Date: Mon, 20 Sep 2021 14:22:46 +0530
Subject: [PATCH 03/32] Added Windows 11 to the table as per the comment in the
description
---
.../configure-md-app-guard.md | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
index a8c72499c0..1bfbbc69ae 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
@@ -53,13 +53,13 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind
|Name|Supported versions|Description|Options|
|-----------|------------------|-----------|-------|
-|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higherWindows 10 Pro, 1803 or higher|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
- Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
-|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.
**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
-|Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.
**NOTE**: This action might also block assets cached by CDNs and references to analytics sites. Add them to the trusted enterprise resources to avoid broken pages.
**Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. |
-|Allow Persistence|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
**Disabled or not configured.** All user data within Application Guard is reset between sessions.
**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container:**
1. Open a command-line program and navigate to `Windows/System32`.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
-|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Microsoft Defender Application Guard only for Microsoft Edge
- Enable Microsoft Defender Application Guard only for Microsoft Office
- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office
**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.|
-|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.
**Disabled or not configured.** Users are not able to save downloaded files from Application Guard to the host operating system.|
-|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher
Windows 10 Pro, 1803 or higher|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.|
-|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.
**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
-|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.
**Disabled or not configured.** Certificates are not shared with Microsoft Defender Application Guard.|
+|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher
Windows 11|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
- Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
+|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher
Windows 11|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.
**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
+|Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer|Windows 10 Enterprise, 1709 or higher
Windows 11|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.
**NOTE**: This action might also block assets cached by CDNs and references to analytics sites. Add them to the trusted enterprise resources to avoid broken pages.
**Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. |
+|Allow Persistence|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher
Windows 11|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
**Disabled or not configured.** All user data within Application Guard is reset between sessions.
**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container:**
1. Open a command-line program and navigate to `Windows/System32`.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
+|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher
Windows 11|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Microsoft Defender Application Guard only for Microsoft Edge
- Enable Microsoft Defender Application Guard only for Microsoft Office
- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office
**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.|
+|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher
Windows 11|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.
**Disabled or not configured.** Users are not able to save downloaded files from Application Guard to the host operating system.|
+|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher
Windows 10 Pro, 1803 or higher
Windows 11|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.|
+|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher
Windows 11|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.
**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
+|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher
Windows 11|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.
**Disabled or not configured.** Certificates are not shared with Microsoft Defender Application Guard.|
|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.
**Disabled or not configured.** event logs aren't collected from your Application Guard container.|
From e0fc4abc99e7c8959f8ee3ed6ac4633fc9c01728 Mon Sep 17 00:00:00 2001
From: Asha Iyengar
Date: Mon, 20 Sep 2021 14:24:01 +0530
Subject: [PATCH 04/32] updated
---
.../configure-md-app-guard.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
index 1bfbbc69ae..593010cfed 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
@@ -62,4 +62,4 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind
|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher
Windows 10 Pro, 1803 or higherWindows 11|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.|
|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher
Windows 11|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.
**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher
Windows 11|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.
**Disabled or not configured.** Certificates are not shared with Microsoft Defender Application Guard.|
-|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.
**Disabled or not configured.** event logs aren't collected from your Application Guard container.|
+|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher
Windows 11|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.
**Disabled or not configured.** event logs aren't collected from your Application Guard container.|
From 030b57d0a4fc7af404973668d0ee84d13280ebd3 Mon Sep 17 00:00:00 2001
From: Asha Iyengar
Date: Mon, 20 Sep 2021 14:28:59 +0530
Subject: [PATCH 05/32] Added Windows 11 whereever applicable. These were
missed out
---
.../install-md-app-guard.md | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
index 6c2db12e7d..f4f8a176f7 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
@@ -36,6 +36,7 @@ Before you can install and use Microsoft Defender Application Guard, you must de
Applies to:
- Windows 10 Enterprise edition, version 1709 or higher
- Windows 10 Pro edition, version 1803
+- Windows 11
Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the [Application Guard in standalone mode](test-scenarios-md-app-guard.md) testing scenario.
@@ -43,6 +44,7 @@ Employees can use hardware-isolated browsing sessions without any administrator
Applies to:
- Windows 10 Enterprise edition, version 1709 or higher
+- Windows 11
You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to add non-enterprise domain(s) in the container.
@@ -68,7 +70,7 @@ Application Guard functionality is turned off by default. However, you can quick
>[!NOTE]
>Ensure your devices have met all system requirements prior to this step. PowerShell will install the feature without checking system requirements. If your devices don't meet the system requirements, Application Guard may not work. This step is recommended for enterprise managed scenarios only.
-1. Click the **Search** or **Cortana** icon in the Windows 10 taskbar and type **PowerShell**.
+1. Click the **Search** or **Cortana** icon in the Windows 10 or Windows 11 taskbar and type **PowerShell**.
2. Right-click **Windows PowerShell**, and then click **Run as administrator**.
@@ -122,4 +124,4 @@ Application Guard functionality is turned off by default. However, you can quick
1. Click **Save**.
-After the profile is created, any devices to which the policy should apply will have Microsoft Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place.
\ No newline at end of file
+After the profile is created, any devices to which the policy should apply will have Microsoft Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place.
From 5f9f95715d66acba5f6457d3063d1231e4acbbae Mon Sep 17 00:00:00 2001
From: Asha Iyengar
Date: Mon, 20 Sep 2021 15:00:13 +0530
Subject: [PATCH 06/32] Updated
---
.../md-app-guard-overview.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
index 010f230e70..640f7eae00 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
@@ -1,5 +1,5 @@
---
-title: Microsoft Defender Application Guard (Windows 10)
+title: Microsoft Defender Application Guard (Windows 10 or Windows 11)
description: Learn about Microsoft Defender Application Guard and how it helps to combat malicious content and malware out on the Internet.
ms.prod: m365-security
ms.mktglfcycl: manage
@@ -56,4 +56,4 @@ Application Guard has been created to target several types of devices:
| [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide |
| [Microsoft Defender Application Guard for Microsoft Office](/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide |
|[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.yml)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.|
-|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.|
\ No newline at end of file
+|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.|
From 54672073b30c07dd4456d012bfb8f9181561bf1e Mon Sep 17 00:00:00 2001
From: Ashok Lobo
Date: Mon, 20 Sep 2021 17:55:46 +0530
Subject: [PATCH 07/32] Updated for 5358858
---
.../configure-md-app-guard.md | 4 ++--
.../install-md-app-guard.md | 2 +-
.../md-app-guard-browser-extension.md | 3 ++-
.../test-scenarios-md-app-guard.md | 11 +++++++----
4 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
index 593010cfed..d3480738e7 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
@@ -1,5 +1,5 @@
---
-title: Configure the Group Policy settings for Microsoft Defender Application Guard (Windows 10)
+title: Configure the Group Policy settings for Microsoft Defender Application Guard (Windows)
description: Learn about the available Group Policy settings for Microsoft Defender Application Guard.
ms.prod: m365-security
ms.mktglfcycl: manage
@@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 09/16/2021
+ms.date: 09/20/2021
ms.reviewer:
manager: dansimp
ms.custom: asr
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
index f4f8a176f7..c16ce0700e 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
@@ -1,5 +1,5 @@
---
-title: Enable hardware-based isolation for Microsoft Edge (Windows 10)
+title: Enable hardware-based isolation for Microsoft Edge (Windows)
description: Learn about the Microsoft Defender Application Guard modes (Standalone or Enterprise-managed), and how to install Application Guard in your enterprise.
ms.prod: m365-security
ms.mktglfcycl: manage
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md
index a3a578cd53..90f1d07fca 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md
@@ -24,7 +24,7 @@ ms.technology: mde
[Microsoft Defender Application Guard Extension](https://www.microsoft.com/security/blog/2019/05/23/new-browser-extensions-for-integrating-microsofts-hardware-based-isolation/) is a web browser add-on available for [Chrome](https://chrome.google.com/webstore/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj/) and [Firefox](https://addons.mozilla.org/en-US/firefox/addon/application-guard-extension/).
-[Microsoft Defender Application Guard](md-app-guard-overview.md) provides Hyper-V isolation on Windows 10, to protect users from potentially harmful content on the web. The extension helps Application Guard protect users running other web browsers.
+[Microsoft Defender Application Guard](md-app-guard-overview.md) provides Hyper-V isolation on Windows 10 and Windows 11, to protect users from potentially harmful content on the web. The extension helps Application Guard protect users running other web browsers.
> [!TIP]
> Application Guard, by default, offers [native support](/deployedge/microsoft-edge-security-windows-defender-application-guard) to both Microsoft Edge and Internet Explorer. These browsers do not need the extension described here for Application Guard to protect them.
@@ -38,6 +38,7 @@ Microsoft Defender Application Guard Extension works with the following editions
- Windows 10 Professional
- Windows 10 Enterprise
- Windows 10 Education
+- Windows 11
Application Guard itself is required for the extension to work. It has its own set of [requirements](reqs-md-app-guard.md). Check the Application Guard [installation guide](install-md-app-guard.md) for further steps, if you don't have it installed already.
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
index 3e07e70fdc..292813b7c0 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
@@ -1,5 +1,5 @@
---
-title: Testing scenarios with Microsoft Defender Application Guard (Windows 10)
+title: Testing scenarios with Microsoft Defender Application Guard (Windows 10 or Windows 11)
description: Suggested testing scenarios for Microsoft Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode.
ms.prod: m365-security
ms.mktglfcycl: manage
@@ -51,7 +51,7 @@ How to install, set up, turn on, and configure Application Guard for Enterprise-
### Install, set up, and turn on Application Guard
-Before you can use Application Guard in managed mode, you must install Windows 10 Enterprise edition, version 1709, which includes the functionality. Then, you must use Group Policy to set up the required settings.
+Before you can use Application Guard in managed mode, you must install Windows 10 Enterprise edition, version 1709, and Windows 11 which includes the functionality. Then, you must use Group Policy to set up the required settings.
1. [Install Application Guard](./install-md-app-guard.md#install-application-guard).
@@ -112,6 +112,7 @@ You have the option to change each of these settings to work with your enterpris
- Windows 10 Enterprise edition, version 1709 or higher
- Windows 10 Professional edition, version 1803
+- Windows 11
#### Copy and paste options
@@ -170,7 +171,7 @@ You have the option to change each of these settings to work with your enterpris
The previously added site should still appear in your **Favorites** list.
> [!NOTE]
- > If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.
+ > If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10 and Windows 11.
>
> If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
>
@@ -180,6 +181,7 @@ You have the option to change each of these settings to work with your enterpris
- Windows 10 Enterprise edition, version 1803
- Windows 10 Professional edition, version 1803
+- Windows 11
#### Download options
@@ -211,12 +213,13 @@ You have the option to change each of these settings to work with your enterpris
- Windows 10 Enterprise edition, version 1809
- Windows 10 Professional edition, version 1809
+- Windows 11
#### File trust options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow users to trust files that open in Microsoft Defender Application Guard** setting.
-2. Click **Enabled**, set **Options** to 2, and click **OK**.
+2. Click **Enabled**, set **Options** to **2**, and click **OK**.
From bb51aac13cd4e08c040fae8d6ca3226138b21b59 Mon Sep 17 00:00:00 2001
From: Ashok Lobo
Date: Fri, 24 Sep 2021 20:11:23 +0530
Subject: [PATCH 08/32] Updated for task 5441097
---
.../smart-card-and-remote-desktop-services.md | 6 ++---
.../smart-cards/smart-card-architecture.md | 6 ++---
...rt-card-certificate-propagation-service.md | 6 ++---
...ertificate-requirements-and-enumeration.md | 8 +++----
.../smart-card-debugging-information.md | 6 ++---
.../smart-cards/smart-card-events.md | 6 ++---
...card-group-policy-and-registry-settings.md | 6 ++---
...how-smart-card-sign-in-works-in-windows.md | 6 ++---
.../smart-card-removal-policy-service.md | 8 +++----
...rt-card-smart-cards-for-windows-service.md | 6 ++---
.../smart-card-tools-and-settings.md | 6 ++---
...-windows-smart-card-technical-reference.md | 6 ++---
.../how-user-account-control-works.md | 24 ++++++++++---------
...-group-policy-and-registry-key-settings.md | 5 ++--
.../user-account-control-overview.md | 7 +++---
...ccount-control-security-policy-settings.md | 7 ++++--
16 files changed, 63 insertions(+), 56 deletions(-)
diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
index d5c9651f0f..70b89b04ee 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
@@ -1,5 +1,5 @@
---
-title: Smart Card and Remote Desktop Services (Windows 10)
+title: Smart Card and Remote Desktop Services (Windows)
description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
ms.prod: w10
ms.mktglfcycl: deploy
@@ -12,13 +12,13 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
-ms.date: 04/19/2017
+ms.date: 09/24/2021
ms.reviewer:
---
# Smart Card and Remote Desktop Services
-Applies To: Windows 10, Windows Server 2016
+Applies To: Windows 10, Windows 11, Windows Server 2016 and above
This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
index 63cbad9b26..604f470a49 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
@@ -1,5 +1,5 @@
---
-title: Smart Card Architecture (Windows 10)
+title: Smart Card Architecture (Windows)
description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system.
ms.prod: w10
ms.mktglfcycl: deploy
@@ -12,13 +12,13 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
-ms.date: 04/19/2017
+ms.date: 09/24/2021
ms.reviewer:
---
# Smart Card Architecture
-Applies To: Windows 10, Windows Server 2016
+Applies To: Windows 10, Windows 11, Windows Server 2016 and above
This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system, including credential provider architecture and the smart card subsystem architecture.
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
index dbcf86ee67..32f79fdf8f 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
@@ -1,5 +1,5 @@
---
-title: Certificate Propagation Service (Windows 10)
+title: Certificate Propagation Service (Windows)
description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation.
ms.prod: w10
ms.mktglfcycl: deploy
@@ -12,13 +12,13 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
-ms.date: 04/19/2017
+ms.date: 08/24/2021
ms.reviewer:
---
# Certificate Propagation Service
-Applies To: Windows 10, Windows Server 2016
+Applies To: Windows 10, Windows 11, Windows Server 2016 and above
This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation.
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
index a220e7e658..7e32d7679f 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
@@ -1,5 +1,5 @@
---
-title: Certificate Requirements and Enumeration (Windows 10)
+title: Certificate Requirements and Enumeration (Windows)
description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
ms.prod: w10
ms.mktglfcycl: deploy
@@ -12,13 +12,13 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
-ms.date: 04/19/2017
+ms.date: 09/24/2021
ms.reviewer:
---
# Certificate Requirements and Enumeration
-Applies To: Windows 10, Windows Server 2016
+Applies To: Windows 10, Windows 11, Windows Server 2016 and above
This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
@@ -185,7 +185,7 @@ Certificate requirements are listed by versions of the Windows operating system.
The smart card certificate has specific format requirements when it is used with Windows XP and earlier operating systems. You can enable any certificate to be visible for the smart card credential provider.
-| **Component** | **Requirements for Windows 8.1, Windows 8, Windows 7, Windows Vista, and Windows 10** | **Requirements for Windows XP** |
+| **Component** | **Requirements for Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows 10, and Windows 11** | **Requirements for Windows XP** |
|--------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| CRL distribution point location | Not required | The location must be specified, online, and available, for example:
\[1\]CRL Distribution Point
Distribution Point Name:
Full Name:
URL= |
| Key usage | Digital signature | Digital signature |
diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
index a084d3c132..b65f0ce66c 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
@@ -1,5 +1,5 @@
---
-title: Smart Card Troubleshooting (Windows 10)
+title: Smart Card Troubleshooting (Windows)
description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
ms.prod: w10
ms.mktglfcycl: deploy
@@ -12,13 +12,13 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
-ms.date: 04/19/2017
+ms.date: 09/24/2021
ms.reviewer:
---
# Smart Card Troubleshooting
-Applies To: Windows 10, Windows Server 2016
+Applies To: Windows 10, Windows 11, Windows Server 2016 and above
This article explains tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md
index bb93b39cce..b8f7de6f81 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-events.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-events.md
@@ -1,5 +1,5 @@
---
-title: Smart Card Events (Windows 10)
+title: Smart Card Events (Windows)
description: This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development.
ms.prod: w10
ms.mktglfcycl: deploy
@@ -12,13 +12,13 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
-ms.date: 04/19/2017
+ms.date: 09/24/2021
ms.reviewer:
---
# Smart Card Events
-Applies To: Windows 10, Windows Server 2016
+Applies To: Windows 10, Windows 11, Windows Server 2016 and above
This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development.
diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
index 50d2b45bb2..ad5011e9b9 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
@@ -1,5 +1,5 @@
---
-title: Smart Card Group Policy and Registry Settings (Windows 10)
+title: Smart Card Group Policy and Registry Settings (Windows)
description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards.
ms.prod: w10
ms.mktglfcycl: deploy
@@ -12,13 +12,13 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
-ms.date: 04/19/2017
+ms.date: 09/23/2021
ms.reviewer:
---
# Smart Card Group Policy and Registry Settings
-Applies to: Windows 10, Windows Server 2016
+Applies to: Windows 10, Windows 11, Windows Server 2016 and above
This article for IT professionals and smart card developers describes the Group Policy settings, registry key settings, local security policy settings, and credential delegation policy settings that are available for configuring smart cards.
diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
index 9939c9ec73..8dc9a36c37 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
@@ -1,5 +1,5 @@
---
-title: How Smart Card Sign-in Works in Windows (Windows 10)
+title: How Smart Card Sign-in Works in Windows (Windows)
description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system.
ms.prod: w10
ms.mktglfcycl: deploy
@@ -12,13 +12,13 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
-ms.date: 04/19/2017
+ms.date: 09/24/2021
ms.reviewer:
---
# How Smart Card Sign-in Works in Windows
-Applies To: Windows 10, Windows Server 2016
+Applies To: Windows 10, Windows 11, Windows Server 2016 and above
This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. It includes the following resources about the architecture, certificate management, and services that are related to smart card use:
diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
index 3f72307e25..c52deb3971 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
@@ -1,5 +1,5 @@
---
-title: Smart Card Removal Policy Service (Windows 10)
+title: Smart Card Removal Policy Service (Windows)
description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
ms.prod: w10
ms.mktglfcycl: deploy
@@ -12,17 +12,17 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
-ms.date: 04/19/2017
+ms.date: 09/24/2021
ms.reviewer:
---
# Smart Card Removal Policy Service
-Applies To: Windows 10, Windows Server 2016
+Applies To: Windows 10, Windows 11, Windows Server 2016
This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
-The smart card removal policy service is applicable when a user has signed in with a smart card and subsequently removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by Group Policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
+The smart card removal policy service is applicable when a user has signed in with a smart card and then removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by Group Policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
**Smart card removal policy service**
diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
index e4548fc317..b55d171543 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
@@ -1,5 +1,5 @@
---
-title: Smart Cards for Windows Service (Windows 10)
+title: Smart Cards for Windows Service (Windows)
description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions.
ms.prod: w10
ms.mktglfcycl: deploy
@@ -12,13 +12,13 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
-ms.date: 04/19/2017
+ms.date: 09/24/2021
ms.reviewer:
---
# Smart Cards for Windows Service
-Applies To: Windows 10, Windows Server 2016
+Applies To: Windows 10, Windows 11, Windows Server 2016 and above
This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service (formerly called Smart Card Resource Manager) manages readers and application interactions.
diff --git a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
index 74fdcc3e8f..1151e206de 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
@@ -1,5 +1,5 @@
---
-title: Smart Card Tools and Settings (Windows 10)
+title: Smart Card Tools and Settings (Windows)
description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.
ms.prod: w10
ms.mktglfcycl: deploy
@@ -12,13 +12,13 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
-ms.date: 04/19/2017
+ms.date: 09/24/2021
ms.reviewer:
---
# Smart Card Tools and Settings
-Applies To: Windows 10, Windows Server 2016
+Applies To: Windows 10, Windows 11, Windows Server 2016 and above
This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.
diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
index 99defcec30..dfd605776c 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
@@ -1,5 +1,5 @@
---
-title: Smart Card Technical Reference (Windows 10)
+title: Smart Card Technical Reference (Windows)
description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows.
ms.prod: w10
ms.mktglfcycl: deploy
@@ -12,13 +12,13 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
-ms.date: 04/19/2017
+ms.date: 09/24/2021
ms.reviewer:
---
# Smart Card Technical Reference
-Applies To: Windows 10, Windows Server 2016
+Applies To: Windows 10, Windows 11, Windows Server 2016 and above
The Smart Card Technical Reference describes the Windows smart card infrastructure for physical smart cards and how smart card-related components work in Windows. This document also contains information about tools that information technology (IT) developers and administrators can use to troubleshoot, debug, and deploy smart card-based strong authentication in the enterprise.
diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
index 76159c664d..abdfb49e90 100644
--- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
+++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
@@ -1,5 +1,5 @@
---
-title: How User Account Control works (Windows 10)
+title: How User Account Control works (Windows)
description: User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.
ms.assetid: 9f921779-0fd3-4206-b0e4-05a19883ee59
ms.reviewer:
@@ -14,19 +14,21 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
-ms.date: 11/16/2018
+ms.date: 09/23/2021
---
# How User Account Control works
**Applies to**
- Windows 10
+- Windows 11
+- Windows Server 2016 and above
User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.
## UAC process and interactions
-Each app that requires the administrator access token must prompt for consent. The one exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same integrity level. Windows 10 protects processes by marking their integrity levels. Integrity levels are measurements of trust. A "high" integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a "low" integrity application is one that performs tasks that could potentially compromise the operating system, such as a Web browser. Apps with lower integrity levels cannot modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provide valid administrator credentials.
+Each app that requires the administrator access token must prompt for consent. The one exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same integrity level. Windows 10 and Windows 11 protect processes by marking their integrity levels. Integrity levels are measurements of trust. A "high" integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a "low" integrity application is one that performs tasks that could potentially compromise the operating system, such as a Web browser. Apps with lower integrity levels cannot modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provide valid administrator credentials.
In order to better understand how this process happens, let's look at the Windows logon process.
@@ -40,17 +42,17 @@ By default, standard users and administrators access resources and run apps in t
When an administrator logs on, two separate access tokens are created for the user: a standard user access token and an administrator access token. The standard user access token contains the same user-specific information as the administrator access token, but the administrative Windows privileges and SIDs are removed. The standard user access token is used to start apps that do not perform administrative tasks (standard user apps). The standard user access token is then used to display the desktop (explorer.exe). Explorer.exe is the parent process from which all other user-initiated processes inherit their access token. As a result, all apps run as a standard user unless a user provides consent or credentials to approve an app to use a full administrative access token.
-A user that is a member of the Administrators group can log on, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows 10 automatically prompts the user for approval. This prompt is called an elevation prompt, and its behavior can be configured by using the Local Security Policy snap-in (Secpol.msc) or Group Policy. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md).
+A user that is a member of the Administrators group can log on, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows 10 or Windows 11 automatically prompts the user for approval. This prompt is called an elevation prompt, and its behavior can be configured by using the Local Security Policy snap-in (Secpol.msc) or Group Policy. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md).
### The UAC User Experience
-When UAC is enabled, the user experience for standard users is different from that of administrators in Admin Approval Mode. The recommended and more secure method of running Windows 10 is to make your primary user account a standard user account. Running as a standard user helps to maximize security for a managed environment. With the built-in UAC elevation component, standard users can easily perform an administrative task by entering valid credentials for a local administrator account. The default, built-in UAC elevation component for standard users is the credential prompt.
+When UAC is enabled, the user experience for standard users is different from that of administrators in Admin Approval Mode. The recommended and more secure method of running Windows 10 or Windows 11 is to make your primary user account a standard user account. Running as a standard user helps to maximize security for a managed environment. With the built-in UAC elevation component, standard users can easily perform an administrative task by entering valid credentials for a local administrator account. The default, built-in UAC elevation component for standard users is the credential prompt.
The alternative to running as a standard user is to run as an administrator in Admin Approval Mode. With the built-in UAC elevation component, members of the local Administrators group can easily perform an administrative task by providing approval. The default, built-in UAC elevation component for an administrator account in Admin Approval Mode is called the consent prompt.
**The consent and credential prompts**
-With UAC enabled, Windows 10 prompts for consent or prompts for credentials of a valid local administrator account before starting a program or task that requires a full administrator access token. This prompt ensures that no malicious software can be silently installed.
+With UAC enabled, Windows 10 or Windows 11 prompts for consent or prompts for credentials of a valid local administrator account before starting a program or task that requires a full administrator access token. This prompt ensures that no malicious software can be silently installed.
**The consent prompt**
@@ -68,12 +70,12 @@ The following is an example of the UAC credential prompt.
**UAC elevation prompts**
-The UAC elevation prompts are color-coded to be app-specific, enabling for immediate identification of an application's potential security risk. When an app attempts to run with an administrator's full access token, Windows 10 first analyzes the executable file to determine its publisher. Apps are first separated into three categories based on the file's publisher: Windows 10, publisher verified (signed), and publisher not verified (unsigned). The following diagram illustrates how Windows 10 determines which color elevation prompt to present to the user.
+The UAC elevation prompts are color-coded to be app-specific, enabling for immediate identification of an application's potential security risk. When an app attempts to run with an administrator's full access token, Windows 10 or Windows 11 first analyzes the executable file to determine its publisher. Apps are first separated into three categories based on the file's publisher: Windows 10 or Windows 11, publisher verified (signed), and publisher not verified (unsigned). The following diagram illustrates how Windows determines which color elevation prompt to present to the user.
The elevation prompt color-coding is as follows:
- Red background with a red shield icon: The app is blocked by Group Policy or is from a publisher that is blocked.
-- Blue background with a blue and gold shield icon: The application is a Windows 10 administrative app, such as a Control Panel item.
+- Blue background with a blue and gold shield icon: The application is a Windows 10 and Windows 11 administrative app, such as a Control Panel item.
- Blue background with a blue shield icon: The application is signed by using Authenticode and is trusted by the local computer.
- Yellow background with a yellow shield icon: The application is unsigned or signed but is not yet trusted by the local computer.
@@ -87,7 +89,7 @@ The shield icon on the **Change date and time** button indicates that the proces
**Securing the elevation prompt**
-The elevation process is further secured by directing the prompt to the secure desktop. The consent and credential prompts are displayed on the secure desktop by default in Windows 10. Only Windows processes can access the secure desktop. For higher levels of security, we recommend keeping the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting enabled.
+The elevation process is further secured by directing the prompt to the secure desktop. The consent and credential prompts are displayed on the secure desktop by default in Windows 10 and Windows 11. Only Windows processes can access the secure desktop. For higher levels of security, we recommend keeping the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting enabled.
When an executable file requests elevation, the interactive desktop, also called the user desktop, is switched to the secure desktop. The secure desktop dims the user desktop and displays an elevation prompt that must be responded to before continuing. When the user clicks **Yes** or **No**, the desktop switches back to the user desktop.
@@ -281,7 +283,7 @@ The slider will never turn UAC completely off. If you set it to Never notify<
Because system administrators in enterprise environments attempt to secure systems, many line-of-business (LOB) applications are designed to use only a standard user access token. As a result, you do not need to replace the majority of apps when UAC is turned on.
-Windows 10 includes file and registry virtualization technology for apps that are not UAC-compliant and that require an administrator's access token to run correctly. When an administrative apps that is not UAC-compliant attempts to write to a protected folder, such as Program Files, UAC gives the app its own virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the non-compliant app.
+Windows 10 and Windows 11 include file and registry virtualization technology for apps that are not UAC-compliant and that require an administrator's access token to run correctly. When an administrative apps that is not UAC-compliant attempts to write to a protected folder, such as Program Files, UAC gives the app its own virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the non-compliant app.
Most app tasks operate properly by using virtualization features. Although virtualization allows a majority of applications to run, it is a short-term fix and not a long-term solution. App developers should modify their apps to be compliant as soon as possible, rather than relying on file, folder, and registry virtualization.
@@ -301,7 +303,7 @@ All UAC-compliant apps should have a requested execution level added to the appl
### Installer detection technology
-Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users do not have sufficient access to install programs. Windows 10 heuristically detects installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows 10 also heuristically detects updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry.
+Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users do not have sufficient access to install programs. Windows 10 and Windows 11 heuristically detect installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows 10 and Windows 11 also heuristically detect updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry.
Installer detection only applies to:
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
index 6f65b3199e..a4ae0b4d3d 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
@@ -1,5 +1,5 @@
---
-title: User Account Control Group Policy and registry key settings (Windows 10)
+title: User Account Control Group Policy and registry key settings (Windows)
description: Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC.
ms.prod: w10
ms.mktglfcycl: deploy
@@ -21,7 +21,8 @@ ms.reviewer:
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
## Group Policy settings
There are 10 Group Policy settings that can be configured for User Account Control (UAC). The table lists the default for each of the policy settings, and the following sections explain the different UAC policy settings and provide recommendations. These policy settings are located in **Security Settings\\Local Policies\\Security Options** in the Local Security Policy snap-in. For more information about each of the Group Policy settings, see the Group Policy description. For information about the registry key settings, see [Registry key settings](#registry-key-settings).
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
index a95145abaa..263dd2fe27 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
@@ -1,5 +1,5 @@
---
-title: User Account Control (Windows 10)
+title: User Account Control (Windows)
description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop.
ms.assetid: 43ac4926-076f-4df2-84af-471ee7d20c38
ms.reviewer:
@@ -14,14 +14,15 @@ ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
-ms.date: 07/27/2017
+ms.date: 09/24/2011
---
# User Account Control
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
index 793fe303aa..9a6cb42323 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
@@ -1,5 +1,5 @@
---
-title: User Account Control security policy settings (Windows 10)
+title: User Account Control security policy settings (Windows)
description: You can use security policies to configure how User Account Control works in your organization.
ms.assetid: 3D75A9AC-69BB-4EF2-ACB3-1769791E1B98
ms.reviewer:
@@ -14,13 +14,16 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
-ms.date: 04/19/2017
+ms.date: 09/24/2021
---
# User Account Control security policy settings
**Applies to**
- Windows 10
+- Windows 11
+- Windows Server 2016 and above
+
You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy.
From fe6ef4f3615841747044830c668e20e1a990c404 Mon Sep 17 00:00:00 2001
From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com>
Date: Sun, 26 Sep 2021 19:57:05 +0530
Subject: [PATCH 09/32] Updated
---
.../mdm/policy-csp-admx-disknvcache.md | 1672 +++++++++++++++++
1 file changed, 1672 insertions(+)
create mode 100644 windows/client-management/mdm/policy-csp-admx-disknvcache.md
diff --git a/windows/client-management/mdm/policy-csp-admx-disknvcache.md b/windows/client-management/mdm/policy-csp-admx-disknvcache.md
new file mode 100644
index 0000000000..21b8d23df4
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-disknvcache.md
@@ -0,0 +1,1672 @@
+---
+title: Policy CSP - ADMX_DiskNVCache
+description: Policy CSP - ADMX_DiskNVCache
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 08/12/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_DiskNVCache
+
+
+
+
+
+## ADMX_DiskNVCache policies
+
+
+ -
+ ADMX_DiskNVCache/BootResumePolicy
+
+ -
+ ADMX_DiskNVCache/CachePowerModePolicy
+
+ -
+ ADMX_DiskNVCache/FeatureOffPolicy
+
+ -
+ ADMX_DiskNVCache/SolidStatePolicy
+
+
+
+
+
+
+
+**ADMX_DiskNVCache/BootResumePolicy**
+
+
+
+ | Edition |
+ Windows 10 |
+ Windows 11 |
+
+
+ | Home |
+ No |
+ No |
+
+
+ | Pro |
+ No |
+ No |
+
+
+ | Business |
+ No |
+ No |
+
+
+ | Enterprise |
+ Yes |
+ Yes |
+
+
+ | Education |
+ Yes |
+ Yes |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting turns off the boot and resume optimizations for the hybrid hard disks in the system.
+
+If you enable this policy setting, the system does not use the non-volatile (NV) cache to optimize boot and resume.
+
+If you disable this policy setting, the system uses the NV cache to achieve faster boot and resume.
+The system determines the data that will be stored in the NV cache to optimize boot and resume.
+
+The required data is stored in the NV cache during shutdown and hibernate, respectively. This might cause a slight increase in the time taken for shutdown and hibernate. If you do not configure this policy setting, the default behavior is observed and the NV cache is used for boot and resume optimizations.
+
+This policy setting is applicable only if the NV cache feature is on.
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP Friendly name: *Turn off boot and resume optimizations*
+- GP name: *DNS_AllowFQDNNetBiosQueries*
+- GP path: *System\Disk NV Cache*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_AppendToMultiLabelName**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+  |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+  |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails.
+
+A name containing dots, but not dot-terminated, is called an unqualified multi-label name, for example "server.corp" is an unqualified multi-label name. The name "server.corp.contoso.com." is an example of a fully qualified name because it contains a terminating dot.
+
+For example, if attaching suffixes is allowed, an unqualified multi-label name query for "server.corp" will be queried by the DNS client first. If the query succeeds, the response is returned to the client. If the query fails, the unqualified multi-label name is appended with DNS suffixes. These suffixes can be derived from a combination of the local DNS client's primary domain suffix, a connection-specific domain suffix, and a DNS suffix search list.
+
+If attaching suffixes is allowed, and a DNS client with a primary domain suffix of "contoso.com" performs a query for "server.corp" the DNS client will send a query for "server.corp" first, and then a query for "server.corp.contoso.com." second if the first query fails.
+
+If you enable this policy setting, suffixes are allowed to be appended to an unqualified multi-label name if the original name query fails.
+
+If you disable this policy setting, no suffixes are appended to unqualified multi-label name queries if the original name query fails.
+
+If you do not configure this policy setting, computers will use their local DNS client settings to determine the query behavior for unqualified multi-label names.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP Friendly name: *Allow DNS suffix appending to unqualified multi-label name queries*
+- GP name: *DNS_AppendToMultiLabelName*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_Domain**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP. To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix.
+
+If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers that receive this policy setting.
+
+If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied connection specific DNS suffix, if configured.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP Friendly name: *Connection-specific DNS suffix*
+- GP name: *DNS_Domain*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_DomainNameDevolutionLevel**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution during the name resolution process.
+
+With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name.
+
+The DNS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box.
+
+Devolution is not enabled if a global suffix search list is configured using Group Policy.
+
+If a global suffix search list is not configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries:
+
+- The primary DNS suffix, as specified on the Computer Name tab of the System control panel.
+- Each connection-specific DNS suffix, assigned either through DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP Settings dialog box for each connection.
+
+For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server.
+
+If a DNS suffix search list is not specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
+
+For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured using this policy setting. The default devolution level is two.
+
+If you enable this policy setting and DNS devolution is also enabled, DNS clients use the DNS devolution level that you specify.
+
+If you disable this policy setting or do not configure it, DNS clients use the default devolution level of two provided that DNS devolution is enabled.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP Friendly name: *Primary DNS suffix devolution level*
+- GP name: *DNS_DomainNameDevolutionLevel*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_IdnEncoding**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured.
+
+If this policy setting is enabled, IDNs are not converted to Punycode.
+
+If this policy setting is disabled, or if this policy setting is not configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP Friendly name: *Turn off IDN encoding*
+- GP name: *DNS_IdnEncoding*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_IdnMapping**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string.
+
+If this policy setting is enabled, IDNs are converted to the Nameprep form.
+
+If this policy setting is disabled, or if this policy setting is not configured, IDNs are not converted to the Nameprep form.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP Friendly name: *IDN mapping*
+- GP name: *DNS_IdnMapping*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_NameServer**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP.
+
+To use this policy setting, click Enabled, and then enter a space-delimited list of IP addresses in the available field. To use this policy setting, you must enter at least one IP address.
+
+If you enable this policy setting, the list of DNS servers is applied to all network connections used by computers that receive this policy setting.
+
+If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied list of DNS servers, if configured.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP Friendly name: *DNS servers*
+- GP name: *DNS_NameServer*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT).
+
+If you enable this policy setting, responses from link local protocols will be preferred over DNS responses if the local responses are from a network with a higher binding order.
+
+If you disable this policy setting, or if you do not configure this policy setting, then DNS responses from networks lower in the binding order will be preferred over responses from link local protocols received from networks higher in the binding order.
+
+> [!NOTE]
+> This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP Friendly name: *Prefer link local responses over DNS when received over a network with higher precedence*
+- GP name: *DNS_PreferLocalResponsesOverLowerOrderDns*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_PrimaryDnsSuffix**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution.
+
+To use this policy setting, click Enabled and enter the entire primary DNS suffix you want to assign. For example: microsoft.com.
+
+> [!IMPORTANT]
+> In order for changes to this policy setting to be applied on computers that receive it, you must restart Windows.
+
+If you enable this policy setting, it supersedes the primary DNS suffix configured in the DNS Suffix and NetBIOS Computer Name dialog box using the System control panel.
+
+You can use this policy setting to prevent users, including local administrators, from changing the primary DNS suffix.
+
+If you disable this policy setting, or if you do not configure this policy setting, each computer uses its local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it is joined.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP Friendly name: *Primary DNS suffix*
+- GP name: *DNS_PrimaryDnsSuffix*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_RegisterAdapterName**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix.
+
+By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com.
+
+If you enable this policy setting, a computer will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by computers that receive this policy setting.
+
+For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, a computer will register A and PTR resource records for mycomputer.VPNconnection and mycomputer.microsoft.com when this policy setting is enabled.
+
+Important: This policy setting is ignored on a DNS client computer if dynamic DNS registration is disabled.
+
+If you disable this policy setting, or if you do not configure this policy setting, a DNS client computer will not register any A and PTR resource records using a connection-specific DNS suffix.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP Friendly name: *Register DNS records with connection-specific DNS suffix*
+- GP name: *DNS_RegisterAdapterName*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_RegisterReverseLookup**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if DNS client computers will register PTR resource records.
+
+By default, DNS clients configured to perform dynamic DNS registration will attempt to register PTR resource record only if they successfully registered the corresponding A resource record.
+
+If you enable this policy setting, registration of PTR records will be determined by the option that you choose under Register PTR records.
+
+To use this policy setting, click Enabled, and then select one of the following options from the drop-down list:
+
+- Do not register: Computers will not attempt to register PTR resource records
+- Register: Computers will attempt to register PTR resource records even if registration of the corresponding A records was not successful.
+- Register only if A record registration succeeds: Computers will attempt to register PTR resource records only if registration of the corresponding A records was successful.
+
+If you disable this policy setting, or if you do not configure this policy setting, computers will use locally configured settings.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP Friendly name: *Register PTR records*
+- GP name: *DNS_RegisterReverseLookup*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_RegistrationEnabled**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server.
+
+If you enable this policy setting, or you do not configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting must not be disabled.
+
+If you disable this policy setting, computers may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP Friendly name: *Dynamic update*
+- GP name: *DNS_RegistrationEnabled*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_RegistrationOverwritesInConflict**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses.
+
+This policy setting is designed for computers that register address (A) resource records in DNS zones that do not use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and does not allow a DNS client to overwrite records that are registered by other computers.
+
+During dynamic update of resource records in a zone that does not use Secure Dynamic Updates, an A resource record might exist that associates the client's host name with an IP address different than the one currently in use by the client. By default, the DNS client attempts to replace the existing A resource record with an A resource record that has the client's current IP address.
+
+If you enable this policy setting or if you do not configure this policy setting, DNS clients maintain their default behavior and will attempt to replace conflicting A resource records during dynamic update.
+
+If you disable this policy setting, existing A resource records that contain conflicting IP addresses will not be replaced during a dynamic update, and an error will be recorded in Event Viewer.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP Friendly name: *Replace addresses in conflicts*
+- GP name: *DNS_RegistrationOverwritesInConflict*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_RegistrationRefreshInterval**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates.
+
+Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record has not changed. This reregistration is required to indicate to DNS servers that records are current and should not be automatically removed (scavenged) when a DNS server is configured to delete stale records.
+
+> [!WARNING]
+> If record scavenging is enabled on the zone, the value of this policy setting should never be longer than the value of the DNS zone refresh interval. Configuring the registration refresh interval to be longer than the refresh interval of the DNS zone might result in the undesired deletion of A and PTR resource records.
+
+To specify the registration refresh interval, click Enabled and then enter a value of 1800 or greater. The value that you specify is the number of seconds to use for the registration refresh interval. For example, 1800 seconds is 30 minutes.
+
+If you enable this policy setting, registration refresh interval that you specify will be applied to all network connections used by computers that receive this policy setting.
+
+If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied setting. By default, client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP Friendly name: *Registration refresh interval*
+- GP name: *DNS_RegistrationRefreshInterval*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_RegistrationTtl**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied.
+
+To specify the TTL, click Enabled and then enter a value in seconds (for example, 900 is 15 minutes).
+
+If you enable this policy setting, the TTL value that you specify will be applied to DNS resource records registered for all network connections used by computers that receive this policy setting.
+
+If you disable this policy setting, or if you do not configure this policy setting, computers will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes).
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP Friendly name: *TTL value for A and PTR records*
+- GP name: *DNS_RegistrationTtl*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_SearchList**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name.
+
+An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a fully qualified domain name such as "example.microsoft.com."
+
+Client computers that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example, a DNS query for the single-label name "example" will be modified to "example.microsoft.com" before sending the query to a DNS server if this policy setting is enabled with a suffix of "microsoft.com."
+
+To use this policy setting, click Enabled, and then enter a string value representing the DNS suffixes that should be appended to single-label names. You must specify at least one suffix. Use a comma-delimited string, such as "microsoft.com,serverua.microsoft.com,office.microsoft.com" to specify multiple suffixes.
+
+If you enable this policy setting, one DNS suffix is attached at a time for each query. If a query is unsuccessful, a new DNS suffix is added in place of the failed suffix, and this new query is submitted. The values are used in the order they appear in the string, starting with the leftmost value and proceeding to the right until a query is successful or all suffixes are tried.
+
+If you disable this policy setting, or if you do not configure this policy setting, the primary DNS suffix and network connection-specific DNS suffixes are appended to the unqualified queries.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP Friendly name: *DNS suffix search list*
+- GP name: *DNS_SearchList*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_SmartMultiHomedNameResolution**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept.
+
+If you enable this policy setting, the DNS client will not perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail.
+
+If you disable this policy setting, or if you do not configure this policy setting, name resolution will be optimized when issuing DNS, LLMNR and NetBT queries.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP Friendly name: *Turn off smart multi-homed name resolution*
+- GP name: *DNS_SmartMultiHomedNameResolution*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_SmartProtocolReorder**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT).
+
+If you enable this policy setting, the DNS client will prefer DNS responses, followed by LLMNR, followed by NetBT for all networks.
+
+If you disable this policy setting, or if you do not configure this policy setting, the DNS client will prefer link local responses for flat name queries on non-domain networks.
+
+> [!NOTE]
+> This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP Friendly name: *Turn off smart protocol reordering*
+- GP name: *DNS_SmartProtocolReorder*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_UpdateSecurityLevel**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security level for dynamic DNS updates.
+
+To use this policy setting, click Enabled and then select one of the following values:
+
+- Unsecure followed by secure - computers send secure dynamic updates only when nonsecure dynamic updates are refused.
+- Only unsecure - computers send only nonsecure dynamic updates.
+- Only secure - computers send only secure dynamic updates.
+
+If you enable this policy setting, computers that attempt to send dynamic DNS updates will use the security level that you specify in this policy setting.
+
+If you disable this policy setting, or if you do not configure this policy setting, computers will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP Friendly name: *Update security level*
+- GP name: *DNS_UpdateSecurityLevel*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_UpdateTopLevelDomainZones**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com."
+
+By default, a DNS client that is configured to perform dynamic DNS update will update the DNS zone that is authoritative for its DNS resource records unless the authoritative zone is a top-level domain or root zone.
+
+If you enable this policy setting, computers send dynamic updates to any zone that is authoritative for the resource records that the computer needs to update, except the root zone.
+
+If you disable this policy setting, or if you do not configure this policy setting, computers do not send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer needs to update.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP Friendly name: *Update top level domain zones*
+- GP name: *DNS_UpdateTopLevelDomainZones*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/DNS_UseDomainNameDevolution**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if the DNS client performs primary DNS suffix devolution during the name resolution process.
+
+With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name.
+
+The DNS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box.
+
+Devolution is not enabled if a global suffix search list is configured using Group Policy.
+
+If a global suffix search list is not configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries:
+
+The primary DNS suffix, as specified on the Computer Name tab of the System control panel.
+
+Each connection-specific DNS suffix, assigned either through DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP Settings dialog box for each connection.
+
+For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server.
+
+If a DNS suffix search list is not specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
+
+For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured using the primary DNS suffix devolution level policy setting. The default devolution level is two.
+
+If you enable this policy setting, or if you do not configure this policy setting, DNS clients attempt to resolve single-label names using concatenations of the single-label name to be resolved and the devolved primary DNS suffix.
+
+If you disable this policy setting, DNS clients do not attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP Friendly name: *Primary DNS suffix devolution*
+- GP name: *DNS_UseDomainNameDevolution*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+
+
+
+**ADMX_DnsClient/Turn_Off_Multicast**
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+ |
+
+
+ | Pro |
+ |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that link local multicast name resolution (LLMNR) is disabled on client computers.
+
+LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible.
+
+If you enable this policy setting, LLMNR will be disabled on all available network adapters on the client computer.
+
+If you disable this policy setting, or you do not configure this policy setting, LLMNR will be enabled on all available network adapters.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP Friendly name: *Turn off multicast name resolution*
+- GP name: *Turn_Off_Multicast*
+- GP path: *Network/DNS Client*
+- GP ADMX file name: *DnsClient.admx*
+
+
+
+
+> [!NOTE]
+> These policies are currently only available as part of a Windows Insider release.
+
+
From 9102fc263de63400df2fd579f2345f857c2d28e2 Mon Sep 17 00:00:00 2001
From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com>
Date: Sun, 26 Sep 2021 19:58:46 +0530
Subject: [PATCH 10/32] Update policy-csp-admx-disknvcache.md
---
windows/client-management/mdm/policy-csp-admx-disknvcache.md | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/windows/client-management/mdm/policy-csp-admx-disknvcache.md b/windows/client-management/mdm/policy-csp-admx-disknvcache.md
index 21b8d23df4..fdbd184e60 100644
--- a/windows/client-management/mdm/policy-csp-admx-disknvcache.md
+++ b/windows/client-management/mdm/policy-csp-admx-disknvcache.md
@@ -101,8 +101,7 @@ This policy setting is applicable only if the NV cache feature is on.
> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
From d1ba094dfd847bfcfbd1442e6f5f881cea17754a Mon Sep 17 00:00:00 2001
From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com>
Date: Sun, 26 Sep 2021 22:17:43 +0530
Subject: [PATCH 11/32] Updated
---
.../mdm/policies-in-policy-csp-admx-backed.md | 4 +
.../policy-configuration-service-provider.md | 17 +
.../mdm/policy-csp-admx-disknvcache.md | 1518 +----------------
windows/client-management/mdm/toc.yml | 2 +
4 files changed, 79 insertions(+), 1462 deletions(-)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
index 0897f1666a..6b60ddd4ba 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
@@ -167,6 +167,10 @@ ms.date: 10/08/2020
- [ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration](./policy-csp-admx-devicesetup.md#admx-devicesetup-driversearchplaces-searchorderconfiguration)
- [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-1)
- [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-2)
+- [ADMX_DiskNVCache/BootResumePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-dlt_bootresumepolicy)
+- [ADMX_DiskNVCache/CachePowerModePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-dlt_cachepowermodepolicy)
+- [ADMX_DiskNVCache/FeatureOffPolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-dlt_featureoffpolicy)
+- [ADMX_DiskNVCache/SolidStatePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-dlt_solidstatepolicy)
- [ADMX_DistributedLinkTracking/DLT_AllowDomainMode](./policy-csp-admx-distributedlinktracking.md#admx-distributedlinktracking-dlt_allowdomainmode)
- [ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-allowfqdnnetbiosqueries)
- [ADMX_DnsClient/DNS_AppendToMultiLabelName](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-appendtomultilabelname)
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index a4847a452f..7bbf5190cd 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -747,6 +747,23 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_DiskNVCache policies
+
+
+ -
+ ADMX_DiskNVCache/BootResumePolicy
+
+ -
+ ADMX_DiskNVCache/CachePowerModePolicy
+
+ -
+ ADMX_DiskNVCache/FeatureOffPolicy
+
+ -
+ ADMX_DiskNVCache/SolidStatePolicy
+
+
+
### ADMX_DistributedLinkTracking policies
diff --git a/windows/client-management/mdm/policy-csp-admx-disknvcache.md b/windows/client-management/mdm/policy-csp-admx-disknvcache.md
index fdbd184e60..7a22bcb596 100644
--- a/windows/client-management/mdm/policy-csp-admx-disknvcache.md
+++ b/windows/client-management/mdm/policy-csp-admx-disknvcache.md
@@ -20,6 +20,13 @@ manager: dansimp
## ADMX_DiskNVCache policies
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
-
ADMX_DiskNVCache/BootResumePolicy
@@ -98,52 +105,52 @@ The required data is stored in the NV cache during shutdown and hibernate, respe
This policy setting is applicable only if the NV cache feature is on.
-
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
ADMX Info:
- GP Friendly name: *Turn off boot and resume optimizations*
-- GP name: *DNS_AllowFQDNNetBiosQueries*
+- GP name: *BootResumePolicy*
- GP path: *System\Disk NV Cache*
-- GP ADMX file name: *DnsClient.admx*
+- GP ADMX file name: *DiskNVCache.admx*
-**ADMX_DnsClient/DNS_AppendToMultiLabelName**
+**ADMX_DiskNVCache/FeatureOffPolicy**
- | Windows Edition |
- Supported? |
+ Edition |
+ Windows 10 |
+ Windows 11 |
| Home |
- |
+ No |
+ No |
| Pro |
- |
+ No |
+ No |
| Business |
- |
+ No |
+ No |
| Enterprise |
- |
+ Yes |
+ Yes |
| Education |
- |
+ Yes |
+ Yes |
@@ -160,34 +167,23 @@ ADMX Info:
-Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails.
+This policy setting turns off all support for the non-volatile (NV) cache on all hybrid hard disks in the system.
+To check if you have hybrid hard disks in the system, from Device Manager, right-click the disk drive and select Properties. The NV cache can be used to optimize boot and resume by reading data from the cache while the disks are spinning up. The NV cache can also be used to reduce the power consumption of the system by keeping the disks spun down while satisfying reads and writes from the cache.
-A name containing dots, but not dot-terminated, is called an unqualified multi-label name, for example "server.corp" is an unqualified multi-label name. The name "server.corp.contoso.com." is an example of a fully qualified name because it contains a terminating dot.
+ If you enable this policy setting, the system will not manage the NV cache and will not enable NV cache power saving mode.
-For example, if attaching suffixes is allowed, an unqualified multi-label name query for "server.corp" will be queried by the DNS client first. If the query succeeds, the response is returned to the client. If the query fails, the unqualified multi-label name is appended with DNS suffixes. These suffixes can be derived from a combination of the local DNS client's primary domain suffix, a connection-specific domain suffix, and a DNS suffix search list.
+If you disable this policy setting, the system will manage the NV cache on the disks if the other policy settings for the NV cache are appropriately configured.
-If attaching suffixes is allowed, and a DNS client with a primary domain suffix of "contoso.com" performs a query for "server.corp" the DNS client will send a query for "server.corp" first, and then a query for "server.corp.contoso.com." second if the first query fails.
-
-If you enable this policy setting, suffixes are allowed to be appended to an unqualified multi-label name if the original name query fails.
-
-If you disable this policy setting, no suffixes are appended to unqualified multi-label name queries if the original name query fails.
-
-If you do not configure this policy setting, computers will use their local DNS client settings to determine the query behavior for unqualified multi-label names.
+This policy setting will take effect on next boot. If you do not configure this policy setting, the default behavior is to turn on support for the NV cache.
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
ADMX Info:
-- GP Friendly name: *Allow DNS suffix appending to unqualified multi-label name queries*
-- GP name: *DNS_AppendToMultiLabelName*
-- GP path: *Network/DNS Client*
-- GP ADMX file name: *DnsClient.admx*
+- GP Friendly name: *Turn off non-volatile cache feature*
+- GP name: *FeatureOffPolicy*
+- GP path: *System\Disk NV Cache*
+- GP ADMX file name: *DiskNVCache.admx*
@@ -195,32 +191,38 @@ ADMX Info:
-**ADMX_DnsClient/DNS_Domain**
+**ADMX_DiskNVCache/SolidStatePolicy**
- | Windows Edition |
- Supported? |
+ Edition |
+ Windows 10 |
+ Windows 11 |
| Home |
- |
+ No |
+ No |
| Pro |
- |
+ No |
+ No |
| Business |
- |
+ No |
+ No |
| Enterprise |
- |
+ Yes |
+ Yes |
| Education |
- |
+ Yes |
+ Yes |
@@ -237,1435 +239,27 @@ ADMX Info:
-Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP. To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix.
+This policy setting turns off the solid state mode for the hybrid hard disks.
-If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers that receive this policy setting.
+If you enable this policy setting, frequently written files such as the file system metadata and registry may not be stored in the NV cache.
+
+If you disable this policy setting, the system will store frequently written data into the non-volatile (NV) cache. This allows the system to exclusively run out of the NV cache and power down the disk for longer periods to save power.
+
+This can cause increased wear of the NV cache. If you do not configure this policy setting, the default behavior of the system is observed and frequently written files will be stored in the NV cache. Note: This policy setting is applicable only if the NV cache feature is on.
-If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied connection specific DNS suffix, if configured.
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
ADMX Info:
-- GP Friendly name: *Connection-specific DNS suffix*
-- GP name: *DNS_Domain*
-- GP path: *Network/DNS Client*
-- GP ADMX file name: *DnsClient.admx*
-
-
-
-
-
-
-
-**ADMX_DnsClient/DNS_DomainNameDevolutionLevel**
-
-
-
- | Windows Edition |
- Supported? |
-
-
- | Home |
- |
-
-
- | Pro |
- |
-
-
- | Business |
- |
-
-
- | Enterprise |
- |
-
-
- | Education |
- |
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution during the name resolution process.
-
-With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name.
-
-The DNS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box.
-
-Devolution is not enabled if a global suffix search list is configured using Group Policy.
-
-If a global suffix search list is not configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries:
-
-- The primary DNS suffix, as specified on the Computer Name tab of the System control panel.
-- Each connection-specific DNS suffix, assigned either through DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP Settings dialog box for each connection.
-
-For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server.
-
-If a DNS suffix search list is not specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
-
-For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured using this policy setting. The default devolution level is two.
-
-If you enable this policy setting and DNS devolution is also enabled, DNS clients use the DNS devolution level that you specify.
-
-If you disable this policy setting or do not configure it, DNS clients use the default devolution level of two provided that DNS devolution is enabled.
-
-
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
-ADMX Info:
-- GP Friendly name: *Primary DNS suffix devolution level*
-- GP name: *DNS_DomainNameDevolutionLevel*
-- GP path: *Network/DNS Client*
-- GP ADMX file name: *DnsClient.admx*
-
-
-
-
-
-
-
-**ADMX_DnsClient/DNS_IdnEncoding**
-
-
-
-
- | Windows Edition |
- Supported? |
-
-
- | Home |
- |
-
-
- | Pro |
- |
-
-
- | Business |
- |
-
-
- | Enterprise |
- |
-
-
- | Education |
- |
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured.
-
-If this policy setting is enabled, IDNs are not converted to Punycode.
-
-If this policy setting is disabled, or if this policy setting is not configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured.
-
-
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
-ADMX Info:
-- GP Friendly name: *Turn off IDN encoding*
-- GP name: *DNS_IdnEncoding*
-- GP path: *Network/DNS Client*
-- GP ADMX file name: *DnsClient.admx*
-
-
-
-
-
-
-
-**ADMX_DnsClient/DNS_IdnMapping**
-
-
-
- | Windows Edition |
- Supported? |
-
-
- | Home |
- |
-
-
- | Pro |
- |
-
-
- | Business |
- |
-
-
- | Enterprise |
- |
-
-
- | Education |
- |
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string.
-
-If this policy setting is enabled, IDNs are converted to the Nameprep form.
-
-If this policy setting is disabled, or if this policy setting is not configured, IDNs are not converted to the Nameprep form.
-
-
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
-ADMX Info:
-- GP Friendly name: *IDN mapping*
-- GP name: *DNS_IdnMapping*
-- GP path: *Network/DNS Client*
-- GP ADMX file name: *DnsClient.admx*
-
-
-
-
-
-
-
-**ADMX_DnsClient/DNS_NameServer**
-
-
-
- | Windows Edition |
- Supported? |
-
-
- | Home |
- |
-
-
- | Pro |
- |
-
-
- | Business |
- |
-
-
- | Enterprise |
- |
-
-
- | Education |
- |
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Available in the latest Windows 10 Insider Preview Build. This policy setting defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP.
-
-To use this policy setting, click Enabled, and then enter a space-delimited list of IP addresses in the available field. To use this policy setting, you must enter at least one IP address.
-
-If you enable this policy setting, the list of DNS servers is applied to all network connections used by computers that receive this policy setting.
-
-If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied list of DNS servers, if configured.
-
-
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
-ADMX Info:
-- GP Friendly name: *DNS servers*
-- GP name: *DNS_NameServer*
-- GP path: *Network/DNS Client*
-- GP ADMX file name: *DnsClient.admx*
-
-
-
-
-
-
-
-**ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns**
-
-
-
- | Windows Edition |
- Supported? |
-
-
- | Home |
- |
-
-
- | Pro |
- |
-
-
- | Business |
- |
-
-
- | Enterprise |
- |
-
-
- | Education |
- |
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT).
-
-If you enable this policy setting, responses from link local protocols will be preferred over DNS responses if the local responses are from a network with a higher binding order.
-
-If you disable this policy setting, or if you do not configure this policy setting, then DNS responses from networks lower in the binding order will be preferred over responses from link local protocols received from networks higher in the binding order.
-
-> [!NOTE]
-> This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured.
-
-
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
-ADMX Info:
-- GP Friendly name: *Prefer link local responses over DNS when received over a network with higher precedence*
-- GP name: *DNS_PreferLocalResponsesOverLowerOrderDns*
-- GP path: *Network/DNS Client*
-- GP ADMX file name: *DnsClient.admx*
+- GP Friendly name: *Turn off solid state mode*
+- GP name: *SolidStatePolicy*
+- GP path: *System\Disk NV Cache*
+- GP ADMX file name: *DiskNVCache.admx*
-
-
-
-**ADMX_DnsClient/DNS_PrimaryDnsSuffix**
-
-
-
- | Windows Edition |
- Supported? |
-
-
- | Home |
- |
-
-
- | Pro |
- |
-
-
- | Business |
- |
-
-
- | Enterprise |
- |
-
-
- | Education |
- |
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution.
-
-To use this policy setting, click Enabled and enter the entire primary DNS suffix you want to assign. For example: microsoft.com.
-
-> [!IMPORTANT]
-> In order for changes to this policy setting to be applied on computers that receive it, you must restart Windows.
-
-If you enable this policy setting, it supersedes the primary DNS suffix configured in the DNS Suffix and NetBIOS Computer Name dialog box using the System control panel.
-
-You can use this policy setting to prevent users, including local administrators, from changing the primary DNS suffix.
-
-If you disable this policy setting, or if you do not configure this policy setting, each computer uses its local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it is joined.
-
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
-ADMX Info:
-- GP Friendly name: *Primary DNS suffix*
-- GP name: *DNS_PrimaryDnsSuffix*
-- GP path: *Network/DNS Client*
-- GP ADMX file name: *DnsClient.admx*
-
-
-
-
-
-
-
-**ADMX_DnsClient/DNS_RegisterAdapterName**
-
-
-
- | Windows Edition |
- Supported? |
-
-
- | Home |
- |
-
-
- | Pro |
- |
-
-
- | Business |
- |
-
-
- | Enterprise |
- |
-
-
- | Education |
- |
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix.
-
-By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com.
-
-If you enable this policy setting, a computer will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by computers that receive this policy setting.
-
-For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, a computer will register A and PTR resource records for mycomputer.VPNconnection and mycomputer.microsoft.com when this policy setting is enabled.
-
-Important: This policy setting is ignored on a DNS client computer if dynamic DNS registration is disabled.
-
-If you disable this policy setting, or if you do not configure this policy setting, a DNS client computer will not register any A and PTR resource records using a connection-specific DNS suffix.
-
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
-ADMX Info:
-- GP Friendly name: *Register DNS records with connection-specific DNS suffix*
-- GP name: *DNS_RegisterAdapterName*
-- GP path: *Network/DNS Client*
-- GP ADMX file name: *DnsClient.admx*
-
-
-
-
-
-
-
-**ADMX_DnsClient/DNS_RegisterReverseLookup**
-
-
-
- | Windows Edition |
- Supported? |
-
-
- | Home |
- |
-
-
- | Pro |
- |
-
-
- | Business |
- |
-
-
- | Enterprise |
- |
-
-
- | Education |
- |
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if DNS client computers will register PTR resource records.
-
-By default, DNS clients configured to perform dynamic DNS registration will attempt to register PTR resource record only if they successfully registered the corresponding A resource record.
-
-If you enable this policy setting, registration of PTR records will be determined by the option that you choose under Register PTR records.
-
-To use this policy setting, click Enabled, and then select one of the following options from the drop-down list:
-
-- Do not register: Computers will not attempt to register PTR resource records
-- Register: Computers will attempt to register PTR resource records even if registration of the corresponding A records was not successful.
-- Register only if A record registration succeeds: Computers will attempt to register PTR resource records only if registration of the corresponding A records was successful.
-
-If you disable this policy setting, or if you do not configure this policy setting, computers will use locally configured settings.
-
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
-ADMX Info:
-- GP Friendly name: *Register PTR records*
-- GP name: *DNS_RegisterReverseLookup*
-- GP path: *Network/DNS Client*
-- GP ADMX file name: *DnsClient.admx*
-
-
-
-
-
-
-
-**ADMX_DnsClient/DNS_RegistrationEnabled**
-
-
-
- | Windows Edition |
- Supported? |
-
-
- | Home |
- |
-
-
- | Pro |
- |
-
-
- | Business |
- |
-
-
- | Enterprise |
- |
-
-
- | Education |
- |
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server.
-
-If you enable this policy setting, or you do not configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting must not be disabled.
-
-If you disable this policy setting, computers may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections.
-
-
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
-ADMX Info:
-- GP Friendly name: *Dynamic update*
-- GP name: *DNS_RegistrationEnabled*
-- GP path: *Network/DNS Client*
-- GP ADMX file name: *DnsClient.admx*
-
-
-
-
-
-
-
-**ADMX_DnsClient/DNS_RegistrationOverwritesInConflict**
-
-
-
- | Windows Edition |
- Supported? |
-
-
- | Home |
- |
-
-
- | Pro |
- |
-
-
- | Business |
- |
-
-
- | Enterprise |
- |
-
-
- | Education |
- |
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses.
-
-This policy setting is designed for computers that register address (A) resource records in DNS zones that do not use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and does not allow a DNS client to overwrite records that are registered by other computers.
-
-During dynamic update of resource records in a zone that does not use Secure Dynamic Updates, an A resource record might exist that associates the client's host name with an IP address different than the one currently in use by the client. By default, the DNS client attempts to replace the existing A resource record with an A resource record that has the client's current IP address.
-
-If you enable this policy setting or if you do not configure this policy setting, DNS clients maintain their default behavior and will attempt to replace conflicting A resource records during dynamic update.
-
-If you disable this policy setting, existing A resource records that contain conflicting IP addresses will not be replaced during a dynamic update, and an error will be recorded in Event Viewer.
-
-
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
-ADMX Info:
-- GP Friendly name: *Replace addresses in conflicts*
-- GP name: *DNS_RegistrationOverwritesInConflict*
-- GP path: *Network/DNS Client*
-- GP ADMX file name: *DnsClient.admx*
-
-
-
-
-
-
-
-**ADMX_DnsClient/DNS_RegistrationRefreshInterval**
-
-
-
- | Windows Edition |
- Supported? |
-
-
- | Home |
- |
-
-
- | Pro |
- |
-
-
- | Business |
- |
-
-
- | Enterprise |
- |
-
-
- | Education |
- |
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates.
-
-Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record has not changed. This reregistration is required to indicate to DNS servers that records are current and should not be automatically removed (scavenged) when a DNS server is configured to delete stale records.
-
-> [!WARNING]
-> If record scavenging is enabled on the zone, the value of this policy setting should never be longer than the value of the DNS zone refresh interval. Configuring the registration refresh interval to be longer than the refresh interval of the DNS zone might result in the undesired deletion of A and PTR resource records.
-
-To specify the registration refresh interval, click Enabled and then enter a value of 1800 or greater. The value that you specify is the number of seconds to use for the registration refresh interval. For example, 1800 seconds is 30 minutes.
-
-If you enable this policy setting, registration refresh interval that you specify will be applied to all network connections used by computers that receive this policy setting.
-
-If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied setting. By default, client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed.
-
-
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
-ADMX Info:
-- GP Friendly name: *Registration refresh interval*
-- GP name: *DNS_RegistrationRefreshInterval*
-- GP path: *Network/DNS Client*
-- GP ADMX file name: *DnsClient.admx*
-
-
-
-
-
-
-
-**ADMX_DnsClient/DNS_RegistrationTtl**
-
-
-
- | Windows Edition |
- Supported? |
-
-
- | Home |
- |
-
-
- | Pro |
- |
-
-
- | Business |
- |
-
-
- | Enterprise |
- |
-
-
- | Education |
- |
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied.
-
-To specify the TTL, click Enabled and then enter a value in seconds (for example, 900 is 15 minutes).
-
-If you enable this policy setting, the TTL value that you specify will be applied to DNS resource records registered for all network connections used by computers that receive this policy setting.
-
-If you disable this policy setting, or if you do not configure this policy setting, computers will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes).
-
-
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
-ADMX Info:
-- GP Friendly name: *TTL value for A and PTR records*
-- GP name: *DNS_RegistrationTtl*
-- GP path: *Network/DNS Client*
-- GP ADMX file name: *DnsClient.admx*
-
-
-
-
-
-
-
-**ADMX_DnsClient/DNS_SearchList**
-
-
-
- | Windows Edition |
- Supported? |
-
-
- | Home |
- |
-
-
- | Pro |
- |
-
-
- | Business |
- |
-
-
- | Enterprise |
- |
-
-
- | Education |
- |
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name.
-
-An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a fully qualified domain name such as "example.microsoft.com."
-
-Client computers that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example, a DNS query for the single-label name "example" will be modified to "example.microsoft.com" before sending the query to a DNS server if this policy setting is enabled with a suffix of "microsoft.com."
-
-To use this policy setting, click Enabled, and then enter a string value representing the DNS suffixes that should be appended to single-label names. You must specify at least one suffix. Use a comma-delimited string, such as "microsoft.com,serverua.microsoft.com,office.microsoft.com" to specify multiple suffixes.
-
-If you enable this policy setting, one DNS suffix is attached at a time for each query. If a query is unsuccessful, a new DNS suffix is added in place of the failed suffix, and this new query is submitted. The values are used in the order they appear in the string, starting with the leftmost value and proceeding to the right until a query is successful or all suffixes are tried.
-
-If you disable this policy setting, or if you do not configure this policy setting, the primary DNS suffix and network connection-specific DNS suffixes are appended to the unqualified queries.
-
-
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
-ADMX Info:
-- GP Friendly name: *DNS suffix search list*
-- GP name: *DNS_SearchList*
-- GP path: *Network/DNS Client*
-- GP ADMX file name: *DnsClient.admx*
-
-
-
-
-
-
-
-**ADMX_DnsClient/DNS_SmartMultiHomedNameResolution**
-
-
-
-
- | Windows Edition |
- Supported? |
-
-
- | Home |
- |
-
-
- | Pro |
- |
-
-
- | Business |
- |
-
-
- | Enterprise |
- |
-
-
- | Education |
- |
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept.
-
-If you enable this policy setting, the DNS client will not perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail.
-
-If you disable this policy setting, or if you do not configure this policy setting, name resolution will be optimized when issuing DNS, LLMNR and NetBT queries.
-
-
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
-ADMX Info:
-- GP Friendly name: *Turn off smart multi-homed name resolution*
-- GP name: *DNS_SmartMultiHomedNameResolution*
-- GP path: *Network/DNS Client*
-- GP ADMX file name: *DnsClient.admx*
-
-
-
-
-
-
-
-**ADMX_DnsClient/DNS_SmartProtocolReorder**
-
-
-
- | Windows Edition |
- Supported? |
-
-
- | Home |
- |
-
-
- | Pro |
- |
-
-
- | Business |
- |
-
-
- | Enterprise |
- |
-
-
- | Education |
- |
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT).
-
-If you enable this policy setting, the DNS client will prefer DNS responses, followed by LLMNR, followed by NetBT for all networks.
-
-If you disable this policy setting, or if you do not configure this policy setting, the DNS client will prefer link local responses for flat name queries on non-domain networks.
-
-> [!NOTE]
-> This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured.
-
-
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
-ADMX Info:
-- GP Friendly name: *Turn off smart protocol reordering*
-- GP name: *DNS_SmartProtocolReorder*
-- GP path: *Network/DNS Client*
-- GP ADMX file name: *DnsClient.admx*
-
-
-
-
-
-
-
-**ADMX_DnsClient/DNS_UpdateSecurityLevel**
-
-
-
- | Windows Edition |
- Supported? |
-
-
- | Home |
- |
-
-
- | Pro |
- |
-
-
- | Business |
- |
-
-
- | Enterprise |
- |
-
-
- | Education |
- |
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security level for dynamic DNS updates.
-
-To use this policy setting, click Enabled and then select one of the following values:
-
-- Unsecure followed by secure - computers send secure dynamic updates only when nonsecure dynamic updates are refused.
-- Only unsecure - computers send only nonsecure dynamic updates.
-- Only secure - computers send only secure dynamic updates.
-
-If you enable this policy setting, computers that attempt to send dynamic DNS updates will use the security level that you specify in this policy setting.
-
-If you disable this policy setting, or if you do not configure this policy setting, computers will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update.
-
-
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
-ADMX Info:
-- GP Friendly name: *Update security level*
-- GP name: *DNS_UpdateSecurityLevel*
-- GP path: *Network/DNS Client*
-- GP ADMX file name: *DnsClient.admx*
-
-
-
-
-
-
-
-**ADMX_DnsClient/DNS_UpdateTopLevelDomainZones**
-
-
-
- | Windows Edition |
- Supported? |
-
-
- | Home |
- |
-
-
- | Pro |
- |
-
-
- | Business |
- |
-
-
- | Enterprise |
- |
-
-
- | Education |
- |
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com."
-
-By default, a DNS client that is configured to perform dynamic DNS update will update the DNS zone that is authoritative for its DNS resource records unless the authoritative zone is a top-level domain or root zone.
-
-If you enable this policy setting, computers send dynamic updates to any zone that is authoritative for the resource records that the computer needs to update, except the root zone.
-
-If you disable this policy setting, or if you do not configure this policy setting, computers do not send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer needs to update.
-
-
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
-ADMX Info:
-- GP Friendly name: *Update top level domain zones*
-- GP name: *DNS_UpdateTopLevelDomainZones*
-- GP path: *Network/DNS Client*
-- GP ADMX file name: *DnsClient.admx*
-
-
-
-
-
-
-
-**ADMX_DnsClient/DNS_UseDomainNameDevolution**
-
-
-
- | Windows Edition |
- Supported? |
-
-
- | Home |
- |
-
-
- | Pro |
- |
-
-
- | Business |
- |
-
-
- | Enterprise |
- |
-
-
- | Education |
- |
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if the DNS client performs primary DNS suffix devolution during the name resolution process.
-
-With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name.
-
-The DNS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box.
-
-Devolution is not enabled if a global suffix search list is configured using Group Policy.
-
-If a global suffix search list is not configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries:
-
-The primary DNS suffix, as specified on the Computer Name tab of the System control panel.
-
-Each connection-specific DNS suffix, assigned either through DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP Settings dialog box for each connection.
-
-For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server.
-
-If a DNS suffix search list is not specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
-
-For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured using the primary DNS suffix devolution level policy setting. The default devolution level is two.
-
-If you enable this policy setting, or if you do not configure this policy setting, DNS clients attempt to resolve single-label names using concatenations of the single-label name to be resolved and the devolved primary DNS suffix.
-
-If you disable this policy setting, DNS clients do not attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix.
-
-
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
-ADMX Info:
-- GP Friendly name: *Primary DNS suffix devolution*
-- GP name: *DNS_UseDomainNameDevolution*
-- GP path: *Network/DNS Client*
-- GP ADMX file name: *DnsClient.admx*
-
-
-
-
-
-
-
-**ADMX_DnsClient/Turn_Off_Multicast**
-
-
-
- | Windows Edition |
- Supported? |
-
-
- | Home |
- |
-
-
- | Pro |
- |
-
-
- | Business |
- |
-
-
- | Enterprise |
- |
-
-
- | Education |
- |
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that link local multicast name resolution (LLMNR) is disabled on client computers.
-
-LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible.
-
-If you enable this policy setting, LLMNR will be disabled on all available network adapters on the client computer.
-
-If you disable this policy setting, or you do not configure this policy setting, LLMNR will be enabled on all available network adapters.
-
-
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
-ADMX Info:
-- GP Friendly name: *Turn off multicast name resolution*
-- GP name: *Turn_Off_Multicast*
-- GP path: *Network/DNS Client*
-- GP ADMX file name: *DnsClient.admx*
-
-
-
-
-> [!NOTE]
-> These policies are currently only available as part of a Windows Insider release.
diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml
index 22e27a3a21..fc3d64ad92 100644
--- a/windows/client-management/mdm/toc.yml
+++ b/windows/client-management/mdm/toc.yml
@@ -455,6 +455,8 @@ items:
href: policy-csp-admx-dfs.md
- name: ADMX_DigitalLocker
href: policy-csp-admx-digitallocker.md
+ - name: ADMX_DiskNVCache
+ href: policy-csp-admx-disknvcache.md
- name: ADMX_DistributedLinkTracking
href: policy-csp-admx-distributedlinktracking.md
- name: ADMX_DnsClient
From 2752f0c875e8cc35edbfdf8c56ca742da721737a Mon Sep 17 00:00:00 2001
From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com>
Date: Mon, 27 Sep 2021 00:38:37 +0530
Subject: [PATCH 12/32] Updated
---
.../mdm/policies-in-policy-csp-admx-backed.md | 9 +
.../policy-configuration-service-provider.md | 43 ++
.../mdm/policy-csp-admx-diskquota.md | 500 ++++++++++++++++++
.../mdm/policy-csp-admx-iscsi.md | 249 +++++++++
windows/client-management/mdm/toc.yml | 8 +-
5 files changed, 807 insertions(+), 2 deletions(-)
create mode 100644 windows/client-management/mdm/policy-csp-admx-diskquota.md
create mode 100644 windows/client-management/mdm/policy-csp-admx-iscsi.md
diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
index 6b60ddd4ba..c2fd311c26 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
@@ -171,6 +171,12 @@ ms.date: 10/08/2020
- [ADMX_DiskNVCache/CachePowerModePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-dlt_cachepowermodepolicy)
- [ADMX_DiskNVCache/FeatureOffPolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-dlt_featureoffpolicy)
- [ADMX_DiskNVCache/SolidStatePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-dlt_solidstatepolicy)
+- [ADMX_DiskQuota/DQ_RemovableMedia](./policy-csp-admx-diskquota.md#admx-diskquota-dq_removablemedia)
+- [ADMX_DiskQuota/DQ_Enable](./policy-csp-admx-diskquota.md#admx-diskquota-dq_enable)
+- [ADMX_DiskQuota/DQ_Enforce](./policy-csp-admx-diskquota.md#admx-diskquota-dq_enforce)
+- [ADMX_DiskQuota/DQ_LogEventOverLimit](./policy-csp-admx-diskquota.md#admx-diskquota-dq_logeventoverlimit)
+- [ADMX_DiskQuota/DQ_LogEventOverThreshold](./policy-csp-admx-diskquota.md#admx-diskquota-dq_logeventoverthreshold)
+- [ADMX_DiskQuota/DQ_Limit](./policy-csp-admx-diskquota.md#admx-diskquota-dq_limit)
- [ADMX_DistributedLinkTracking/DLT_AllowDomainMode](./policy-csp-admx-distributedlinktracking.md#admx-distributedlinktracking-dlt_allowdomainmode)
- [ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-allowfqdnnetbiosqueries)
- [ADMX_DnsClient/DNS_AppendToMultiLabelName](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-appendtomultilabelname)
@@ -408,6 +414,9 @@ ms.date: 10/08/2020
- [ADMX_ICM/WinMSG_NoInstrumentation_1](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-1)
- [ADMX_ICM/WinMSG_NoInstrumentation_2](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-2)
- [ADMX_IIS/PreventIISInstall](./policy-csp-admx-iis.md#admx-iis-preventiisinstall)
+- [ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins](./policy-csp-admx-iscsi.md#admx-iscsi-iscsigeneral_restrictadditionallogins)
+- [ADMX_iSCSI/iSCSIGeneral_ChangeIQNName](./policy-csp-admx-iscsi.md#admx-iscsi-iscsigeneral_changeiqnname)
+- [ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret](./policy-csp-admx-iscsi.md#admx-iscsi-iscsisecurity_changechapsecret)
- [ADMX_kdc/CbacAndArmor](./policy-csp-admx-kdc.md#admx-kdc-cbacandarmor)
- [ADMX_kdc/ForestSearch](./policy-csp-admx-kdc.md#admx-kdc-forestsearch)
- [ADMX_kdc/PKINITFreshness](./policy-csp-admx-kdc.md#admx-kdc-pkinitfreshness)
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 7bbf5190cd..a1717215e9 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -764,6 +764,29 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_DiskQuota policies
+
+
+ -
+ ADMX_DiskQuota/DQ_RemovableMedia
+
+ -
+ ADMX_DiskQuota/DQ_Enable
+
+ -
+ ADMX_DiskQuota/DQ_Enforce
+
+ -
+ ADMX_DiskQuota/DQ_LogEventOverLimit
+
+ -
+ ADMX_DiskQuota/DQ_LogEventOverThreshold
+
+ -
+ ADMX_DiskQuota/DQ_Limit
+
+
+
### ADMX_DistributedLinkTracking policies
@@ -1595,6 +1618,26 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_iSCSI policies
+
+
+ -
+ ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins
+
+ -
+ ADMX_iSCSI/iSCSIGeneral_ChangeIQNName
+
+ -
+ ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret
+
+
+
### ADMX_kdc policies
-
diff --git a/windows/client-management/mdm/policy-csp-admx-diskquota.md b/windows/client-management/mdm/policy-csp-admx-diskquota.md
new file mode 100644
index 0000000000..928b7fe4ff
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-diskquota.md
@@ -0,0 +1,500 @@
+---
+title: Policy CSP - ADMX_DiskQuota
+description: Policy CSP - ADMX_DiskQuota
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 08/12/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_DiskQuota
+
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+## ADMX_DiskQuota policies
+
+
+
+ -
+ ADMX_DiskQuota/DQ_RemovableMedia
+
+ -
+ ADMX_DiskQuota/DQ_Enable
+
+ -
+ ADMX_DiskQuota/DQ_Enforce
+
+ -
+ ADMX_DiskQuota/DQ_LogEventOverLimit
+
+ -
+ ADMX_DiskQuota/DQ_LogEventOverThreshold
+
+ -
+ ADMX_DiskQuota/DQ_Limit
+
+
+
+
+
+
+
+**ADMX_DiskQuota/DQ_RemovableMedia**
+
+
+
+ | Edition |
+ Windows 10 |
+ Windows 11 |
+
+
+ | Home |
+ No |
+ No |
+
+
+ | Pro |
+ No |
+ No |
+
+
+ | Business |
+ No |
+ No |
+
+
+ | Enterprise |
+ Yes |
+ Yes |
+
+
+ | Education |
+ Yes |
+ Yes |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting extends the disk quota policies in this folder to NTFS file system volumes on removable media.
+
+If you disable or do not configure this policy setting, the disk quota policies established in this folder apply to fixed-media NTFS volumes only.
+
+When this policy setting is applied, the computer will apply the disk quota to both fixed and removable media.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Apply policy to removable media*
+- GP name: *DQ_RemovableMedia*
+- GP path: *System\Disk Quotas*
+- GP ADMX file name: *DiskQuota.admx*
+
+
+
+
+
+
+
+**ADMX_DiskQuota/DQ_Enable**
+
+
+
+ | Edition |
+ Windows 10 |
+ Windows 11 |
+
+
+ | Home |
+ No |
+ No |
+
+
+ | Pro |
+ No |
+ No |
+
+
+ | Business |
+ No |
+ No |
+
+
+ | Enterprise |
+ Yes |
+ Yes |
+
+
+ | Education |
+ Yes |
+ Yes |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting turns on and turns off disk quota management on all NTFS volumes of the computer, and prevents users from changing the setting.
+
+If you enable this policy setting, disk quota management is turned on, and users cannot turn it off.
+
+If you disable the policy setting, disk quota management is turned off, and users cannot turn it on. If this policy setting is not configured, disk quota management is turned off by default, but administrators can turn it on.
+
+To prevent users from changing the setting while a setting is in effect, the system disables the "Enable quota management" option on the Quota tab of NTFS volumes.
+
+This policy setting turns on disk quota management but does not establish or enforce a particular disk quota limit.
+
+To specify a disk quota limit, use the "Default quota limit and warning level" policy setting. Otherwise, the system uses the physical space on the volume as the quota limit.
+
+To turn on or turn off disk quota management without specifying a setting, in My Computer, right-click the name of an NTFS volume, click Properties, click the Quota tab, and then click "Enable quota management."
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Enable disk quotas*
+- GP name: *DQ_Enable*
+- GP path: *System\Disk Quotas*
+- GP ADMX file name: *DiskQuota.admx*
+
+
+
+
+
+
+
+
+**ADMX_DiskQuota/DQ_Enforce**
+
+
+
+ | Edition |
+ Windows 10 |
+ Windows 11 |
+
+
+ | Home |
+ No |
+ No |
+
+
+ | Pro |
+ No |
+ No |
+
+
+ | Business |
+ No |
+ No |
+
+
+ | Enterprise |
+ Yes |
+ Yes |
+
+
+ | Education |
+ Yes |
+ Yes |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting determines whether disk quota limits are enforced and prevents users from changing the setting.
+
+If you enable this policy setting, disk quota limits are enforced.
+
+If you disable this policy setting, disk quota limits are not enforced. When you enable or disable this policy setting, the system disables the "Deny disk space to users exceeding quota limit" option on the Quota tab so administrators cannot make changes while the setting is in effect.
+
+If you do not configure this policy setting, the disk quota limit is not enforced by default, but administrators can change the setting. Enforcement is optional. When users reach an enforced disk quota limit, the system responds as though the physical space on the volume were exhausted. When users reach an unenforced limit, their status in the Quota Entries window changes, but they can continue to write to the volume as long as physical space is available.
+
+This policy setting overrides user settings that enable or disable quota enforcement on their volumes.
+
+To specify a disk quota limit, use the "Default quota limit and warning level" policy setting. Otherwise, the system uses the physical space on the volume as the quota limit.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Enforce disk quota limit*
+- GP name: *DQ_Enforce*
+- GP path: *System\Disk Quotas*
+- GP ADMX file name: *DiskQuota.admx*
+
+
+
+
+
+
+
+
+**ADMX_DiskQuota/DQ_LogEventOverLimit**
+
+
+
+ | Edition |
+ Windows 10 |
+ Windows 11 |
+
+
+ | Home |
+ No |
+ No |
+
+
+ | Pro |
+ No |
+ No |
+
+
+ | Business |
+ No |
+ No |
+
+
+ | Enterprise |
+ Yes |
+ Yes |
+
+
+ | Education |
+ Yes |
+ Yes |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting determines whether the system records an event in the local Application log when users reach their disk quota limit on a volume, and prevents users from changing the logging setting.
+
+If you enable this policy setting, the system records an event when the user reaches their limit.
+
+If you disable this policy setting, no event is recorded. Also, when you enable or disable this policy setting, the system disables the "Log event when a user exceeds their quota limit" option on the Quota tab, so administrators cannot change the setting while a setting is in effect. If you do not configure this policy setting, no events are recorded, but administrators can use the Quota tab option to change the setting.
+
+This policy setting is independent of the enforcement policy settings for disk quotas. As a result, you can direct the system to log an event, regardless of whether or not you choose to enforce the disk quota limit. Also, this policy setting does not affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they have reached their limit, because their status in the Quota Entries window changes.
+
+To find the logging option, in My Computer, right-click the name of an NTFS file system volume, click Properties, and then click the Quota tab.
+
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Log event when quota limit is exceeded*
+- GP name: *DQ_LogEventOverLimit*
+- GP path: *System\Disk Quotas*
+- GP ADMX file name: *DiskQuota.admx*
+
+
+
+
+
+
+
+**ADMX_DiskQuota/DQ_LogEventOverThreshold**
+
+
+
+ | Edition |
+ Windows 10 |
+ Windows 11 |
+
+
+ | Home |
+ No |
+ No |
+
+
+ | Pro |
+ No |
+ No |
+
+
+ | Business |
+ No |
+ No |
+
+
+ | Enterprise |
+ Yes |
+ Yes |
+
+
+ | Education |
+ Yes |
+ Yes |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting determines whether the system records an event in the Application log when users reach their disk quota warning level on a volume.
+
+If you enable this policy setting, the system records an event.
+
+If you disable this policy setting, no event is recorded. When you enable or disable this policy setting, the system disables the corresponding "Log event when a user exceeds their warning level" option on the Quota tab so that administrators cannot change logging while a policy setting is in effect.
+
+If you do not configure this policy setting, no event is recorded, but administrators can use the Quota tab option to change the logging setting. This policy setting does not affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they have reached their warning level because their status in the Quota Entries window changes.
+
+To find the logging option, in My Computer, right-click the name of an NTFS file system volume, click Properties, and then click the Quota tab.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Log event when quota warning level is exceeded*
+- GP name: *DQ_LogEventOverThreshold*
+- GP path: *System\Disk Quotas*
+- GP ADMX file name: *DiskQuota.admx*
+
+
+
+
+
+
+
+
+**ADMX_DiskQuota/DQ_Limit**
+
+
+
+ | Edition |
+ Windows 10 |
+ Windows 11 |
+
+
+ | Home |
+ No |
+ No |
+
+
+ | Pro |
+ No |
+ No |
+
+
+ | Business |
+ No |
+ No |
+
+
+ | Enterprise |
+ Yes |
+ Yes |
+
+
+ | Education |
+ Yes |
+ Yes |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting specifies the default disk quota limit and warning level for new users of the volume.
+This policy setting determines how much disk space can be used by each user on each of the NTFS file system volumes on a computer. It also specifies the warning level, the point at which the user's status in the Quota Entries window changes to indicate that the user is approaching the disk quota limit.
+
+This setting overrides new users’ settings for the disk quota limit and warning level on their volumes, and it disables the corresponding options in the "Select the default quota limit for new users of this volume" section on the Quota tab.
+This policy setting applies to all new users as soon as they write to the volume. It does not affect disk quota limits for current users, or affect customized limits and warning levels set for particular users (on the Quota tab in Volume Properties).
+
+If you disable or do not configure this policy setting, the disk space available to users is not limited. The disk quota management feature uses the physical space on each volume as its quota limit and warning level. When you select a limit, remember that the same limit applies to all users on all volumes, regardless of actual volume size. Be sure to set the limit and warning level so that it is reasonable for the range of volumes in the group.
+
+This policy setting is effective only when disk quota management is enabled on the volume. Also, if disk quotas are not enforced, users can exceed the quota limit you set. When users reach the quota limit, their status in the Quota Entries window changes, but users can continue to write to the volume.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Specify default quota limit and warning level*
+- GP name: *DQ_Limit*
+- GP path: *System\Disk Quotas*
+- GP ADMX file name: *DiskQuota.admx*
+
+
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-iscsi.md b/windows/client-management/mdm/policy-csp-admx-iscsi.md
new file mode 100644
index 0000000000..f26e77cac0
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-iscsi.md
@@ -0,0 +1,249 @@
+---
+title: Policy CSP - ADMX_iSCSI
+description: Policy CSP - ADMX_iSCSI
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 12/17/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_iSCSI
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+
+
+## ADMX_iSCSI policies
+
+
+ -
+ ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins
+
+ -
+ ADMX_iSCSI/iSCSIGeneral_ChangeIQNName
+
+ -
+ ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret
+
+
+
+
+
+
+
+**ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins**
+
+
+
+
+ | Edition |
+ Windows 10 |
+ Windows 11 |
+
+
+ | Home |
+ No |
+ No |
+
+
+ | Pro |
+ No |
+ No |
+
+
+ | Business |
+ No |
+ No |
+
+
+ | Enterprise |
+ Yes |
+ Yes |
+
+
+ | Education |
+ Yes |
+ Yes |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+If enabled then new iSNS servers may not be added and thus new targets discovered via those iSNS servers; existing iSNS servers may not be removed.
+
+If disabled then new iSNS servers may be added and thus new targets discovered via those iSNS servers; existing iSNS servers may be removed.
+
+
+
+
+
+ADMX Info:
+- GP English name: *Do not allow manual configuration of iSNS servers*
+- GP name: *iSCSIGeneral_RestrictAdditionalLogins*
+- GP path: *System\iSCSI\iSCSI Target Discovery*
+- GP ADMX file name: *iSCSI.admx*
+
+
+
+
+
+
+**ADMX_iSCSI/iSCSIGeneral_ChangeIQNName**
+
+
+
+
+ | Edition |
+ Windows 10 |
+ Windows 11 |
+
+
+ | Home |
+ No |
+ No |
+
+
+ | Pro |
+ No |
+ No |
+
+
+ | Business |
+ No |
+ No |
+
+
+ | Enterprise |
+ Yes |
+ Yes |
+
+
+ | Education |
+ Yes |
+ Yes |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+If enabled then new target portals may not be added and thus new targets discovered on those portals; existing target portals may not be removed.
+
+If disabled then new target portals may be added and thus new targets discovered on those portals; existing target portals may be removed.
+
+
+
+
+ADMX Info:
+- GP English name: *Do not allow manual configuration of target portals*
+- GP name: *iSCSIGeneral_ChangeIQNName*
+- GP path: *System\iSCSI\iSCSI Target Discovery*
+- GP ADMX file name: *iSCSI.admx*
+
+
+
+
+
+
+**ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret**
+
+
+
+
+ | Edition |
+ Windows 10 |
+ Windows 11 |
+
+
+ | Home |
+ No |
+ No |
+
+
+ | Pro |
+ No |
+ No |
+
+
+ | Business |
+ No |
+ No |
+
+
+ | Enterprise |
+ Yes |
+ Yes |
+
+
+ | Education |
+ Yes |
+ Yes |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+If enabled then do not allow the initiator CHAP secret to be changed.
+
+If disabled then the initiator CHAP secret may be changed.
+
+
+
+
+
+ADMX Info:
+- GP English name: *Do not allow changes to initiator CHAP secret*
+- GP name: *iSCSISecurity_ChangeCHAPSecret*
+- GP path: *System\iSCSI\iSCSI Security*
+- GP ADMX file name: *iSCSI.admx*
+
+
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml
index fc3d64ad92..6ea77fa9dc 100644
--- a/windows/client-management/mdm/toc.yml
+++ b/windows/client-management/mdm/toc.yml
@@ -456,7 +456,9 @@ items:
- name: ADMX_DigitalLocker
href: policy-csp-admx-digitallocker.md
- name: ADMX_DiskNVCache
- href: policy-csp-admx-disknvcache.md
+ href: policy-csp-admx-disknvcache.md
+ - name: ADMX_DiskQuota
+ href: policy-csp-admx-diskquota.md
- name: ADMX_DistributedLinkTracking
href: policy-csp-admx-distributedlinktracking.md
- name: ADMX_DnsClient
@@ -508,7 +510,9 @@ items:
- name: ADMX_ICM
href: policy-csp-admx-icm.md
- name: ADMX_IIS
- href: policy-csp-admx-iis.md
+ href: policy-csp-admx-iis.md
+ - name: ADMX_iSCSI
+ href: policy-csp-admx-iscsi.md
- name: ADMX_kdc
href: policy-csp-admx-kdc.md
- name: ADMX_Kerberos
From 3854ea2d0d67b6a26661a90690e0347869bc0211 Mon Sep 17 00:00:00 2001
From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com>
Date: Mon, 27 Sep 2021 08:52:02 +0530
Subject: [PATCH 13/32] Updated
---
.../mdm/policies-in-policy-csp-admx-backed.md | 2 +
.../policy-configuration-service-provider.md | 11 ++
.../mdm/policy-csp-admx-srmfci.md | 180 ++++++++++++++++++
windows/client-management/mdm/toc.yml | 2 +
4 files changed, 195 insertions(+)
create mode 100644 windows/client-management/mdm/policy-csp-admx-srmfci.md
diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
index c2fd311c26..940415d69f 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
@@ -997,6 +997,8 @@ ms.date: 10/08/2020
- [ADMX_Snmp/SNMP_Communities](./policy-csp-admx-snmp.md#admx-snmp-snmp-communities)
- [ADMX_Snmp/SNMP_PermittedManagers](./policy-csp-admx-snmp.md#admx-snmp-snmp-permittedmanagers)
- [ADMX_Snmp/SNMP_Traps_Public](./policy-csp-admx-snmp.md#admx-snmp-snmp-traps-public)
+- [ADMX_srmfci/EnableShellAccessCheck](./policy-csp-admx-srmfci.md#admx-srmfci-enableshellaccesscheck)
+- [ADMX_srmfci/AccessDeniedConfiguration](./policy-csp-admx-srmfci.md#admx-srmfci-accessdeniedconfiguration)
- [ADMX_StartMenu/AddSearchInternetLinkInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-addsearchinternetlinkinstartmenu)
- [ADMX_StartMenu/ClearRecentDocsOnExit](./policy-csp-admx-startmenu.md#admx-startmenu-clearrecentdocsonexit)
- [ADMX_StartMenu/ClearRecentProgForNewUserInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-clearrecentprogfornewuserinstartmenu)
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index a1717215e9..b445646a02 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -3582,6 +3582,17 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_srmfci policies
+
+
+ -
+ ADMX_srmfci/EnableShellAccessCheck
+
+ -
+ ADMX_srmfci/AccessDeniedConfiguration
+
+
+
### ADMX_StartMenu policies
diff --git a/windows/client-management/mdm/policy-csp-admx-srmfci.md b/windows/client-management/mdm/policy-csp-admx-srmfci.md
new file mode 100644
index 0000000000..ade211ea40
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-srmfci.md
@@ -0,0 +1,180 @@
+---
+title: Policy CSP - ADMX_srmfci
+description: Policy CSP - ADMX_srmfci
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 09/18/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_srmfci
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+
+
+## ADMX_srmfci policies
+
+
+ -
+ ADMX_srmfci/EnableShellAccessCheck
+
+ -
+ ADMX_srmfci/AccessDeniedConfiguration
+
+
+
+
+
+
+
+**ADMX_srmfci/EnableShellAccessCheck**
+
+
+
+
+ | Edition |
+ Windows 10 |
+ Windows 11 |
+
+
+ | Home |
+ No |
+ No |
+
+
+ | Pro |
+ No |
+ No |
+
+
+ | Business |
+ No |
+ No |
+
+
+ | Enterprise |
+ Yes |
+ Yes |
+
+
+ | Education |
+ Yes |
+ Yes |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This Group Policy Setting should be set on Windows clients to enable access-denied assistance for all file types.
+
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Enable access-denied assistance on client for all file types*
+- GP name: *EnableShellAccessCheck*
+- GP path: *System\Access-Denied Assistance*
+- GP ADMX file name: *srmfci.admx*
+
+
+
+
+
+
+**ADMX_srmfci/AccessDeniedConfiguration**
+
+
+
+
+ | Edition |
+ Windows 10 |
+ Windows 11 |
+
+
+ | Home |
+ No |
+ No |
+
+
+ | Pro |
+ No |
+ No |
+
+
+ | Business |
+ No |
+ No |
+
+
+ | Enterprise |
+ Yes |
+ Yes |
+
+
+ | Education |
+ Yes |
+ Yes |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting specifies the message that users see when they are denied access to a file or folder. You can customize the Access Denied message to include additional text and links. You can also provide users with the ability to send an email to request access to the file or folder to which they were denied access.
+
+If you enable this policy setting, users receive a customized Access Denied message from the file servers on which this policy setting is applied.
+
+If you disable this policy setting, users see a standard Access Denied message that doesn't provide any of the functionality controlled by this policy setting, regardless of the file server configuration.
+
+If you do not configure this policy setting, users see a standard Access Denied message unless the file server is configured to display the customized Access Denied message. By default, users see the standard Access Denied message.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Customize message for Access Denied errors*
+- GP name: *AccessDeniedConfiguration*
+- GP path: *System\Access-Denied Assistance*
+- GP ADMX file name: *srmfci.admx*
+
+
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml
index 6ea77fa9dc..1e054a04b7 100644
--- a/windows/client-management/mdm/toc.yml
+++ b/windows/client-management/mdm/toc.yml
@@ -599,6 +599,8 @@ items:
href: policy-csp-admx-smartcard.md
- name: ADMX_Snmp
href: policy-csp-admx-snmp.md
+ - name: ADMX_srmfci
+ href: policy-csp-admx-srmfci.md
- name: ADMX_StartMenu
href: policy-csp-admx-startmenu.md
- name: ADMX_SystemRestore
From 801f87d0c91a0ebce677f1c352e1f84581043600 Mon Sep 17 00:00:00 2001
From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com>
Date: Mon, 27 Sep 2021 10:27:29 +0530
Subject: [PATCH 14/32] Updated
---
.../mdm/policies-in-policy-csp-admx-backed.md | 4 +
.../policy-configuration-service-provider.md | 22 ++
.../mdm/policy-csp-admx-tabletshell.md | 186 +++++++++++++++++
.../mdm/policy-csp-admx-terminalserver.md | 192 ++++++++++++++++++
windows/client-management/mdm/toc.yml | 4 +
5 files changed, 408 insertions(+)
create mode 100644 windows/client-management/mdm/policy-csp-admx-tabletshell.md
create mode 100644 windows/client-management/mdm/policy-csp-admx-terminalserver.md
diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
index 940415d69f..d8399c2efd 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
@@ -1067,6 +1067,8 @@ ms.date: 10/08/2020
- [ADMX_StartMenu/StartMenuLogOff](./policy-csp-admx-startmenu.md#admx-startmenu-startmenulogoff)
- [ADMX_StartMenu/StartPinAppsWhenInstalled](./policy-csp-admx-startmenu.md#admx-startmenu-startpinappswheninstalled)
- [ADMX_SystemRestore/SR_DisableConfig](./policy-csp-admx-systemrestore.md#admx-systemrestore-sr-disableconfig)
+- [ADMX_TabletShell/DisableInkball_1](./policy-csp-admx-tabletshell.md#admx-tabletshell-disableinkball_1)
+- [ADMX_TabletShell/DisableNoteWriterPrinting_1](./policy-csp-admx-tabletshell.md#admx-tabletshell-disablenotewriterprinting_1)
- [ADMX_Taskbar/DisableNotificationCenter](./policy-csp-admx-taskbar.md#admx-taskbar-disablenotificationcenter)
- [ADMX_Taskbar/EnableLegacyBalloonNotifications](./policy-csp-admx-taskbar.md#admx-taskbar-enablelegacyballoonnotifications)
- [ADMX_Taskbar/HideSCAHealth](./policy-csp-admx-taskbar.md#admx-taskbar-hidescahealth)
@@ -1102,6 +1104,8 @@ ms.date: 10/08/2020
- [ADMX_tcpip/Teredo_Server_Name](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-server-name)
- [ADMX_tcpip/Teredo_State](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-state)
- [ADMX_tcpip/Windows_Scaling_Heuristics_State](./policy-csp-admx-tcpip.md#admx-tcpip-windows-scaling-heuristics-state)
+- [ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_enable)
+- [ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_auth_method)
- [ADMX_Thumbnails/DisableThumbnails](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnails)
- [ADMX_Thumbnails/DisableThumbnailsOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnailsonnetworkfolders)
- [ADMX_Thumbnails/DisableThumbsDBOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbsdbonnetworkfolders)
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index b445646a02..8ae9173a0f 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -3807,6 +3807,17 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_TabletShell policies
+
+
+ -
+ ADMX_TabletShell/DisableInkball_1
+
+ -
+ ADMX_TabletShell/DisableNoteWriterPrinting_1
+
+
+
### ADMX_Taskbar policies
@@ -3922,6 +3933,17 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_TerminalServer policies
+
+
+ -
+ ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE
+
+ -
+ ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD/a>
+
+
+
### ADMX_Thumbnails policies
diff --git a/windows/client-management/mdm/policy-csp-admx-tabletshell.md b/windows/client-management/mdm/policy-csp-admx-tabletshell.md
new file mode 100644
index 0000000000..53648b8f57
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-tabletshell.md
@@ -0,0 +1,186 @@
+---
+title: Policy CSP - ADMX_TabletShell
+description: Policy CSP - ADMX_TabletShell
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 09/23/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_TabletShell
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+
+
+## ADMX_TabletShell policies
+
+
+ -
+ ADMX_TabletShell/DisableInkball_1
+
+ -
+ ADMX_TabletShell/DisableNoteWriterPrinting_1
+
+
+
+
+
+
+
+**ADMX_TabletShell/DisableInkball_1**
+
+
+
+
+ | Edition |
+ Windows 10 |
+ Windows 11 |
+
+
+ | Home |
+ No |
+ No |
+
+
+ | Pro |
+ No |
+ No |
+
+
+ | Business |
+ No |
+ No |
+
+
+ | Enterprise |
+ Yes |
+ Yes |
+
+
+ | Education |
+ Yes |
+ Yes |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Prevents start of InkBall game.
+
+If you enable this policy, the InkBall game will not run.
+
+If you disable this policy, the InkBall game will run. If you do not configure this policy, the InkBall game will run.
+
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Do not allow Inkball to run*
+- GP name: *DisableInkball_1*
+- GP path: *Windows Components\Tablet PC\Accessories*
+- GP ADMX file name: *TabletShell.admx*
+
+
+
+
+
+
+
+**ADMX_TabletShell/DisableNoteWriterPrinting_1**
+
+
+
+
+ | Edition |
+ Windows 10 |
+ Windows 11 |
+
+
+ | Home |
+ No |
+ No |
+
+
+ | Pro |
+ No |
+ No |
+
+
+ | Business |
+ No |
+ No |
+
+
+ | Enterprise |
+ Yes |
+ Yes |
+
+
+ | Education |
+ Yes |
+ Yes |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Prevents printing to Journal Note Writer.
+
+If you enable this policy, the Journal Note Writer printer driver will not allow printing to it. It will remain displayed in the list of available printers, but attempts to print to it will fail.
+
+If you disable this policy, you will be able to use this feature to print to a Journal Note. If you do not configure this policy, users will be able to use this feature to print to a Journal Note.
+
+
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Do not allow printing to Journal Note Writer*
+- GP name: *DisableNoteWriterPrinting_1*
+- GP path: *Windows Components\Tablet PC\Accessories*
+- GP ADMX file name: *TabletShell.admx*
+
+
+
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md
new file mode 100644
index 0000000000..ed42ebde3f
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md
@@ -0,0 +1,192 @@
+---
+title: Policy CSP - ADMX_TerminalServer
+description: Policy CSP - ADMX_TerminalServer
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 09/23/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_TerminalServer
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+
+
+## ADMX_TerminalServer policies
+
+
+ -
+ ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE
+
+ -
+ ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD
+
+
+
+
+
+
+
+**ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE**
+
+
+
+
+ | Edition |
+ Windows 10 |
+ Windows 11 |
+
+
+ | Home |
+ No |
+ No |
+
+
+ | Pro |
+ No |
+ No |
+
+
+ | Business |
+ No |
+ No |
+
+
+ | Enterprise |
+ Yes |
+ Yes |
+
+
+ | Education |
+ Yes |
+ Yes |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting allows you to specify whether the client computer redirects its time zone settings to the Remote Desktop Services session.
+
+If you enable this policy setting, clients that are capable of time zone redirection send their time zone information to the server. The server base time is then used to calculate the current session time (current session time = server base time + client time zone).
+
+If you disable or do not configure this policy setting, the client computer does not redirect its time zone information and the session time zone is the same as the server time zone.
+
+Time zone redirection is possible only when connecting to at least a Microsoft Windows Server 2003 terminal server with a client using RDP 5.1 or later.
+
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Allow time zone redirection*
+- GP name: *TS_GATEWAY_POLICY_ENABLE*
+- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection*
+- GP ADMX file name: *TerminalServer.admx*
+
+
+
+
+
+
+
+**ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD**
+
+
+
+
+ | Edition |
+ Windows 10 |
+ Windows 11 |
+
+
+ | Home |
+ No |
+ No |
+
+
+ | Pro |
+ No |
+ No |
+
+
+ | Business |
+ No |
+ No |
+
+
+ | Enterprise |
+ Yes |
+ Yes |
+
+
+ | Education |
+ Yes |
+ Yes |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+This policy setting specifies whether to prevent the sharing of Clipboard contents (Clipboard redirection) between a remote computer and a client computer during a Remote Desktop Services session.
+
+You can use this setting to prevent users from redirecting Clipboard data to and from the remote computer and the local computer. By default, Remote Desktop Services allows Clipboard redirection.
+
+If you enable this policy setting, users cannot redirect Clipboard data.
+
+If you disable this policy setting, Remote Desktop Services always allows Clipboard redirection.
+
+If you do not configure this policy setting, Clipboard redirection is not specified at the Group Policy level.
+
+
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Do not allow Clipboard redirection*
+- GP name: *TS_GATEWAY_POLICY_AUTH_METHOD*
+- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection*
+- GP ADMX file name: *TerminalServer.admx*
+
+
+
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml
index 1e054a04b7..497927b006 100644
--- a/windows/client-management/mdm/toc.yml
+++ b/windows/client-management/mdm/toc.yml
@@ -605,10 +605,14 @@ items:
href: policy-csp-admx-startmenu.md
- name: ADMX_SystemRestore
href: policy-csp-admx-systemrestore.md
+ - name: ADMX_TabletShell
+ href: policy-csp-admx-tabletshell.md
- name: ADMX_Taskbar
href: policy-csp-admx-taskbar.md
- name: ADMX_tcpip
href: policy-csp-admx-tcpip.md
+ - name: ADMX_TerminalServer
+ href: policy-csp-admx-terminalserver.md
- name: ADMX_Thumbnails
href: policy-csp-admx-thumbnails.md
- name: ADMX_TPM
From c5d15d05dc96cd7dc3117b4f7dd7545f480796ed Mon Sep 17 00:00:00 2001
From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com>
Date: Mon, 27 Sep 2021 10:32:22 +0530
Subject: [PATCH 15/32] Update policy-csp-admx-diskquota.md
---
windows/client-management/mdm/policy-csp-admx-diskquota.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/client-management/mdm/policy-csp-admx-diskquota.md b/windows/client-management/mdm/policy-csp-admx-diskquota.md
index 928b7fe4ff..83390e65e6 100644
--- a/windows/client-management/mdm/policy-csp-admx-diskquota.md
+++ b/windows/client-management/mdm/policy-csp-admx-diskquota.md
@@ -101,7 +101,7 @@ manager: dansimp
-This policy setting extends the disk quota policies in this folder to NTFS file system volumes on removable media.
+This policy setting extends the disk quota policies in this folder to NTFS file system volumes on the removable media.
If you disable or do not configure this policy setting, the disk quota policies established in this folder apply to fixed-media NTFS volumes only.
@@ -252,7 +252,7 @@ This policy setting determines whether disk quota limits are enforced and preven
If you enable this policy setting, disk quota limits are enforced.
-If you disable this policy setting, disk quota limits are not enforced. When you enable or disable this policy setting, the system disables the "Deny disk space to users exceeding quota limit" option on the Quota tab so administrators cannot make changes while the setting is in effect.
+If you disable this policy setting, disk quota limits are not enforced. When you enable or disable this policy setting, the system disables the "Deny disk space to users exceeding quota limit" option on the Quota tab. Therefore, the administrators cannot make changes while the setting is in effect.
If you do not configure this policy setting, the disk quota limit is not enforced by default, but administrators can change the setting. Enforcement is optional. When users reach an enforced disk quota limit, the system responds as though the physical space on the volume were exhausted. When users reach an unenforced limit, their status in the Quota Entries window changes, but they can continue to write to the volume as long as physical space is available.
From 107f7928a3f2f2c120997e193dd204354e4a5d50 Mon Sep 17 00:00:00 2001
From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com>
Date: Mon, 27 Sep 2021 11:00:57 +0530
Subject: [PATCH 16/32] Update policy-csp-admx-diskquota.md
---
windows/client-management/mdm/policy-csp-admx-diskquota.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/client-management/mdm/policy-csp-admx-diskquota.md b/windows/client-management/mdm/policy-csp-admx-diskquota.md
index 83390e65e6..7310f62ec1 100644
--- a/windows/client-management/mdm/policy-csp-admx-diskquota.md
+++ b/windows/client-management/mdm/policy-csp-admx-diskquota.md
@@ -174,7 +174,7 @@ This policy setting turns on and turns off disk quota management on all NTFS vol
If you enable this policy setting, disk quota management is turned on, and users cannot turn it off.
-If you disable the policy setting, disk quota management is turned off, and users cannot turn it on. If this policy setting is not configured, disk quota management is turned off by default, but administrators can turn it on.
+If you disable the policy setting, disk quota management is turned off, and users cannot turn it on. This policy setting is not configured, disk quota management is turned off by default, but administrators can turn it on.
To prevent users from changing the setting while a setting is in effect, the system disables the "Enable quota management" option on the Quota tab of NTFS volumes.
@@ -252,7 +252,7 @@ This policy setting determines whether disk quota limits are enforced and preven
If you enable this policy setting, disk quota limits are enforced.
-If you disable this policy setting, disk quota limits are not enforced. When you enable or disable this policy setting, the system disables the "Deny disk space to users exceeding quota limit" option on the Quota tab. Therefore, the administrators cannot make changes while the setting is in effect.
+If you disable this policy setting, disk quota limits are not enforced. When you enable or disable this policy setting, the system disables the "Deny disk space to users exceed quota limit" option on the Quota tab. Therefore, the administrators cannot make changes while the setting is in effect.
If you do not configure this policy setting, the disk quota limit is not enforced by default, but administrators can change the setting. Enforcement is optional. When users reach an enforced disk quota limit, the system responds as though the physical space on the volume were exhausted. When users reach an unenforced limit, their status in the Quota Entries window changes, but they can continue to write to the volume as long as physical space is available.
From 3bead0be5f79b8dcae6b987ba70cd426cd5be428 Mon Sep 17 00:00:00 2001
From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com>
Date: Mon, 27 Sep 2021 11:08:16 +0530
Subject: [PATCH 17/32] Update policy-csp-admx-diskquota.md
---
windows/client-management/mdm/policy-csp-admx-diskquota.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/client-management/mdm/policy-csp-admx-diskquota.md b/windows/client-management/mdm/policy-csp-admx-diskquota.md
index 7310f62ec1..16ccbf1dce 100644
--- a/windows/client-management/mdm/policy-csp-admx-diskquota.md
+++ b/windows/client-management/mdm/policy-csp-admx-diskquota.md
@@ -174,7 +174,7 @@ This policy setting turns on and turns off disk quota management on all NTFS vol
If you enable this policy setting, disk quota management is turned on, and users cannot turn it off.
-If you disable the policy setting, disk quota management is turned off, and users cannot turn it on. This policy setting is not configured, disk quota management is turned off by default, but administrators can turn it on.
+If you disable the policy setting, disk quota management is turned off, and users cannot turn it on. When this policy setting is not configured then the disk quota management is turned off by default, and the administrators can turn it on.
To prevent users from changing the setting while a setting is in effect, the system disables the "Enable quota management" option on the Quota tab of NTFS volumes.
@@ -254,7 +254,7 @@ If you enable this policy setting, disk quota limits are enforced.
If you disable this policy setting, disk quota limits are not enforced. When you enable or disable this policy setting, the system disables the "Deny disk space to users exceed quota limit" option on the Quota tab. Therefore, the administrators cannot make changes while the setting is in effect.
-If you do not configure this policy setting, the disk quota limit is not enforced by default, but administrators can change the setting. Enforcement is optional. When users reach an enforced disk quota limit, the system responds as though the physical space on the volume were exhausted. When users reach an unenforced limit, their status in the Quota Entries window changes, but they can continue to write to the volume as long as physical space is available.
+If you do not configure this policy setting, the disk quota limit is not enforced by default, but administrators can change the setting. Enforcement is optional. When users reach an enforced disk quota limit, the system responds as though the physical space on the volume were exhausted. When users reach an unenforced limit, their status in the Quota Entries window changes. However, the users can continue to write to the volume as long as physical space is available.
This policy setting overrides user settings that enable or disable quota enforcement on their volumes.
From a06af9cf5d81ba43636d7c94fcb2b808f28c99e1 Mon Sep 17 00:00:00 2001
From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com>
Date: Mon, 27 Sep 2021 14:38:30 +0530
Subject: [PATCH 18/32] Update policies-in-policy-csp-admx-backed.md
---
.../mdm/policies-in-policy-csp-admx-backed.md | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
index d8399c2efd..d2fdaa80a3 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
@@ -167,10 +167,10 @@ ms.date: 10/08/2020
- [ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration](./policy-csp-admx-devicesetup.md#admx-devicesetup-driversearchplaces-searchorderconfiguration)
- [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-1)
- [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-2)
-- [ADMX_DiskNVCache/BootResumePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-dlt_bootresumepolicy)
-- [ADMX_DiskNVCache/CachePowerModePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-dlt_cachepowermodepolicy)
-- [ADMX_DiskNVCache/FeatureOffPolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-dlt_featureoffpolicy)
-- [ADMX_DiskNVCache/SolidStatePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-dlt_solidstatepolicy)
+- [ADMX_DiskNVCache/BootResumePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-bootresumepolicy)
+- [ADMX_DiskNVCache/CachePowerModePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-cachepowermodepolicy)
+- [ADMX_DiskNVCache/FeatureOffPolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-featureoffpolicy)
+- [ADMX_DiskNVCache/SolidStatePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-solidstatepolicy)
- [ADMX_DiskQuota/DQ_RemovableMedia](./policy-csp-admx-diskquota.md#admx-diskquota-dq_removablemedia)
- [ADMX_DiskQuota/DQ_Enable](./policy-csp-admx-diskquota.md#admx-diskquota-dq_enable)
- [ADMX_DiskQuota/DQ_Enforce](./policy-csp-admx-diskquota.md#admx-diskquota-dq_enforce)
From 38c328ae8e9b521604624093467a41c866acfd67 Mon Sep 17 00:00:00 2001
From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com>
Date: Mon, 27 Sep 2021 15:00:53 +0530
Subject: [PATCH 19/32] Updated
---
.../policy-configuration-service-provider.md | 2 +-
.../mdm/policy-csp-admx-disknvcache.md | 76 ++++++++++++++++++-
2 files changed, 76 insertions(+), 2 deletions(-)
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 8ae9173a0f..2f93d5a6f7 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -759,7 +759,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
-
ADMX_DiskNVCache/FeatureOffPolicy
- -
+
- 1
ADMX_DiskNVCache/SolidStatePolicy
diff --git a/windows/client-management/mdm/policy-csp-admx-disknvcache.md b/windows/client-management/mdm/policy-csp-admx-disknvcache.md
index 7a22bcb596..faa88f82d6 100644
--- a/windows/client-management/mdm/policy-csp-admx-disknvcache.md
+++ b/windows/client-management/mdm/policy-csp-admx-disknvcache.md
@@ -119,7 +119,7 @@ ADMX Info:
-**ADMX_DiskNVCache/FeatureOffPolicy**
+**ADMX_DiskNVCache/CachePowerModePolicy**
@@ -176,6 +176,78 @@ If you disable this policy setting, the system will manage the NV cache on the d
This policy setting will take effect on next boot. If you do not configure this policy setting, the default behavior is to turn on support for the NV cache.
+
+
+
+ADMX Info:
+- GP Friendly name: *Turn off non-volatile cache feature*
+- GP name: *FeatureOffPolicy*
+- GP path: *System\Disk NV Cache*
+- GP ADMX file name: *DiskNVCache.admx*
+
+
+
+
+**ADMX_DiskNVCache/FeatureOffPolicy**
+
+
+
+ | Edition |
+ Windows 10 |
+ Windows 11 |
+
+
+ | Home |
+ No |
+ No |
+
+
+ | Pro |
+ No |
+ No |
+
+
+ | Business |
+ No |
+ No |
+
+
+ | Enterprise |
+ Yes |
+ Yes |
+
+
+ | Education |
+ Yes |
+ Yes |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting turns off all support for the non-volatile (NV) cache on all hybrid hard disks in the system.
+
+To check if you have hybrid hard disks in the system, from Device Manager, right-click the disk drive and select Properties. The NV cache can be used to optimize boot and resume by reading data from the cache while the disks are spinning up. The NV cache can also be used to reduce the power consumption of the system by keeping the disks spun down while satisfying reads and writes from the cache.
+
+If you enable this policy setting, the system will not manage the NV cache and will not enable NV cache power saving mode.
+
+If you disable this policy setting, the system will manage the NV cache on the disks if the other policy settings for the NV cache are appropriately configured.
+
+This policy setting will take effect on next boot. If you do not configure this policy setting, the default behavior is to turn on support for the NV cache.
+
+
+
@@ -260,6 +332,8 @@ ADMX Info:
+
+
From 26c17be5993873ac7ff107b7f7ff9f1e0544acdc Mon Sep 17 00:00:00 2001
From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com>
Date: Mon, 27 Sep 2021 15:06:10 +0530
Subject: [PATCH 20/32] Updated
---
.../mdm/policies-in-policy-csp-admx-backed.md | 1 -
.../policy-configuration-service-provider.md | 3 -
.../mdm/policy-csp-admx-disknvcache.md | 73 -------------------
3 files changed, 77 deletions(-)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
index d2fdaa80a3..4817994eaa 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
@@ -168,7 +168,6 @@ ms.date: 10/08/2020
- [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-1)
- [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-2)
- [ADMX_DiskNVCache/BootResumePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-bootresumepolicy)
-- [ADMX_DiskNVCache/CachePowerModePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-cachepowermodepolicy)
- [ADMX_DiskNVCache/FeatureOffPolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-featureoffpolicy)
- [ADMX_DiskNVCache/SolidStatePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-solidstatepolicy)
- [ADMX_DiskQuota/DQ_RemovableMedia](./policy-csp-admx-diskquota.md#admx-diskquota-dq_removablemedia)
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 2f93d5a6f7..37eb3df14f 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -753,9 +753,6 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
-
ADMX_DiskNVCache/BootResumePolicy
- -
- ADMX_DiskNVCache/CachePowerModePolicy
-
-
ADMX_DiskNVCache/FeatureOffPolicy
diff --git a/windows/client-management/mdm/policy-csp-admx-disknvcache.md b/windows/client-management/mdm/policy-csp-admx-disknvcache.md
index faa88f82d6..2c19a0ace8 100644
--- a/windows/client-management/mdm/policy-csp-admx-disknvcache.md
+++ b/windows/client-management/mdm/policy-csp-admx-disknvcache.md
@@ -31,9 +31,6 @@ manager: dansimp
-
ADMX_DiskNVCache/BootResumePolicy
- -
- ADMX_DiskNVCache/CachePowerModePolicy
-
-
ADMX_DiskNVCache/FeatureOffPolicy
@@ -118,76 +115,6 @@ ADMX Info:
-
-**ADMX_DiskNVCache/CachePowerModePolicy**
-
-
-
- | Edition |
- Windows 10 |
- Windows 11 |
-
-
- | Home |
- No |
- No |
-
-
- | Pro |
- No |
- No |
-
-
- | Business |
- No |
- No |
-
-
- | Enterprise |
- Yes |
- Yes |
-
-
- | Education |
- Yes |
- Yes |
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy setting turns off all support for the non-volatile (NV) cache on all hybrid hard disks in the system.
-To check if you have hybrid hard disks in the system, from Device Manager, right-click the disk drive and select Properties. The NV cache can be used to optimize boot and resume by reading data from the cache while the disks are spinning up. The NV cache can also be used to reduce the power consumption of the system by keeping the disks spun down while satisfying reads and writes from the cache.
-
- If you enable this policy setting, the system will not manage the NV cache and will not enable NV cache power saving mode.
-
-If you disable this policy setting, the system will manage the NV cache on the disks if the other policy settings for the NV cache are appropriately configured.
-
-This policy setting will take effect on next boot. If you do not configure this policy setting, the default behavior is to turn on support for the NV cache.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Turn off non-volatile cache feature*
-- GP name: *FeatureOffPolicy*
-- GP path: *System\Disk NV Cache*
-- GP ADMX file name: *DiskNVCache.admx*
-
-
-
-
**ADMX_DiskNVCache/FeatureOffPolicy**
From 279f4a52425727e8414ed832c163ca36f05d82d6 Mon Sep 17 00:00:00 2001
From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com>
Date: Tue, 28 Sep 2021 14:12:33 +0530
Subject: [PATCH 21/32] Updated
---
.../mdm/policy-csp-admx-appxpackagemanager.md | 22 ++-
.../mdm/policy-csp-admx-appxruntime.md | 52 ++----
.../mdm/policy-csp-admx-attachmentmanager.md | 61 ++-----
.../mdm/policy-csp-admx-auditsettings.md | 23 ++-
.../mdm/policy-csp-admx-bits.md | 163 +++++-------------
5 files changed, 98 insertions(+), 223 deletions(-)
diff --git a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md
index 0b8b0533a4..4e924cb2a7 100644
--- a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md
+++ b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md
@@ -13,8 +13,13 @@ manager: dansimp
---
# Policy CSP - ADMX_AppxPackageManager
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+ > [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -62,8 +67,8 @@ manager: dansimp
| Education |
- No |
- No |
+ Yes |
+ Yes |
@@ -94,12 +99,7 @@ If you enable this policy setting, Group Policy allows deployment operations (ad
If you disable or do not configure this policy setting, Group Policy blocks deployment operations of Windows Store apps when using a special profile.
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
@@ -112,7 +112,5 @@ ADMX Info:
-> [!NOTE]
-> These policies are currently only available as part of a Windows Insider release.
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-appxruntime.md b/windows/client-management/mdm/policy-csp-admx-appxruntime.md
index aaec3dafb9..74860dbb38 100644
--- a/windows/client-management/mdm/policy-csp-admx-appxruntime.md
+++ b/windows/client-management/mdm/policy-csp-admx-appxruntime.md
@@ -13,8 +13,13 @@ manager: dansimp
---
# Policy CSP - ADMX_AppXRuntime
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -71,8 +76,8 @@ manager: dansimp
| Education |
- No |
- No |
+ Yes |
+ Yes |
@@ -95,12 +100,7 @@ If you enable this policy setting, you can define additional Content URI Rules t
If you disable or don't set this policy setting, Windows Store apps will only use the static Content URI Rules.
-> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
ADMX Info:
@@ -145,8 +145,8 @@ ADMX Info: