +1,12 @@ --- title: WindowsLicensing CSP description: WindowsLicensing CSP -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: E6BC6B0D-1F16-48A5-9AC4-76D69A7EDDA6 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # WindowsLicensing CSP diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md index 68cec1698d..5ac78fc98d 100644 --- a/windows/client-management/mdm/windowslicensing-ddf-file.md +++ b/windows/client-management/mdm/windowslicensing-ddf-file.md @@ -1,15 +1,12 @@ --- title: WindowsLicensing DDF file description: WindowsLicensing DDF file -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 2A24C922-A167-4CEE-8F74-08E7453800D2 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # WindowsLicensing DDF file diff --git a/windows/client-management/mdm/windowssecurityauditing-csp.md b/windows/client-management/mdm/windowssecurityauditing-csp.md index 231a3c0329..686a058d93 100644 --- a/windows/client-management/mdm/windowssecurityauditing-csp.md +++ b/windows/client-management/mdm/windowssecurityauditing-csp.md @@ -1,15 +1,12 @@ --- title: WindowsSecurityAuditing CSP description: The WindowsSecurityAuditing configuration service provider (CSP) is used to enable logging of security audit events. This CSP was added in Windows 10, version 1511. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 611DF7FF-21CE-476C-AAB5-3D09C1CDF08A -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # WindowsSecurityAuditing CSP diff --git a/windows/client-management/mdm/windowssecurityauditing-ddf-file.md b/windows/client-management/mdm/windowssecurityauditing-ddf-file.md index ec06383f5d..cd9ef72d61 100644 --- a/windows/client-management/mdm/windowssecurityauditing-ddf-file.md +++ b/windows/client-management/mdm/windowssecurityauditing-ddf-file.md @@ -1,15 +1,12 @@ --- title: WindowsSecurityAuditing DDF file description: This topic shows the OMA DM device description framework (DDF) for the WindowsSecurityAuditing configuration service provider. This CSP was added in Windows 10, version 1511. -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: B1F9A5FA-185B-48C6-A7F4-0F0F23B971F0 -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # WindowsSecurityAuditing DDF file diff --git a/windows/client-management/mdm/wmi-providers-supported-in-windows.md b/windows/client-management/mdm/wmi-providers-supported-in-windows.md index 45bb1e69fe..ade8ecd858 100644 --- a/windows/client-management/mdm/wmi-providers-supported-in-windows.md +++ b/windows/client-management/mdm/wmi-providers-supported-in-windows.md @@ -4,15 +4,12 @@ description: WMI providers supported in Windows 10 MS-HAID: - 'p\_phdevicemgmt.wmi\_providers\_supported\_in\_windows\_10\_technical\_preview' - 'p\_phDeviceMgmt.wmi\_providers\_supported\_in\_windows' -MSHAttr: -- 'PreferredSiteName:MSDN' -- 'PreferredLib:/library/windows/hardware' ms.assetid: 7D533044-AAD7-4B8F-B71B-9D52C15A168A -ms.author: windows-hardware-design-content -ms.date: 05/02/2017 +ms.author: maricia ms.topic: article -ms.prod: windows-hardware -ms.technology: windows-oem +ms.prod: w10 +ms.technology: windows +author: nickbrower --- # WMI providers supported in Windows 10 diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json index 07ca5a5dc2..9e4397cd87 100644 --- a/windows/configuration/docfx.json +++ b/windows/configuration/docfx.json @@ -32,7 +32,8 @@ "externalReference": [], "globalMetadata": { "uhfHeaderId": "MSDocsHeader-WindowsIT", - "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json" + "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "ms.technology": "windows" }, "fileMetadata": {}, "template": [], diff --git a/windows/configuration/mobile-devices/mobile-lockdown-designer.md b/windows/configuration/mobile-devices/mobile-lockdown-designer.md index 33a512ae37..4c7a24ae08 100644 --- a/windows/configuration/mobile-devices/mobile-lockdown-designer.md +++ b/windows/configuration/mobile-devices/mobile-lockdown-designer.md @@ -15,7 +15,7 @@ author: jdeckerms Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available. This is accomplished using Lockdown XML, an XML file that contains settings for Windows 10 Mobile. -When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. +When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. You can deploy the lockdown XML file by [adding it to a provisioning package](lockdown-xml.md#add-lockdown-xml-to-a-provisioning-package) or [by using mobile device management (MDM)](lockdown-xml.md#push-lockdown-xml-using-mdm). The Lockdown Designer app helps you configure and create a lockdown XML file that you can apply to devices running Windows 10 Mobile, version 1703, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Lockdown Designer also validates the XML. Using Lockdown Designer is easier than [manually creating a lockdown XML file](lockdown-xml.md). diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md index 1f432594f7..5fc6d0a993 100644 --- a/windows/configuration/windows-10-start-layout-options-and-policies.md +++ b/windows/configuration/windows-10-start-layout-options-and-policies.md @@ -64,7 +64,7 @@ There are three categories of apps that might be pinned to a taskbar: * Apps pinned by the enterprise, such as in an unattended Windows setup >[!NOTE] - >The earlier method of using [TaskbarLinks](https://go.microsoft.com/fwlink/p/?LinkId=761230) in an unattended Windows setup file is deprecated in Windows 10, version 1607. + >We recommend using [the layoutmodification.xml method](configure-windows-10-taskbar.md) to configure taskbar options, rather than the earlier method of using [TaskbarLinks](https://go.microsoft.com/fwlink/p/?LinkId=761230) in an unattended Windows setup file. The following example shows how apps will be pinned - Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using XML to the right (green square). @@ -97,7 +97,7 @@ The new taskbar layout for upgrades to Windows 10, version 1607 or later, will a * If the user didn't pin the app and the app is in the updated layout file, the app will be pinned to the right. * New apps specified in updated layout file are pinned to right of user's pinned apps. -[Learn how to onfigure Windows 10 taskbar](configure-windows-10-taskbar.md). +[Learn how to configure Windows 10 taskbar](configure-windows-10-taskbar.md). ## Related topics diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json index 652028bf85..3c58607382 100644 --- a/windows/deployment/docfx.json +++ b/windows/deployment/docfx.json @@ -32,7 +32,8 @@ "externalReference": [], "globalMetadata": { "uhfHeaderId": "MSDocsHeader-WindowsIT", - "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json" + "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "ms.technology": "windows" }, "fileMetadata": {}, "template": [], diff --git a/windows/deployment/index.md b/windows/deployment/index.md index b24224172e..95945c8749 100644 --- a/windows/deployment/index.md +++ b/windows/deployment/index.md @@ -9,15 +9,6 @@ localizationpriority: high author: greg-lindsay --- - - - - - - -
    Icon showing a security alert A wide-spread ransomware attack, known as "WannaCrypt," targets Windows systems that do not yet have the latest updates. Given the severity of this threat, immediately update your Windows systems. [Learn more](https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/).
    -     - # Deploy, Upgrade and Update Windows 10 Learn about deployment in Windows 10 for IT professionals. This includes deploying the operating system, upgrading to it from previous version and updating Windows 10. diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index b01537fa06..87134c472f 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md @@ -73,16 +73,23 @@ MBR2GPT: Validation completed successfully In the following example: -1. The current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0. +1. Using DiskPart, the current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0. 2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx) is **07** corresponding to the installable file system (IFS) type. 2. The MBR2GPT tool is used to convert disk 0. -3. The DISKPART tool displays that disk 0 is now using the GPT format. +3. The DiskPart tool displays that disk 0 is now using the GPT format. 4. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3). 5. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type. >As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly. ``` +X:\>DiskPart + +Microsoft DiskPart version 10.0.15048.0 + +Copyright (C) Microsoft Corporation. +On computer: MININT-K71F13N + DISKPART> list volume Volume ### Ltr Label Fs Type Size Status Info @@ -140,7 +147,7 @@ MBR2GPT: Fixing drive letter mapping MBR2GPT: Conversion completed successfully MBR2GPT: Before the new system can boot properly you need to switch the firmware to boot to UEFI mode! -X:\>diskpart +X:\>DiskPart Microsoft DiskPart version 10.0.15048.0 @@ -364,9 +371,16 @@ You can also view the partition type of a disk by opening the Disk Management to ![Volumes](images/mbr2gpt-volume.PNG) -If Windows PowerShell and Disk Management are not available, such as when you are using Windows PE, you can determine the partition type at a command prompt with the diskpart tool. To determine the partition style, type **diskpart** and then type **list disk**. See the following example: +If Windows PowerShell and Disk Management are not available, such as when you are using Windows PE, you can determine the partition type at a command prompt with the DiskPart tool. To determine the partition style from a command line, type **diskpart** and then type **list disk**. See the following example: ``` +X:\>DiskPart + +Microsoft DiskPart version 10.0.15048.0 + +Copyright (C) Microsoft Corporation. +On computer: MININT-K71F13N + DISKPART> list disk Disk ### Status Size Free Dyn Gpt diff --git a/windows/deployment/update/images/update-compliance-wdav-assessment.png b/windows/deployment/update/images/update-compliance-wdav-assessment.png new file mode 100644 index 0000000000..266c5b7210 Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-assessment.png differ diff --git a/windows/deployment/update/images/update-compliance-wdav-overview.png b/windows/deployment/update/images/update-compliance-wdav-overview.png new file mode 100644 index 0000000000..977478fb74 Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-overview.png differ diff --git a/windows/deployment/update/images/update-compliance-wdav-prot-status.png b/windows/deployment/update/images/update-compliance-wdav-prot-status.png new file mode 100644 index 0000000000..2c6c355ca4 Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-prot-status.png differ diff --git a/windows/deployment/update/images/update-compliance-wdav-query-not-assessed.png b/windows/deployment/update/images/update-compliance-wdav-query-not-assessed.png new file mode 100644 index 0000000000..733bfb6ae7 Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-query-not-assessed.png differ diff --git a/windows/deployment/update/images/update-compliance-wdav-status-add-filter.png b/windows/deployment/update/images/update-compliance-wdav-status-add-filter.png new file mode 100644 index 0000000000..d914960a7a Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-status-add-filter.png differ diff --git a/windows/deployment/update/images/update-compliance-wdav-status-filter-apply.png b/windows/deployment/update/images/update-compliance-wdav-status-filter-apply.png new file mode 100644 index 0000000000..7d8021b02e Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-status-filter-apply.png differ diff --git a/windows/deployment/update/images/update-compliance-wdav-status-filter.png b/windows/deployment/update/images/update-compliance-wdav-status-filter.png new file mode 100644 index 0000000000..cd500c2cb3 Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-status-filter.png differ diff --git a/windows/deployment/update/images/update-compliance-wdav-status-log.png b/windows/deployment/update/images/update-compliance-wdav-status-log.png new file mode 100644 index 0000000000..30e2e2352f Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-status-log.png differ diff --git a/windows/deployment/update/images/update-compliance-wdav-status-query.png b/windows/deployment/update/images/update-compliance-wdav-status-query.png new file mode 100644 index 0000000000..c7d1a436fe Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-status-query.png differ diff --git a/windows/deployment/update/images/update-compliance-wdav-threat-status.png b/windows/deployment/update/images/update-compliance-wdav-threat-status.png new file mode 100644 index 0000000000..ada9c09bbf Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-threat-status.png differ diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md index 8a67edbacb..bc18ab0d95 100644 --- a/windows/deployment/update/index.md +++ b/windows/deployment/update/index.md @@ -7,14 +7,6 @@ ms.sitesec: library author: DaniHalfin localizationpriority: high --- - - - - - - -
    Icon showing a security alert A wide-spread ransomware attack, known as "WannaCrypt," targets Windows systems that do not yet have the latest updates. Given the severity of this threat, immediately update your Windows systems. [Learn more](https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/).
    -     # Update Windows 10 in the enterprise diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index f6c1878943..2b42051399 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -10,7 +10,7 @@ author: greg-lindsay # Get started with Update Compliance -This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance. +This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance. Steps are provided in sections that follow the recommended setup process: 1. Ensure that [prerequisites](#update-compliance-prerequisites) are met. @@ -19,22 +19,25 @@ Steps are provided in sections that follow the recommended setup process: ## Update Compliance Prerequisites -Update Compliance has the following requirements: -1. Update Compliance is currently only compatible with Windows 10 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops). -2. The solution requires that Windows 10 telemetry is enabled on all devices that are intended to be displayed in the solution. These devices must have at least the [basic level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) enabled. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization). +Update Compliance has the following requirements: +1. Update Compliance is currently only compatible with Windows 10 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops). +2. The solution requires that Windows 10 telemetry is enabled on all devices that are intended to be displayed in the solution. These devices must have at least the [basic level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) enabled. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization). 3. The telemetry of your organization’s Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for different aspects of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on telemetry endpoints and summarizes the use of each endpoint: - -
    ServiceEndpoint -
    Connected User Experience and Telemetry componentv10.vortex-win.data.microsoft.com -
    settings-win.data.microsoft.com -
    Windows Error Reporting watson.telemetry.microsoft.com -
    Online Crash Analysis oca.telemetry.microsoft.com -
    + +
    ServiceEndpoint +
    Connected User Experience and Telemetry componentv10.vortex-win.data.microsoft.com +
    settings-win.data.microsoft.com +
    Windows Error Reporting watson.telemetry.microsoft.com +
    Online Crash Analysis oca.telemetry.microsoft.com +
    + +4. To use Windows Defender Antivirus Assessment, devices must be protected by Windows Defender AV (and not a 3rd party AV program), and must have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). See the [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) content library for more information on enabling, configuring, and validating Windows Defender AV. + ## Add Update Compliance to Microsoft Operations Management Suite -Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). +Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). If you are already using OMS, you’ll find Update Compliance in the Solutions Gallery. Select the **Update Compliance** tile in the gallery and then click **Add** on the solution's details page. Update Compliance is now visible in your workspace. @@ -52,7 +55,7 @@ If you are not yet using OMS, use the following steps to subscribe to OMS Update -3. Create a new OMS workspace. +3. Create a new OMS workspace.

    @@ -76,7 +79,7 @@ If you are not yet using OMS, use the following steps to subscribe to OMS Update -7. Select the **Update Compliance** tile in the gallery and then select **Add** on the solution’s details page. You might need to scroll to find **Update Compliance**. The solution is now visible on your workspace. +7. Select the **Update Compliance** tile in the gallery and then select **Add** on the solution’s details page. You might need to scroll to find **Update Compliance**. The solution is now visible on your workspace.

    @@ -100,7 +103,7 @@ After you are subscribed to OMS Update Compliance and your devices have a Commer ## Deploy your Commercial ID to your Windows 10 devices -In order for your devices to show up in Windows Analytics: Update Compliance, they must be configured with your organization’s Commercial ID. This is so that Microsoft knows that a given device is a member of your organization and to feed that device’s data back to you. There are two primary methods for widespread deployment of your Commercial ID: Group Policy and Mobile Device Management (MDM). +In order for your devices to show up in Windows Analytics: Update Compliance, they must be configured with your organization’s Commercial ID. This is so that Microsoft knows that a given device is a member of your organization and to feed that device’s data back to you. There are two primary methods for widespread deployment of your Commercial ID: Group Policy and Mobile Device Management (MDM). - Using Group Policy

    Deploying your Commercial ID using Group Policy can be accomplished by configuring domain Group Policy Objects with the Group Policy Management Editor, or by configuring local Group Policy using the Local Group Policy Editor. @@ -114,4 +117,4 @@ In order for your devices to show up in Windows Analytics: Update Compliance, th ## Related topics -[Use Update Compliance to monitor Windows Updates](update-compliance-using.md) \ No newline at end of file +[Use Update Compliance to monitor Windows Updates](update-compliance-using.md) diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md index 39d8b0e012..08daf13df1 100644 --- a/windows/deployment/update/update-compliance-using.md +++ b/windows/deployment/update/update-compliance-using.md @@ -31,7 +31,8 @@ Update Compliance has the following primary blades: 3. [Latest and Previous Security Update Status](#latest-and-previous-security-update-status) 4. [Overall Feature Update Status](#overall-feature-update-status) 5. [CB, CBB, LTSB Deployment Status](#cb-cbb-ltsb-deployment-status) -6. [List of Queries](#list-of-queries) +6. [Windows Defender Antivirus Assessment](#wdav-assessment) +7. [List of Queries](#list-of-queries) ## OS Update Overview @@ -41,6 +42,7 @@ The first blade of OMS Update Compliance is the General **OS Update Overview** b ![OS Update Overview](images/uc-11.png) + This blade is divided into three sections: - Device Summary: - Needs Attention Summary @@ -139,6 +141,133 @@ The Overall Feature Update Status blade focuses around whether or not your devic Devices are evaluated by OS Version (e.g., 1607) and the count of how many are Current, Not Current, and have Update Failures is displayed. Clicking on any of these counts will allow you to view all those devices, as well as select the **Update Deployment Status** perspective, described below.  + +## Windows Defender Antivirus Assessment + +You'll notice some new tiles in the Overview blade which provide a summary of Windows Defender AV-related issues, highlighted in the following screenshot. + +![verview blade showing a summary of key Windows Defender Antivirus issues](images/update-compliance-wdav-overview.png) + +The **AV Signature** chart shows the number of devices that either have up-to-date [protection updates (also known as signatures or definitions)](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus), while the **Windows Defender AV Status** tile indicates the percentage of all assessed devices that are not updated and do not have real-time protection enabled. The Windows Defender Antivirus Assessment section provides more information that lets you investigate potential issues. + +If you're using [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) to protect devices in your organization and have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus), you can use this section to review the overall status of key protection features, including the number of devices that have [always-on real-time protection](/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) and up-to-date definitions. + +There are two blades in the Windows Defender AV Assessment section: + +- Protection status +- Threats status + +![Windows Defender Antivirus Assessment blade in Update Compliance](images/update-compliance-wdav-assessment.png) + +The **Protection Status** blade shows three key measurements: + +1. How many devices have old or current signatures (also known as protection updates or definitions) +2. How many devices have the core Windows Defender AV always-on scanning feature enabled, called real-time protection + + +![Windows Defender Antivirus protection status in Update Compliance](images/update-compliance-wdav-prot-status.png) + +See the [Manage Windows Defender AV updates and apply baselines](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) topic for an overview on how updates work, and further information on applying updates. + +The **Threats Status** blade shows the following measurements: + +1. How many devices that have threats that have been remediated (removed or quarantined on the device) +2. How many devices that have threats where remediation was not successful (this may indicate a manual reboot or clean is required) + + +![Windows Defender Antivirus threat status in Update Compliance](images/update-compliance-wdav-threat-status.png) + +Devices can be in multiple states at once, as one device may have multiple threats, some of which may or may not be remediated. + +> [!IMPORTANT] +> The data reported in Update Compliance can be delayed by up to 24 hours. + +See the [Customize, initiate, and review the results of Windows Defender AV scans and remediation](/windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus) topic for more information on how to perform scans and other manual remediation tasks. + +As with other blades in Update Compliance, clicking on a specific measurement or item will open the associated query that you can use to investigate individual devices and issues, as described below. + + +### Investigate individual devices and threats + + +Click on any of the status measurements to be taken to a pre-built log query that shows the impacted devices for that status. + +![Sample Windows Defender AV query in Update Compliance](images/update-compliance-wdav-status-log.png) + +You can also find a pre-built query on the main Update Compliance screen, under the **Queries** blade, that lists devices that have not been assessed for Windows Defender AV. + +![Overview blade showing a summary of key Windows Defender Antivirus issues](images/update-compliance-wdav-query-not-assessed.png) + + + + + + + + +You can further filter queries by clicking any of the measurement labels for each incident, changing the values in the query filter pane, and then clicking **Apply**. + +![Click the Apply button on the left pane](images/update-compliance-wdav-status-filter-apply.png) + + + +Click **+Add** at the bottom of the filter pane to open a list of filters you can apply. + +![Click Add to add more filters](images/update-compliance-wdav-status-add-filter.png) + + +You can also click the **. . .** button next to each label to instantly filter by that label or value. + +![Click the elipsis icon to instantly filter by the selected label](images/update-compliance-wdav-status-filter.png) + +You can create your own queries by using a query string in the following format: + +``` +Type: