deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-29 05:37:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into repo_sync_working_branch

Browse Source
This commit is contained in:
Diana Hanson 2021-10-01 11:07:18 -06:00 committed by GitHub
commit c2a466b747
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
74 changed files with 2586 additions and 569 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
View File

@ -167,6 +167,15 @@ ms.date: 10/08/2020
- [ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration](./policy-csp-admx-devicesetup.md#admx-devicesetup-driversearchplaces-searchorderconfiguration)
- [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-1)
- [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-2)
- [ADMX_DiskNVCache/BootResumePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-bootresumepolicy)
- [ADMX_DiskNVCache/FeatureOffPolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-featureoffpolicy)
- [ADMX_DiskNVCache/SolidStatePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-solidstatepolicy)
- [ADMX_DiskQuota/DQ_RemovableMedia](./policy-csp-admx-diskquota.md#admx-diskquota-dq_removablemedia)
- [ADMX_DiskQuota/DQ_Enable](./policy-csp-admx-diskquota.md#admx-diskquota-dq_enable)
- [ADMX_DiskQuota/DQ_Enforce](./policy-csp-admx-diskquota.md#admx-diskquota-dq_enforce)
- [ADMX_DiskQuota/DQ_LogEventOverLimit](./policy-csp-admx-diskquota.md#admx-diskquota-dq_logeventoverlimit)
- [ADMX_DiskQuota/DQ_LogEventOverThreshold](./policy-csp-admx-diskquota.md#admx-diskquota-dq_logeventoverthreshold)
- [ADMX_DiskQuota/DQ_Limit](./policy-csp-admx-diskquota.md#admx-diskquota-dq_limit)
- [ADMX_DistributedLinkTracking/DLT_AllowDomainMode](./policy-csp-admx-distributedlinktracking.md#admx-distributedlinktracking-dlt_allowdomainmode)
- [ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-allowfqdnnetbiosqueries)
- [ADMX_DnsClient/DNS_AppendToMultiLabelName](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-appendtomultilabelname)
@ -404,6 +413,9 @@ ms.date: 10/08/2020
- [ADMX_ICM/WinMSG_NoInstrumentation_1](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-1)
- [ADMX_ICM/WinMSG_NoInstrumentation_2](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-2)
- [ADMX_IIS/PreventIISInstall](./policy-csp-admx-iis.md#admx-iis-preventiisinstall)
- [ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins](./policy-csp-admx-iscsi.md#admx-iscsi-iscsigeneral_restrictadditionallogins)
- [ADMX_iSCSI/iSCSIGeneral_ChangeIQNName](./policy-csp-admx-iscsi.md#admx-iscsi-iscsigeneral_changeiqnname)
- [ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret](./policy-csp-admx-iscsi.md#admx-iscsi-iscsisecurity_changechapsecret)
- [ADMX_kdc/CbacAndArmor](./policy-csp-admx-kdc.md#admx-kdc-cbacandarmor)
- [ADMX_kdc/ForestSearch](./policy-csp-admx-kdc.md#admx-kdc-forestsearch)
- [ADMX_kdc/PKINITFreshness](./policy-csp-admx-kdc.md#admx-kdc-pkinitfreshness)
@ -990,8 +1002,6 @@ ms.date: 10/08/2020
- [ADMX_Snmp/SNMP_Communities](./policy-csp-admx-snmp.md#admx-snmp-snmp-communities)
- [ADMX_Snmp/SNMP_PermittedManagers](./policy-csp-admx-snmp.md#admx-snmp-snmp-permittedmanagers)
- [ADMX_Snmp/SNMP_Traps_Public](./policy-csp-admx-snmp.md#admx-snmp-snmp-traps-public)
- [ADMX_SoundRec/Soundrec_DiableApplication_TitleText_1](./policy-csp-admx-soundrec.md#admx-soundrec-soundrec_diableapplication_titletext_1)
- [ADMX_SoundRec/Soundrec_DiableApplication_TitleText_2](./policy-csp-admx-soundrec.md#admx-soundrec-soundrec_diableapplication_titletext_2)
- [ADMX_StartMenu/AddSearchInternetLinkInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-addsearchinternetlinkinstartmenu)
- [ADMX_StartMenu/ClearRecentDocsOnExit](./policy-csp-admx-startmenu.md#admx-startmenu-clearrecentdocsonexit)
- [ADMX_StartMenu/ClearRecentProgForNewUserInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-clearrecentprogfornewuserinstartmenu)
@ -1060,6 +1070,8 @@ ms.date: 10/08/2020
- [ADMX_StartMenu/StartMenuLogOff](./policy-csp-admx-startmenu.md#admx-startmenu-startmenulogoff)
- [ADMX_StartMenu/StartPinAppsWhenInstalled](./policy-csp-admx-startmenu.md#admx-startmenu-startpinappswheninstalled)
- [ADMX_SystemRestore/SR_DisableConfig](./policy-csp-admx-systemrestore.md#admx-systemrestore-sr-disableconfig)
- [ADMX_TabletShell/DisableInkball_1](./policy-csp-admx-tabletshell.md#admx-tabletshell-disableinkball_1)
- [ADMX_TabletShell/DisableNoteWriterPrinting_1](./policy-csp-admx-tabletshell.md#admx-tabletshell-disablenotewriterprinting_1)
- [ADMX_Taskbar/DisableNotificationCenter](./policy-csp-admx-taskbar.md#admx-taskbar-disablenotificationcenter)
- [ADMX_Taskbar/EnableLegacyBalloonNotifications](./policy-csp-admx-taskbar.md#admx-taskbar-enablelegacyballoonnotifications)
- [ADMX_Taskbar/HideSCAHealth](./policy-csp-admx-taskbar.md#admx-taskbar-hidescahealth)
@ -1095,6 +1107,8 @@ ms.date: 10/08/2020
- [ADMX_tcpip/Teredo_Server_Name](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-server-name)
- [ADMX_tcpip/Teredo_State](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-state)
- [ADMX_tcpip/Windows_Scaling_Heuristics_State](./policy-csp-admx-tcpip.md#admx-tcpip-windows-scaling-heuristics-state)
- [ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_enable)
- [ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_auth_method)
- [ADMX_Thumbnails/DisableThumbnails](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnails)
- [ADMX_Thumbnails/DisableThumbnailsOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnailsonnetworkfolders)
- [ADMX_Thumbnails/DisableThumbsDBOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbsdbonnetworkfolders)

88
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -747,6 +747,43 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd>
</dl>
### ADMX_DiskNVCache policies
<dl>
<dd>
<a href="./policy-csp-admx-disknvcache.md#admx-disknvcache-bootresumepolicy" id="admx-disknvcache-bootresumepolicy">ADMX_DiskNVCache/BootResumePolicy</a>
</dd>
<dd>
<a href="./policy-csp-admx-disknvcache.md#admx-disknvcache-featureoffpolicy" id="admx-disknvcache-featureoffpolicy">ADMX_DiskNVCache/FeatureOffPolicy</a>
</dd>
<dd>
<a href="./policy-csp-admx-disknvcache.md#admx-disknvcache-solidstatepolicy" id="admx-disknvcache-solidstatepolicy">ADMX_DiskNVCache/SolidStatePolicy</a>
</dd>
<dl>
### ADMX_DiskQuota policies
<dl>
<dd>
<a href="./policy-csp-admx-diskquota.md#admx-diskquota-dq_removablemedia" id="admx-diskquota-dq_removablemedia">ADMX_DiskQuota/DQ_RemovableMedia</a>
</dd>
<dd>
<a href="./policy-csp-admx-diskquota.md#admx-diskquota-dq_enable" id="admx-diskquota-dq_enable">ADMX_DiskQuota/DQ_Enable</a>
</dd>
<dd>
<a href="./policy-csp-admx-diskquota.md#admx-diskquota-dq_enforce" id="admx-diskquota-dq_enforce">ADMX_DiskQuota/DQ_Enforce</a>
</dd>
<dd>
<a href="./policy-csp-admx-diskquota.md#admx-diskquota-dq_logeventoverlimit" id="admx-diskquota-dq_logeventoverlimit">ADMX_DiskQuota/DQ_LogEventOverLimit</a>
</dd>
<dd>
<a href="./policy-csp-admx-diskquota.md#admx-diskquota-dq_logeventoverthreshold" id="admx-diskquota-dq_logeventoverthreshold">ADMX_DiskQuota/DQ_LogEventOverThreshold</a>
</dd>
<dd>
<a href="./policy-csp-admx-diskquota.md#admx-diskquota-dq_limit" id="admx-diskquota-dq_limit">ADMX_DiskQuota/DQ_Limit</a>
</dd>
<dl>
### ADMX_DistributedLinkTracking policies
<dl>
@ -1578,6 +1615,26 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd>
<dl>
### ADMX_iSCSI policies
<dl>
<dd>
<a href="./policy-csp-admx-iscsi.md#admx-iscsi-iscsigeneral_restrictadditionallogins
" id="admx-iscsi-iscsigeneral_restrictadditionallogins
">ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins</a>
</dd>
<dd>
<a href="./policy-csp-admx-iscsi.md#admx-iscsi-iscsigeneral_changeiqnname
" id="admx-iscsi-iscsigeneral_changeiqnname
">ADMX_iSCSI/iSCSIGeneral_ChangeIQNName</a>
</dd>
<dd>
<a href="./policy-csp-admx-iscsi.md#admx-iscsi-iscsisecurity_changechapsecret
" id="admx-iscsi-iscsisecurity_changechapsecret
">ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret</a>
</dd>
<dl>
### ADMX_kdc policies
<dl>
<dd>
@ -3553,15 +3610,6 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
<a href="./policy-csp-admx-snmp.md#admx-snmp-snmp-traps-public" id="admx-snmp-snmp-traps-public">ADMX_Snmp/SNMP_Traps_Public</a>
</dd>
</dl>
### ADMX_SoundRec policies
<dl>
<dd>
<a href="./policy-csp-admx-soundrec.md#admx-soundrec-soundrec_diableapplication_titletext_1" id="admx-soundrec-soundrec_diableapplication_titletext_1">ADMX_SoundRec/Soundrec_DiableApplication_TitleText_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-soundrec.md#admx-soundrec-soundrec_diableapplication_titletext_2" id="admx-soundrec-soundrec_diableapplication_titletext_2">ADMX_SoundRec/Soundrec_DiableApplication_TitleText_2</a>
</dd>
<dl>
@ -3779,6 +3827,17 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd>
</dl>
### ADMX_TabletShell policies
<dl>
<dd>
<a href="./policy-csp-admx-tabletshell.md#admx-tabletshell-disableinkball_1" ID="admx-tabletshell-disableinkball_1">ADMX_TabletShell/DisableInkball_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-tabletshell.md#admx-tabletshell-disablenotewriterprinting_1" ID="admx-tabletshell-disablenotewriterprinting_1">ADMX_TabletShell/DisableNoteWriterPrinting_1</a>
</dd>
<dl>
### ADMX_Taskbar policies
<dl>
@ -3894,6 +3953,17 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd>
</dl>
### ADMX_TerminalServer policies
<dl>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_enable" id="admx-terminalserver-ts_gateway_policy_enable">ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_auth_method" id="admx-terminalserver-ts_gateway_policy_auth_method">ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD</a>
</dd>
<dl>
### ADMX_Thumbnails policies
<dl>

1
windows/client-management/mdm/policy-csp-abovelock.md
View File

@ -156,6 +156,5 @@ The following list shows the supported values:
<!--/Policy-->
<hr/>
<!--/Policies-->

23
windows/client-management/mdm/policy-csp-admx-addremoveprograms.md
View File

@ -81,24 +81,7 @@ manager: dansimp
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -170,8 +153,6 @@ ADMX Info:
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
@ -180,8 +161,6 @@ ADMX Info:
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>

2
windows/client-management/mdm/policy-csp-admx-appcompat.md
View File

@ -75,8 +75,6 @@ manager: dansimp
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>

40
windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md
View File

@ -13,8 +13,13 @@ manager: dansimp
---
# Policy CSP - ADMX_AppxPackageManager
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
@ -36,28 +41,34 @@ manager: dansimp
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -74,7 +85,7 @@ manager: dansimp
<!--/Scope-->
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the deployment of Windows Store apps when the user is signed in using a special profile.
This policy setting allows you to manage the deployment of Windows Store apps when the user is signed in using a special profile.
Special profiles are the following user profiles, where changes are discarded after the user signs off:
@ -88,12 +99,7 @@ If you enable this policy setting, Group Policy allows deployment operations (ad
If you disable or do not configure this policy setting, Group Policy blocks deployment operations of Windows Store apps when using a special profile.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -106,7 +112,5 @@ ADMX Info:
<!--/Policy-->
<hr/>
> [!NOTE]
> These policies are currently only available as part of a Windows Insider release.
<!--/Policies-->

125
windows/client-management/mdm/policy-csp-admx-appxruntime.md
View File

@ -13,8 +13,13 @@ manager: dansimp
---
# Policy CSP - ADMX_AppXRuntime
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
@ -45,29 +50,34 @@ manager: dansimp
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<td>Yes</td>
<td>Yes</td>
</table>
<!--/SupportedSKUs-->
@ -83,19 +93,14 @@ manager: dansimp
<!--/Scope-->
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer.
This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer.
If you enable this policy setting, you can define additional Content URI Rules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use.
If you disable or don't set this policy setting, Windows Store apps will only use the static Content URI Rules.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -114,28 +119,34 @@ ADMX Info:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -153,19 +164,13 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type.
This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type.
If you enable this policy setting, Windows Store apps cannot open files in the default desktop app for a file type; they can open files only in other Windows Store apps.
If you disable or do not configure this policy setting, Windows Store apps can open files in the default desktop app for a file type.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -184,28 +189,34 @@ ADMX Info:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -222,7 +233,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Universal Windows apps with Windows Runtime API access directly from web content can be launched.
This policy setting controls whether Universal Windows apps with Windows Runtime API access directly from web content can be launched.
If you enable this policy setting, Universal Windows apps which declare Windows Runtime API access in ApplicationContentUriRules section of the manifest cannot be launched; Universal Windows apps which have not declared Windows Runtime API access in the manifest are not affected.
@ -232,12 +243,6 @@ If you disable or do not configure this policy setting, all Universal Windows ap
> This policy should not be enabled unless recommended by Microsoft as a security response because it can cause severe app compatibility issues.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -256,28 +261,34 @@ ADMX Info:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -295,7 +306,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app.
This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app.
If you enable this policy setting, Windows Store apps cannot open URIs in the default desktop app for a URI scheme; they can open URIs only in other Windows Store apps.
@ -305,12 +316,6 @@ If you disable or do not configure this policy setting, Windows Store apps can o
> Enabling this policy setting does not block Windows Store apps from opening the default desktop app for the http, https, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrusted sources, reducing the associated risk.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -323,8 +328,6 @@ ADMX Info:
<!--/Policy-->
<hr/>
> [!NOTE]
> These policies are currently only available as part of a Windows Insider release.
<!--/Policies-->

152
windows/client-management/mdm/policy-csp-admx-attachmentmanager.md
View File

@ -13,8 +13,13 @@ manager: dansimp
---
# Policy CSP - ADMX_AttachmentManager
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
@ -48,28 +53,34 @@ manager: dansimp
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -86,7 +97,7 @@ manager: dansimp
<!--/Scope-->
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the logic that Windows uses to determine the risk for file attachments.
This policy setting allows you to configure the logic that Windows uses to determine the risk for file attachments.
Preferring the file handler instructs Windows to use the file handler data over the file type data. For example, trust notepad.exe, but don't trust .txt files.
@ -99,12 +110,6 @@ If you disable this policy setting, Windows uses its default trust logic, which
If you do not configure this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -123,28 +128,33 @@ ADMX Info:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<td>No</td>
<td>No</td>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -161,7 +171,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the default risk level for file types. To fully customize the risk level for file attachments, you may also need to configure the trust logic for file attachments.
This policy setting allows you to manage the default risk level for file types. To fully customize the risk level for file attachments, you may also need to configure the trust logic for file attachments.
High Risk: If the attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file.
@ -176,12 +186,6 @@ If you disable this policy setting, Windows sets the default risk level to moder
If you do not configure this policy setting, Windows sets the default risk level to moderate.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -200,28 +204,34 @@ ADMX Info:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -238,7 +248,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the list of high-risk file types. If the file attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. This inclusion list takes precedence over the medium-risk and low-risk inclusion lists (where an extension is listed in more than one inclusion list).
This policy setting allows you to configure the list of high-risk file types. If the file attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. This inclusion list takes precedence over the medium-risk and low-risk inclusion lists (where an extension is listed in more than one inclusion list).
If you enable this policy setting, you can create a custom list of high-risk file types.
@ -247,12 +257,6 @@ If you disable this policy setting, Windows uses its built-in list of file types
If you do not configure this policy setting, Windows uses its built-in list of high-risk file types.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -271,28 +275,34 @@ ADMX Info:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -309,7 +319,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. This inclusion list overrides the list of high-risk file types built into Windows and has a lower precedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inclusion list).
This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. This inclusion list overrides the list of high-risk file types built into Windows and has a lower precedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inclusion list).
If you enable this policy setting, you can specify file types that pose a low risk.
@ -318,12 +328,6 @@ If you disable this policy setting, Windows uses its default trust logic.
If you do not configure this policy setting, Windows uses its default trust logic.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -342,28 +346,34 @@ ADMX Info:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -380,7 +390,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the list of moderate-risk file types. If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. This inclusion list overrides the list of potentially high-risk file types built into Windows and it takes precedence over the low-risk inclusion list but has a lower precedence than the high-risk inclusion list (where an extension is listed in more than one inclusion list).
This policy setting allows you to configure the list of moderate-risk file types. If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. This inclusion list overrides the list of potentially high-risk file types built into Windows and it takes precedence over the low-risk inclusion list but has a lower precedence than the high-risk inclusion list (where an extension is listed in more than one inclusion list).
If you enable this policy setting, you can specify file types which pose a moderate risk.
@ -389,12 +399,6 @@ If you disable this policy setting, Windows uses its default trust logic.
If you do not configure this policy setting, Windows uses its default trust logic.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -407,7 +411,5 @@ ADMX Info:
<!--/Policy-->
<hr/>
> [!NOTE]
> These policies are currently only available as part of a Windows Insider release.
<!--/Policies-->

41
windows/client-management/mdm/policy-csp-admx-auditsettings.md
View File

@ -12,9 +12,14 @@ ms.reviewer:
manager: dansimp
---
# Policy CSP - ADMX_AuditSettings
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
# Policy CSP - ADMX_AuditSettings.
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
@ -36,28 +41,34 @@ manager: dansimp
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -74,7 +85,7 @@ manager: dansimp
<!--/Scope-->
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled.
This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled.
If you enable this policy setting, the command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event 4688, "a new process has been created," on the workstations and servers on which this policy setting is applied.
@ -86,12 +97,6 @@ Default is Not configured.
> When this policy setting is enabled, any user with access to read the security events will be able to read the command line arguments for any successfully created process. Command line arguments can contain sensitive or private information, such as passwords or user data.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -104,8 +109,6 @@ ADMX Info:
<!--/Policy-->
<hr/>
> [!NOTE]
> These policies are currently only available as part of a Windows Insider release.
<!--/Policies-->

411
windows/client-management/mdm/policy-csp-admx-bits.md
View File

@ -13,8 +13,13 @@ manager: dansimp
---
# Policy CSP - ADMX_Bits
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
@ -75,28 +80,34 @@ manager: dansimp
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -113,7 +124,7 @@ manager: dansimp
<!--/Scope-->
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. This setting affects whether the BITS client is allowed to use Windows Branch Cache. If the Windows Branch Cache component is installed and enabled on a computer, BITS jobs on that computer can use Windows Branch Cache by default.
This setting affects whether the BITS client is allowed to use Windows Branch Cache. If the Windows Branch Cache component is installed and enabled on a computer, BITS jobs on that computer can use Windows Branch Cache by default.
If you enable this policy setting, the BITS client does not use Windows Branch Cache.
@ -121,14 +132,8 @@ If you disable or do not configure this policy setting, the BITS client uses Win
> [!NOTE]
> This policy setting does not affect the use of Windows Branch Cache by applications other than BITS. This policy setting does not apply to BITS transfers over SMB. This setting has no effect if the computer's administrative settings for Windows Branch Cache disable its use entirely.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -147,28 +152,34 @@ ADMX Info:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -185,7 +196,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the computer will act as a BITS peer caching client. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers).
This policy setting specifies whether the computer will act as a BITS peer caching client. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers).
If you enable this policy setting, the computer will no longer use the BITS peer caching feature to download files; files will be downloaded only from the origin server. However, the computer will still make files available to its peers.
@ -195,12 +206,7 @@ If you disable or do not configure this policy setting, the computer attempts to
> This policy setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -219,28 +225,34 @@ ADMX Info:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -257,7 +269,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the computer will act as a BITS peer caching server. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers).
This policy setting specifies whether the computer will act as a BITS peer caching server. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers).
If you enable this policy setting, the computer will no longer cache downloaded files and offer them to its peers. However, the computer will still download files from peers.
@ -267,12 +279,7 @@ If you disable or do not configure this policy setting, the computer will offer
> This setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -292,28 +299,34 @@ ADMX Info:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -330,7 +343,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting determines if the Background Intelligent Transfer Service (BITS) peer caching feature is enabled on a specific computer. By default, the files in a BITS job are downloaded only from the origin server specified by the job's owner.
This policy setting determines if the Background Intelligent Transfer Service (BITS) peer caching feature is enabled on a specific computer. By default, the files in a BITS job are downloaded only from the origin server specified by the job's owner.
If BITS peer caching is enabled, BITS caches downloaded files and makes them available to other BITS peers. When transferring a download job, BITS first requests the files for the job from its peers in the same IP subnet. If none of the peers in the subnet have the requested files, BITS downloads them from the origin server.
@ -339,12 +352,7 @@ If you enable this policy setting, BITS downloads files from peers, caches the f
If you disable or do not configure this policy setting, the BITS peer caching feature will be disabled, and BITS will download files directly from the origin server.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -364,28 +372,34 @@ ADMX Info:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -402,7 +416,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting limits the network bandwidth that BITS uses for peer cache transfers (this setting does not affect transfers from the origin server).
This policy setting limits the network bandwidth that BITS uses for peer cache transfers (this setting does not affect transfers from the origin server).
To prevent any negative impact to a computer caused by serving other peers, by default BITS will use up to 30 percent of the bandwidth of the slowest active network interface. For example, if a computer has both a 100 Mbps network card and a 56 Kbps modem, and both are active, BITS will use a maximum of 30 percent of 56 Kbps.
@ -416,12 +430,6 @@ If you disable this policy setting or do not configure it, the default value of
> This setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -440,28 +448,34 @@ ADMX Info:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -478,7 +492,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the maintenance days and hours. Maintenance schedules further limit the network bandwidth that is used for background transfers.
This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the maintenance days and hours. Maintenance schedules further limit the network bandwidth that is used for background transfers.
If you enable this policy setting, you can define a separate set of network bandwidth limits and set up a schedule for the maintenance period.
@ -490,12 +504,6 @@ If you disable or do not configure this policy setting, the limits defined for w
> The bandwidth limits that are set for the maintenance period supersede any limits defined for work and other schedules.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -515,28 +523,34 @@ ADMX Info:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -553,7 +567,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the work and non-work days and hours. The work schedule is defined using a weekly calendar, which consists of days of the week and hours of the day. All hours and days that are not defined in a work schedule are considered non-work hours.
This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the work and non-work days and hours. The work schedule is defined using a weekly calendar, which consists of days of the week and hours of the day. All hours and days that are not defined in a work schedule are considered non-work hours.
If you enable this policy setting, you can set up a schedule for limiting network bandwidth during both work and non-work hours. After the work schedule is defined, you can set the bandwidth usage limits for each of the three BITS background priority levels: high, normal, and low.
@ -562,12 +576,6 @@ You can specify a limit to use for background jobs during a work schedule. For e
If you disable or do not configure this policy setting, BITS uses all available unused bandwidth for background job transfers.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -587,28 +595,34 @@ ADMX Info:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -625,7 +639,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting limits the maximum amount of disk space that can be used for the BITS peer cache, as a percentage of the total system disk size. BITS will add files to the peer cache and make those files available to peers until the cache content reaches the specified cache size. By default, BITS will use 1 percent of the total system disk for the peercache.
This policy setting limits the maximum amount of disk space that can be used for the BITS peer cache, as a percentage of the total system disk size. BITS will add files to the peer cache and make those files available to peers until the cache content reaches the specified cache size. By default, BITS will use 1 percent of the total system disk for the peercache.
If you enable this policy setting, you can enter the percentage of disk space to be used for the BITS peer cache. You can enter a value between 1 percent and 80 percent.
@ -635,12 +649,6 @@ If you disable or do not configure this policy setting, the default size of the
> This policy setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -659,28 +667,34 @@ ADMX Info:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -707,12 +721,6 @@ If you disable or do not configure this policy setting, files that have not been
> This policy setting has no effect if the "Allow BITS Peercaching" policy setting is disabled or not configured.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -731,28 +739,34 @@ ADMX Info:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -769,7 +783,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting limits the amount of time that Background Intelligent Transfer Service (BITS) will take to download the files in a BITS job.
This policy setting limits the amount of time that Background Intelligent Transfer Service (BITS) will take to download the files in a BITS job.
The time limit applies only to the time that BITS is actively downloading files. When the cumulative download time exceeds this limit, the job is placed in the error state.
@ -780,12 +794,7 @@ If you enable this policy setting, you can set the maximum job download time to
If you disable or do not configure this policy setting, the default value of 90 days (7,776,000 seconds) will be used.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -804,28 +813,34 @@ ADMX Info:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -842,7 +857,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of files that a BITS job can contain. By default, a BITS job is limited to 200 files. You can use this setting to raise or lower the maximum number of files a BITS jobs can contain.
This policy setting limits the number of files that a BITS job can contain. By default, a BITS job is limited to 200 files. You can use this setting to raise or lower the maximum number of files a BITS jobs can contain.
If you enable this policy setting, BITS will limit the maximum number of files a job can contain to the specified number.
@ -852,12 +867,7 @@ If you disable or do not configure this policy setting, BITS will use the defaul
> BITS Jobs created by services and the local administrator account do not count toward this limit.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -876,28 +886,34 @@ ADMX Info:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -914,7 +930,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of BITS jobs that can be created for all users of the computer. By default, BITS limits the total number of jobs that can be created on the computer to 300 jobs. You can use this policy setting to raise or lower the maximum number of user BITS jobs.
This policy setting limits the number of BITS jobs that can be created for all users of the computer. By default, BITS limits the total number of jobs that can be created on the computer to 300 jobs. You can use this policy setting to raise or lower the maximum number of user BITS jobs.
If you enable this policy setting, BITS will limit the maximum number of BITS jobs to the specified number.
@ -924,12 +940,7 @@ If you disable or do not configure this policy setting, BITS will use the defaul
> BITS jobs created by services and the local administrator account do not count toward this limit.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -948,28 +959,34 @@ ADMX Info:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -986,7 +1003,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of BITS jobs that can be created by a user. By default, BITS limits the total number of jobs that can be created by a user to 60 jobs. You can use this setting to raise or lower the maximum number of BITS jobs a user can create.
This policy setting limits the number of BITS jobs that can be created by a user. By default, BITS limits the total number of jobs that can be created by a user to 60 jobs. You can use this setting to raise or lower the maximum number of BITS jobs a user can create.
If you enable this policy setting, BITS will limit the maximum number of BITS jobs a user can create to the specified number.
@ -996,12 +1013,7 @@ If you disable or do not configure this policy setting, BITS will use the defaul
> This limit must be lower than the setting specified in the "Maximum number of BITS jobs for this computer" policy setting, or 300 if the "Maximum number of BITS jobs for this computer" policy setting is not configured. BITS jobs created by services and the local administrator account do not count toward this limit.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -1020,28 +1032,34 @@ ADMX Info:
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
@ -1058,7 +1076,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of ranges that can be added to a file in a BITS job. By default, files in a BITS job are limited to 500 ranges per file. You can use this setting to raise or lower the maximum number ranges per file.
This policy setting limits the number of ranges that can be added to a file in a BITS job. By default, files in a BITS job are limited to 500 ranges per file. You can use this setting to raise or lower the maximum number ranges per file.
If you enable this policy setting, BITS will limit the maximum number of ranges that can be added to a file to the specified number.
@ -1068,12 +1086,7 @@ If you disable or do not configure this policy setting, BITS will limit ranges t
> BITS Jobs created by services and the local administrator account do not count toward this limit.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
@ -1086,8 +1099,6 @@ ADMX Info:
<!--/Policy-->
<hr/>
> [!NOTE]
> These policies are currently only available as part of a Windows Insider release.
<!--/Policies-->

266
windows/client-management/mdm/policy-csp-admx-disknvcache.md Normal file
View File

@ -0,0 +1,266 @@
---
title: Policy CSP - ADMX_DiskNVCache
description: Policy CSP - ADMX_DiskNVCache
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 08/12/2020
ms.reviewer:
manager: dansimp
---
# Policy CSP - ADMX_DiskNVCache
<hr/>
<!--Policies-->
## ADMX_DiskNVCache policies
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<dl>
<dd>
<a href="#admx-disknvcache-bootresumepolicy">ADMX_DiskNVCache/BootResumePolicy</a>
</dd>
<dd>
<a href="#admx-disknvcache-featureoffpolicy">ADMX_DiskNVCache/FeatureOffPolicy</a>
</dd>
<dd>
<a href="#admx-disknvcache-solidstatepolicy">ADMX_DiskNVCache/SolidStatePolicy</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="admx-disknvcache-bootresumepolicy"></a>**ADMX_DiskNVCache/BootResumePolicy**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting turns off the boot and resume optimizations for the hybrid hard disks in the system.
If you enable this policy setting, the system does not use the non-volatile (NV) cache to optimize boot and resume.
If you disable this policy setting, the system uses the NV cache to achieve faster boot and resume.
The system determines the data that will be stored in the NV cache to optimize boot and resume.
The required data is stored in the NV cache during shutdown and hibernate, respectively. This might cause a slight increase in the time taken for shutdown and hibernate. If you do not configure this policy setting, the default behavior is observed and the NV cache is used for boot and resume optimizations.
This policy setting is applicable only if the NV cache feature is on.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Turn off boot and resume optimizations*
- GP name: *BootResumePolicy*
- GP path: *System\Disk NV Cache*
- GP ADMX file name: *DiskNVCache.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<a href="" id="admx-disknvcache-featureoffpolicy"></a>**ADMX_DiskNVCache/FeatureOffPolicy**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting turns off all support for the non-volatile (NV) cache on all hybrid hard disks in the system.
To check if you have hybrid hard disks in the system, from Device Manager, right-click the disk drive and select Properties. The NV cache can be used to optimize boot and resume by reading data from the cache while the disks are spinning up. The NV cache can also be used to reduce the power consumption of the system by keeping the disks spun down while satisfying reads and writes from the cache.
If you enable this policy setting, the system will not manage the NV cache and will not enable NV cache power saving mode.
If you disable this policy setting, the system will manage the NV cache on the disks if the other policy settings for the NV cache are appropriately configured.
This policy setting will take effect on next boot. If you do not configure this policy setting, the default behavior is to turn on support for the NV cache.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Turn off non-volatile cache feature*
- GP name: *FeatureOffPolicy*
- GP path: *System\Disk NV Cache*
- GP ADMX file name: *DiskNVCache.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-disknvcache-solidstatepolicy"></a>**ADMX_DiskNVCache/SolidStatePolicy**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting turns off the solid state mode for the hybrid hard disks.
If you enable this policy setting, frequently written files such as the file system metadata and registry may not be stored in the NV cache.
If you disable this policy setting, the system will store frequently written data into the non-volatile (NV) cache. This allows the system to exclusively run out of the NV cache and power down the disk for longer periods to save power.
This can cause increased wear of the NV cache. If you do not configure this policy setting, the default behavior of the system is observed and frequently written files will be stored in the NV cache. Note: This policy setting is applicable only if the NV cache feature is on.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Turn off solid state mode*
- GP name: *SolidStatePolicy*
- GP path: *System\Disk NV Cache*
- GP ADMX file name: *DiskNVCache.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--/Policies-->

500
windows/client-management/mdm/policy-csp-admx-diskquota.md Normal file
View File

@ -0,0 +1,500 @@
---
title: Policy CSP - ADMX_DiskQuota
description: Policy CSP - ADMX_DiskQuota
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 08/12/2020
ms.reviewer:
manager: dansimp
---
# Policy CSP - ADMX_DiskQuota
<hr/>
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--Policies-->
## ADMX_DiskQuota policies
<dl>
<dd>
<a href="#admx-diskquota-dq_removablemedia">ADMX_DiskQuota/DQ_RemovableMedia</a>
</dd>
<dd>
<a href="#admx-diskquota-dq_enable">ADMX_DiskQuota/DQ_Enable</a>
</dd>
<dd>
<a href="#admx-diskquota-dq_enforce">ADMX_DiskQuota/DQ_Enforce</a>
</dd>
<dd>
<a href="#admx-diskquota-dq_logeventoverlimit">ADMX_DiskQuota/DQ_LogEventOverLimit</a>
</dd>
<dd>
<a href="#admx-diskquota-dq_logeventoverthreshold">ADMX_DiskQuota/DQ_LogEventOverThreshold</a>
</dd>
<dd>
<a href="#admx-diskquota-dq_limit">ADMX_DiskQuota/DQ_Limit</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="admx-diskquota-dq_removablemedia"></a>**ADMX_DiskQuota/DQ_RemovableMedia**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting extends the disk quota policies in this folder to NTFS file system volumes on the removable media.
If you disable or do not configure this policy setting, the disk quota policies established in this folder apply to fixed-media NTFS volumes only.
When this policy setting is applied, the computer will apply the disk quota to both fixed and removable media.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Apply policy to removable media*
- GP name: *DQ_RemovableMedia*
- GP path: *System\Disk Quotas*
- GP ADMX file name: *DiskQuota.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-diskquota-dq_enable"></a>**ADMX_DiskQuota/DQ_Enable**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting turns on and turns off disk quota management on all NTFS volumes of the computer, and prevents users from changing the setting.
If you enable this policy setting, disk quota management is turned on, and users cannot turn it off.
If you disable the policy setting, disk quota management is turned off, and users cannot turn it on. When this policy setting is not configured then the disk quota management is turned off by default, and the administrators can turn it on.
To prevent users from changing the setting while a setting is in effect, the system disables the "Enable quota management" option on the Quota tab of NTFS volumes.
This policy setting turns on disk quota management but does not establish or enforce a particular disk quota limit.
To specify a disk quota limit, use the "Default quota limit and warning level" policy setting. Otherwise, the system uses the physical space on the volume as the quota limit.
To turn on or turn off disk quota management without specifying a setting, in My Computer, right-click the name of an NTFS volume, click Properties, click the Quota tab, and then click "Enable quota management."
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Enable disk quotas*
- GP name: *DQ_Enable*
- GP path: *System\Disk Quotas*
- GP ADMX file name: *DiskQuota.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-diskquota-dq_enforce"></a>**ADMX_DiskQuota/DQ_Enforce**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting determines whether disk quota limits are enforced and prevents users from changing the setting.
If you enable this policy setting, disk quota limits are enforced.
If you disable this policy setting, disk quota limits are not enforced. When you enable or disable this policy setting, the system disables the "Deny disk space to users exceed quota limit" option on the Quota tab. Therefore, the administrators cannot make changes while the setting is in effect.
If you do not configure this policy setting, the disk quota limit is not enforced by default, but administrators can change the setting. Enforcement is optional. When users reach an enforced disk quota limit, the system responds as though the physical space on the volume were exhausted. When users reach an unenforced limit, their status in the Quota Entries window changes. However, the users can continue to write to the volume as long as physical space is available.
This policy setting overrides user settings that enable or disable quota enforcement on their volumes.
To specify a disk quota limit, use the "Default quota limit and warning level" policy setting. Otherwise, the system uses the physical space on the volume as the quota limit.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Enforce disk quota limit*
- GP name: *DQ_Enforce*
- GP path: *System\Disk Quotas*
- GP ADMX file name: *DiskQuota.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-diskquota-dq_logeventoverlimit"></a>**ADMX_DiskQuota/DQ_LogEventOverLimit**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting determines whether the system records an event in the local Application log when users reach their disk quota limit on a volume, and prevents users from changing the logging setting.
If you enable this policy setting, the system records an event when the user reaches their limit.
If you disable this policy setting, no event is recorded. Also, when you enable or disable this policy setting, the system disables the "Log event when a user exceeds their quota limit" option on the Quota tab, so administrators cannot change the setting while a setting is in effect. If you do not configure this policy setting, no events are recorded, but administrators can use the Quota tab option to change the setting.
This policy setting is independent of the enforcement policy settings for disk quotas. As a result, you can direct the system to log an event, regardless of whether or not you choose to enforce the disk quota limit. Also, this policy setting does not affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they have reached their limit, because their status in the Quota Entries window changes.
To find the logging option, in My Computer, right-click the name of an NTFS file system volume, click Properties, and then click the Quota tab.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Log event when quota limit is exceeded*
- GP name: *DQ_LogEventOverLimit*
- GP path: *System\Disk Quotas*
- GP ADMX file name: *DiskQuota.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-diskquota-dq_logeventoverthreshold"></a>**ADMX_DiskQuota/DQ_LogEventOverThreshold**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting determines whether the system records an event in the Application log when users reach their disk quota warning level on a volume.
If you enable this policy setting, the system records an event.
If you disable this policy setting, no event is recorded. When you enable or disable this policy setting, the system disables the corresponding "Log event when a user exceeds their warning level" option on the Quota tab so that administrators cannot change logging while a policy setting is in effect.
If you do not configure this policy setting, no event is recorded, but administrators can use the Quota tab option to change the logging setting. This policy setting does not affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they have reached their warning level because their status in the Quota Entries window changes.
To find the logging option, in My Computer, right-click the name of an NTFS file system volume, click Properties, and then click the Quota tab.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Log event when quota warning level is exceeded*
- GP name: *DQ_LogEventOverThreshold*
- GP path: *System\Disk Quotas*
- GP ADMX file name: *DiskQuota.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-diskquota-dq_limit"></a>**ADMX_DiskQuota/DQ_Limit**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting specifies the default disk quota limit and warning level for new users of the volume.
This policy setting determines how much disk space can be used by each user on each of the NTFS file system volumes on a computer. It also specifies the warning level, the point at which the user's status in the Quota Entries window changes to indicate that the user is approaching the disk quota limit.
This setting overrides new users settings for the disk quota limit and warning level on their volumes, and it disables the corresponding options in the "Select the default quota limit for new users of this volume" section on the Quota tab.
This policy setting applies to all new users as soon as they write to the volume. It does not affect disk quota limits for current users, or affect customized limits and warning levels set for particular users (on the Quota tab in Volume Properties).
If you disable or do not configure this policy setting, the disk space available to users is not limited. The disk quota management feature uses the physical space on each volume as its quota limit and warning level. When you select a limit, remember that the same limit applies to all users on all volumes, regardless of actual volume size. Be sure to set the limit and warning level so that it is reasonable for the range of volumes in the group.
This policy setting is effective only when disk quota management is enabled on the volume. Also, if disk quotas are not enforced, users can exceed the quota limit you set. When users reach the quota limit, their status in the Quota Entries window changes, but users can continue to write to the volume.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Specify default quota limit and warning level*
- GP name: *DQ_Limit*
- GP path: *System\Disk Quotas*
- GP ADMX file name: *DiskQuota.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--/Policies-->

249
windows/client-management/mdm/policy-csp-admx-iscsi.md Normal file
View File

@ -0,0 +1,249 @@
---
title: Policy CSP - ADMX_iSCSI
description: Policy CSP - ADMX_iSCSI
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 12/17/2020
ms.reviewer:
manager: dansimp
---
# Policy CSP - ADMX_iSCSI
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
<!--Policies-->
## ADMX_iSCSI policies
<dl>
<dd>
<a href="#admx-iscsi-iscsigeneral_restrictadditionallogins">ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins</a>
</dd>
<dd>
<a href="#admx-iscsi-iscsigeneral_changeiqnname">ADMX_iSCSI/iSCSIGeneral_ChangeIQNName</a>
</dd>
<dd>
<a href="#admx-iscsi-iscsisecurity_changechapsecret">ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="admx-iscsi-iscsigeneral_restrictadditionallogins"></a>**ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
If enabled then new iSNS servers may not be added and thus new targets discovered via those iSNS servers; existing iSNS servers may not be removed.
If disabled then new iSNS servers may be added and thus new targets discovered via those iSNS servers; existing iSNS servers may be removed.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not allow manual configuration of iSNS servers*
- GP name: *iSCSIGeneral_RestrictAdditionalLogins*
- GP path: *System\iSCSI\iSCSI Target Discovery*
- GP ADMX file name: *iSCSI.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-iscsi-iscsigeneral_changeiqnname"></a>**ADMX_iSCSI/iSCSIGeneral_ChangeIQNName**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
If enabled then new target portals may not be added and thus new targets discovered on those portals; existing target portals may not be removed.
If disabled then new target portals may be added and thus new targets discovered on those portals; existing target portals may be removed.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not allow manual configuration of target portals*
- GP name: *iSCSIGeneral_ChangeIQNName*
- GP path: *System\iSCSI\iSCSI Target Discovery*
- GP ADMX file name: *iSCSI.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-iscsi-iscsisecurity_changechapsecret"></a>**ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
If enabled then do not allow the initiator CHAP secret to be changed.
If disabled then the initiator CHAP secret may be changed.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Do not allow changes to initiator CHAP secret*
- GP name: *iSCSISecurity_ChangeCHAPSecret*
- GP path: *System\iSCSI\iSCSI Security*
- GP ADMX file name: *iSCSI.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--/Policies-->

180
windows/client-management/mdm/policy-csp-admx-srmfci.md Normal file
View File

@ -0,0 +1,180 @@
---
title: Policy CSP - ADMX_srmfci
description: Policy CSP - ADMX_srmfci
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 09/18/2020
ms.reviewer:
manager: dansimp
---
# Policy CSP - ADMX_srmfci
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
<!--Policies-->
## ADMX_srmfci policies
<dl>
<dd>
<a href="#admx-srmfci-enableshellaccesscheck">ADMX_srmfci/EnableShellAccessCheck</a>
</dd>
<dd>
<a href="#admx-srmfci-accessdeniedconfiguration">ADMX_srmfci/AccessDeniedConfiguration</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="admx-srmfci-enableshellaccesscheck"></a>**ADMX_srmfci/EnableShellAccessCheck**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This Group Policy Setting should be set on Windows clients to enable access-denied assistance for all file types.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Enable access-denied assistance on client for all file types*
- GP name: *EnableShellAccessCheck*
- GP path: *System\Access-Denied Assistance*
- GP ADMX file name: *srmfci.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-srmfci-accessdeniedconfiguration"></a>**ADMX_srmfci/AccessDeniedConfiguration**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting specifies the message that users see when they are denied access to a file or folder. You can customize the Access Denied message to include additional text and links. You can also provide users with the ability to send an email to request access to the file or folder to which they were denied access.
If you enable this policy setting, users receive a customized Access Denied message from the file servers on which this policy setting is applied.
If you disable this policy setting, users see a standard Access Denied message that doesn't provide any of the functionality controlled by this policy setting, regardless of the file server configuration.
If you do not configure this policy setting, users see a standard Access Denied message unless the file server is configured to display the customized Access Denied message. By default, users see the standard Access Denied message.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Customize message for Access Denied errors*
- GP name: *AccessDeniedConfiguration*
- GP path: *System\Access-Denied Assistance*
- GP ADMX file name: *srmfci.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--/Policies-->

186
windows/client-management/mdm/policy-csp-admx-tabletshell.md Normal file
View File

@ -0,0 +1,186 @@
---
title: Policy CSP - ADMX_TabletShell
description: Policy CSP - ADMX_TabletShell
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 09/23/2020
ms.reviewer:
manager: dansimp
---
# Policy CSP - ADMX_TabletShell
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
<!--Policies-->
## ADMX_TabletShell policies
<dl>
<dd>
<a href="#admx-tabletshell-disableinkball_1">ADMX_TabletShell/DisableInkball_1</a>
</dd>
<dd>
<a href="#admx-tabletshell-disablenotewriterprinting_1">ADMX_TabletShell/DisableNoteWriterPrinting_1</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="admx-tabletshell-disableinkball_1"></a>**ADMX_TabletShell/DisableInkball_1**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Prevents start of InkBall game.
If you enable this policy, the InkBall game will not run.
If you disable this policy, the InkBall game will run. If you do not configure this policy, the InkBall game will run.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Do not allow Inkball to run*
- GP name: *DisableInkball_1*
- GP path: *Windows Components\Tablet PC\Accessories*
- GP ADMX file name: *TabletShell.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-tabletshell-disablenotewriterprinting_1"></a>**ADMX_TabletShell/DisableNoteWriterPrinting_1**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
Prevents printing to Journal Note Writer.
If you enable this policy, the Journal Note Writer printer driver will not allow printing to it. It will remain displayed in the list of available printers, but attempts to print to it will fail.
If you disable this policy, you will be able to use this feature to print to a Journal Note. If you do not configure this policy, users will be able to use this feature to print to a Journal Note.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Do not allow printing to Journal Note Writer*
- GP name: *DisableNoteWriterPrinting_1*
- GP path: *Windows Components\Tablet PC\Accessories*
- GP ADMX file name: *TabletShell.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--/Policies-->

192
windows/client-management/mdm/policy-csp-admx-terminalserver.md Normal file
View File

@ -0,0 +1,192 @@
---
title: Policy CSP - ADMX_TerminalServer
description: Policy CSP - ADMX_TerminalServer
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 09/23/2020
ms.reviewer:
manager: dansimp
---
# Policy CSP - ADMX_TerminalServer
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
<!--Policies-->
## ADMX_TerminalServer policies
<dl>
<dd>
<a href="#admx-terminalserver-ts_gateway_policy_enable">ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE</a>
</dd>
<dd>
<a href="#admx-terminalserver-ts_gateway_policy_auth_method">ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="admx-terminalserver-ts_gateway_policy_enable"></a>**ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to specify whether the client computer redirects its time zone settings to the Remote Desktop Services session.
If you enable this policy setting, clients that are capable of time zone redirection send their time zone information to the server. The server base time is then used to calculate the current session time (current session time = server base time + client time zone).
If you disable or do not configure this policy setting, the client computer does not redirect its time zone information and the session time zone is the same as the server time zone.
Time zone redirection is possible only when connecting to at least a Microsoft Windows Server 2003 terminal server with a client using RDP 5.1 or later.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Allow time zone redirection*
- GP name: *TS_GATEWAY_POLICY_ENABLE*
- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection*
- GP ADMX file name: *TerminalServer.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-terminalserver-ts_gateway_policy_auth_method"></a>**ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting specifies whether to prevent the sharing of Clipboard contents (Clipboard redirection) between a remote computer and a client computer during a Remote Desktop Services session.
You can use this setting to prevent users from redirecting Clipboard data to and from the remote computer and the local computer. By default, Remote Desktop Services allows Clipboard redirection.
If you enable this policy setting, users cannot redirect Clipboard data.
If you disable this policy setting, Remote Desktop Services always allows Clipboard redirection.
If you do not configure this policy setting, Clipboard redirection is not specified at the Group Policy level.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Do not allow Clipboard redirection*
- GP name: *TS_GATEWAY_POLICY_AUTH_METHOD*
- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection*
- GP ADMX file name: *TerminalServer.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--/Policies-->

14
windows/client-management/mdm/toc.yml
View File

@ -455,6 +455,10 @@ items:
href: policy-csp-admx-dfs.md
- name: ADMX_DigitalLocker
href: policy-csp-admx-digitallocker.md
- name: ADMX_DiskNVCache
href: policy-csp-admx-disknvcache.md
- name: ADMX_DiskQuota
href: policy-csp-admx-diskquota.md
- name: ADMX_DistributedLinkTracking
href: policy-csp-admx-distributedlinktracking.md
- name: ADMX_DnsClient
@ -506,7 +510,9 @@ items:
- name: ADMX_ICM
href: policy-csp-admx-icm.md
- name: ADMX_IIS
href: policy-csp-admx-iis.md
href: policy-csp-admx-iis.md
- name: ADMX_iSCSI
href: policy-csp-admx-iscsi.md
- name: ADMX_kdc
href: policy-csp-admx-kdc.md
- name: ADMX_Kerberos
@ -599,16 +605,18 @@ items:
href: policy-csp-admx-smartcard.md
- name: ADMX_Snmp
href: policy-csp-admx-snmp.md
- name: ADMX_SoundRec
href: policy-csp-admx-soundrec.md
- name: ADMX_StartMenu
href: policy-csp-admx-startmenu.md
- name: ADMX_SystemRestore
href: policy-csp-admx-systemrestore.md
- name: ADMX_TabletShell
href: policy-csp-admx-tabletshell.md
- name: ADMX_Taskbar
href: policy-csp-admx-taskbar.md
- name: ADMX_tcpip
href: policy-csp-admx-tcpip.md
- name: ADMX_TerminalServer
href: policy-csp-admx-terminalserver.md
- name: ADMX_Thumbnails
href: policy-csp-admx-thumbnails.md
- name: ADMX_TPM

269
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
View File

@ -80,7 +80,9 @@ To include the on-premises distinguished name in the certificate's subject, Azur
Sign-in to computer running Azure AD Connect with access equivalent to _local administrator_.
1. Open **Synchronization Services** from the **Azure AD Connect** folder.
2. In the **Synchronization Service Manager**, click **Help** and then click **About**.
3. If the version number is not **1.1.819** or later, then upgrade Azure AD Connect to the latest version.
### Verify the onPremisesDistinguishedName attribute is synchronized
@ -88,9 +90,13 @@ Sign-in to computer running Azure AD Connect with access equivalent to _local ad
The easiest way to verify the onPremisesDistingushedNamne attribute is synchronized is to use Azure AD Graph Explorer.
1. Open a web browser and navigate to https://graphexplorer.azurewebsites.net/
2. Click **Login** and provide Azure credentials
3. In the Azure AD Graph Explorer URL, type https://graph.windows.net/myorganization/users/[userid], where **[userid]** is the user principal name of user in Azure Active Directory. Click **Go**
4. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and the value is accurate for the given user.
![Azure AD Connect On-Prem DN Attribute.](images/aadjcert/aadconnectonpremdn.png)
## Prepare the Network Device Enrollment Services (NDES) Service Account
@ -102,9 +108,13 @@ The deployment uses the **NDES Servers** security group to assign the NDES servi
Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
1. Open **Active Directory Users and Computers**.
2. Expand the domain node from the navigation pane.
3. Right-click the **Users** container. Hover over **New** and click **Group**.
4. Type **NDES Servers** in the **Group Name** text box.
5. Click **OK**.
### Add the NDES server to the NDES Servers global security group
@ -112,8 +122,11 @@ Sign-in to a domain controller or management workstation with access equivalent
Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
1. Open **Active Directory Users and Computers**.
2. Expand the domain node from the navigation pane.
3. Click **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role. Click **Add to a group...**.
3. Click **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role. Click **Add to a group**.
4. Type **NDES Servers** in **Enter the object names to select**. Click **OK**. Click **OK** on the **Active Directory Domain Services** success dialog.
> [!NOTE]
@ -126,8 +139,11 @@ The Network Device Enrollment Services (NDES) role runs under a service account.
Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
1. In the navigation pane, expand the node that has your domain name. Select **Users**.
2. Right-click the **Users** container. Hover over **New** and then select **User**. Type **NDESSvc** in **Full Name** and **User logon name**. Click **Next**.
3. Type a secure password in **Password**. Confirm the secure password in **Confirm Password**. Clear **User must change password at next logon**. Click **Next**.
4. Click **Finish**.
> [!IMPORTANT]
@ -140,15 +156,25 @@ The Group Policy object ensures the NDES Service account has the proper user rig
Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials.
1. Start the **Group Policy Management Console** (gpmc.msc)
2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
3. Right-click **Group Policy object** and select **New**.
4. Type **NDES Service Rights** in the name box and click **OK**.
5. In the content pane, right-click the **NDES Service Rights** Group Policy object and click **Edit**.
6. In the navigation pane, expand **Policies** under **Computer Configuration**.
7. Expand **Windows Settings > Security Settings > Local Policies**. Select **User Rights Assignments**.
8. In the content pane, double-click **Allow log on locally**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice.
9. In the content pane, double-click **Log on as a batch job**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Performance Log Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice.
10. In the content pane, double-click **Log on as a service**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **NT SERVICE\ALL SERVICES;DOMAINNAME\NDESSvc** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** three times.
11. Close the **Group Policy Management Editor**.
### Configure security for the NDES Service User Rights Group Policy object
@ -158,10 +184,15 @@ The best way to deploy the **NDES Service User Rights** Group Policy object is t
Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
1. Start the **Group Policy Management Console** (gpmc.msc)
2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
3. Double-click the **NDES Service User Rights** Group Policy object.
4. In the **Security Filtering** section of the content pane, click **Add**. Type **NDES Servers** or the name of the security group you previously created and click **OK**.
5. Click the **Delegation** tab. Select **Authenticated Users** and click **Advanced**.
6. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**.
### Deploy the NDES Service User Rights Group Policy object
@ -171,7 +202,9 @@ The application of the **NDES Service User Rights** Group Policy object uses sec
Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
1. Start the **Group Policy Management Console** (gpmc.msc)
2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO**
3. In the **Select GPO** dialog box, select **NDES Service User Rights** or the name of the Group Policy object you previously created and click **OK**.
> [!IMPORTANT]
@ -197,7 +230,7 @@ Sign-in to the issuing certificate authority with access equivalent to _local ad
1. Open an elevated command prompt and type the following command:
```
```console
certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE
```
@ -210,18 +243,26 @@ NDES uses a server authentication certificate to authenticate the server endpoin
Sign-in to the issuing certificate authority or management workstations with _Domain Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**.
3. In the **Certificate Template Console**, right-click the **Computer** template in the details pane and click **Duplicate Template**.
4. On the **General** tab, type **NDES-Intune Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
> [!NOTE]
> If you use different template names, you'll need to remember and substitute these names in different portions of the lab.
5. On the **Subject** tab, select **Supply in the request**.
6. On the **Cryptography** tab, validate the **Minimum key size** is **2048**.
7. On the **Security** tab, click **Add**.
8. Type **NDES server** in the **Enter the object names to select** text box and click **OK**.
9. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**.
10. Click on the **Apply** to save changes and close the console.
### Create an Azure AD joined Windows Hello for Business authentication certificate template
@ -231,20 +272,30 @@ During Windows Hello for Business provisioning, Windows requests an authenticat
Sign in a certificate authority or management workstations with _Domain Admin equivalent_ credentials.
1. Open the **Certificate Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**.
3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**.
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
5. On the **General** tab, type **AADJ WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
> [!NOTE]
> If you use different template names, you'll need to remember and substitute these names in different portions of the deployment.
6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**.
8. On the **Subject** tab, select **Supply in the request**.
9. On the **Request Handling** tab, select **Signature and encryption** from the **Purpose** list. Select the **Renew with same key** check box. Select **Enroll subject without requiring any user input**.
10. On the **Security** tab, click **Add**. Type **NDESSvc** in the **Enter the object names to select** text box and click **OK**.
11. Select **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for **Read** and **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**.
12. Close the console.
### Publish certificate templates
@ -257,10 +308,15 @@ The certificate authority may only issue certificates for certificate templates
Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console.
2. Expand the parent node from the navigation pane.
3. Click **Certificate Templates** in the navigation pane.
4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue.
5. In the **Enable Certificates Templates** window, select the **NDES-Intune Authentication** and **AADJ WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority.
6. Close the console.
## Install and Configure the NDES Role
@ -282,18 +338,31 @@ Install the Network Device Enrollment Service role on a computer other than the
Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
1. Open **Server Manager** on the NDES server.
2. Click **Manage**. Click **Add Roles and Features**.
3. In the **Add Roles and Features Wizard**, on the **Before you begin** page, click **Next**. Select **Role-based or feature-based installation** on the **Select installation type** page. Click **Next**. Click **Select a server from the server pool**. Select the local server from the **Server Pool** list. Click **Next**.
![Server Manager destination server.](images/aadjCert/servermanager-destination-server-ndes.png)
4. On the **Select server roles** page, select **Active Directory Certificate Services** from the **Roles** list.
![Server Manager AD CS Role.](images/aadjCert/servermanager-adcs-role.png)
Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**.
![Server Manager Add Features.](images/aadjcert/serverManager-adcs-add-features.png)
![Server Manager Add Features.](images/aadjcert/servermanager-adcs-add-features.png)
5. On the **Features** page, expand **.NET Framework 3.5 Features**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Expand **.NET Framework 4.5 Features**. Expand **WCF Services**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**.
![Server Manager Feature HTTP Activation.](images/aadjcert/servermanager-adcs-http-activation.png)
6. On the **Select role services** page, clear the **Certificate Authority** check box. Select the **Network Device Enrollment Service**. Click **Add Features** on the **Add Roles and Features Wizard** dialog box. Click **Next**.
![Server Manager ADCS NDES Role.](images/aadjcert/servermanager-adcs-ndes-role-checked.png)
7. Click **Next** on the **Web Server Role (IIS)** page.
8. On the **Select role services** page for the Web Serve role, Select the following additional services if they are not already selected and then click **Next**.
- **Web Server > Security > Request Filtering**
@ -303,10 +372,13 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
- **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility**
![Server Manager Web Server Role.](images/aadjcert/servermanager-adcs-webserver-role.png)
9. Click **Install**. When the installation completes, continue with the next procedure. **Do not click Close**.
> [!IMPORTANT]
> .NET Framework 3.5 is not included in the typical installation. If the server is connected to the Internet, the installation attempts to get the files using Windows Update. If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \<driveLetter>:\\Sources\SxS\
![.NET Side by Side.](images/aadjcert/dotNet35sidebyside.png)
![.NET Side by Side.](images/aadjcert/dotnet35sidebyside.png)
### Configure the NDES service account
@ -317,8 +389,11 @@ This task adds the NDES service account to the local IIS_USRS group. The task a
Sign-in the NDES server with access equivalent to _local administrator_.
1. Start the **Local Users and Groups** management console (`lusrmgr.msc`).
2. Select **Groups** from the navigation pane. Double-click the IIS_IUSRS group.
3. In the **IIS_IUSRS Properties** dialog box, click **Add**. Type **NDESSvc** or the name of your NDES service account. Click **Check Names** to verify the name and then click **OK**. Click **OK** to close the properties dialog box.
4. Close the management console.
#### Register a Service Principal Name on the NDES Service account
@ -326,13 +401,16 @@ Sign-in the NDES server with access equivalent to _local administrator_.
Sign-in the NDES server with access equivalent to _Domain Admins_.
1. Open an elevated command prompt.
2. Type the following command to register the service principal name
```
```console
setspn -s http/[FqdnOfNdesServer] [DomainName\\NdesServiceAccount]
```
where **[FqdnOfNdesServer]** is the fully qualified domain name of the NDES server and **[DomainName\NdesServiceAccount]** is the domain name and NDES service account name separated by a backslash (\\). An example of the command looks like the following:
```
```console
setspn -s http/ndes.corp.contoso.com contoso\ndessvc
```
@ -348,17 +426,29 @@ The NDES service enrolls certificates on behalf of users. Therefore, you want t
Sign-in a domain controller with a minimum access equivalent to _Domain Admins_.
1. Open **Active Directory Users and Computers**
2. Locate the NDES Service account (NDESSvc). Right-click and select **Properties**. Click the **Delegation** tab.
![NDES Delegation Tab.](images/aadjcert/ndessvcdelegationtab.png)
3. Select **Trust this user for delegation to specified services only**.
4. Select **Use any authentication protocol**.
5. Click **Add**.
6. Click **Users or Computers...** Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **HOST**. Click **OK**.
![NDES Service delegation to NDES host.](images/aadjcert/ndessvcdelegation-host-ndes-spn.png)
7. Repeat steps 5 and 6 for each NDES server using this service account. Click **Add**.
8. Click **Users or computers...** Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **dcom**. Hold the **CTRL** key and select **HOST**. Click **OK**.
9. Repeat steps 8 and 9 for each issuing certificate authority from which one or more NDES servers request certificates.
![NDES Service delegation complete.](images/aadjcert/ndessvcdelegation-host-ca-spn.png)
10. Click **OK**. Close **Active Directory Users and Computers**.
### Configure the NDES Role and Certificate Templates
@ -375,18 +465,31 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
![Server Manager Post-Install Yellow flag.](images/aadjcert/servermanager-post-ndes-yellowactionflag.png)
1. Click the **Configure Active Directory Certificate Services on the destination server** link.
2. On the **Credentials** page, click **Next**.
![NDES Installation Credentials.](images/aadjcert/ndesconfig01.png)
3. On the **Role Services** page, select **Network Device Enrollment Service** and then click **Next**
![NDES Role Services.](images/aadjcert/ndesconfig02.png)
4. On the **Service Account for NDES** page, select **Specify service account (recommended)**. Click **Select...**. Type the user name and password for the NDES service account in the **Windows Security** dialog box. Click **Next**.
![NDES Service Account for NDES.](images/aadjcert/ndesconfig03b.png)
5. On the **CA for NDES** page, select **CA name**. Click **Select...**. Select the issuing certificate authority from which the NDES server requests certificates. Click **Next**.
![NDES CA selection.](images/aadjcert/ndesconfig04.png)
6. On the **RA Information**, click **Next**.
7. On the **Cryptography for NDES** page, click **Next**.
8. Review the **Confirmation** page. Click **Configure**.
![NDES Confirmation.](images/aadjcert/ndesconfig05.png)
9. Click **Close** after the configuration completes.
#### Configure Certificate Templates on NDES
@ -412,18 +515,23 @@ If the need arises, you can configure a signature certificate in the encryption
Sign-in to the NDES Server with _local administrator_ equivalent credentials.
1. Open an elevated command prompt.
2. Using the table above, decide which registry value name you will use to request Windows Hello for Business authentication certificates for Azure AD joined devices.
3. Type the following command:
```
```console
reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v [registryValueName] /t REG_SZ /d [certificateTemplateName]
```
where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Azure AD joined devices. Example:
```
```console
reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d AADJWHFBAuthentication
```
4. Type **Y** when the command asks for permission to overwrite the existing value.
5. Close the command prompt.
> [!IMPORTANT]
@ -444,21 +552,34 @@ Connector group automatically round-robin, load balance the Azure AD Application
Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**.
3. Under **MANAGE**, click **Application proxy**.
4. Click **Download connector service**. Click **Accept terms & Download**. Save the file (AADApplicationProxyConnectorInstaller.exe) in a location accessible by others on the domain.
![Azure Application Proxy Connectors.](images/aadjcert/azureconsole-applicationproxy-connectors-empty.png)
5. Sign-in the computer that will run the connector with access equivalent to a _domain user_.
> [!IMPORTANT]
> Install a minimum of two Azure Active Directory Proxy connectors for each NDES Application Proxy. Strategically locate Azure AD application proxy connectors throughout your organization to ensure maximum availability. Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers.
6. Start **AADApplicationProxyConnectorInstaller.exe**.
7. Read the license terms and then select **I agree to the license terms and conditions**. Click **Install**.
![Azure Application Proxy Connector: license terms](images/aadjcert/azureappproxyconnectorinstall-01.png)
8. Sign-in to Microsoft Azure with access equivalent to **Global Administrator**.
![Azure Application Proxy Connector: sign-in](images/aadjcert/azureappproxyconnectorinstall-02.png)
9. When the installation completes. Read the information regarding outbound proxy servers. Click **Close**.
![Azure Application Proxy Connector: read](images/aadjcert/azureappproxyconnectorinstall-03.png)
10. Repeat steps 5 - 10 for each device that will run the Azure AD Application Proxy connector for Windows Hello for Business certificate deployments.
#### Create a Connector Group
@ -466,12 +587,19 @@ Sign-in a workstation with access equivalent to a _domain user_.
Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**.
3. Under **MANAGE**, click **Application proxy**.
![Azure Application Proxy Connector groups.](images/aadjcert/azureconsole-applicationproxy-connectors-default.png)
4. Click **New Connector Group**. Under **Name**, type **NDES WHFB Connectors**.
![Azure Application New Connector Group.](images/aadjcert/azureconsole-applicationproxy-connectors-newconnectorgroup.png)
5. Select each connector agent in the **Connectors** list that will service Windows Hello for Business certificate enrollment requests.
6. Click **Save**.
#### Create the Azure Application Proxy
@ -479,17 +607,29 @@ Sign-in a workstation with access equivalent to a _domain user_.
Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**.
3. Under **MANAGE**, click **Application proxy**.
4. Click **Configure an app**.
5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**. Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server. Each NDES server must have its own Azure AD Application Proxy as two NDES servers cannot share the same internal URL.
6. Next to **Internal URL**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**.
7. Under **Internal URL**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy. It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net).
![Azure NDES Application Proxy Configuration.](images/aadjcert/azureconsole-appproxyconfig.png)
8. Select **Passthrough** from the **Pre Authentication** list.
9. Select **NDES WHFB Connectors** from the **Connector Group** list.
10. Under **Additional Settings**, select **Default** from **Backend Application Timeout**. Under the **Translate URLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**.
11. Click **Add**.
12. Sign-out of the Azure Portal.
> [!IMPORTANT]
@ -502,16 +642,27 @@ This task enrolls a client and server authentication certificate used by the Int
Sign-in the NDES server with access equivalent to _local administrators_.
1. Start the Local Computer **Certificate Manager** (certlm.msc).
2. Expand the **Personal** node in the navigation pane.
3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**.
4. Click **Next** on the **Before You Begin** page.
5. Click **Next** on the **Select Certificate Enrollment Policy** page.
6. On the **Request Certificates** page, Select the **NDES-Intune Authentication** check box.
7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link
![Example of Certificate Properties Subject Tab - This is what shows when you click the above link.](images/aadjcert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png)
8. Under **Subject name**, select **Common Name** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**) and then click **Add**.
9. Under **Alternative name**, select **DNS** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**). Click **Add**. Type the external URL used in the previous task (without the https://, for example **ndes-mstephendemo.msappproxy.net**). Click **Add**. Click **OK** when finished.
10. Click **Enroll**
11. Repeat these steps for all NDES Servers used to request Windows Hello for Business authentication certificates for Azure AD joined devices.
### Configure the Web Server Role
@ -521,15 +672,25 @@ This task configures the Web Server role on the NDES server to use the server au
Sign-in the NDES server with access equivalent to _local administrator_.
1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**.
2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**.
![NDES IIS Console](images/aadjcert/ndes-iis-console.png)
3. Click **Bindings...*** under **Actions**. Click **Add**.
3. Click **Bindings...** under **Actions**. Click **Add**.
![NDES IIS Console: Add](images/aadjcert/ndes-iis-bindings.png)
4. Select **https** from **Type**. Confirm the value for **Port** is **443**.
5. Select the certificate you previously enrolled from the **SSL certificate** list. Select **OK**.
![NDES IIS Console: Certificate List](images/aadjcert/ndes-iis-bindings-add-443.png)
6. Select **http** from the **Site Bindings** list. Click **Remove**.
7. Click **Close** on the **Site Bindings** dialog box.
8. Close **Internet Information Services (IIS) Manager**.
### Verify the configuration
@ -541,18 +702,23 @@ Sign-in the NDES server with access equivalent to _local administrator_.
#### Disable Internet Explorer Enhanced Security Configuration
1. Open **Server Manager**. Click **Local Server** from the navigation pane.
2. Click **On** next to **IE Enhanced Security Configuration** in the **Properties** section.
3. In the **Internet Explorer Enhanced Security Configuration** dialog, under **Administrators**, select **Off**. Click **OK**.
4. Close **Server Manager**.
#### Test the NDES web server
1. Open **Internet Explorer**.
2. In the navigation bar, type
```
```https
https://[fqdnHostName]/certsrv/mscep/mscep.dll
```
where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server.
A web page similar to the following should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentService** source.
@ -560,6 +726,7 @@ A web page similar to the following should appear in your web browser. If you d
![NDES IIS Console: Source](images/aadjcert/ndes-https-website-test-01.png)
Confirm the web site uses the server authentication certificate.
![NDES IIS Console: Confirm](images/aadjcert/ndes-https-website-test-01-show-cert.png)
## Configure Network Device Enrollment Services to work with Microsoft Intune
@ -575,23 +742,34 @@ Sign-in the NDES server with access equivalent to _local administrator_.
#### Configure the Default Web Site
1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**.
2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**.
3. In the content pane, double-click **Request Filtering**. Click **Edit Feature Settings...** in the action pane.
![Intune NDES Request filtering.](images/aadjcert/NDES-IIS-RequestFiltering.png)
4. Select **Allow unlisted file name extensions**.
5. Select **Allow unlisted verbs**.
6. Select **Allow high-bit characters**.
7. Type **30000000** in **Maximum allowed content length (Bytes)**.
8. Type **65534** in **Maximum URL length (Bytes)**.
9. Type **65534** in **Maximum query string (Bytes)**.
10. Click **OK**. Close **Internet Information Services (IIS) Manager**.
#### Configure Parameters for HTTP.SYS
1. Open an elevated command prompt.
2. Run the following commands:
```
```console
reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534
reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534
```
@ -607,10 +785,15 @@ The Intune Certificate Connector application enables Microsoft Intune to enroll
Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
2. Select **Tenant administration** > **Connectors and tokens** > **Certificate connectors** > **Add**.
3. Click **Download the certificate connector software** under the **Install Certificate Connectors** section.
![Intune Certificate Authority.](images/aadjcert/profile01.png)
4. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server.
5. Sign-out of the Microsoft Endpoint Manager admin center.
### Install the Intune Certificate Connector
@ -618,27 +801,39 @@ Sign-in a workstation with access equivalent to a _domain user_.
Sign-in the NDES server with access equivalent to _domain administrator_.
1. Copy the Intune Certificate Connector Setup (NDESConnectorSetup.exe) downloaded in the previous task locally to the NDES server.
2. Run **NDESConnectorSetup.exe** as an administrator. If the setup shows a dialog that reads **Microsoft Intune NDES Connector requires HTTP Activation**, ensure you started the application as an administrator, then check HTTP Activation is enabled on the NDES server.
3. On the **Microsoft Intune** page, click **Next**.
![Intune Connector Install 01.](images/aadjcert/intunecertconnectorinstall-01.png)
4. Read the **End User License Agreement**. Click **Next** to accept the agreement and to proceed with the installation.
5. On the **Destination Folder** page, click **Next**.
6. On the **Installation Options** page, select **SCEP and PFX Profile Distribution** and click **Next**.
![Intune Connector Install 03.](images/aadjcert/intunecertconnectorinstall-03.png)
7. On the **Client certificate for Microsoft Intune** page, Click **Select**. Select the certificate previously enrolled for the NDES server. Click **Next**.
![Intune Connector Install 05.](images/aadjcert/intunecertconnectorinstall-05.png)
> [!NOTE]
> The **Client certificate for Microsoft Intune** page does not update after selecting the client authentication certificate. However, the application rembers the selection and shows it in the next page.
8. On the **Client certificate for the NDES Policy Module** page, verify the certificate information and then click **Next**.
9. ON the **Ready to install Microsoft Intune Connector** page. Click **Install**.
![Intune Connector Install 06.](images/aadjcert/intunecertconnectorinstall-06.png)
> [!NOTE]
> You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder.
10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task.
![Intune Connector install 07.](images/aadjcert/intunecertconnectorinstall-07.png)
### Configure the Intune Certificate Connector
@ -651,9 +846,11 @@ Sign-in the NDES server with access equivalent to _domain administrator_.
> If the **NDES Connector** user interface is not open, you can start it from **\<install_Path>\NDESConnectorUI\NDESConnectorUI.exe**.
2. If your organization uses a proxy server and the proxy is needed for the NDES server to access the Internet, select **Use proxy server**, and then enter the proxy server name, port, and credentials to connect. Click **Apply**
![Intune Certificate Connector Configuration 01.](images/aadjcert/intunecertconnectorconfig-01.png)
3. Click **Sign-in**. Type credentials for your Intune administrator, or tenant administrator that has the **Global Administrator** directory role.
![Intune Certificate Connector Configuration 02.](images/aadjcert/intunecertconnectorconfig-02.png)
> [!IMPORTANT]
@ -671,9 +868,13 @@ Optionally (not required), you can configure the Intune connector for certificat
Sign-in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_.
1. Start the **Certification Authority** management console.
2. In the navigation pane, right-click the name of the certificate authority and select **Properties**.
3. Click the **Security** tab. Click **Add**. In **Enter the object names to select** box, type **NDESSvc** (or the name you gave the NDES Service account). Click *Check Names*. Click **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Click **OK**.
![Configure Intune certificate revocation 02.](images/aadjcert/intuneconfigcertrevocation-02.png)
4. Close the **Certification Authority**
#### Enable the NDES Connector for certificate revocation
@ -681,8 +882,11 @@ Sign-in the certificate authority used by the NDES Connector with access equival
Sign-in the NDES server with access equivalent to _domain administrator_.
1. Open the **NDES Connector** user interface (**\<install_Path>\NDESConnectorUI\NDESConnectorUI.exe**).
2. Click the **Advanced** tab. Select **Specify a different account username and password**. Type the NDES service account username and password. Click **Apply**. Click **OK** to close the confirmation dialog box. Click **Close**.
![Intune Connector cert revocation configuration 04.](images/aadjcert/intunecertconnectorconfig-04.png)
3. Restart the **Intune Connector Service** and the **World Wide Web Publishing Service**.
### Test the NDES Connector
@ -690,23 +894,28 @@ Sign-in the NDES server with access equivalent to _domain administrator_.
Sign-in the NDES server with access equivalent to _domain admin_.
1. Open a command prompt.
2. Type the following command to confirm the NDES Connector's last connection time is current.
```
```console
reg query hklm\software\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus
```
3. Close the command prompt.
4. Open **Internet Explorer**.
5. In the navigation bar, type:
```
```console
https://[fqdnHostName]/certsrv/mscep/mscep.dll
```
where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server.
A web page showing a 403 error (similar to the following) should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source.
![NDES web site test after Intune Certificate Connector.](images/aadjcert/ndes-https-website-test-after-intune-connector.png)
6. Using **Server Manager**, enable **Internet Explorer Enhanced Security Configuration**.
## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile
@ -716,14 +925,23 @@ Sign-in the NDES server with access equivalent to _domain admin_.
Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**.
3. Click **Groups**. Click **New group**.
4. Select **Security** from the **Group type** list.
5. Under **Group Name**, type the name of the group. For example, **AADJ WHFB Certificate Users**.
6. Provide a **Group description**, if applicable.
7. Select **Assigned** from the **Membership type** list.
![Azure AD new group creation.](images/aadjcert/azureadcreatewhfbcertgroup.png)
8. Click **Members**. Use the **Select members** pane to add members to this group. When finished click **Select**.
9. Click **Create**.
### Create a SCEP Certificate Profile
@ -731,20 +949,30 @@ Sign-in a workstation with access equivalent to a _domain user_.
Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
2. Select **Devices**, and then click **Configuration Profiles**.
3. Select **Create Profile**.
![Intune Device Configuration Create Profile.](images/aadjcert/profile02.png)
4. Select **Windows 10 and later** from the **Platform** list.
5. Choose **SCEP certificate** from the **Profile** list, and select **Create**.
6. The **SCEP Certificate** wizard should open. Next to **Name**, type **WHFB Certificate Enrollment**.
7. Next to **Description**, provide a description meaningful for your environment, then select **Next**.
8. Select **User** as a certificate type.
9. Configure **Certificate validity period** to match your organization.
> [!IMPORTANT]
> Remember that you need to configure your certificate authority to allow Microsoft Intune to configure certificate validity.
10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list.
11. Next to **Subject name format**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate.
> [!NOTE]
@ -752,13 +980,21 @@ Sign-in a workstation with access equivalent to a _domain user_.
> If the length of the distinguished name is more than 64 characters, the name length enforcement on the Certification Authority [must be disabled](/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement).
12. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** parameter. Set its value as {{UserPrincipalName}}.
13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to the configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**.
14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority as a root certificate for the profile.
15. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**.
16. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**.
![WHFB SCEP certificate Profile EKUs.](images/aadjcert/profile03.png)
17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile.
18. Click **Next**.
19. Click **Next** several times to skip the **Scope tags**, **Assignments**, and **Applicability Rules** steps of the wizard and click **Create**.
### Assign Group to the WHFB Certificate Enrollment Certificate Profile
@ -766,12 +1002,19 @@ Sign-in a workstation with access equivalent to a _domain user_.
Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
2. Select **Devices**, and then click **Configuration Profiles**.
3. Click **WHFB Certificate Enrollment**.
4. Select **Properties**, and then click **Edit** next to the **Assignments** section.
5. In the **Assignments** pane, select **Selected Groups** from the **Assign to** list. Click **Select groups to include**.
![WHFB SCEP Profile Assignment.](images/aadjcert/profile04.png)
6. Select the **AADJ WHFB Certificate Users** group. Click **Select**.
7. Click **Review + Save**, and then **Save**.
You have successfully completed the configuration. Add users that need to enroll a Windows Hello for Business authentication certificate to the **AADJ WHFB Certificate Users** group. This group, combined with the device enrollment Windows Hello for Business configuration prompts the user to enroll for Windows Hello for Business and enroll a certificate that can be used to authentication to on-premises resources.

0
windows/security/identity-protection/hello-for-business/images/aadjCert/AADConnectOnPremDN.png → windows/security/identity-protection/hello-for-business/images/aadjCert/aadconnectonpremdn.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 270 KiB

After

Width:  |  Height:  |  Size: 270 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-01.png → windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-01.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 139 KiB

After

Width:  |  Height:  |  Size: 139 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-02.png → windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-02.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 118 KiB

After

Width:  |  Height:  |  Size: 118 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-03.png → windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-03.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 125 KiB

After

Width:  |  Height:  |  Size: 125 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Default.png → windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-default.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 327 KiB

After

Width:  |  Height:  |  Size: 327 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Empty.png → windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-empty.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 273 KiB

After

Width:  |  Height:  |  Size: 273 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-NewConnectorGroup.png → windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-newconnectorgroup.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 134 KiB

After

Width:  |  Height:  |  Size: 134 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-AppProxyConfig.png → windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-appproxyconfig.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 256 KiB

After

Width:  |  Height:  |  Size: 256 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/dotNet35sideByside.png → windows/security/identity-protection/hello-for-business/images/aadjCert/dotnet35sidebyside.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 353 KiB

After

Width:  |  Height:  |  Size: 353 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig01.png → windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig01.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 323 KiB

After

Width:  |  Height:  |  Size: 323 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig02.png → windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig02.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 274 KiB

After

Width:  |  Height:  |  Size: 274 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig03b.png → windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig03b.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 298 KiB

After

Width:  |  Height:  |  Size: 298 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig04.png → windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig04.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 271 KiB

After

Width:  |  Height:  |  Size: 271 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig05.png → windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig05.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 343 KiB

After

Width:  |  Height:  |  Size: 343 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-CA-SPN.png → windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegation-host-ca-spn.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 198 KiB

After

Width:  |  Height:  |  Size: 198 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-NDES-SPN.png → windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegation-host-ndes-spn.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 156 KiB

After

Width:  |  Height:  |  Size: 156 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegationTab.png → windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegationtab.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 184 KiB

After

Width:  |  Height:  |  Size: 184 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-add-Features.png → windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-add-features.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 164 KiB

After

Width:  |  Height:  |  Size: 164 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-HTTP-Activation.png → windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-http-activation.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 414 KiB

After

Width:  |  Height:  |  Size: 414 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-NDES-Role-Checked.png → windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-ndes-role-checked.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 297 KiB

After

Width:  |  Height:  |  Size: 297 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-Role.png → windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-role.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 355 KiB

After

Width:  |  Height:  |  Size: 355 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-WebServer-Role.png → windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-webserver-role.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 432 KiB

After

Width:  |  Height:  |  Size: 432 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Destination-Server-NDES.png → windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-destination-server-ndes.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 327 KiB

After

Width:  |  Height:  |  Size: 327 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Post-NDES-YellowActionFlag.png → windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-post-ndes-yellowactionflag.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 730 KiB

After

Width:  |  Height:  |  Size: 730 KiB

0
windows/security/identity-protection/hello-for-business/images/aadjCert/setSPN-CommandPrompt.png → windows/security/identity-protection/hello-for-business/images/aadjCert/setspn-commandprompt.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 314 KiB

After

Width:  |  Height:  |  Size: 314 KiB

6
windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
View File

@ -1,5 +1,5 @@
---
title: Smart Card and Remote Desktop Services (Windows 10)
title: Smart Card and Remote Desktop Services (Windows)
description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
ms.prod: w10
ms.mktglfcycl: deploy
@ -12,13 +12,13 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 04/19/2017
ms.date: 09/24/2021
ms.reviewer:
---
# Smart Card and Remote Desktop Services
Applies To: Windows 10, Windows Server 2016
Applies To: Windows 10, Windows 11, Windows Server 2016 and above
This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.

6
windows/security/identity-protection/smart-cards/smart-card-architecture.md
View File

@ -1,5 +1,5 @@
---
title: Smart Card Architecture (Windows 10)
title: Smart Card Architecture (Windows)
description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system.
ms.prod: w10
ms.mktglfcycl: deploy
@ -12,13 +12,13 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 04/19/2017
ms.date: 09/24/2021
ms.reviewer:
---
# Smart Card Architecture
Applies To: Windows 10, Windows Server 2016
Applies To: Windows 10, Windows 11, Windows Server 2016 and above
This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system, including credential provider architecture and the smart card subsystem architecture.

6
windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
View File

@ -1,5 +1,5 @@
---
title: Certificate Propagation Service (Windows 10)
title: Certificate Propagation Service (Windows)
description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation.
ms.prod: w10
ms.mktglfcycl: deploy
@ -12,13 +12,13 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 04/19/2017
ms.date: 08/24/2021
ms.reviewer:
---
# Certificate Propagation Service
Applies To: Windows 10, Windows Server 2016
Applies To: Windows 10, Windows 11, Windows Server 2016 and above
This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation.

8
windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
View File

@ -1,5 +1,5 @@
---
title: Certificate Requirements and Enumeration (Windows 10)
title: Certificate Requirements and Enumeration (Windows)
description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
ms.prod: w10
ms.mktglfcycl: deploy
@ -12,13 +12,13 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 04/19/2017
ms.date: 09/24/2021
ms.reviewer:
---
# Certificate Requirements and Enumeration
Applies To: Windows 10, Windows Server 2016
Applies To: Windows 10, Windows 11, Windows Server 2016 and above
This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
@ -185,7 +185,7 @@ Certificate requirements are listed by versions of the Windows operating system.
The smart card certificate has specific format requirements when it is used with Windows XP and earlier operating systems. You can enable any certificate to be visible for the smart card credential provider.
| **Component** | **Requirements for Windows 8.1, Windows 8, Windows 7, Windows Vista, and Windows 10** | **Requirements for Windows XP** |
| **Component** | **Requirements for Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows 10, and Windows 11** | **Requirements for Windows XP** |
|--------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| CRL distribution point location | Not required | The location must be specified, online, and available, for example:<br>\[1\]CRL Distribution Point<br>Distribution Point Name:<br>Full Name:<br>URL=<http://server1.contoso.com/CertEnroll/caname.crl> |
| Key usage | Digital signature | Digital signature |

6
windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
View File

@ -1,5 +1,5 @@
---
title: Smart Card Troubleshooting (Windows 10)
title: Smart Card Troubleshooting (Windows)
description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
ms.prod: w10
ms.mktglfcycl: deploy
@ -12,13 +12,13 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 04/19/2017
ms.date: 09/24/2021
ms.reviewer:
---
# Smart Card Troubleshooting
Applies To: Windows 10, Windows Server 2016
Applies To: Windows 10, Windows 11, Windows Server 2016 and above
This article explains tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.

6
windows/security/identity-protection/smart-cards/smart-card-events.md
View File

@ -1,5 +1,5 @@
---
title: Smart Card Events (Windows 10)
title: Smart Card Events (Windows)
description: This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development.
ms.prod: w10
ms.mktglfcycl: deploy
@ -12,13 +12,13 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 04/19/2017
ms.date: 09/24/2021
ms.reviewer:
---
# Smart Card Events
Applies To: Windows 10, Windows Server 2016
Applies To: Windows 10, Windows 11, Windows Server 2016 and above
This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development.

6
windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
View File

@ -1,5 +1,5 @@
---
title: Smart Card Group Policy and Registry Settings (Windows 10)
title: Smart Card Group Policy and Registry Settings (Windows)
description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards.
ms.prod: w10
ms.mktglfcycl: deploy
@ -12,13 +12,13 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 04/19/2017
ms.date: 09/23/2021
ms.reviewer:
---
# Smart Card Group Policy and Registry Settings
Applies to: Windows 10, Windows Server 2016
Applies to: Windows 10, Windows 11, Windows Server 2016 and above
This article for IT professionals and smart card developers describes the Group Policy settings, registry key settings, local security policy settings, and credential delegation policy settings that are available for configuring smart cards.

6
windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
View File

@ -1,5 +1,5 @@
---
title: How Smart Card Sign-in Works in Windows (Windows 10)
title: How Smart Card Sign-in Works in Windows
description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system.
ms.prod: w10
ms.mktglfcycl: deploy
@ -12,13 +12,13 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 04/19/2017
ms.date: 09/24/2021
ms.reviewer:
---
# How Smart Card Sign-in Works in Windows
Applies To: Windows 10, Windows Server 2016
Applies To: Windows 10, Windows 11, Windows Server 2016 and above
This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. It includes the following resources about the architecture, certificate management, and services that are related to smart card use:

8
windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
View File

@ -1,5 +1,5 @@
---
title: Smart Card Removal Policy Service (Windows 10)
title: Smart Card Removal Policy Service (Windows)
description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
ms.prod: w10
ms.mktglfcycl: deploy
@ -12,17 +12,17 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 04/19/2017
ms.date: 09/24/2021
ms.reviewer:
---
# Smart Card Removal Policy Service
Applies To: Windows 10, Windows Server 2016
Applies To: Windows 10, Windows 11, Windows Server 2016
This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
The smart card removal policy service is applicable when a user has signed in with a smart card and subsequently removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by Group Policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
The smart card removal policy service is applicable when a user has signed in with a smart card and then removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by Group Policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
**Smart card removal policy service**

8
windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
View File

@ -1,5 +1,5 @@
---
title: Smart Cards for Windows Service (Windows 10)
title: Smart Cards for Windows Service (Windows)
description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions.
ms.prod: w10
ms.mktglfcycl: deploy
@ -12,13 +12,13 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 04/19/2017
ms.date: 09/24/2021
ms.reviewer:
---
# Smart Cards for Windows Service
Applies To: Windows 10, Windows Server 2016
Applies To: Windows 10, Windows 11, Windows Server 2016 and above
This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service (formerly called Smart Card Resource Manager) manages readers and application interactions.
@ -26,7 +26,7 @@ The Smart Cards for Windows service provides the basic infrastructure for all ot
The Smart Cards for Windows service runs in the context of a local service, and it is implemented as a shared service of the services host (svchost) process. The Smart Cards for Windows service, Scardsvr, has the following service description:
```
```PowerShell
<serviceData
dependOnService="PlugPlay"
description="@%SystemRoot%\System32\SCardSvr.dll,-5"

6
windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
View File

@ -1,5 +1,5 @@
---
title: Smart Card Tools and Settings (Windows 10)
title: Smart Card Tools and Settings (Windows)
description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.
ms.prod: w10
ms.mktglfcycl: deploy
@ -12,13 +12,13 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 04/19/2017
ms.date: 09/24/2021
ms.reviewer:
---
# Smart Card Tools and Settings
Applies To: Windows 10, Windows Server 2016
Applies To: Windows 10, Windows 11, Windows Server 2016 and above
This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.

6
windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
View File

@ -1,5 +1,5 @@
---
title: Smart Card Technical Reference (Windows 10)
title: Smart Card Technical Reference (Windows)
description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows.
ms.prod: w10
ms.mktglfcycl: deploy
@ -12,13 +12,13 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 04/19/2017
ms.date: 09/24/2021
ms.reviewer:
---
# Smart Card Technical Reference
Applies To: Windows 10, Windows Server 2016
Applies To: Windows 10, Windows 11, Windows Server 2016 and above
The Smart Card Technical Reference describes the Windows smart card infrastructure for physical smart cards and how smart card-related components work in Windows. This document also contains information about tools that information technology (IT) developers and administrators can use to troubleshoot, debug, and deploy smart card-based strong authentication in the enterprise.

26
windows/security/identity-protection/user-account-control/how-user-account-control-works.md
View File

@ -1,5 +1,5 @@
---
title: How User Account Control works (Windows 10)
title: How User Account Control works (Windows)
description: User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.
ms.assetid: 9f921779-0fd3-4206-b0e4-05a19883ee59
ms.reviewer:
@ -14,21 +14,23 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 11/16/2018
ms.date: 09/23/2021
---
# How User Account Control works
**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above
User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.
## UAC process and interactions
Each app that requires the administrator access token must prompt for consent. The one exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same integrity level. Windows 10 protects processes by marking their integrity levels. Integrity levels are measurements of trust. A "high" integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a "low" integrity application is one that performs tasks that could potentially compromise the operating system, such as a Web browser. Apps with lower integrity levels cannot modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provide valid administrator credentials.
Each app that requires the administrator access token must prompt for consent. The one exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same integrity level. Windows protects processes by marking their integrity levels. Integrity levels are measurements of trust. A "high" integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a "low" integrity application is one that performs tasks that could potentially compromise the operating system, such as a Web browser. Apps with lower integrity levels cannot modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provide valid administrator credentials.
In order to better understand how this process happens, let's look at the Windows logon process.
To better understand how this process happens, let's look at the Windows logon process.
### Logon process
@ -40,17 +42,17 @@ By default, standard users and administrators access resources and run apps in t
When an administrator logs on, two separate access tokens are created for the user: a standard user access token and an administrator access token. The standard user access token contains the same user-specific information as the administrator access token, but the administrative Windows privileges and SIDs are removed. The standard user access token is used to start apps that do not perform administrative tasks (standard user apps). The standard user access token is then used to display the desktop (explorer.exe). Explorer.exe is the parent process from which all other user-initiated processes inherit their access token. As a result, all apps run as a standard user unless a user provides consent or credentials to approve an app to use a full administrative access token.
A user that is a member of the Administrators group can log on, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows 10 automatically prompts the user for approval. This prompt is called an elevation prompt, and its behavior can be configured by using the Local Security Policy snap-in (Secpol.msc) or Group Policy. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md).
A user that is a member of the Administrators group can log on, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows 10 or Windows 11 automatically prompts the user for approval. This prompt is called an elevation prompt, and its behavior can be configured by using the Local Security Policy snap-in (Secpol.msc) or Group Policy. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md).
### The UAC User Experience
When UAC is enabled, the user experience for standard users is different from that of administrators in Admin Approval Mode. The recommended and more secure method of running Windows 10 is to make your primary user account a standard user account. Running as a standard user helps to maximize security for a managed environment. With the built-in UAC elevation component, standard users can easily perform an administrative task by entering valid credentials for a local administrator account. The default, built-in UAC elevation component for standard users is the credential prompt.
When UAC is enabled, the user experience for standard users is different from that of administrators in Admin Approval Mode. The recommended and more secure method of running Windows 10 or Windows 11 is to make your primary user account a standard user account. Running as a standard user helps to maximize security for a managed environment. With the built-in UAC elevation component, standard users can easily perform an administrative task by entering valid credentials for a local administrator account. The default, built-in UAC elevation component for standard users is the credential prompt.
The alternative to running as a standard user is to run as an administrator in Admin Approval Mode. With the built-in UAC elevation component, members of the local Administrators group can easily perform an administrative task by providing approval. The default, built-in UAC elevation component for an administrator account in Admin Approval Mode is called the consent prompt.
**The consent and credential prompts**
With UAC enabled, Windows 10 prompts for consent or prompts for credentials of a valid local administrator account before starting a program or task that requires a full administrator access token. This prompt ensures that no malicious software can be silently installed.
With UAC enabled, Windows 10 or Windows 11 prompts for consent or prompts for credentials of a valid local administrator account before starting a program or task that requires a full administrator access token. This prompt ensures that no malicious software can be silently installed.
**The consent prompt**
@ -68,12 +70,12 @@ The following is an example of the UAC credential prompt.
**UAC elevation prompts**
The UAC elevation prompts are color-coded to be app-specific, enabling for immediate identification of an application's potential security risk. When an app attempts to run with an administrator's full access token, Windows 10 first analyzes the executable file to determine its publisher. Apps are first separated into three categories based on the file's publisher: Windows 10, publisher verified (signed), and publisher not verified (unsigned). The following diagram illustrates how Windows 10 determines which color elevation prompt to present to the user.
The UAC elevation prompts are color-coded to be app-specific, enabling for immediate identification of an application's potential security risk. When an app attempts to run with an administrator's full access token, Windows 10 or Windows 11 first analyzes the executable file to determine its publisher. Apps are first separated into three categories based on the file's publisher: Windows 10 or Windows 11, publisher verified (signed), and publisher not verified (unsigned). The following diagram illustrates how Windows determines which color elevation prompt to present to the user.
The elevation prompt color-coding is as follows:
- Red background with a red shield icon: The app is blocked by Group Policy or is from a publisher that is blocked.
- Blue background with a blue and gold shield icon: The application is a Windows 10 administrative app, such as a Control Panel item.
- Blue background with a blue and gold shield icon: The application is a Windows 10 and Windows 11 administrative app, such as a Control Panel item.
- Blue background with a blue shield icon: The application is signed by using Authenticode and is trusted by the local computer.
- Yellow background with a yellow shield icon: The application is unsigned or signed but is not yet trusted by the local computer.
@ -87,7 +89,7 @@ The shield icon on the **Change date and time** button indicates that the proces
**Securing the elevation prompt**
The elevation process is further secured by directing the prompt to the secure desktop. The consent and credential prompts are displayed on the secure desktop by default in Windows 10. Only Windows processes can access the secure desktop. For higher levels of security, we recommend keeping the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting enabled.
The elevation process is further secured by directing the prompt to the secure desktop. The consent and credential prompts are displayed on the secure desktop by default in Windows 10 and Windows 11. Only Windows processes can access the secure desktop. For higher levels of security, we recommend keeping the **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting enabled.
When an executable file requests elevation, the interactive desktop, also called the user desktop, is switched to the secure desktop. The secure desktop dims the user desktop and displays an elevation prompt that must be responded to before continuing. When the user clicks **Yes** or **No**, the desktop switches back to the user desktop.
@ -281,7 +283,7 @@ The slider will never turn UAC completely off. If you set it to <b>Never notify<
Because system administrators in enterprise environments attempt to secure systems, many line-of-business (LOB) applications are designed to use only a standard user access token. As a result, you do not need to replace the majority of apps when UAC is turned on.
Windows 10 includes file and registry virtualization technology for apps that are not UAC-compliant and that require an administrator's access token to run correctly. When an administrative apps that is not UAC-compliant attempts to write to a protected folder, such as Program Files, UAC gives the app its own virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the non-compliant app.
Windows 10 and Windows 11 include file and registry virtualization technology for apps that are not UAC-compliant and that require an administrator's access token to run correctly. When an administrative apps that is not UAC-compliant attempts to write to a protected folder, such as Program Files, UAC gives the app its own virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the non-compliant app.
Most app tasks operate properly by using virtualization features. Although virtualization allows a majority of applications to run, it is a short-term fix and not a long-term solution. App developers should modify their apps to be compliant as soon as possible, rather than relying on file, folder, and registry virtualization.
@ -301,7 +303,7 @@ All UAC-compliant apps should have a requested execution level added to the appl
### Installer detection technology
Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users do not have sufficient access to install programs. Windows 10 heuristically detects installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows 10 also heuristically detects updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry.
Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users do not have sufficient access to install programs. Windows 10 and Windows 11 heuristically detect installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows 10 and Windows 11 also heuristically detect updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry.
Installer detection only applies to:

5
windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
View File

@ -1,5 +1,5 @@
---
title: User Account Control Group Policy and registry key settings (Windows 10)
title: User Account Control Group Policy and registry key settings (Windows)
description: Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC.
ms.prod: w10
ms.mktglfcycl: deploy
@ -21,7 +21,8 @@ ms.reviewer:
**Applies to**
- Windows 10
- Windows Server 2016
- Windows 11
- Windows Server 2016 and above
## Group Policy settings
There are 10 Group Policy settings that can be configured for User Account Control (UAC). The table lists the default for each of the policy settings, and the following sections explain the different UAC policy settings and provide recommendations. These policy settings are located in **Security Settings\\Local Policies\\Security Options** in the Local Security Policy snap-in. For more information about each of the Group Policy settings, see the Group Policy description. For information about the registry key settings, see [Registry key settings](#registry-key-settings).

7
windows/security/identity-protection/user-account-control/user-account-control-overview.md
View File

@ -1,5 +1,5 @@
---
title: User Account Control (Windows 10)
title: User Account Control (Windows)
description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop.
ms.assetid: 43ac4926-076f-4df2-84af-471ee7d20c38
ms.reviewer:
@ -14,14 +14,15 @@ ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.date: 07/27/2017
ms.date: 09/24/2011
---
# User Account Control
**Applies to**
- Windows 10
- Windows Server 2016
- Windows 11
- Windows Server 2016 and above
User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.

7
windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
View File

@ -1,5 +1,5 @@
---
title: User Account Control security policy settings (Windows 10)
title: User Account Control security policy settings (Windows)
description: You can use security policies to configure how User Account Control works in your organization.
ms.assetid: 3D75A9AC-69BB-4EF2-ACB3-1769791E1B98
ms.reviewer:
@ -14,13 +14,16 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 04/19/2017
ms.date: 09/24/2021
---
# User Account Control security policy settings
**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and above
You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy.

7
windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
View File

@ -72,7 +72,8 @@ For example, either “`winload:hypervisordebugport`” or “`winload:0x250000f
Setting that applies to all boot applications may be applied only to an individual application, however the reverse is not true. For example, one can specify either: “`all:locale`” or “`winresume:locale`”, but as the bcd setting “`win-pe`” does not apply to all boot applications, “`winload:winpe`” is valid, but “`all:winpe`” is not valid. The setting that controls boot debugging (“`bootdebug`” or 0x16000010) will always be validated and will have no effect if it is included in the provided fields.
> **Note:**  Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid.
> [!NOTE]
> Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid.
 
### Default BCD validation profile
@ -109,7 +110,9 @@ The following table contains the default BCD validation profile used by BitLocke
### Full list of friendly names for ignored BCD settings
This following is a full list of BCD settings with friendly names, which are ignored by default. These settings are not part of the default BitLocker validation profile, but can be added if you see a need to validate any of these settings before allowing a BitLockerprotected operating system drive to be unlocked.
> **Note:**  Additional BCD settings exist that have hex values but do not have friendly names. These settings are not included in this list.
> [!NOTE]
> Additional BCD settings exist that have hex values but do not have friendly names. These settings are not included in this list.
| Hex Value | Prefix | Friendly Name |
| - | - | - |

9
windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
View File

@ -190,8 +190,8 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><strong>Name</strong></p></td>
<td align="left"><p><strong>Parameters</strong></p></td>
<td align="left"><p>Name</p></td>
<td align="left"><p>Parameters</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Add-BitLockerKeyProtector</strong></p></td>
@ -388,8 +388,9 @@ Get-ADUser -filter {samaccountname -eq "administrator"}
> [!NOTE]
> Use of this command requires the RSAT-AD-PowerShell feature.
>
> **Tip:**  In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features.
> [!TIP]
> In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features.
In the example below, the user wishes to add a domain SID-based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command:

2
windows/security/information-protection/bitlocker/bitlocker-overview.md
View File

@ -69,7 +69,7 @@ The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support th
> [!NOTE]
> TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature.
>
> Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI.
The hard disk must be partitioned with at least two drives:

34
windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
View File

@ -64,7 +64,8 @@ manage-bde protectors -add C: -startupkey E:
manage-bde -on C:
```
>**Note:**  After the encryption is completed, the USB startup key must be inserted before the operating system can be started.
> [!NOTE]
> After the encryption is completed, the USB startup key must be inserted before the operating system can be started.
An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, you would add the protectors first. To add them, use this command:
@ -102,7 +103,8 @@ You may experience a problem that damages an area of a hard disk on which BitLoc
The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive has become corrupt, you must be able to supply a backup key package in addition to the recovery password or recovery key. This key package is backed up in Active Directory Domain Services (AD DS) if you used the default setting for AD DS backup. With this key package and either the recovery password or recovery key, you can decrypt portions of a BitLocker-protected drive if the disk is corrupted. Each key package will work only for a drive that has the corresponding drive identifier. You can use the BitLocker Recovery Password Viewer to obtain this key package from AD DS.
>**Tip:**  If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume.
> [!TIP]
> If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume.
The Repair-bde command-line tool is intended for use when the operating system does not start or when you cannot start the BitLocker Recovery Console. Use Repair-bde if the following conditions are true:
@ -110,7 +112,8 @@ The Repair-bde command-line tool is intended for use when the operating system d
- Windows does not start, or you cannot start the BitLocker recovery console.
- You do not have a copy of the data that is contained on the encrypted drive.
>**Note:**  Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers.
> [!NOTE]
> Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers.
The following limitations exist for Repair-bde:
@ -130,8 +133,8 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><b>Name</b></p></td>
<td align="left"><p><b>Parameters</b></p></td>
<td align="left"><p>Name</p></td>
<td align="left"><p>Parameters</p></td>
</tr>
<tr class="even">
<td align="left"><p><b>Add-BitLockerKeyProtector</b></p></td>
@ -251,10 +254,13 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work
</table>
Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets.
A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the <code>Get-BitLockerVolume</code> cmdlet.
The <code>Get-BitLockerVolume</code> cmdlet output gives information on the volume type, protectors, protection status, and other details.
>**Tip:**  Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors.
> [!TIP]
> Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors.
`Get-BitLockerVolume C: | fl`
If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you could use the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed.
@ -274,7 +280,8 @@ By using this information, you can then remove the key protector for a specific
Remove-BitLockerKeyProtector <volume>: -KeyProtectorID "{GUID}"
```
>**Note:**  The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command.
> [!NOTE]
> The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command.
### Using the BitLocker Windows PowerShell cmdlets with operating system volumes
@ -302,11 +309,13 @@ $pw = Read-Host -AsSecureString
<user inputs password>
Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw
```
### Using an AD Account or Group protector in Windows PowerShell
The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over to and be unlocked by any member computer of the cluster.
>**Warning:**  The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes
> [!WARNING]
> The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes
To add an **ADAccountOrGroup** protector to a volume, use either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G.
@ -316,13 +325,15 @@ Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Adminis
For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command:
>**Note:**  Use of this command requires the RSAT-AD-PowerShell feature.
> [!NOTE]
> Use of this command requires the RSAT-AD-PowerShell feature.
```powershell
get-aduser -filter {samaccountname -eq "administrator"}
```
>**Tip:**  In addition to the PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features.
> [!TIP]
> In addition to the PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features.
The following example adds an **ADAccountOrGroup** protector to the previously encrypted operating system volume using the SID of the account:
@ -330,7 +341,8 @@ The following example adds an **ADAccountOrGroup** protector to the previously e
Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5-21-3651336348-8937238915-291003330-500
```
>**Note:**  Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes.
> [!NOTE]
> Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes.
## More information

11
windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
View File

@ -41,6 +41,7 @@ This issue may be caused by settings that are controlled by Group Policy Objects
To resolve this issue, follow these steps:
1. Start Registry Editor, and navigate to the following subkey:
**HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE**
1. Delete the following entries:
@ -55,9 +56,13 @@ To resolve this issue, follow these steps:
You have a computer that is running Windows 10, version 1709 or version 1607, or Windows 11. You try to encrypt a USB drive by following these steps:
1. In Windows Explorer, right-click the USB drive and select **Turn on BitLocker**.
1. On the **Choose how you want to unlock this drive** page, select **Use a password to unlock the drive**.
1. Follow the instructions on the page to enter your password.
1. On the **Are you ready to encrypt this drive?** page, select **Start encrypting**.
1. The **Starting encryption** page displays the message "Access is denied."
You receive this message on any computer that runs Windows 10 version 1709 or version 1607, or Windows 11, when you use any USB drive.
@ -72,13 +77,13 @@ To verify that this issue has occurred, follow these steps:
1. At the command prompt, enter the following command:
```cmd
```console
C:\>sc sdshow bdesvc
```
The output of this command resembles the following:
> D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)
> `D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)`
1. Copy this output, and use it as part of the [**ConvertFrom-SddlString**](/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring) command in the PowerShell window, as follows.
@ -95,7 +100,7 @@ To verify that this issue has occurred, follow these steps:
1. To repair the security descriptor of BDESvc, open an elevated PowerShell window and enter the following command:
```ps
```powershell
sc sdset bdesvc D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)
```

4
windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md
View File

@ -158,7 +158,7 @@ For more information and recommendations about backing up virtualized domain con
When the VSS NTDS writer requests access to the encrypted drive, the Local Security Authority Subsystem Service (LSASS) generates an error entry that resembles the following:
```
```console
\# for hex 0xc0210000 / decimal -1071579136
STATUS\_FVE\_LOCKED\_VOLUME ntstatus.h
\# This volume is locked by BitLocker Drive Encryption.
@ -166,7 +166,7 @@ When the VSS NTDS writer requests access to the encrypted drive, the Local Secur
The operation produces the following call stack:
```
```console
\# Child-SP RetAddr Call Site
00 00000086\`b357a800 00007ffc\`ea6e7a4c KERNELBASE\!FindFirstFileExW+0x1ba \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 872\]
01 00000086\`b357abd0 00007ffc\`e824accb KERNELBASE\!FindFirstFileW+0x1c \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 208\]

26
windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
View File

@ -55,7 +55,8 @@ To install the tool, follow these steps:
To use TBSLogGenerator, follow these steps:
1. After the installation finishes, open an elevated Command Prompt window and navigate to the following folder:
1. After the installation finishes, open an elevated Command Prompt window and navigate to the following folder:
**C:\\Program Files (x86)\\Windows Kits\\10\\Hardware Lab Kit\\Tests\\amd64\\NTTEST\\BASETEST\\ngscb**
This folder contains the TBSLogGenerator.exe file.
@ -63,9 +64,11 @@ To use TBSLogGenerator, follow these steps:
![Properties and location of the TBSLogGenerator.exe file.](./images/ts-tpm-3.png)
1. Run the following command:
```cmd
```console
TBSLogGenerator.exe -LF <LogFolderName>\<LogFileName>.log > <DestinationFolderName>\<DecodedFileName>.txt
```
where the variables represent the following values:
- \<*LogFolderName*> = the name of the folder that contains the file to be decoded
- \<*LogFileName*> = the name of the file to be decoded
@ -74,7 +77,7 @@ To use TBSLogGenerator, follow these steps:
For example, the following figure shows Measured Boot logs that were collected from a Windows 10 computer and put into the C:\\MeasuredBoot\\ folder. The figure also shows a Command Prompt window and the command to decode the **0000000005-0000000000.log** file:
```cmd
```console
TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt
```
@ -84,12 +87,12 @@ To use TBSLogGenerator, follow these steps:
![Windows Explorer window that shows the text file that TBSLogGenerator produces.](./images/ts-tpm-5.png)
The content of this text file resembles the following.
![Contents of the text file, as shown in NotePad.](./images/ts-tpm-6.png)
To find the PCR information, go to the end of the file.
The content of this text file resembles the following.
![Contents of the text file, as shown in NotePad.](./images/ts-tpm-6.png)
To find the PCR information, go to the end of the file.
![View of NotePad that shows the PCR information at the end of the text file.](./images/ts-tpm-7.png)
## Use PCPTool to decode Measured Boot logs
@ -102,7 +105,8 @@ PCPTool is part of the [TPM Platform Crypto-Provider Toolkit](https://www.micros
To download and install PCPTool, go to the Toolkit page, select **Download**, and follow the instructions.
To decode a log, run the following command:
```cmd
```console
PCPTool.exe decodelog <LogFolderPath>\<LogFileName>.log > <DestinationFolderName>\<DecodedFileName>.xml
```
@ -114,4 +118,4 @@ where the variables represent the following values:
The content of the XML file resembles the following.
![Command Prompt window that shows an example of how to use PCPTool.](./images/pcptool-output.jpg)
:::image type="content" alt-text="Command Prompt window that shows an example of how to use PCPTool." source="./images/pcptool-output.jpg" lightbox="./images/pcptool-output.jpg":::

26
windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
View File

@ -20,7 +20,7 @@ ms.custom: bitlocker
This article helps you troubleshoot issues that you may experience if you use Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates whether BitLocker has failed to encrypt one or more managed devices.
![The BitLocker status indictors on the Intune portal.](./images/4509189-en-1.png)
:::image type="content" alt-text="The BitLocker status indictors on the Intune portal." source="./images/4509189-en-1.png" lightbox="./images/4509189-en-1.png":::
To start narrowing down the cause of the problem, review the event logs as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md). Concentrate on the Management and Operations logs in the **Applications and Services logs\\Microsoft\\Windows\\BitLocker-API** folder. The following sections provide more information about how to resolve the indicated events and error messages:
@ -104,10 +104,11 @@ The procedures described in this section depend on the default disk partitions t
To verify the configuration of the disk partitions, open an elevated Command Prompt window, and run the following commands:
```
```console
diskpart
list volume
```
![Output of the list volume command in the Diskpart app.](./images/4509195-en-1.png)
If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager).
@ -118,16 +119,17 @@ If the status of any of the volumes is not healthy or if the recovery partition
To verify the status of WinRE on the device, open an elevated Command Prompt window and run the following command:
```cmd
```console
reagentc /info
```
The output of this command resembles the following.
![Output of the reagentc /info command.](./images/4509193-en-1.png)
If the **Windows RE status** is not **Enabled**, run the following command to enable it:
```cmd
```console
reagentc /enable
```
@ -135,13 +137,13 @@ reagentc /enable
If the partition status is healthy, but the **reagentc /enable** command results in an error, verify that Windows Boot Loader contains the recovery sequence GUID. To do this, run the following command in an elevated Command Prompt window:
```cmd
```console
bcdedit /enum all
```
The output of this command resembles the following.
![Output of the bcdedit /enum all command.](./images/4509196-en-1.png)
:::image type="content" alt-text="Output of the bcdedit /enum all command." source="./images/4509196-en-1.png" lightbox="./images/4509196-en-1.png":::
In the output, locate the **Windows Boot Loader** section that includes the line **identifier={current}**. In that section, locate the **recoverysequence** attribute. The value of this attribute should be a GUID value, not a string of zeros.
@ -162,9 +164,13 @@ The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent B
To verify the BIOS mode, use the System Information app. To do this, follow these steps:
1. Select **Start**, and enter **msinfo32** in the **Search** box.
1. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**.
![System Information app, showing the BIOS Mode setting.](./images/4509198-en-1.png)
1. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device.
> [!NOTE]
> If the device supports only Legacy mode, you cannot use Intune to manage BitLocker Device Encryption on the device.
@ -186,7 +192,7 @@ You can resolve this issue by verifying the PCR validation profile of the TPM an
To verify that PCR 7 is in use, open an elevated Command Prompt window and run the following command:
```cmd
```console
Manage-bde -protectors -get %systemdrive%
```
@ -203,16 +209,22 @@ If **PCR Validation Profile** doesn't include **7** (for example, the values inc
To verify the Secure Boot state, use the System Information app. To do this, follow these steps:
1. Select **Start**, and enter **msinfo32** in the **Search** box.
1. Verify that the **Secure Boot State** setting is **On**, as follows:
![System Information app, showing a supported Secure Boot State.](./images/4509201-en-1.png)
1. If the **Secure Boot State** setting is **Unsupported**, you cannot use Silent BitLocker Encryption on this device.
![System Information app, showing a unsupported Secure Boot State.](./images/4509202-en-1.png)
> [!NOTE]
> You can also use the [Confirm-SecureBootUEFI](/powershell/module/secureboot/confirm-securebootuefi) cmdlet to verify the Secure Boot state. To do this, open an elevated PowerShell window and run the following command:
>
> ```ps
> PS C:\> Confirm-SecureBootUEFI
> ```
>
> If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True."
>
> If the computer supports Secure Boot and Secure Boot is disabled, this cmdlet returns "False."

83
windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md
View File

@ -49,7 +49,7 @@ You can use either of the following methods to manually back up or synchronize a
For example, to back up all of the recovery information for the C: drive to AD DS, open an elevated Command Prompt window and run the following command:
```cmd
```console
manage-bde -protectors -adbackup C:
```
@ -60,7 +60,7 @@ You can use either of the following methods to manually back up or synchronize a
You have a tablet or slate device, and you try to test BitLocker Recovery by running the following command:
```cmd
```console
Manage-bde -forcerecovery
```
@ -82,14 +82,21 @@ This behavior is by design for all versions of Windows.
To resolve the restart loop, follow these steps:
1. On the BitLocker Recovery screen, select **Skip this drive**.
1. Select **Troubleshoot** \> **Advanced Options** \> **Command Prompt**.
1. In the Command Prompt window, run the following commands :
```cmd
1. In the Command Prompt window, run the following commands:
```console
manage-bde unlock C: -rp <48-digit BitLocker recovery password>
manage-bde -protectors -disable C:
```
1. Close the Command Prompt window.
1. Shut down the device.
1. Start the device. Windows should start as usual.
## After you install UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password
@ -115,7 +122,7 @@ Devices that support Connected Standby (also known as *InstantGO* or *Always On,
To verify the PCR values that are in use on a device, open and elevated Command Prompt window and run the following command:
```cmd
```console
manage-bde.exe -protectors -get <OSDriveLetter>:
```
@ -130,21 +137,34 @@ If you have installed a TPM or UEFI update and your device cannot start, even if
To do this, follow these steps:
1. Obtain your BitLocker recovery password from [your Microsoft.com account](https://account.microsoft.com/devices/recoverykey). If BitLocker is managed by a different method, such as Microsoft BitLocker Administration and Monitoring (MBAM), contact your administrator for help.
1. Use another computer to download the Surface recovery image from [Download a recovery image for your Surface](https://support.microsoft.com/surfacerecoveryimage). Use the downloaded image to create a USB recovery drive.
1. Insert the USB Surface recovery image drive into the Surface device, and start the device.
1. When you are prompted, select the following items:
1. Your operating system language.
1. Your keyboard layout.
1. Select **Troubleshoot** > **Advanced Options** > **Command Prompt**.
1. In the Command Prompt window, run the following commands:
```cmd
```console
manage-bde -unlock -recoverypassword <Password> <DriveLetter>:
manage-bde -protectors -disable <DriveLetter>:
```
In these commands, \<*Password*\> is the BitLocker recovery password that you obtained in step 1, and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive.
> [!NOTE]
> For more information about how to use this command, see [manage-bde: unlock](/windows-server/administration/windows-commands/manage-bde-unlock).
1. Restart the computer.
1. When you are prompted, enter the BitLocker recovery password that you obtained in step 1.
> [!NOTE]
@ -155,11 +175,15 @@ To do this, follow these steps:
To recover data from your Surface device if you cannot start Windows, follow steps 1 through 5 of [Step 1](#step-1) to return to the Command Prompt window, and then follow these steps:
1. At the command prompt, run the following command:
```cmd
```console
manage-bde -unlock -recoverypassword <Password> <DriveLetter>:
```
In this command, \<*Password*\> is the BitLocker recovery password that you obtained in step 1 of [Step 1](#step-1), and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive.
1. After the drive is unlocked, use the **copy** or **xcopy** command to copy the user data to another drive.
> [!NOTE]
> For more information about the these commands, see the [Windows commands](/windows-server/administration/windows-commands/windows-commands).
@ -172,30 +196,42 @@ To prevent this issue from recurring, we strongly recommend that you restore t
To enable Secure Boot on a Surface device, follow these steps:
1. Suspend BitLocker. to do this, open an elevated Windows PowerShell window, and run the following cmdlet:
```ps
```powershell
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0
```
In this command, <*DriveLetter*> is the letter that is assigned to your drive.
1. Restart the device, and then edit the BIOS to set the **Secure Boot** option to **Microsoft Only**.
1. Restart the device.
1. Open an elevated PowerShell window, and run the following cmdlet:
```ps
```powershell
Resume-BitLocker -MountPoint "<DriveLetter>:"
```
To reset the PCR settings on the TPM, follow these steps:
1. Disable any Group Policy Objects that configure the PCR settings, or remove the device from any groups that enforce such policies.
For more information, see [BitLocker Group Policy settings](./bitlocker-group-policy-settings.md).
1. Suspend BitLocker. To do this, open an elevated Windows PowerShell window, and run the following cmdlet:
```ps
```powershell
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0
```
where <*DriveLetter*> is the letter assigned to your drive.
1. Run the following cmdlet:
```ps
```powershell
Resume-BitLocker -MountPoint "<DriveLetter>:"
```
#### Step 4: Suspend BitLocker during TPM or UEFI firmware updates
@ -209,13 +245,19 @@ You can avoid this scenario when you install updates to system firmware or TPM f
To suspend BitLocker while you install TPM or UEFI firmware updates:
1. Open an elevated Windows PowerShell window, and run the following cmdlet:
```ps
```powershell
Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0
```
In this cmdlet <*DriveLetter*> is the letter that is assigned to your drive.
1. Install the Surface device driver and firmware updates.
1. After you install the firmware updates, restart the computer, open an elevated PowerShell window, and then run the following cmdlet:
```ps
```powershell
Resume-BitLocker -MountPoint "<DriveLetter>:"
```
@ -230,22 +272,31 @@ You have a device that runs Windows 11, Windows 10, version 1703, Windows 10, v
If your device is already in this state, you can successfully start Windows after suspending BitLocker from the Windows Recovery Environment (WinRE). To do this, follow these steps:
1. Retrieve the 48-digit BitLocker recovery password for the operating system drive from your organization's portal or from wherever the password was stored when BitLocker Drive Encryption was first turned on.
1. On the Recovery screen, press Enter. When you are prompted, enter the recovery password.
1. If your device starts in the (WinRE) and prompts you for the recovery password again, select **Skip the drive**.
1. Select **Advanced options** > **Troubleshoot** > **Advanced options** > **Command Prompt**.
1. In the Command Prompt window, run the following commands:
```cmd
```console
Manage-bde -unlock c: -rp <48 digit numerical recovery password separated by - in 6 digit group>
Manage-bde -protectors -disable c:
exit
```
These commands unlock the drive and then suspend BitLocker by disabling the TPM protectors on the drive. The final command closes the Command Prompt window.
> [!NOTE]
> These commands suspend BitLocker for one restart of the device. The **-rc 1** option works only inside the operating system and does not work in the recovery environment.
1. Select **Continue**. Windows should start.
1. After Windows has started, open an elevated Command Prompt window and run the following command:
```cmd
```console
Manage-bde -protectors -enable c:
```
@ -254,7 +305,7 @@ If your device is already in this state, you can successfully start Windows afte
To temporarily suspend BitLocker just before you restart the device, open an elevated Command Prompt window and run the following command:
```cmd
```console
Manage-bde -protectors -disable c: -rc 1
```

25
windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
View File

@ -1,5 +1,5 @@
---
title: Configure the Group Policy settings for Microsoft Defender Application Guard (Windows 10)
title: Configure the Group Policy settings for Microsoft Defender Application Guard (Windows)
description: Learn about the available Group Policy settings for Microsoft Defender Application Guard.
ms.prod: m365-security
ms.mktglfcycl: manage
@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 09/16/2021
ms.date: 09/20/2021
ms.reviewer:
manager: dansimp
ms.custom: asr
@ -20,6 +20,7 @@ ms.technology: mde
**Applies to:**
- Windows 10
- Windows 11
Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a Group Policy Object, which is linked to a domain, and then apply all those settings to every endpoint in the domain.
@ -52,13 +53,13 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind
|Name|Supported versions|Description|Options|
|-----------|------------------|-----------|-------|
|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher<p>Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:<br/>- Disable the clipboard functionality completely when Virtualization Security is enabled.<br/>- Enable copying of certain content from Application Guard into Microsoft Edge.<br/>- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.<p>**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher<p>Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:<br/>- Enable Application Guard to print into the XPS format.<br/>- Enable Application Guard to print into the PDF format.<br/>- Enable Application Guard to print to locally attached printers.<br/>- Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.<br/><br/>**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
|Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container. <p>**NOTE**: This action might also block assets cached by CDNs and references to analytics sites. Add them to the trusted enterprise resources to avoid broken pages.<p>**Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. |
|Allow Persistence|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<p>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<p>**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<p>**To reset the container:**<br/>1. Open a command-line program and navigate to `Windows/System32`.<br/>2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.<br/>3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:<br/>- Enable Microsoft Defender Application Guard only for Microsoft Edge<br/>- Enable Microsoft Defender Application Guard only for Microsoft Office<br/>- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office<br/><br/>**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.|
|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.<p>**Disabled or not configured.** Users are not able to save downloaded files from Application Guard to the host operating system.|
|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher<br><br>Windows 10 Pro, 1803 or higher|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.<br><br>**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and wont load any third-party graphics drivers or interact with any connected graphics hardware.|
|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.<p>**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.<p>**Disabled or not configured.** Certificates are not shared with Microsoft Defender Application Guard.|
|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.<p>**Disabled or not configured.** event logs aren't collected from your Application Guard container.|
|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher<p>Windows 10 Pro, 1803 or higher<p>Windows 11|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:<br/>- Disable the clipboard functionality completely when Virtualization Security is enabled.<br/>- Enable copying of certain content from Application Guard into Microsoft Edge.<br/>- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.<p>**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher<p>Windows 10 Pro, 1803 or higher<p>Windows 11|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:<br/>- Enable Application Guard to print into the XPS format.<br/>- Enable Application Guard to print into the PDF format.<br/>- Enable Application Guard to print to locally attached printers.<br/>- Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.<br/><br/>**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
|Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer|Windows 10 Enterprise, 1709 or higher<p>Windows 11|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container. <p>**NOTE**: This action might also block assets cached by CDNs and references to analytics sites. Add them to the trusted enterprise resources to avoid broken pages.<p>**Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. |
|Allow Persistence|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803 or higher<p>Windows 11|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<p>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<p>**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<p>**To reset the container:**<br/>1. Open a command-line program and navigate to `Windows/System32`.<br/>2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.<br/>3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher<p>Windows 11|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:<br/>- Enable Microsoft Defender Application Guard only for Microsoft Edge<br/>- Enable Microsoft Defender Application Guard only for Microsoft Office<br/>- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office<br/><br/>**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.|
|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher<p>Windows 11|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.<p>**Disabled or not configured.** Users are not able to save downloaded files from Application Guard to the host operating system.|
|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher<br><br>Windows 10 Pro, 1803 or higher<p>Windows 11|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.<br><br>**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and wont load any third-party graphics drivers or interact with any connected graphics hardware.|
|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher<p>Windows 11|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.<p>**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher<p>Windows 11|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.<p>**Disabled or not configured.** Certificates are not shared with Microsoft Defender Application Guard.|
|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher<p>Windows 11|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.<p>**Disabled or not configured.** event logs aren't collected from your Application Guard container.|

14
windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
View File

@ -1,5 +1,5 @@
---
title: Enable hardware-based isolation for Microsoft Edge (Windows 10)
title: Enable hardware-based isolation for Microsoft Edge (Windows)
description: Learn about the Microsoft Defender Application Guard modes (Standalone or Enterprise-managed), and how to install Application Guard in your enterprise.
ms.prod: m365-security
ms.mktglfcycl: manage
@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 10/21/2020
ms.date: 09/09/2021
ms.reviewer:
manager: dansimp
ms.custom: asr
@ -18,7 +18,9 @@ ms.technology: mde
# Prepare to install Microsoft Defender Application Guard
**Applies to:**
- - Windows 10
- Windows 10
- Windows 11
## Review system requirements
@ -34,6 +36,7 @@ Before you can install and use Microsoft Defender Application Guard, you must de
Applies to:
- Windows 10 Enterprise edition, version 1709 or higher
- Windows 10 Pro edition, version 1803
- Windows 11
Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the [Application Guard in standalone mode](test-scenarios-md-app-guard.md) testing scenario.
@ -41,6 +44,7 @@ Employees can use hardware-isolated browsing sessions without any administrator
Applies to:
- Windows 10 Enterprise edition, version 1709 or higher
- Windows 11
You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to add non-enterprise domain(s) in the container.
@ -66,7 +70,7 @@ Application Guard functionality is turned off by default. However, you can quick
>[!NOTE]
>Ensure your devices have met all system requirements prior to this step. PowerShell will install the feature without checking system requirements. If your devices don't meet the system requirements, Application Guard may not work. This step is recommended for enterprise managed scenarios only.
1. Click the **Search** or **Cortana** icon in the Windows 10 taskbar and type **PowerShell**.
1. Click the **Search** or **Cortana** icon in the Windows 10 or Windows 11 taskbar and type **PowerShell**.
2. Right-click **Windows PowerShell**, and then click **Run as administrator**.
@ -120,4 +124,4 @@ Application Guard functionality is turned off by default. However, you can quick
1. Click **Save**.
After the profile is created, any devices to which the policy should apply will have Microsoft Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place.
After the profile is created, any devices to which the policy should apply will have Microsoft Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place.

6
windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md
View File

@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: martyav
ms.author: v-maave
ms.date: 06/12/2020
ms.date: 09/09/2021
ms.reviewer:
manager: dansimp
ms.custom: asr
@ -20,10 +20,11 @@ ms.technology: mde
**Applies to:**
- Windows 10
- Windows 11
[Microsoft Defender Application Guard Extension](https://www.microsoft.com/security/blog/2019/05/23/new-browser-extensions-for-integrating-microsofts-hardware-based-isolation/) is a web browser add-on available for [Chrome](https://chrome.google.com/webstore/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj/) and [Firefox](https://addons.mozilla.org/en-US/firefox/addon/application-guard-extension/).
[Microsoft Defender Application Guard](md-app-guard-overview.md) provides Hyper-V isolation on Windows 10, to protect users from potentially harmful content on the web. The extension helps Application Guard protect users running other web browsers.
[Microsoft Defender Application Guard](md-app-guard-overview.md) provides Hyper-V isolation on Windows 10 and Windows 11, to protect users from potentially harmful content on the web. The extension helps Application Guard protect users running other web browsers.
> [!TIP]
> Application Guard, by default, offers [native support](/deployedge/microsoft-edge-security-windows-defender-application-guard) to both Microsoft Edge and Internet Explorer. These browsers do not need the extension described here for Application Guard to protect them.
@ -37,6 +38,7 @@ Microsoft Defender Application Guard Extension works with the following editions
- Windows 10 Professional
- Windows 10 Enterprise
- Windows 10 Education
- Windows 11
Application Guard itself is required for the extension to work. It has its own set of [requirements](reqs-md-app-guard.md). Check the Application Guard [installation guide](install-md-app-guard.md) for further steps, if you don't have it installed already.

8
windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
View File

@ -1,5 +1,5 @@
---
title: Microsoft Defender Application Guard (Windows 10)
title: Microsoft Defender Application Guard (Windows 10 or Windows 11)
description: Learn about Microsoft Defender Application Guard and how it helps to combat malicious content and malware out on the Internet.
ms.prod: m365-security
ms.mktglfcycl: manage
@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 01/27/2021
ms.date: 09/09/2021
ms.reviewer:
manager: dansimp
ms.custom: asr
@ -18,7 +18,9 @@ ms.technology: mde
# Microsoft Defender Application Guard overview
**Applies to**
- Windows 10
- Windows 11
Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete.
@ -54,4 +56,4 @@ Application Guard has been created to target several types of devices:
| [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide |
| [Microsoft Defender Application Guard for Microsoft Office](/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide |
|[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.yml)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.|
|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.|
|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.|

6
windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
View File

@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 07/01/2021
ms.date: 09/09/2021
ms.reviewer:
manager: dansimp
ms.custom: asr
@ -18,7 +18,9 @@ ms.technology: mde
# System requirements for Microsoft Defender Application Guard
**Applies to**
- Windows 10
- Windows 11
The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive.
@ -43,6 +45,6 @@ Your environment must have the following hardware to run Microsoft Defender Appl
| Software | Description |
|--------|-----------|
| Operating system | Windows 10 Enterprise edition, version 1809 or higher <br/> Windows 10 Professional edition, version 1809 or higher <br/> Windows 10 Professional for Workstations edition, version 1809 or higher <br/> Windows 10 Professional Education edition, version 1809 or higher <br/> Windows 10 Education edition, version 1809 or higher <br/> Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. |
| Operating system | Windows 10 Enterprise edition, version 1809 or higher <br/> Windows 10 Professional edition, version 1809 or higher <br/> Windows 10 Professional for Workstations edition, version 1809 or higher <br/> Windows 10 Professional Education edition, version 1809 or higher <br/> Windows 10 Education edition, version 1809 or higher <br/> Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. <br/> Windows 11 |
| Browser | Microsoft Edge |
| Management system <br> (only for managed devices)| [Microsoft Intune](/intune/) <p> **OR** <p> [Microsoft Endpoint Configuration Manager](/configmgr/) <p> **OR** <p> [Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11)) <p> **OR** <p>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. |

14
windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
View File

@ -1,5 +1,5 @@
---
title: Testing scenarios with Microsoft Defender Application Guard (Windows 10)
title: Testing scenarios with Microsoft Defender Application Guard (Windows 10 or Windows 11)
description: Suggested testing scenarios for Microsoft Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode.
ms.prod: m365-security
ms.mktglfcycl: manage
@ -10,7 +10,7 @@ author: denisebmsft
ms.author: deniseb
ms.reviewer:
manager: dansimp
ms.date: 09/14/2020
ms.date: 09/09/2021
ms.custom: asr
ms.technology: mde
---
@ -20,6 +20,7 @@ ms.technology: mde
**Applies to:**
- Windows 10
- Windows 11
We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization.
@ -50,7 +51,7 @@ How to install, set up, turn on, and configure Application Guard for Enterprise-
### Install, set up, and turn on Application Guard
Before you can use Application Guard in managed mode, you must install Windows 10 Enterprise edition, version 1709, which includes the functionality. Then, you must use Group Policy to set up the required settings.
Before you can use Application Guard in managed mode, you must install Windows 10 Enterprise edition, version 1709, and Windows 11 which includes the functionality. Then, you must use Group Policy to set up the required settings.
1. [Install Application Guard](./install-md-app-guard.md#install-application-guard).
@ -111,6 +112,7 @@ You have the option to change each of these settings to work with your enterpris
- Windows 10 Enterprise edition, version 1709 or higher
- Windows 10 Professional edition, version 1803
- Windows 11
#### Copy and paste options
@ -169,7 +171,7 @@ You have the option to change each of these settings to work with your enterpris
The previously added site should still appear in your **Favorites** list.
> [!NOTE]
> If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.
> If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10 and Windows 11.
>
> If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
> <!--- Inline HTML is used on the next several lines so that the ordinal numbers will be rendered correctly; Markdown would otherwise try to render them as letters (a, b, c...) because they would be treated as a nested list --->
@ -179,6 +181,7 @@ You have the option to change each of these settings to work with your enterpris
- Windows 10 Enterprise edition, version 1803
- Windows 10 Professional edition, version 1803
- Windows 11
#### Download options
@ -210,12 +213,13 @@ You have the option to change each of these settings to work with your enterpris
- Windows 10 Enterprise edition, version 1809
- Windows 10 Professional edition, version 1809
- Windows 11
#### File trust options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow users to trust files that open in Microsoft Defender Application Guard** setting.
2. Click **Enabled**, set **Options** to 2, and click **OK**.
2. Click **Enabled**, set **Options** to **2**, and click **OK**.
![Group Policy editor File trust options.](images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png)