From 67609e87f85320666b2379b76a4119745f3400cb Mon Sep 17 00:00:00 2001 From: theznerd Date: Wed, 28 Mar 2018 23:51:47 -0600 Subject: [PATCH 01/29] Add MVC 4.0 requirement to Administration and Monitoring Server While the actual role itself likely does not rely on MVC 4.0, the prerequisite check fails when this component is not installed even if you're not installing the Self Service portal. --- ...-alone-and-configuration-manager-integration-topologies.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/mdop/mbam-v25/mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md b/mdop/mbam-v25/mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md index 79fac92aba..b5cd982105 100644 --- a/mdop/mbam-v25/mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md +++ b/mdop/mbam-v25/mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md @@ -286,6 +286,10 @@ The following table lists the installation prerequisites for the MBAM Administra +

ASP.NET MVC 4.0

+

[ASP.NET MVC 4 download](https://go.microsoft.com/fwlink/?LinkId=392271)

+ +

Service Principal Name (SPN)

The web applications require an SPN for the virtual host name under the domain account that you use for the web application pools.

If your administrative rights permit you to create SPNs in Active Directory Domain Services, MBAM creates the SPN for you. See [Setspn](http://technet.microsoft.com/library/cc731241.aspx) for information about the rights required to create SPNs.

From dbb6b40b049ca2e93441dedacb9af84420e410d9 Mon Sep 17 00:00:00 2001 From: SergioCalderonR Date: Thu, 29 Mar 2018 11:25:25 -0500 Subject: [PATCH 02/29] Update some names, sample commands and links I have changed Windows Defender Device Guard to Device Guard in the local GPO, updated the sample command for New-CIPolicy and some broken links to the old TechNet to the new Docs. --- ...loy-windows-defender-application-control.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md index be8ccb2590..87e30aef2a 100644 --- a/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md +++ b/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md @@ -797,9 +797,9 @@ To create a WDAC policy, copy each of the following commands into an elevated Wi ` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` -2. Use [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) to create a new WDAC policy by scanning the system for installed applications: +2. Use [New-CIPolicy](https://docs.microsoft.com/en-us/powershell/module/configci/new-cipolicy?view=win10-ps) to create a new WDAC policy by scanning the system for installed applications: - ` New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy –UserPEs 3> CIPolicyLog.txt ` + ` New-CIPolicy -Level FilePublisher -FilePath $InitialCIPolicy –UserPEs -FallBack Hash 3> CIPolicyLog.txt ` > [!Note] @@ -811,7 +811,7 @@ To create a WDAC policy, copy each of the following commands into an elevated Wi > - The preceding example includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**. -3. Use [ConvertFrom-CIPolicy](https://technet.microsoft.com/library/mt733073.aspx) to convert the WDAC policy to a binary format: +3. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/en-us/powershell/module/configci/convertfrom-cipolicy?view=win10-ps) to convert the WDAC policy to a binary format: ` ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin` @@ -841,7 +841,7 @@ When WDAC policies are run in audit mode, it allows administrators to discover a > - An alternative method to test a policy is to rename the test file to SIPolicy.p7b and drop it into C:\\Windows\\System32\\CodeIntegrity, rather than deploy it by using the Local Group Policy Editor. -3. Navigate to **Computer Configuration\\Administrative Templates\\System\\Windows Defender Device Guard**, and then select **Deploy Windows Defender Application Control**. Enable this setting by using the appropriate file path, for example, C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 1. +3. Navigate to **Computer Configuration\\Administrative Templates\\System\\Device Guard**, and then select **Deploy Windows Defender Application Control**. Enable this setting by using the appropriate file path, for example, C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 1. > [!Note] @@ -887,9 +887,9 @@ Use the following procedure after you have been running a computer with a WDAC p ` $CIAuditPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"` -3. Use [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) to generate a new WDAC policy from logged audit events. This example uses a file rule level of **Hash** and includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**. +3. Use [New-CIPolicy](https://docs.microsoft.com/en-us/powershell/module/configci/new-cipolicy?view=win10-ps) to generate a new WDAC policy from logged audit events. This example uses a file rule level of **Hash** and includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**. - ` New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy –UserPEs 3> CIPolicylog.txt` + ` New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy –UserPEs 3 -FallBack Hash > CIPolicylog.txt` > [!Note] > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **Hash** rule level, which is the most specific. Any change to the file (such as replacing the file with a newer version of the same file) will change the Hash value, and require an update to the policy. @@ -959,7 +959,7 @@ To merge two WDAC policies, complete the following steps in an elevated Windows ` Merge-CIPolicy -PolicyPaths $InitialCIPolicy,$AuditCIPolicy -OutputFilePath $MergedCIPolicy` -3. Use [ConvertFrom-CIPolicy](https://technet.microsoft.com/library/mt733073.aspx) to convert the merged WDAC policy to binary format: +3. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/en-us/powershell/module/configci/convertfrom-cipolicy?view=win10-ps) to convert the merged WDAC policy to binary format: ` ConvertFrom-CIPolicy $MergedCIPolicy $CIPolicyBin ` @@ -1004,7 +1004,7 @@ Every WDAC policy is created with audit mode enabled. After you have successfull > [!Note] > To enforce a WDAC policy, you delete option 3, the **Audit Mode Enabled** option. There is no “enforced” option that can be placed in a WDAC policy. -5. Use [ConvertFrom-CIPolicy](https://technet.microsoft.com/library/mt733073.aspx) to convert the new WDAC policy to binary format: +5. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/en-us/powershell/module/configci/convertfrom-cipolicy?view=win10-ps) to convert the new WDAC policy to binary format: ` ConvertFrom-CIPolicy $EnforcedCIPolicy $CIPolicyBin` @@ -1064,7 +1064,7 @@ If you do not have a code signing certificate, see the [Optional: Create a code ` Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete` -7. Use [ConvertFrom-CIPolicy](https://technet.microsoft.com/library/mt733073.aspx) to convert the policy to binary format: +7. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/en-us/powershell/module/configci/convertfrom-cipolicy?view=win10-ps) to convert the policy to binary format: ` ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin` From 1daf1317ef19b94b140a34695777a97664819853 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Tue, 3 Apr 2018 15:40:50 -0700 Subject: [PATCH 03/29] initial import --- .../update/windows-update-sources.md | 159 ++++++++++++++++++ 1 file changed, 159 insertions(+) create mode 100644 windows/deployment/update/windows-update-sources.md diff --git a/windows/deployment/update/windows-update-sources.md b/windows/deployment/update/windows-update-sources.md new file mode 100644 index 0000000000..1f8e758809 --- /dev/null +++ b/windows/deployment/update/windows-update-sources.md @@ -0,0 +1,159 @@ + +--- +title: Determining the Windows Update Service source +description: Determine the source that Windows Update service is currently using. +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +author: kaushika-msft +ms.localizationpriority: high +ms.author: kaushika +ms.date: 04/03/2018 +--- + +# Determining the Windows Update Service source + +Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps:  + +1. Start Windows PowerShell as an administrator +2. Run `\$MUSM = New-Object -ComObject “Microsoft.Update.ServiceManager”`. +3. Run `\$MUSM.Services`. The resulting output should be similar to the following: + +``` +Name : Microsoft Update +ContentValidationCert : {} +ExpirationDate : +IsManaged : False +IsRegisteredWithAU : True +IssueDate : 01-Jan-01 12:00:00 AM +OffersWindowsUpdates : True +RedirectUrls : System.__ComObject +ServiceID : 7971f918-a847-4430-9279-4a52d1efe18d +IsScanPackageService : False +CanRegisterWithAU : True +ServiceUrl : https://fe2.update.microsoft.com/v6/ +SetupPrefix : mu +IsDefaultAUService : False + +Name : DCat Flighting Prod +ContentValidationCert : {} +ExpirationDate : +IsManaged : False +IsRegisteredWithAU : False +IssueDate : 01-Jan-01 12:00:00 AM +OffersWindowsUpdates : False +RedirectUrls : System.__ComObject +ServiceID : 8b24b027-1dee-babb-9a95-3517dfb9c552 +IsScanPackageService : False +CanRegisterWithAU : False +ServiceUrl : https://fe3.delivery.mp.microsoft.com/ +SetupPrefix : wu +IsDefaultAUService : False + +Name : Windows Store (DCat Prod) +ContentValidationCert : {} +ExpirationDate : +IsManaged : False +IsRegisteredWithAU : False +IssueDate : 01-Jan-01 12:00:00 AM +OffersWindowsUpdates : False +RedirectUrls : System.__ComObject +ServiceID : 855e8a7c-ecb4-4ca3-b045-1dfa50104289 +IsScanPackageService : False +CanRegisterWithAU : True +ServiceUrl : https://fe3.delivery.mp.microsoft.com/ +SetupPrefix : ws +IsDefaultAUService : False + +Name : Windows Server Update Service +ContentValidationCert : {} +ExpirationDate : 18-Jun-54 9:21:00 PM +IsManaged : True +IsRegisteredWithAU : True +IssueDate : 01-Jan-03 12:00:00 AM +OffersWindowsUpdates : True +RedirectUrls : System.__ComObject +ServiceID : 3da21691-e39d-4da6-8a4b-b43877bcb1b7 +IsScanPackageService : False +CanRegisterWithAU : True +ServiceUrl : +SetupPrefix : +IsDefaultAUService : True + +Name : Windows Update +ContentValidationCert : {} +ExpirationDate : +IsManaged : False +IsRegisteredWithAU : False +IssueDate : 01-Jan-01 12:00:00 AM +OffersWindowsUpdates : True +RedirectUrls : System.__ComObject +ServiceID : 9482f4b4-e343-43b6-b170-9a65bc822c77 +IsScanPackageService : False +CanRegisterWithAU : True +ServiceUrl : https://fe2.update.microsoft.com/v6/ +SetupPrefix : wu +IsDefaultAUService : False +``` + + +4. Check the category **Name** and **OffersWindowsUpdates**:  + +Name: **Microsoft Update** + +Indicates the source against which we will are checking the Client capability. Microsoft Updates indicates, updates for other Microsoft Products checkbox. + +OffersWindowsUpdates: **True** + +Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.) + +--- + +Name: **DCat Flighting Prod** + +The update source is the Windows Insider Program. + +OffersWindowsUpdates: **False** + +Indicates that the client will not receive or is not configured to receive these updates. + +--- + +Name: **Windows Store (DCat Prod)** + +The update source is Insider Updates for Store Apps. + +OffersWindowsUpdates: **False** + +Indicates that the client will not receive or is not configured to receive these updates. + +--- + +Name: **Windows Server Update Service** + +The source is a Windows Server Updates Services server. + +OffersWindowsUpdates: **True** + +The client is configured to receive updates from WSUS + +--- + +Name: **Windows Update** + +The source is Windows Update. + +OffersWindowsUpdates: **True** + +The client is configured to receive updates from Windows Update Online + +--- +  + +See also: + +[Understanding the Windowsupdate.log file for advanced users](https://support.microsoft.com/help/4035760) + +[You can't install updates on a Windows-based computer](https://support.microsoft.com/help/2509997/you-can-t-install-updates-on-a-windows-based-computer) + +[How to read the Windowsupdate.log file on Windows 7 and earlier OS versions](https://support.microsoft.com/help/902093/how-to-read-the-windowsupdate-log-file) From 0d915caeb085c71c3b3bcb63989827b2ab83d3c9 Mon Sep 17 00:00:00 2001 From: SergioCalderonR Date: Wed, 4 Apr 2018 08:54:23 -0500 Subject: [PATCH 04/29] Removed en-us and updated some other links --- ...oy-windows-defender-application-control.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md index 87e30aef2a..a184547f2b 100644 --- a/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md +++ b/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md @@ -797,7 +797,7 @@ To create a WDAC policy, copy each of the following commands into an elevated Wi ` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` -2. Use [New-CIPolicy](https://docs.microsoft.com/en-us/powershell/module/configci/new-cipolicy?view=win10-ps) to create a new WDAC policy by scanning the system for installed applications: +2. Use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) to create a new WDAC policy by scanning the system for installed applications: ` New-CIPolicy -Level FilePublisher -FilePath $InitialCIPolicy –UserPEs -FallBack Hash 3> CIPolicyLog.txt ` @@ -811,7 +811,7 @@ To create a WDAC policy, copy each of the following commands into an elevated Wi > - The preceding example includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**. -3. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/en-us/powershell/module/configci/convertfrom-cipolicy?view=win10-ps) to convert the WDAC policy to a binary format: +3. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=win10-ps) to convert the WDAC policy to a binary format: ` ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin` @@ -887,7 +887,7 @@ Use the following procedure after you have been running a computer with a WDAC p ` $CIAuditPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"` -3. Use [New-CIPolicy](https://docs.microsoft.com/en-us/powershell/module/configci/new-cipolicy?view=win10-ps) to generate a new WDAC policy from logged audit events. This example uses a file rule level of **Hash** and includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**. +3. Use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) to generate a new WDAC policy from logged audit events. This example uses a file rule level of **Hash** and includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**. ` New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy –UserPEs 3 -FallBack Hash > CIPolicylog.txt` @@ -955,11 +955,11 @@ To merge two WDAC policies, complete the following steps in an elevated Windows > [!Note] > The variables in this section specifically expect to find an initial policy on your desktop called **InitialScan.xml** and an audit WDAC policy called **DeviceGuardAuditPolicy.xml**. If you want to merge other WDAC policies, update the variables accordingly. -2. Use [Merge-CIPolicy](https://technet.microsoft.com/library/mt634485.aspx) to merge two policies and create a new WDAC policy: +2. Use [Merge-CIPolicy](https://docs.microsoft.com/powershell/module/configci/merge-cipolicy?view=win10-ps) to merge two policies and create a new WDAC policy: ` Merge-CIPolicy -PolicyPaths $InitialCIPolicy,$AuditCIPolicy -OutputFilePath $MergedCIPolicy` -3. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/en-us/powershell/module/configci/convertfrom-cipolicy?view=win10-ps) to convert the merged WDAC policy to binary format: +3. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=win10-ps) to convert the merged WDAC policy to binary format: ` ConvertFrom-CIPolicy $MergedCIPolicy $CIPolicyBin ` @@ -997,14 +997,14 @@ Every WDAC policy is created with audit mode enabled. After you have successfull ` copy $InitialCIPolicy $EnforcedCIPolicy` -4. Use [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) to delete the audit mode rule option: +4. Use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption?view=win10-ps) to delete the audit mode rule option: ` Set-RuleOption -FilePath $EnforcedCIPolicy -Option 3 -Delete` > [!Note] > To enforce a WDAC policy, you delete option 3, the **Audit Mode Enabled** option. There is no “enforced” option that can be placed in a WDAC policy. -5. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/en-us/powershell/module/configci/convertfrom-cipolicy?view=win10-ps) to convert the new WDAC policy to binary format: +5. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=win10-ps) to convert the new WDAC policy to binary format: ` ConvertFrom-CIPolicy $EnforcedCIPolicy $CIPolicyBin` @@ -1052,7 +1052,7 @@ If you do not have a code signing certificate, see the [Optional: Create a code ` cd $env:USERPROFILE\Desktop ` -5. Use [Add-SignerRule](https://technet.microsoft.com/library/mt634479.aspx) to add an update signer certificate to the WDAC policy: +5. Use [Add-SignerRule](https://docs.microsoft.com/powershell/module/configci/add-signerrule?view=win10-ps) to add an update signer certificate to the WDAC policy: ` Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update` @@ -1060,11 +1060,11 @@ If you do not have a code signing certificate, see the [Optional: Create a code > *<Path to exported .cer certificate>* should be the full path to the certificate that you exported in step 3. Also, adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed WDAC policies, see the [Disable signed Windows Defender Application Control policies within Windows](#disable-signed-windows-defender-application-control-policies-within-windows) section. -6. Use [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) to remove the unsigned policy rule option: +6. Use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption?view=win10-ps) to remove the unsigned policy rule option: ` Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete` -7. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/en-us/powershell/module/configci/convertfrom-cipolicy?view=win10-ps) to convert the policy to binary format: +7. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=win10-ps) to convert the policy to binary format: ` ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin` From cf790ba4f49bec31670a20d7caa956e7199da269 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Wed, 4 Apr 2018 10:50:41 -0700 Subject: [PATCH 05/29] trying to fix step numbering --- windows/deployment/update/windows-update-sources.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/windows/deployment/update/windows-update-sources.md b/windows/deployment/update/windows-update-sources.md index 1f8e758809..d4b5967b12 100644 --- a/windows/deployment/update/windows-update-sources.md +++ b/windows/deployment/update/windows-update-sources.md @@ -17,10 +17,9 @@ Windows 10 devices can receive updates from a variety of sources, including Wind 1. Start Windows PowerShell as an administrator 2. Run `\$MUSM = New-Object -ComObject “Microsoft.Update.ServiceManager”`. -3. Run `\$MUSM.Services`. The resulting output should be similar to the following: - -``` -Name : Microsoft Update +3. Run `\$MUSM.Services`. The resulting output should be similar to the following: + ``` + Name : Microsoft Update ContentValidationCert : {} ExpirationDate : IsManaged : False From c820a727b01328beeafb8d8de04a01ee91c882a1 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Wed, 4 Apr 2018 13:35:56 -0700 Subject: [PATCH 06/29] trying again with the steps --- windows/deployment/update/windows-update-sources.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/windows-update-sources.md b/windows/deployment/update/windows-update-sources.md index d4b5967b12..d51999abef 100644 --- a/windows/deployment/update/windows-update-sources.md +++ b/windows/deployment/update/windows-update-sources.md @@ -1,4 +1,3 @@ - --- title: Determining the Windows Update Service source description: Determine the source that Windows Update service is currently using. @@ -18,6 +17,7 @@ Windows 10 devices can receive updates from a variety of sources, including Wind 1. Start Windows PowerShell as an administrator 2. Run `\$MUSM = New-Object -ComObject “Microsoft.Update.ServiceManager”`. 3. Run `\$MUSM.Services`. The resulting output should be similar to the following: + ``` Name : Microsoft Update ContentValidationCert : {} From d23d32ad1232a5d2e3c01cf7f1788d4fe1bceb87 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Wed, 4 Apr 2018 14:28:55 -0700 Subject: [PATCH 07/29] still not right --- windows/deployment/update/windows-update-sources.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/windows-update-sources.md b/windows/deployment/update/windows-update-sources.md index d51999abef..9e8a789f4f 100644 --- a/windows/deployment/update/windows-update-sources.md +++ b/windows/deployment/update/windows-update-sources.md @@ -18,8 +18,8 @@ Windows 10 devices can receive updates from a variety of sources, including Wind 2. Run `\$MUSM = New-Object -ComObject “Microsoft.Update.ServiceManager”`. 3. Run `\$MUSM.Services`. The resulting output should be similar to the following: - ``` - Name : Microsoft Update +``` +Name : Microsoft Update ContentValidationCert : {} ExpirationDate : IsManaged : False From 20ea1fd5673988b4d11d0248d58156a7005f8ed6 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Wed, 4 Apr 2018 15:23:38 -0700 Subject: [PATCH 08/29] applying Liza's fix --- .../update/windows-update-sources.md | 198 +++++++++--------- 1 file changed, 99 insertions(+), 99 deletions(-) diff --git a/windows/deployment/update/windows-update-sources.md b/windows/deployment/update/windows-update-sources.md index 9e8a789f4f..5019699f81 100644 --- a/windows/deployment/update/windows-update-sources.md +++ b/windows/deployment/update/windows-update-sources.md @@ -17,136 +17,136 @@ Windows 10 devices can receive updates from a variety of sources, including Wind 1. Start Windows PowerShell as an administrator 2. Run `\$MUSM = New-Object -ComObject “Microsoft.Update.ServiceManager”`. 3. Run `\$MUSM.Services`. The resulting output should be similar to the following: + + ``` + Name : Microsoft Update + ContentValidationCert : {} + ExpirationDate : + IsManaged : False + IsRegisteredWithAU : True + IssueDate : 01-Jan-01 12:00:00 AM + OffersWindowsUpdates : True + RedirectUrls : System.__ComObject + ServiceID : 7971f918-a847-4430-9279-4a52d1efe18d + IsScanPackageService : False + CanRegisterWithAU : True + ServiceUrl : https://fe2.update.microsoft.com/v6/ + SetupPrefix : mu + IsDefaultAUService : False -``` -Name : Microsoft Update -ContentValidationCert : {} -ExpirationDate : -IsManaged : False -IsRegisteredWithAU : True -IssueDate : 01-Jan-01 12:00:00 AM -OffersWindowsUpdates : True -RedirectUrls : System.__ComObject -ServiceID : 7971f918-a847-4430-9279-4a52d1efe18d -IsScanPackageService : False -CanRegisterWithAU : True -ServiceUrl : https://fe2.update.microsoft.com/v6/ -SetupPrefix : mu -IsDefaultAUService : False + Name : DCat Flighting Prod + ContentValidationCert : {} + ExpirationDate : + IsManaged : False + IsRegisteredWithAU : False + IssueDate : 01-Jan-01 12:00:00 AM + OffersWindowsUpdates : False + RedirectUrls : System.__ComObject + ServiceID : 8b24b027-1dee-babb-9a95-3517dfb9c552 + IsScanPackageService : False + CanRegisterWithAU : False + ServiceUrl : https://fe3.delivery.mp.microsoft.com/ + SetupPrefix : wu + IsDefaultAUService : False -Name : DCat Flighting Prod -ContentValidationCert : {} -ExpirationDate : -IsManaged : False -IsRegisteredWithAU : False -IssueDate : 01-Jan-01 12:00:00 AM -OffersWindowsUpdates : False -RedirectUrls : System.__ComObject -ServiceID : 8b24b027-1dee-babb-9a95-3517dfb9c552 -IsScanPackageService : False -CanRegisterWithAU : False -ServiceUrl : https://fe3.delivery.mp.microsoft.com/ -SetupPrefix : wu -IsDefaultAUService : False + Name : Windows Store (DCat Prod) + ContentValidationCert : {} + ExpirationDate : + IsManaged : False + IsRegisteredWithAU : False + IssueDate : 01-Jan-01 12:00:00 AM + OffersWindowsUpdates : False + RedirectUrls : System.__ComObject + ServiceID : 855e8a7c-ecb4-4ca3-b045-1dfa50104289 + IsScanPackageService : False + CanRegisterWithAU : True + ServiceUrl : https://fe3.delivery.mp.microsoft.com/ + SetupPrefix : ws + IsDefaultAUService : False -Name : Windows Store (DCat Prod) -ContentValidationCert : {} -ExpirationDate : -IsManaged : False -IsRegisteredWithAU : False -IssueDate : 01-Jan-01 12:00:00 AM -OffersWindowsUpdates : False -RedirectUrls : System.__ComObject -ServiceID : 855e8a7c-ecb4-4ca3-b045-1dfa50104289 -IsScanPackageService : False -CanRegisterWithAU : True -ServiceUrl : https://fe3.delivery.mp.microsoft.com/ -SetupPrefix : ws -IsDefaultAUService : False - -Name : Windows Server Update Service -ContentValidationCert : {} -ExpirationDate : 18-Jun-54 9:21:00 PM -IsManaged : True -IsRegisteredWithAU : True -IssueDate : 01-Jan-03 12:00:00 AM -OffersWindowsUpdates : True -RedirectUrls : System.__ComObject -ServiceID : 3da21691-e39d-4da6-8a4b-b43877bcb1b7 -IsScanPackageService : False -CanRegisterWithAU : True -ServiceUrl : -SetupPrefix : -IsDefaultAUService : True - -Name : Windows Update -ContentValidationCert : {} -ExpirationDate : -IsManaged : False -IsRegisteredWithAU : False -IssueDate : 01-Jan-01 12:00:00 AM -OffersWindowsUpdates : True -RedirectUrls : System.__ComObject -ServiceID : 9482f4b4-e343-43b6-b170-9a65bc822c77 -IsScanPackageService : False -CanRegisterWithAU : True -ServiceUrl : https://fe2.update.microsoft.com/v6/ -SetupPrefix : wu -IsDefaultAUService : False -``` + Name : Windows Server Update Service + ContentValidationCert : {} + ExpirationDate : 18-Jun-54 9:21:00 PM + IsManaged : True + IsRegisteredWithAU : True + IssueDate : 01-Jan-03 12:00:00 AM + OffersWindowsUpdates : True + RedirectUrls : System.__ComObject + ServiceID : 3da21691-e39d-4da6-8a4b-b43877bcb1b7 + IsScanPackageService : False + CanRegisterWithAU : True + ServiceUrl : + SetupPrefix : + IsDefaultAUService : True + Name : Windows Update + ContentValidationCert : {} + ExpirationDate : + IsManaged : False + IsRegisteredWithAU : False + IssueDate : 01-Jan-01 12:00:00 AM + OffersWindowsUpdates : True + RedirectUrls : System.__ComObject + ServiceID : 9482f4b4-e343-43b6-b170-9a65bc822c77 + IsScanPackageService : False + CanRegisterWithAU : True + ServiceUrl : https://fe2.update.microsoft.com/v6/ + SetupPrefix : wu + IsDefaultAUService : False + ``` 4. Check the category **Name** and **OffersWindowsUpdates**:  -Name: **Microsoft Update** + Name: **Microsoft Update** -Indicates the source against which we will are checking the Client capability. Microsoft Updates indicates, updates for other Microsoft Products checkbox. + Indicates the source against which we will are checking the Client capability. Microsoft Updates indicates, updates for other Microsoft Products checkbox. -OffersWindowsUpdates: **True** + OffersWindowsUpdates: **True** -Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.) + Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.) ---- + --- -Name: **DCat Flighting Prod** + Name: **DCat Flighting Prod** -The update source is the Windows Insider Program. + The update source is the Windows Insider Program. -OffersWindowsUpdates: **False** + OffersWindowsUpdates: **False** -Indicates that the client will not receive or is not configured to receive these updates. + Indicates that the client will not receive or is not configured to receive these updates. ---- + --- -Name: **Windows Store (DCat Prod)** + Name: **Windows Store (DCat Prod)** -The update source is Insider Updates for Store Apps. + The update source is Insider Updates for Store Apps. -OffersWindowsUpdates: **False** + OffersWindowsUpdates: **False** -Indicates that the client will not receive or is not configured to receive these updates. + Indicates that the client will not receive or is not configured to receive these updates. ---- + --- -Name: **Windows Server Update Service** + Name: **Windows Server Update Service** -The source is a Windows Server Updates Services server. + The source is a Windows Server Updates Services server. -OffersWindowsUpdates: **True** + OffersWindowsUpdates: **True** -The client is configured to receive updates from WSUS + The client is configured to receive updates from WSUS ---- + --- -Name: **Windows Update** + Name: **Windows Update** -The source is Windows Update. + The source is Windows Update. -OffersWindowsUpdates: **True** + OffersWindowsUpdates: **True** -The client is configured to receive updates from Windows Update Online + The client is configured to receive updates from Windows Update Online ---- + --- +    See also: From 1ce86f7f963e5519eb291a95fc94dff362f83db6 Mon Sep 17 00:00:00 2001 From: Adam Wilson Date: Wed, 4 Apr 2018 16:09:46 -0700 Subject: [PATCH 09/29] Update Cortana Policy Page There was some confusion about how to enable SafeSearch without using Search/SafeSearchPermissions. Added extra detail for clarity. --- .../cortana-at-work/cortana-at-work-policy-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md index f411b5bc5e..7e48ef64a7 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md @@ -26,7 +26,7 @@ ms.date: 10/05/2017 |None|System/AllowLocation|Specifies whether to allow app access to the Location service.

**In Windows 10, version 1511**
Cortana won’t work if this setting is turned off (disabled).

**In Windows 10, version 1607 and later**
Cortana still works if this setting is turned off (disabled).| |None|Accounts/AllowMicrosoftAccountConnection|Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.

Use this setting if you only want to support Azure AD in your organization.| |Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location|Search/AllowSearchToUseLocation|Specifies whether Cortana can use your current location during searches and for location reminders.| -|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search|Search/SafeSearchPermissions|Specifies what level of safe search (filtering adult content) is required.

**Note**
This setting only applies to Windows 10 Mobile.| +|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search|Search/SafeSearchPermissions|Specifies what level of safe search (filtering adult content) is required.

**Note**
This setting only applies to Windows 10 Mobile. Other versions of Windows should use Don't search the web or display web results. | |User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box|None|Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference.| |Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results|None|Specifies whether search can perform queries on the web and if the web results are displayed in search.

**In Windows 10 Pro edition**
This setting can’t be managed.

**In Windows 10 Enterprise edition**
Cortana won't work if this setting is turned off (disabled).| |Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana|Experience/AllowCortana|Specifies whether employees can use Cortana.

**Important**
Cortana won’t work if this setting is turned off (disabled). However, employees can still perform local searches even with Cortana turned off.| From 4f0fd0da495a87f42610d114ad1bc881eee2cd59 Mon Sep 17 00:00:00 2001 From: Adam Wilson Date: Wed, 4 Apr 2018 16:15:52 -0700 Subject: [PATCH 10/29] Clarify SafeSearch Options There was some confusion over the safe search options for desktop users. Added a note on what they should use. --- windows/client-management/mdm/policy-csp-search.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index dfdf82afa1..12b9c8386e 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -834,7 +834,7 @@ The following list shows the supported values: > [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. Desktop users should use Search/DoNotUseWebResults. Specifies what level of safe search (filtering adult content) is required. From 9fefcde76e029f78896ab553bbf679ff0e8bd2b9 Mon Sep 17 00:00:00 2001 From: Patti Short Date: Wed, 4 Apr 2018 19:26:50 -0700 Subject: [PATCH 11/29] addressed the group policies missing from content --- browsers/edge/available-policies.md | 830 +++++++++++------- .../credential-guard-requirements.md | 2 +- 2 files changed, 532 insertions(+), 300 deletions(-) diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index 016f1295f1..e564c939df 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md @@ -23,7 +23,7 @@ By using Group Policy and Intune, you can set up a policy setting once, and then > [!NOTE] > For more info about the tools you can use to change your Group Policy objects, see the Internet Explorer 11 topics, [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921), [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922), [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923), and [Group Policy and Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=617924). -## Group Policy settings + Microsoft Edge works with the following Group Policy settings to help you manage your company's web browser configurations. The Group Policy settings are found in the Group Policy Editor in the following location: `Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge\` @@ -32,321 +32,544 @@ Microsoft Edge works with the following Group Policy settings to help you manage Microsoft Edge works with these Group Policy settings (`Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge\`) to help you manage your company's web browser configurations: --> -### Allow Address bar drop-down list suggestions ->*Supporteded versions: Windows 10, version 1703* +## Allow Address bar drop-down list suggestions +>*Supporteded versions: Windows 10, version 1703 or later* + + +This policy settings specifies whether to allow the address bar drop-down functionality in Microsoft Edge. By default, this setting is enabled. We recommend that you disable this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. If disabled, employees do not see the address bar drop-down functionality and also disables the user-defined settting "Show search and site suggestions as I type." Therefore, because search suggestions are shown in the drop-down, this setting takes precedence over the _Configure search suggestions in Address bar_ or _AllowSearchSuggestionsinAddressBar_ setting. + +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[AllowAddressBarDropdown](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowaddressbardropdown) | +|Supported devices |Desktop | +|URI full path | ./Vendor/MSFT/Policy/Config/Browser/AllowAddressBarDropdown | +|Data type | Integer | +|Allowed values |

  • **0** - Not Allowed. Address bar drop-down is disabled, which also disables the user-defined setting, "Show search and site suggestions as I type."
  • **1 (default)** - Allowed. Address bar drop-down is enabled.
| -This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. -| If you... | Then... | -| --- | --- | -| Enable (default) | Employees can see the Address bar drop-down functionality in Microsoft Edge. | -| Disable | Employees do not see the Address bar drop-down functionality in Microsoft Edge. This setting also disables the user-defined setting, "Show search and site suggestions as I type."

Disabling this setting turns off the Address bar drop-down functionality. Therefore, because search suggestions are shown in the drop-down, this setting takes precedence over the "Configure search suggestions in Address bar" setting. | -### Allow Adobe Flash +## Allow Adobe Flash >*Supporteded version: Windows 10* -This policy setting lets you decide whether employees can run Adobe Flash on Microsoft Edge. -| If you… | Then… | -| --- | --- | -| Enable or don’t configure (default) | Employees can use Adobe Flash. | -| Disable | Employees cannot use Adobe Flash. | -### Allow clearing browsing data on exit +This policy setting specifies whether Adobe Flash can run in Microsoft Edge. By default, this setting is enabled or not configured, which allows employees to use Adobe Flash. If disabled, employees cannot use Adobe Flash. + +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[AllowFlash](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflash) | +|Supported devices |Desktop | +|URI full path | ./Vendor/MSFT/Policy/Config/Browser/AllowAutofill | +|Data type | Integer | +|Allowed values |

  • **0** - Employees cannot use Microsoft Edge.
  • **1 (default)** - Employees can use Microsoft Edge.
| + +## Allow clearing browsing data on exit >*Supporteded versions: Windows 10, version 1703* -This policy setting allows the automatic clearing of browsing data when Microsoft Edge closes. -| If you… | Then… | -| --- | --- | -| Enable | Clear browsing history on exit is turned on. | -| Disable or don’t configure (default) | Employees can turn on and configure the Clear browsing data option under Settings. | -### Allow Developer Tools +This policy setting specifies whether to clear browsing data on exiting Microsoft Edge. By default, this setting is disabled or not configured, which means employees can turn on and configure Clear browsing data option under Settings. If enabled, browsing history on exit is turned on. + +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[ClearBrowsingDataOnExit](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-clearbrowsingdataonexit) | +|Supported devices |Desktop | +|URI full path | ./Vendor/MSFT/Policy/Config/Browser/ClearBrowsingDataOnExit | +|Data type | Integer | +|Allowed values |
  • **0 (default)** - Browsing data is not cleared on exit. The type of browsing data to clear can be configured by the employee in the Clear browsing data options under Settings.
  • **1** - Browsing data is cleared on exit.
| + + +## Allow Cortana +>*Supported versions: Windows 10, version 1607 or later* + +This policy setting specifies whether Cortana is allowed on the device. By default, this setting is enabled (allowed), which allows employees to use Cortana on their devices. If disabled (not allowed), employees cannot use Cortana, but can use search to find items on the device. + +This policy setting specifies whether Cortana is allowed on the device. By default, this setting is enabled (allowed), which allows employees to use Cortana on their devices. If disabled (not allowed), employees cannot use Cortana, but can use search to find items on the device. + +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[AllowCortana](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | +|Supported devices |Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowCortana | +|Location |Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana | +|Data type | Integer | +|Allowed values |
  • **0** - Not allowed.
  • **1 (default)** - Allowed.
| + +## Allow Developer Tools >*Supporteded versions: Windows 10, version 1511 or later* -This policy setting lets you decide whether F12 Developer Tools are available on Microsoft Edge. -| If you… | Then… | -| --- | --- | -| Enable (default) | F12 Developer Tools are available. | -| Disable | F12 Developer Tools are not available. | +This policy setting specifies whether employees cna use the F12 Developer Tools on Microsoft Edge. By default, this setting is enabled making the F12 Developer Tools availabe to use. If disabled, the F12 Developer Tools are not available. -### Allow Extensions +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[AllowDeveloperTools](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowdevelopertools) | +|Supported devices |Desktop | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowDeveloperTools | +|Data type | Integer | +|Allowed values |
  • **0** - Employees cannot use the F12 Developer Tools./li>
  • **1 (default)** - Employees can use the F12 Developer Tools.
| + +## Allow Extensions >*Supporteded versions: Windows 10, version 1607 or later* -This policy setting lets you decide whether employees can use Microsft Edge Extensions. -| If you… | Then… | -| --- | --- | -| Enable | Employees can use Microsoft Edge Extensions. | -| Disable | Employees cannot use Microsoft Edge Extensions. | +This policy setting specifies whether employees can use Edge Extensions. By default, this setting is enabled allowing employees to use extensions. If disabled, employees cannot use extensions. -### Allow InPrivate browsing +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[AllowExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowextensions) | +|Supported devices |Desktop | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowExtensions | +|Data type | Integer | +|Allowed values |
  • **0** - Employees cannot use Edge Extensions.
  • **1 (default)** - Employees can use Edge Extensions.
| + +## Allow InPrivate browsing >*Supporteded versions: Windows 10, version 1511 or later* -This policy setting lets you decide whether employees can browse using InPrivate website browsing. -| If you… | Then… | -| --- | --- | -| Enable (default) | Employees can use InPrivate website browsing. | -| Disable | Employees cannot use InPrivate website browsing. | +This policy setting specifies whether InPrivate browsing is allowed on corporate networks. By default, this setting is enabled allowing employees to use InPrivate website browsing. If disabled, employees cannot use InPrivate website browsing. -### Allow Microsoft Compatibility List ->*Supporteded versions: Windows 10, version 1607 or later* +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[AllowInPrivate](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowinprivate) | +|Supported devices |Desktop
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowInPrivate | +|Data type | Integer | +|Allowed values |
  • **0** - Employees cannot use InPrivate browsing.
  • **1 (default)** - Employees can use InPrivate browsing.
| -This policy setting lets you decide whether to use the Microsoft Compatibility List (a Microsoft-provided list that helps sites with known compatibility issues to display properly) in Microsoft Edge. By default, the Microsoft Compatibility List is enabled and can be viewed by visiting about:compat. -| If you… | Then… | -| --- | --- | -| Enable (default) | Microsoft Edge periodically downloads the latest version of the list from Microsoft, applying the updates during browser navigation . Visiting any site on the Microsoft Compatibility List prompts the employee to use Internet Explorer 11, where the site renders as though it’s in whatever version of IE is necessary for it to appear properly. | -| Disable | Browser navigation does not use the Microsoft Compatibility List. | +## Allow Microsoft Compatibility List +>*Supporteded versions: Windows 10, version 1703 or later* -### Allow search engine customization ->*Supported versions: Windows 10, version 1703* +This policy setting specifies whether to use the Microsoft compatibility list in Microsoft Edge. The list helps websites with known compatibility issues to display properly. By default, the Microsoft compatibility list is enabled and used during browser navigation. The list can be viewed by visiting "about:compat". By default, this setting is enabled allowing periodic downloads and installation of updates. Visiting any site on the Microsoft Compatibility List prompts the employee to use Internet Explorer 11, where the site renders as though it is in whatever version of IE is necessary for it to appear properly. If disabled, the compatibility list is not used. -This policy setting lets you decide whether users can change their search engine. Important. You can only use this setting with domain-joined or MDM-enrolled devices. +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[AllowMicrosoftCompatibilityList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) | +|Supported devices |Desktop
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowMicrosoftCompatibilityList | +|Data type | Integer | +|Allowed values |
  • **0** - Additional search engines are not allowed and the default cannot be changed in the Address bar.
  • **1 (default)** - Additional search engines are allowed and the default can be changed in the Address bar.
| -For more info, see the [Microsoft browser extension policy](http://aka.ms/browserpolicy). +## Allow search engine customization +>*Supported versions: Windows 10, version 1703 or later* -| If you… | Then… | -| --- | --- | -| Enable or don’t configure (default) | Employees can add new search engines and change the default used in the Address bar from within Microsoft Edge Settings. | -| Disable | Employees cannot add search engines or change the default used in the Address bar. | +This policy setting allows search engine customization for domain-joined or MDM-enrolled devices only. For example, you can change the default search engine or add a new search engine. By default, this setting is enabled allowing employees to add new search engines and change the default under Settings. If disabled, employees cannot add search enginess or change the default. -### Allow web content on New Tab page +For more information, see [Microsoft browser extension policy](aka.ms/browserpolicy). + +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[AllowSearchEngineCustomization](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) | +|Supported devices |Desktop
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowSearchEngineCustomization | +|Data type | Integer | +|Allowed values |
  • **0** - Additional search engines are not allowed and the default cannot be changed in the Address bar.
  • **1 (default)** - Additional search engines are allowed and the default can be changed in the Address bar.
| + +## Allow web content on New Tab page >*Supported versions: Windows 10* -This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. If you use this setting, employees cannot change it. -| If you… | Then… | -| --- | --- | -| Enable | Microsoft Edge opens a new tab with the New Tab page. | -| Disable | Microsoft Edge opens a new tab with a blank page. | -| Do not configure (default) | Employees can choose how new tabs appear. | +This policy setting lets you configure what appears when a New Tab page is opened in Microsoft Edge. By default, this setting is disabled or not configured, which means employees cannot customize their New Tab page. If enabled, employees can customize their New Tab page. -### Configure additional search engines ->*Supported versions: Windows 10, version 1703* + -This policy setting lets you add up to 5 additional search engines, which cannot be removed by your employees but can make a personal default engine. This setting does not set the default search engine. For that, you must use the "Set default search engine" setting. -| If you… | Then… | -| --- | --- | -| Enable | You can add up to 5 additional search engines. For each additional search engine, you must add a link to your OpenSearch XML file, including at least the short name and https URL of the search engine, using this format:

``

For more info about creating the OpenSearch XML file, see the [Understanding OpenSearch Standards](https://msdn.microsoft.com/en-us/library/dd163546.aspx) topic. | Disable setting (default) | Any added search engines are removed from the employee’s device. | -| Do not configure | The search engine list is set to what is specified in App settings. | +## Configure additional search engines +>*Supported versions: Windows 10, version 1703 or later* -### Configure Autofill +This policy setting, when enabled, lets you add up to five additional search engines. Employees cannot remove these search engines, but they can set any one as the default. By default, this setting is not configured and does not allow additional search engines to be added. If disabled, the search engines added are deleted. + +For each additional search engine you add, specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). + +This setting does not set the default search engine. For that, you must use the "Set default search engine" setting. + +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[ConfigureAdditionalSearchEngines](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configureadditionalsearchengines) | +|Supported devices |Desktop
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/ConfigureAdditionalSearchEngines | +|Data type | Integer | +|Allowed values |

  • **0 (default)** - Additional search engines are not allowed.
  • **1** - Additional search engines are allowed.
| + +## Configure Autofill >*Supported versions: Windows 10* -This policy setting lets you decide whether employees can use Autofill the form fields automatically while using Microsoft Edge. By default, employees can choose whether to use Autofill. -| If you… | Then… | -| --- | --- | -| Enable | Employees can use Autofill to populate form fields automatically. | -| Disable | Employees cannot use Autofill to populate form fields automatically. | -| Do not configure (default) | Employees can choose whether to use Autofill to populate the form fields automatically. | +This policy setting specifies whether AutoFill on websites is allowed. By default, this setting is not configured allowing employees to choose whether or not to use AutoFill. If enabled, AutoFill is used. If disabled, AutoFill is not used. -### Configure cookies +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[AllowAutofill](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowautofill) | +|Supported devices |Desktop | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowAutofill | +|Data type | Integer | +|Allowed values |
  • **0** - Employees cannot use Autofill to complete form fields.
  • **1 (default)** - Employees can use Autofill to complete form fields.
| + +## Configure cookies >*Supported versions: Windows 10* -This setting lets you configure how to work with cookies. -| If you… | Then… | -| --- | --- | -| Enable (default) | You must also decide whether to:
  • **Allow all cookies (default)** from all websites.
  • **Block all cookies** from all websites.
  • **Block only 3rd-party cookies** from 3rd-party websites.
| -| Disable or do not configure | All cookies are allowed from all sites. | +This policy setting specifies whether cookies are allowed. By default, this setting is enabled with the Block all cookies and Block only 3rd-party cookies options available. If disabled or not configured, all cookies are allowed from all sites. -### Configure Do Not Track +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[AllowCookies](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowcookies) | +|Supported devices |Desktop
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowCookies | +|Data type | Integer | +|Allowed values |
  • **0 (default)** - Allows all cookies from all sites.
  • **1** - Blocks only cookies from 3rd party websites.
  • **2** - Blocks all cookies from all sites.
| + +## Configure Do Not Track >*Supported versions: Windows 10* -This policy setting lets you decide whether employees can send Do Not Track requests to websites that ask for tracking info. By default, Do Not Track requests are never sent, but employees can choose to turn on and send requests. -| If you… | Then… | -| --- | --- | -| Enable | Do Not Track requests are always sent to websites asking for tracking information. | -| Disable | Do Not Track requests are never sent to websites asking for tracking information. | -| Do not configure (default) | Employees can choose whether to send Do Not Track requests to websites asking for tracking information. | +This policy setting specifies whether Do Not Track requests to websites is allowed. By default, this setting is not configured allowing employees to choose whether or not to send tracking information. If enabled, Do Not Track requests are always sent to websites asking for tracking information. If disabled, Do Not Track requests are never sent. -### Configure Favorites +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[AllowDoNotTrack](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack) | +|Supported devices |Desktop
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowDoNotTrack | +|Data type | Integer | +|Allowed values |
  • **0 (default)** - Stops employees from sending Do Not Track headers to websites requesting tracking info.
  • **1** - Employees can send Do Not Track headers to websites requesting tracking info.
| + +## Configure Favorites +>*Supported versions: Windows 10, version 1709* + +This policy settings lets you configure a default list of Favorites that appear for your employee. By default, this setting is disabled or not configured allowing employees to customize the Favorites list, such as adding folders to organize their favorites. If enabled, employees are not allowed to add, import, or change anything in the Favorites list. As part of this, the Save a Favorite, Import settings, and context menu items (such as Create a new folder) are turned off. + +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[LockdownFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | +|Supported devices |Desktop
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/LockdownFavorites | +|Data type | Integer | +|Allowed values |
  • **0** - Disabled. Do not lockdown Favorites.
  • **1** - Enabled. Lockdown Favorites.
| + +## Configure Password Manager +>*Supported versions: Windows 10* + +This policy setting specifies whether saving and managing passwords locally on the device is allowed. By default, this setting is enabled allowing employees to save their passwords locally. If not configured, employees can choose whether or not to save and manage passwords locally. If disabled, saving and managing passwords locally is turned off. + +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[AllowPasswordManager](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) | +|Supported devices |Desktop
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowPasswordManager | +|Data type | Integer | +|Allowed values |
  • **0 (default)** - Employees cannot use Password Manager to save passwords locally.
  • **1** - Employees can use Password Manager to save passwords locally.
| + +## Configure Pop-up Blocker +>*Supported versions: Windows 10* + +This policy setting specifies whether pop-up blocker is allowed or enabled. By default, pop-up blocker is turned on. If not configured, employees can choose whether to turn on or turn off pop-up blocker. If disabled, pop-up blocker is turned off. + +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[AllowPopups](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpopups) | +|Supported devices |Desktop | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowPopups | +|Data type | Integer | +|Allowed values |
  • **0 (default)** - Turns off Pop-up Blocker, allowing pop-up windows.
  • **1** - Turns on Pop-up Blocker, stopping pop-up windows.
| + +## Configure search suggestions in Address bar +>*Supported versions: Windows 10* + +This policy setting specifies whether search suggestions are allowed in the address bar. By default, this setting is not configured allowing employees to choose whether search suggestions appear in the address bar. If enabled, search suggestions appear. If disabled, search suggestions do not appear. + +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchsuggestionsinaddressbar) | +|Supported devices |Desktop
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowSearchSuggestionsinAddressBar | +|Data type | Integer | +|Allowed values |
  • **0 (default)** - Employees cannot see search suggestions in the Address bar of Microsoft Edge.
  • **1** - Employees can see search suggestions in the Address bar of Microsoft Edge.
| + +## Configure Start pages >*Supported versions: Windows 10, version 1511 or later* -This policy setting lets you configure the default list of Favorites that appear for your employees. Employees can change their Favorites by adding or removing items at any time. -| If you… | Then… | -| --- | --- | -| Enable | You must provide a list of Favorites in the Options section. The list imports automatically after you deploy this policy. | -| Disable or do not configure | Employees will see the Favorites that they set in the Favorites hub. | +This policy setting specifies your Start pages for domain-joined or MDM-enrolled devices. By default, this setting is disabled or not configured. Therefore, the Start page is the webpages specified in App settings. If enabled, you can configure one or more corporate Start pages. If enabling this setting, you must include URLs separating multiple pages by using XML-escaped characters < and >, for example, **<\support.contoso.com><\support.microsoft.com>**. -### Configure Password Manager +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages) | +|Supported devices |Desktop | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/HomePages | +|Data type |String | +|Allowed values |Configure the Start page (previously known as Home page) URLs for your employees. | + +## Configure the Adobe Flash Click-to-Run setting +>*Supported versions: Windows 10, version 1703 or later* + +This policy setting specifies whether employees must take action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. By default, this setting is enabled. when the setting is enabled, employees must click the content, Click-to-Run button, or have the site appear on an auto-allow list before before the Adobe Flash content loads. If disabled, Adobe Flash loads and runs automatically. + +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[AllowFlashClickToRun](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) | +|Supported devices |Desktop | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowFlashClickToRun | +|Data type | Integer | +|Allowed values |
  • **0** - Adobe Flash content is automatically loaded and run by Microsoft Edge.
  • **1 (default)** - An employee must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content.
| + +## Configure the Enterprise Mode Site List >*Supported versions: Windows 10* -This policy setting lets you decide whether employees can save their passwords locally, using Password Manager. By default, Password Manager is turned on. -| If you… | Then… | -| --- | --- | -| Enable (default) | Employees can use Password Manager to save their passwords locally. | -| Disable | Employees cannot use Password Manager to save their passwords locally. | -| Do not configure | Employees can choose whether to use Password Manager to save their passwords locally. | - -### Configure Pop-up Blocker ->*Supported versions: Windows 10* - -This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is turned on. -| If you… | Then… | -| --- | --- | -| Enable (default) | Pop-up Blocker is turned on, stopping pop-up windows from appearing. | -| Disable | Pop-up Blocker is turned off, letting pop-up windows appear. | -| Do not configure | Employees can choose whether to use Pop-up Blocker. | - -### Configure search suggestions in Address bar ->*Supported versions: Windows 10* - -This policy setting lets you decide whether search suggestions appear in the Address bar of Microsoft Edge. By default, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge. -| If you… | Then… | -| --- | --- | -| Enable | Employees can see search suggestions in the Address bar. | -| Disable | Employees cannot see search suggestions in the Address bar. | -| Do not configure (default) | Employees can choose whether search suggestions appear in the Address bar. | - -### Configure Start pages ->*Supported versions: Windows 10, version 1511 or later* - -This policy setting lets you configure one or more Start pages, for domain-joined devices. Your employees will not be able to change this after you set it. -| If you… | Then… | -| --- | --- | -| Enable | You must include URLs to the pages, separating multiple pages by using angle brackets in this format:

`` | -| Disable or do not configure (default) | The default Start page is the webpage specified in App settings. | - -### Configure the Adobe Flash Click-to-Run setting ->*Supported versions: Windows 10, version 1703* - -This policy setting lets you decide whether employees must take action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. -| If you… | Then… | -| --- | --- | -| Enable or don’t configure | Employees must click the content, click the Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content. | -| Disable | Adobe Flash loads automatically and runs in Microsoft Edge. | - -### Configure the Enterprise Mode Site List ->*Supported versions: Windows 10* - -This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy apps. -| If you… | Then… | -| --- | --- | -| Enable | You must add the location to your site list in the **{URI}** box. When configured, Microsoft Edge looks for the Enterprise Mode Site List XML file, which includes the sites and domains that need to be viewed using Internet Explorer 11 and Enterprise Mode. | -Disable or do not configure (default) | Microsoft Edge won’t use the Enterprise Mode Site List XML file. In this case, employees might experience compatibility problems while using legacy apps. | +This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy apps. By default, this setting is disabled or not configured, which means the Enterprise Mode Site List is not used. In this case, employees might experience compatibility problems while using legacy apps. If enabled, you must add the location to your site list in the **{URI}** box. when enabled, Microsoft Edge looks for the Enterprise Mode Site List XML file, which includes the sites and domains that need to be viewed using Internet Explorer 11 and Enterprise Mode. >[!Note] >If there is a .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server has a different version number than the version in the cache container, the server file is used and stored in the cache container.

>If you already use a site list, enterprise mode continues to work during the 65-second wait; it just uses the existing site list instead of the new one. -### Configure Windows Defender SmartScreen +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[EnterpriseModeSiteList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) | +|Supported devices |Desktop | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/EnterpriseModeSiteList | +|Data type | String | +|Allowed values |
  • Not configured.
  • **1 (default)** - Use the Enterprise Mode Site List, if configured.
  • **2** - Specify the location to the site list.
| + +## Configure Windows Defender SmartScreen >*Supported versions: Windows 10* -This policy setting lets you configure whether to turn on Windows Defender SmartScreen. Windows Defender SmartScreen provides warning messages to help protect your employees from potential phishing scams and malicious software. By default, Windows Defender SmartScreen is turned on. -| If you… | Then… | -| --- | --- | -| Enable | Windows Defender SmartScreen is turned on, and employees cannot turn it off. | -| Disable | Windows Defender SmartScreen is turned off, and employees cannot turn it on. | -| Do not configure | Employees can choose whether to use Windows Defender SmartScreen. | +This policy setting specifies whether Windows Defender SmartScreen is allowed. By default, this setting is enabled or turned on and employees cannot turn it off. If disabled, Windows Defender SmartScreen is turned off and employees cannot turn it on. If not configured, employees can choose whether to use Windows Defender SmartScreen. -### Disable lockdown of Start pages ->*Supported versions: Windows 10, version 1703* +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[AllowSmartScreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) | +|Supported devices |Desktop
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen | +|Data type | Integer | +|Allowed values |
  • **0 (default)** - Turns off Windows Defender SmartScreen.
  • **1** - Turns on Windows Defender SmartScreen, providing warning messages to your employees about potential phishing scams and malicious software.
| -This policy setting lets you disable the lockdown of Start pages if the Configure Start pages setting is in effect . This setting only applies to domain-joined or MDM-enrolled devices. +## Disable lockdown of Start pages +>*Supported versions: Windows 10, version 1703 or later* -For more info, see the [Microsoft browser extension policy](http://aka.ms/browserpolicy). +This policy setting specifies whether the lockdown on the Start pages is disabled on domain-joined or MDM-enrolled devices. By default, this policy is enabled locking down the Start pages according to the settings specified in the Browser/HomePages policy. When enabled, users cannot change the Start pages. If disabled, users can modify the Start pages. -| If you… | Then… | -| --- | --- | -| Enable | You cannot lock down Start pages that are configured using the “Configure Start pages” setting. Employees can, therefore, modify the pages. | -| Disable or do not configure (default) | Employees cannot change Start pages configured using the “Configure Start pages” setting. | +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[DisableLockdownOfStartPages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-disablelockdownofstartpages) | +|Supported devices |Desktop | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/DisableLockdownOfStartPages | +|Data type | Integer | +|Allowed values |
  • **0 (default)** - Enable lockdown of the Start pages according to the settings specified in the Browser/HomePages policy. Users cannot change the Start pages.
  • **1** - Disable lockdown of the Start pages and allow users to modify them.
| -### Keep favorites in sync between Internet Explorer and Microsoft Edge ->*Supported versions: Windows 10, version 1703* + +## Do not sync +>*Supported versions: Windows 10* -This policy setting lets you decide whether people can sync their favorites between Internet Explorer and Microsoft Edge, including additions, deletions, changes, and position. +This policy setting specifies whether employees can use the Sync your Settings option to sync their settings to and from their device. By default, this setting is disabled or not configured, which means the Sync your Settings options are turned on, letting employees pick what can sync on their device. If enabled, the Sync your Settings options are turned off and none of the Sync your Setting groups are synced on the device. You can use the Allow users to turn syncing on option to turn the feature off by default, but to let the employee change this setting. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices). - -| If you… | Then… | -| --- | --- | -| Enable | Employees can sync their favorites between Internet Explorer and Microsoft Edge.

Enabling this setting stops Microsoft Edge favorites from syncing between connected Windows 10 devices. | -| Disable or do not configure | Employees cannot sync their favorites between Internet Explorer and Microsoft Edge. | +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[AllowSyncMySettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) | +|Supported devices |Desktop | +|URI full path |./Vendor/MSFT/Policy/Config/Experience/AllowSyncMySettings | +|Location |Computer Configuration\Administrative Templates\Windows Components\sync your settings\Do not sync | +|Data type | Integer | +|Allowed values |
  • **0** - Employees cannot sync settings between PCs.
  • **1 (default)** - Employees can sync between PCs.
| -### Prevent access to the about:flags page + +## Do not sync browser settings +>*Supported versions: Windows 10* + +This policy setting specifies whether a browser group can use the Sync your Settings options to sync their information to and from their device. Settings include information like History and Favorites. By default, this setting is disabled or not configured, which means the Sync your Settings options are turned on, letting browser groups pick what can sync on their device. If enabled, the Sync your Settings options are turned off so that browser groups are unable to sync their settings and info. You can use the Allow users to turn browser syncing on option to turn the feature off by default, but to let the employee change this setting. + + + +## Keep favorites in sync between Internet Explorer and Microsoft Edge +>*Supported versions: Windows 10, version 1703 or later* + +This policy setting specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including additions, deletions, modifications, and ordering. By default, this setting is disabled or not configured. When disabled or not configured, employees cannot sync their favorites. If enabled, employees can sync their favorites and stops Microsoft Edge favorites from syncing between connected Windows 10 devices. This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[SyncFavoritesBetweenIEAndMicrosoftEdge](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-syncfavoritesbetweenieandmicrosoftedge) | +|Supported devices |Desktop | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/SyncFavoritesBetweenIEAndMicrosoftEdge | +|Data type | Integer | +|Allowed values |
  • **0 (default)** - Synchronization is turned off.
  • **1** - Synchronization is turned on.
| + +## Prevent access to the about:flags page >*Supported versions: Windows 10, version 1607 or later* -This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features. -| If you… | Then… | -| --- | --- | -| Enable | Employees cannot access the about:flags page. | -| Disable or do not configure (default) | Employees can access the about:flags page. | +This policy setting specifies whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features. By default, this setting is disabled or not configured, which means employees can access the about:flags page. If enabled, employees cannot access the about:flags page. -### Prevent bypassing Windows Defender SmartScreen prompts for files +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[PreventAccessToAboutFlagsInMicrosoftEdge](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventaccesstoaboutflagsinmicrosoftedge) | +|Supported devices |Desktop | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/PreventAccessToAboutFlagsInMicrosoftEdge | +|Data type | Integer | +|Allowed values |
  • **0 (default)** - Employees can access the about:flags page in Microsoft Edge.
  • **1** - Employees cannot access the about:flags page in Microsoft Edge.
| + +## Prevent bypassing Windows Defender SmartScreen prompts for files >*Supported versions: Windows 10, version 1511 or later* -This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files. -| If you… | Then… | -| --- | --- | -| Enable | Employees cannot ignore Windows Defender SmartScreen warnings when downloading files. | -| Disable or do not configure (default) | Employees can ignore Windows Defender SmartScreen warnings and can continue the download process. | -### Prevent bypassing Windows Defender SmartScreen prompts for sites +This policy setting specifies whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files. By default, this setting is disabled or not configured (turned off), which means employees can ignore the warnings and can continue the download process. If enabled (turned on), employees cannot ignore the warnings and blocks them from downloading unverified files. + +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[PreventSmartScreenPromptOverrideForFiles](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverrideforfiles) | +|Supported devices |Desktop
Mobile | +|URI full path | ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles | +|Data type | Integer | +|Allowed values |
  • **0 (default)** - Lets employees ignore the Windows Defender SmartScreen warnings about unverified files and lets them continue the download process.
  • **1** - Stops employees from ignoring the Windows Defender SmartScreen warnings about unverified files.
| + +## Prevent bypassing Windows Defender SmartScreen prompts for sites >*Supported versions: Windows 10, version 1511 or later* -This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites. -| If you… | Then… | -| --- | --- | -| Enable | Employees cannot ignore Windows Defender SmartScreen warnings and prevents them from continuing to the site. | -| Disable or do not configure (default) | Employees can ignore Windows Defender SmartScreen warnings, allowing them to continue to the site. | +This policy setting specifies whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites. By default, this setting is disabled or not configured (turned off), which means employees can ignore the warnings and allows them to continue to the site. If enabled (turned on), employees cannot ignore the warnings and blocks them from continuing to the site. -### Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start ->*Supported versions: Windows 10, version 1703* +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[PreventSmartScreenPromptOverride](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverride) | +|Supported devices |Desktop
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride | +|Data type | Integer | +|Allowed values |
  • **0 (default)** - Turns off Windows Defender SmartScreen.
  • **1** - Turns on Windows Defender SmartScreen.
| -This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. -| If you… | Then… | -| --- | --- | -| Enable | Microsoft Edge does not gather the Live Tile metadata, providing a minimal experience. | -| Disable or do not configure (default) | Microsoft Edge gathers the Live Tile metadata, providing a fuller and complete experience. | +## Prevent changes to Favorites on Microsoft Edge +>*Supported versions: Windows 10, version 1709* - -### Prevent the First Run webpage from opening on Microsoft Edge ->*Supported versions: Windows 10, version 1703* - -This policy setting lets you decide whether employees see Microsoft's First Run webpage when opening Microsoft Edge for the first time. -| If you… | Then… | -| --- | --- | -| Enable | Employees do not see the First Run page. | -| Disable or do not configure (default) | Employees see the First Run page. | - -### Prevent using Localhost IP address for WebRTC ->*Supported versions: Windows 10, version 1511 or later* - -This policy setting lets you decide whether localhost IP addresses are visible or hidden while making calls to the WebRTC protocol. -| If you… | Then… | -| --- | --- | -| Enable | Localhost IP addresses are hidden. | -| Disable or do not configure (default) | Localhost IP addresses are visible. | - -### Send all intranet sites to Internet Explorer 11 ->*Supported versions: Windows 10* - -This policy setting lets you decide whether your intranet sites should all open using Internet Explorer 11. This setting should only be used if there are known compatibility problems with Microsoft Edge. -| If you… | Then… | -| --- | --- | -| Enable | All intranet sites are opened in Internet Explorer 11 automatically. | -| Disable or do not configure (default) | All websites, including intranet sites, open in Microsoft Edge. | - -### Set default search engine ->*Supported versions: Windows 10, version 1703* - -This policy setting applies only to domain-joined or MDM-enrolled devices and lets you configure the default search engine for Microsoft Edge. Employees can change the default search engine at any time unless you disable the "Allow search engine customization" setting, which restricts any changes. - -For more info, see the [Microsoft browser extension policy](http://aka.ms/browserpolicy). - -| If you… | Then… | -| --- | --- | -| Enable | To set a default search engine, you must add a link to your OpenSearch XML file, including at least the short name and https URL of the search engine, using this format:

`https://fabrikam.com/opensearch.xml` | -| Disable | The policy-set default search engine is removed. If this is also the current in-use default, the search engine changes to the Microsoft Edge specified engine for the market . | -| Do not configure | The default search engine is set to the one specified in App settings. | +This policy setting specifies whether employees can add, import, sort, or edit the Favorites list in Microsoft Edge. By default, this setting is disabled or not configured (turned on), which means the Favorites list is not locked down and employees can make changes to the Favorites list. If enabled, employees cannot make changes to the Favorites list. Also, the Save a Favorite, Import settings, and the context menu items, such as Create a new folder, are turned off. >[!Important] ->If you'd like your employees to use the default Microsoft Edge settings for each market , you can set the string to EDGEDEFAULT. If you'd like your employees to use Microsoft Bing as the default search engine, you can set the string to EDGEBING. +>Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + -### Show message when opening sites in Internet Explorer +## Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start +>*Supported versions: Windows 10, version 1703 or later* + +This policy setting specifies whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. By default, this setting is disabled or not configured (turned off), which means Microsoft servers are contacted if a site is pinned. If enabled (turned on), Microsoft servers are not contacted if a site is pinned. + +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[PreventLiveTileDataCollection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection) | +|Supported devices |Desktop
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/PreventLiveTileDataCollection | +|Data type | Integer | +|Allowed values |
  • **0 (default)** - Microsoft servers will be contacted if a site is pinned to Start from Microsoft Edge.
  • **1** - Microsoft servers will not be contacted if a site is pinned to Start from Microsoft Edge.
| + +## Prevent the First Run webpage from opening on Microsoft Edge +>*Supported versions: Windows 10, version 1703 or later* + +This policy setting specifies whether to enable or disable the First Run webpage. On the first explicit user-launch of Microsoft Edge, the First Run webpage hosted on microsoft.com opens automatically. This policy allows enterprises, such as those enrolled in a zero-emissions configuration, to prevent this page from opening. By default, this setting is disabled or not configured (turned off), which means employees see the First Run page. If enabled (turned on), the employees do not see the First Run page. + +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[PreventFirstRunPage](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventfirstrunpage) | +|Supported devices |Desktop
Mobile | +|URI full path | ./Vendor/MSFT/Policy/Config/Browser/PreventFirstRunPage | +|Data type | Integer | +|Allowed values |
  • **0 (default)** - Employees see the First Run webpage.
  • **1** - Employees do not see the First Run webpage.
| + +## Prevent using Localhost IP address for WebRTC +>*Supported versions: Windows 10, version 1511 or later* + + +This policy setting specifies whether localhost IP address are visible or hiddle while making phone calls to the WebRTC protocol. By default, this setting is disabled or not configured (turned off), which means the localhost IP address are visible. If enabled (turned on), localhost IP addresses are hidden. + +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[PreventUsingLocalHostIPAddressForWebRTC](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventusinglocalhostipaddressforwebrtc) | +|Supported devices |Desktop | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/PreventUsingLocalHostIPAddressForWebRTC | +|Data type | Integer | +|Allowed values |
  • **0 (default)** - Shows an employee's LocalHost IP address while using the WebRTC protocol.
  • **1** - Does not show an employee's LocalHost IP address while using the WebRTC protocol.
| + +## Provision Favorites +>*Supported versions: Windows 10, version 1709* + + +This policy setting allows you to configure a default set of favorites for employees, which they cannot modify, sort, move, export or delete. Specify the URL which points to the file that has all the data for provisioning favorites (in html format). You can export a set of favorites from Edge and use that html file for provisioning user machines. + +URL can be specified as: + HTTP location: "SiteList"="http://localhost:8080/URLs.html" + Local network: "SiteList"="\network\shares\URLs.html" + Local file: "SiteList"="file:///c:\Users\\Documents\URLs.html" + +>[!Important] +>Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + +If disabled or not configured, employees will see the favorites they set in the Hub and Favorites Bar. + +**MDM name:** [ProvisionFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) + + +## Send all intranet sites to Internet Explorer 11 +>*Supported versions: Windows 10* + + +This policy setting specifies whether to send intranet traffic to Internet Explorer 11. This setting should only be used if there are known compatibility problems with Microsoft Edge. By default, this setting is disabled or not configured (turned off), which means all websites, including intranet sites, open in Microsoft Edge. If enabled, all intranet sites are opened in Internet Explorer 11 automatically. + +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer) | +|Supported devices |Desktop | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer | +|Data type | Integer | +|Allowed values |
  • **0 (default)** - Automatically opens all websites, including intranet sites, using Microsoft Edge.
  • **1** - Automatically opens all intranet sites using Internet Explorer 11.
| + +## Set default search engine +>*Supported versions: Windows 10, version 1703 or later* + + +This policy setting allows you to configure the default search engine for domain-joined or MDM-enrolled devices. By default, this setting is not configured, which means the default search engine is specified in App settings. In this case, employees can change the default search engine at any time unless you disable the "Allow search engine customization" setting, which restricts any changes. If enabled, you can configure a default search engine for employees. When enabled, employees cannot change the default search engine. If disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. + +To set the default search engine, you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see Search provider discovery. If you'd like your employees to use the default Microsoft Edge settings for each market, you can set the string to EDGEDEFAULT. If you'd like your employees to use Microsoft Bing as the default search engine, you can set the string to EDGEBING. + +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[SetDefaultSearchEngine](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setdefaultsearchengine) | +|Supported devices |Desktop
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/SetDefaultSearchEngine | +|Data type | Integer | +|Allowed values |
  • **0 (default)** - The default search engine is set to the one specified in App settings.
  • **1** - Allows you to configure the default search engine for your employees.
| + +## Show message when opening sites in Internet Explorer >*Supported versions: Windows 10, version 1607 and later* -This policy setting lets you decide whether employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11. -| If you… | Then… | -| --- | --- | -| Enable | Employees see an additional page. | -| Disable or do not configure (default) | No additional pages display. | +This policy setting specifies whether employees see an additional page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site List. By default, this policy is disabled, which means no additional pages display. If enabled, employees see an additional page. + +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[ShowMessageWhenOpeningInteretExplorerSites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) | +|Supported devices |Desktop | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/ShowMessageWhenOpeningSitesInInteretExplorer | +|Data type | Integer | +|Allowed values |
  • **0 (default)** - Doesn’t show an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
  • **1** - Shows an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
| + + ## Related topics * [Mobile Device Management (MDM) settings]( https://go.microsoft.com/fwlink/p/?LinkId=722885) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md index d3be3e2ba8..0e81b79e6d 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md @@ -20,7 +20,7 @@ Prefer video? See [Windows Defender Credential Guard Deployment](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474) in the Deep Dive into Windows Defender Credential Guard video series. -For Windows Defender Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations). +For Windows Defender Credential Guard to provide protection, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations). ## Hardware and software requirements From a196f71b85e44b61c9614d40ef4dfe84fdc411a3 Mon Sep 17 00:00:00 2001 From: Patti Short Date: Thu, 5 Apr 2018 06:40:37 -0700 Subject: [PATCH 12/29] fixed broken link --- browsers/edge/available-policies.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index e564c939df..0d3bd56d4d 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md @@ -1,7 +1,8 @@ --- description: Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. ms.assetid: 2e849894-255d-4f68-ae88-c2e4e31fa165 -author: eross-msft +author: shortpatti +ms.author: pashort ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library @@ -10,8 +11,6 @@ ms.localizationpriority: high ms.date: 09/13/2017 #Previsou release date --- - - # Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge > Applies to: Windows 10, Windows 10 Mobile From 31893d315efac005dc93c13d4e0c1ddb479fe357 Mon Sep 17 00:00:00 2001 From: Patti Short Date: Thu, 5 Apr 2018 07:58:50 -0700 Subject: [PATCH 13/29] corrected the Configure Favorites policy and fixed a broken link --- browsers/edge/available-policies.md | 43 ++++++++++++----------------- 1 file changed, 17 insertions(+), 26 deletions(-) diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index 0d3bd56d4d..462b4795c6 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md @@ -156,7 +156,7 @@ This policy setting specifies whether to use the Microsoft compatibility list in This policy setting allows search engine customization for domain-joined or MDM-enrolled devices only. For example, you can change the default search engine or add a new search engine. By default, this setting is enabled allowing employees to add new search engines and change the default under Settings. If disabled, employees cannot add search enginess or change the default. -For more information, see [Microsoft browser extension policy](aka.ms/browserpolicy). +For more information, see [Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy). **Microsoft Intune to manage your MDM settings** | | | @@ -239,16 +239,27 @@ This policy setting specifies whether Do Not Track requests to websites is allow ## Configure Favorites >*Supported versions: Windows 10, version 1709* -This policy settings lets you configure a default list of Favorites that appear for your employee. By default, this setting is disabled or not configured allowing employees to customize the Favorites list, such as adding folders to organize their favorites. If enabled, employees are not allowed to add, import, or change anything in the Favorites list. As part of this, the Save a Favorite, Import settings, and context menu items (such as Create a new folder) are turned off. +This policy setting allows you to configure a default list of Favorites that appear for your employee, which they cannot modify, sort, move, export or delete. By default, this setting is disabled or not configured allowing employees to customize the Favorites list, such as adding folders to organize their favorites. If enabled, employees are not allowed to add, import, or change anything in the Favorites list. As part of this, the Save a Favorite, Import settings, and context menu items (such as Create a new folder) are turned off. + +Specify the URL which points to the file that has all the data for provisioning favorites (in html format). + +URL can be specified as: +- HTTP location: "SiteList"="http://localhost:8080/URLs.html" +- Local network: "SiteList"="\network\shares\URLs.html" +- Local file: "SiteList"="file:///c:\Users\\Documents\URLs.html" + +You can export a set of favorites from Edge and use that html file for provisioning user machines. + +>[!Important] +>Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. **Microsoft Intune to manage your MDM settings** | | | |---|---| -|MDM name |[LockdownFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | +|MDM name |[ProvisionFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | |Supported devices |Desktop
Mobile | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/LockdownFavorites | -|Data type | Integer | -|Allowed values |
  • **0** - Disabled. Do not lockdown Favorites.
  • **1** - Enabled. Lockdown Favorites.
| +|URI full path |./Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites | +|Data type | String | ## Configure Password Manager >*Supported versions: Windows 10* @@ -500,26 +511,6 @@ This policy setting specifies whether localhost IP address are visible or hiddle |Data type | Integer | |Allowed values |
  • **0 (default)** - Shows an employee's LocalHost IP address while using the WebRTC protocol.
  • **1** - Does not show an employee's LocalHost IP address while using the WebRTC protocol.
| -## Provision Favorites ->*Supported versions: Windows 10, version 1709* - - -This policy setting allows you to configure a default set of favorites for employees, which they cannot modify, sort, move, export or delete. Specify the URL which points to the file that has all the data for provisioning favorites (in html format). You can export a set of favorites from Edge and use that html file for provisioning user machines. - -URL can be specified as: - HTTP location: "SiteList"="http://localhost:8080/URLs.html" - Local network: "SiteList"="\network\shares\URLs.html" - Local file: "SiteList"="file:///c:\Users\\Documents\URLs.html" - ->[!Important] ->Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. - -If disabled or not configured, employees will see the favorites they set in the Hub and Favorites Bar. - -**MDM name:** [ProvisionFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) - ## Send all intranet sites to Internet Explorer 11 >*Supported versions: Windows 10* From 5544523d7d27b57117c9cc4e2849262db714622f Mon Sep 17 00:00:00 2001 From: Patti Short Date: Thu, 5 Apr 2018 08:35:00 -0700 Subject: [PATCH 14/29] corrected the Configure Favorites policy and fixed a broken link --- browsers/edge/available-policies.md | 69 +++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index 462b4795c6..824ae2d3eb 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md @@ -77,6 +77,20 @@ This policy setting specifies whether to clear browsing data on exiting Microsof |Data type | Integer | |Allowed values |
  • **0 (default)** - Browsing data is not cleared on exit. The type of browsing data to clear can be configured by the employee in the Clear browsing data options under Settings.
  • **1** - Browsing data is cleared on exit.
| +## Allow configuration updates for the Books Library +>*Supporteded versions: Windows 10, version 1703 or later* + +This policy setting specifies whether Microsoft Edge can automatically update the configuration data for the Books Library. By default, this setting is enabled, which means Microsoft Edge retrieves a configuration for Books Library. If disabled, Microsoft Edge does not retrieve a configuration. + +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[AllowConfigurationUpdateForBooksLibrary ](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) | +|Supported devices |Desktop | +|URI full path | ./Vendor/MSFT/Policy/Config/Browser/AllowConfigurationUpdateForBooksLibrary | +|Data type | Integer | +|Allowed values |
  • **0** - Disable. Microsoft Edge cannot retrieve a configuration.
  • **1 (default)** - Enable (default). Microsoft Edge can retrieve a configuration for Books Library.
| + ## Allow Cortana >*Supported versions: Windows 10, version 1607 or later* @@ -109,6 +123,21 @@ This policy setting specifies whether employees cna use the F12 Developer Tools |Data type | Integer | |Allowed values |
  • **0** - Employees cannot use the F12 Developer Tools./li>
  • **1 (default)** - Employees can use the F12 Developer Tools.
| +## Allow extended telemetry for the Books tab +>*Supporteded versions: Windows 10, version 1703 or later* + + +This policy settings specifies whether to allow the address bar drop-down functionality in Microsoft Edge. By default, this setting is enabled. We recommend that you disable this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. If disabled, employees do not see the address bar drop-down functionality and also disables the user-defined settting "Show search and site suggestions as I type." Therefore, because search suggestions are shown in the drop-down, this setting takes precedence over the _Configure search suggestions in Address bar_ or _AllowSearchSuggestionsinAddressBar_ setting. + +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[AllowAddressBarDropdown](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowaddressbardropdown) | +|Supported devices |Desktop | +|URI full path | ./Vendor/MSFT/Policy/Config/Browser/AllowAddressBarDropdown | +|Data type | Integer | +|Allowed values |
  • **0** - Not Allowed. Address bar drop-down is disabled, which also disables the user-defined setting, "Show search and site suggestions as I type."
  • **1 (default)** - Allowed. Address bar drop-down is enabled.
| + ## Allow Extensions >*Supporteded versions: Windows 10, version 1607 or later* @@ -175,6 +204,19 @@ This policy setting lets you configure what appears when a New Tab page is opene +## Always enable book library +>*Supporteded versions: Windows 10* + +This policy settings specifies whether to always show the Books Library in Microsoft Edge. By default, this setting is disabled, which means the library is only visible in countries or regions where available. if enabled, the Books Library is always shown regardless of countries or region of activation. + +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[AlwaysEnableBooksLibrary](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) | +|Supported devices |Desktop
Mobile | +|URI full path | ./Vendor/MSFT/Policy/Config/Browser/AlwaysEnableBooksLibrary | +|Data type | Integer | +|Allowed values |
  • **0 (default)** - Disable. Use default visibility of the Books Library. The Library will be only visible in countries or regions where it’s available.
  • **1** - Enable. Always show the Books Library, regardless of countries or region of activation.
| ## Configure additional search engines >*Supported versions: Windows 10, version 1703 or later* @@ -399,6 +441,19 @@ This policy setting specifies whether employees can use the Sync your Settings o This policy setting specifies whether a browser group can use the Sync your Settings options to sync their information to and from their device. Settings include information like History and Favorites. By default, this setting is disabled or not configured, which means the Sync your Settings options are turned on, letting browser groups pick what can sync on their device. If enabled, the Sync your Settings options are turned off so that browser groups are unable to sync their settings and info. You can use the Allow users to turn browser syncing on option to turn the feature off by default, but to let the employee change this setting. +## Enable extended books telemetry +>*Supporteded versions: Windows 10* + +This policy setting specifies how much data to send to Microsoft about the books you are reading from the Books tab in Microsoft Edge. By default, this setting is disabled or not configured, which means Microsoft Edge sends basic diagnostic data, depending on your device configuration. If enabled, Microsoft Edge sends additional diagnostic data in addition to the basic diagnostic data. + +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[EnableExtendedBooksTelemetry](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | +|Supported devices |Desktop
Mobile | +|URI full path | ./Vendor/MSFT/Policy/Config/Browser/AlwaysEnableBooksLibrary | +|Data type | Integer | +|Allowed values |
  • **0 (default)** - Disable. No additional diagnostic data.
  • **1** - Enable. Additional diagnostic data for schools.
| ## Keep favorites in sync between Internet Explorer and Microsoft Edge @@ -559,6 +614,20 @@ This policy setting specifies whether employees see an additional page in Micros |Data type | Integer | |Allowed values |
  • **0 (default)** - Doesn’t show an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
  • **1** - Shows an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.
| +## User shared folder for books +>*Supported versions: Windows 10* + +This policy setting specifies whether organizations should use a folder shared across users to store books from the Books Library. + +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[UseSharedFolderForBooks](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | +|Supported devices |Desktop | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/UseSharedFolderForBooks | +|Data type | Integer | +|Allowed values |
  • **0** - No shared folder.
  • **1** - Use as shared folder.
| + -## Always enable book library + +## Always Enable book library >*Supporteded versions: Windows 10* This policy settings specifies whether to always show the Books Library in Microsoft Edge. By default, this setting is disabled, which means the library is only visible in countries or regions where available. if enabled, the Books Library is always shown regardless of countries or region of activation. @@ -237,7 +234,7 @@ This setting does not set the default search engine. For that, you must use the ## Configure Autofill >*Supported versions: Windows 10* -This policy setting specifies whether AutoFill on websites is allowed. By default, this setting is not configured allowing employees to choose whether or not to use AutoFill. If enabled, AutoFill is used. If disabled, AutoFill is not used. +This policy setting specifies whether AutoFill on websites is allowed. By default, this setting is not configured allowing you to choose whether or not to use AutoFill. If enabled, AutoFill is used. If disabled, AutoFill is not used. **Microsoft Intune to manage your MDM settings** | | | @@ -265,7 +262,7 @@ This policy setting specifies whether cookies are allowed. By default, this sett ## Configure Do Not Track >*Supported versions: Windows 10* -This policy setting specifies whether Do Not Track requests to websites is allowed. By default, this setting is not configured allowing employees to choose whether or not to send tracking information. If enabled, Do Not Track requests are always sent to websites asking for tracking information. If disabled, Do Not Track requests are never sent. +This policy setting specifies whether Do Not Track requests to websites is allowed. By default, this setting is not configured allowing you to choose whether or not to send tracking information. If enabled, Do Not Track requests are always sent to websites asking for tracking information. If disabled, Do Not Track requests are never sent. **Microsoft Intune to manage your MDM settings** | | | @@ -274,12 +271,12 @@ This policy setting specifies whether Do Not Track requests to websites is allow |Supported devices |Desktop
Mobile | |URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowDoNotTrack | |Data type | Integer | -|Allowed values |
  • **0 (default)** - Stops employees from sending Do Not Track headers to websites requesting tracking info.
  • **1** - Employees can send Do Not Track headers to websites requesting tracking info.
| +|Allowed values |
  • **0 (default)** - Stops you from sending Do Not Track headers to websites requesting tracking info.
  • **1** - Employees can send Do Not Track headers to websites requesting tracking info.
| ## Configure Favorites >*Supported versions: Windows 10, version 1709* -This policy setting allows you to configure a default list of Favorites that appear for your employee, which they cannot modify, sort, move, export or delete. By default, this setting is disabled or not configured allowing employees to customize the Favorites list, such as adding folders to organize their favorites. If enabled, employees are not allowed to add, import, or change anything in the Favorites list. As part of this, the Save a Favorite, Import settings, and context menu items (such as Create a new folder) are turned off. +This policy setting allows you to configure a default list of Favorites that appear for your employee, which they cannot modify, sort, move, export or delete. By default, this setting is disabled or not configured allowing you to customize the Favorites list, such as adding folders to organize their favorites. If enabled, you are not allowed to add, import, or change anything in the Favorites list. As part of this, the Save a Favorite, Import settings, and context menu items (such as Create a new folder) are turned off. Specify the URL which points to the file that has all the data for provisioning favorites (in html format). @@ -291,7 +288,7 @@ URL can be specified as: You can export a set of favorites from Edge and use that html file for provisioning user machines. >[!Important] ->Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. +>Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops you from syncing their favorites between Internet Explorer and Microsoft Edge. **Microsoft Intune to manage your MDM settings** | | | @@ -304,7 +301,7 @@ You can export a set of favorites from Edge and use that html file for provision ## Configure Password Manager >*Supported versions: Windows 10* -This policy setting specifies whether saving and managing passwords locally on the device is allowed. By default, this setting is enabled allowing employees to save their passwords locally. If not configured, employees can choose whether or not to save and manage passwords locally. If disabled, saving and managing passwords locally is turned off. +This policy setting specifies whether saving and managing passwords locally on the device is allowed. By default, this setting is enabled allowing you to save their passwords locally. If not configured, you can choose whether or not to save and manage passwords locally. If disabled, saving and managing passwords locally is turned off. **Microsoft Intune to manage your MDM settings** | | | @@ -318,7 +315,7 @@ This policy setting specifies whether saving and managing passwords locally on t ## Configure Pop-up Blocker >*Supported versions: Windows 10* -This policy setting specifies whether pop-up blocker is allowed or enabled. By default, pop-up blocker is turned on. If not configured, employees can choose whether to turn on or turn off pop-up blocker. If disabled, pop-up blocker is turned off. +This policy setting specifies whether pop-up blocker is allowed or enabled. By default, pop-up blocker is turned on. If not configured, you can choose whether to turn on or turn off pop-up blocker. If disabled, pop-up blocker is turned off. **Microsoft Intune to manage your MDM settings** | | | @@ -332,7 +329,7 @@ This policy setting specifies whether pop-up blocker is allowed or enabled. By d ## Configure search suggestions in Address bar >*Supported versions: Windows 10* -This policy setting specifies whether search suggestions are allowed in the address bar. By default, this setting is not configured allowing employees to choose whether search suggestions appear in the address bar. If enabled, search suggestions appear. If disabled, search suggestions do not appear. +This policy setting specifies whether search suggestions are allowed in the address bar. By default, this setting is not configured allowing you to choose whether search suggestions appear in the address bar. If enabled, search suggestions appear. If disabled, search suggestions do not appear. **Microsoft Intune to manage your MDM settings** | | | @@ -355,12 +352,12 @@ This policy setting specifies your Start pages for domain-joined or MDM-enrolled |Supported devices |Desktop | |URI full path |./Vendor/MSFT/Policy/Config/Browser/HomePages | |Data type |String | -|Allowed values |Configure the Start page (previously known as Home page) URLs for your employees. | +|Allowed values |Configure the Start page (previously known as Home page) URLs for your you. | ## Configure the Adobe Flash Click-to-Run setting >*Supported versions: Windows 10, version 1703 or later* -This policy setting specifies whether employees must take action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. By default, this setting is enabled. when the setting is enabled, employees must click the content, Click-to-Run button, or have the site appear on an auto-allow list before before the Adobe Flash content loads. If disabled, Adobe Flash loads and runs automatically. +This policy setting specifies whether you must take action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. By default, this setting is enabled. when the setting is enabled, you must click the content, Click-to-Run button, or have the site appear on an auto-allow list before before the Adobe Flash content loads. If disabled, Adobe Flash loads and runs automatically. **Microsoft Intune to manage your MDM settings** | | | @@ -374,7 +371,7 @@ This policy setting specifies whether employees must take action, such as clicki ## Configure the Enterprise Mode Site List >*Supported versions: Windows 10* -This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy apps. By default, this setting is disabled or not configured, which means the Enterprise Mode Site List is not used. In this case, employees might experience compatibility problems while using legacy apps. If enabled, you must add the location to your site list in the **{URI}** box. when enabled, Microsoft Edge looks for the Enterprise Mode Site List XML file, which includes the sites and domains that need to be viewed using Internet Explorer 11 and Enterprise Mode. +This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy apps. By default, this setting is disabled or not configured, which means the Enterprise Mode Site List is not used. In this case, you might experience compatibility problems while using legacy apps. If enabled, you must add the location to your site list in the **{URI}** box. when enabled, Microsoft Edge looks for the Enterprise Mode Site List XML file, which includes the sites and domains that need to be viewed using Internet Explorer 11 and Enterprise Mode. >[!Note] >If there is a .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server has a different version number than the version in the cache container, the server file is used and stored in the cache container.

@@ -392,7 +389,7 @@ This policy setting lets you configure whether to use Enterprise Mode and the En ## Configure Windows Defender SmartScreen >*Supported versions: Windows 10* -This policy setting specifies whether Windows Defender SmartScreen is allowed. By default, this setting is enabled or turned on and employees cannot turn it off. If disabled, Windows Defender SmartScreen is turned off and employees cannot turn it on. If not configured, employees can choose whether to use Windows Defender SmartScreen. +This policy setting specifies whether Windows Defender SmartScreen is allowed. By default, this setting is enabled or turned on and you cannot turn it off. If disabled, Windows Defender SmartScreen is turned off and you cannot turn it on. If not configured, you can choose whether to use Windows Defender SmartScreen. **Microsoft Intune to manage your MDM settings** | | | @@ -401,7 +398,7 @@ This policy setting specifies whether Windows Defender SmartScreen is allowed. B |Supported devices |Desktop
Mobile | |URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen | |Data type | Integer | -|Allowed values |
  • **0 (default)** - Turns off Windows Defender SmartScreen.
  • **1** - Turns on Windows Defender SmartScreen, providing warning messages to your employees about potential phishing scams and malicious software.
| +|Allowed values |
  • **0 (default)** - Turns off Windows Defender SmartScreen.
  • **1** - Turns on Windows Defender SmartScreen, providing warning messages to your you about potential phishing scams and malicious software.
| ## Disable lockdown of Start pages >*Supported versions: Windows 10, version 1703 or later* @@ -421,7 +418,7 @@ This policy setting specifies whether the lockdown on the Start pages is disable ## Do not sync >*Supported versions: Windows 10* -This policy setting specifies whether employees can use the Sync your Settings option to sync their settings to and from their device. By default, this setting is disabled or not configured, which means the Sync your Settings options are turned on, letting employees pick what can sync on their device. If enabled, the Sync your Settings options are turned off and none of the Sync your Setting groups are synced on the device. You can use the Allow users to turn syncing on option to turn the feature off by default, but to let the employee change this setting. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices). +This policy setting specifies whether you can use the Sync your Settings option to sync their settings to and from their device. By default, this setting is disabled or not configured, which means the Sync your Settings options are turned on, letting you pick what can sync on their device. If enabled, the Sync your Settings options are turned off and none of the Sync your Setting groups are synced on the device. You can use the Allow users to turn syncing on option to turn the feature off by default, but to let the employee change this setting. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices). **Microsoft Intune to manage your MDM settings** | | | @@ -433,31 +430,15 @@ This policy setting specifies whether employees can use the Sync your Settings o |Data type | Integer | |Allowed values |
  • **0** - Employees cannot sync settings between PCs.
  • **1 (default)** - Employees can sync between PCs.
| - ## Do not sync browser settings >*Supported versions: Windows 10* This policy setting specifies whether a browser group can use the Sync your Settings options to sync their information to and from their device. Settings include information like History and Favorites. By default, this setting is disabled or not configured, which means the Sync your Settings options are turned on, letting browser groups pick what can sync on their device. If enabled, the Sync your Settings options are turned off so that browser groups are unable to sync their settings and info. You can use the Allow users to turn browser syncing on option to turn the feature off by default, but to let the employee change this setting. -## Enable extended books telemetry ->*Supporteded versions: Windows 10* - -This policy setting specifies how much data to send to Microsoft about the books you are reading from the Books tab in Microsoft Edge. By default, this setting is disabled or not configured, which means Microsoft Edge sends basic diagnostic data, depending on your device configuration. If enabled, Microsoft Edge sends additional diagnostic data in addition to the basic diagnostic data. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[EnableExtendedBooksTelemetry](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | -|Supported devices |Desktop
Mobile | -|URI full path | ./Vendor/MSFT/Policy/Config/Browser/AlwaysEnableBooksLibrary | -|Data type | Integer | -|Allowed values |
  • **0 (default)** - Disable. No additional diagnostic data.
  • **1** - Enable. Additional diagnostic data for schools.
| - - ## Keep favorites in sync between Internet Explorer and Microsoft Edge >*Supported versions: Windows 10, version 1703 or later* -This policy setting specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including additions, deletions, modifications, and ordering. By default, this setting is disabled or not configured. When disabled or not configured, employees cannot sync their favorites. If enabled, employees can sync their favorites and stops Microsoft Edge favorites from syncing between connected Windows 10 devices. This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. +This policy setting specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including additions, deletions, modifications, and ordering. By default, this setting is disabled or not configured. When disabled or not configured, you cannot sync their favorites. If enabled, you can sync their favorites and stops Microsoft Edge favorites from syncing between connected Windows 10 devices. This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. **Microsoft Intune to manage your MDM settings** | | | @@ -471,7 +452,7 @@ This policy setting specifies whether favorites are kept in sync between Interne ## Prevent access to the about:flags page >*Supported versions: Windows 10, version 1607 or later* -This policy setting specifies whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features. By default, this setting is disabled or not configured, which means employees can access the about:flags page. If enabled, employees cannot access the about:flags page. +This policy setting specifies whether you can access the about:flags page, which is used to change developer settings and to enable experimental features. By default, this setting is disabled or not configured, which means you can access the about:flags page. If enabled, you cannot access the about:flags page. **Microsoft Intune to manage your MDM settings** | | | @@ -485,7 +466,7 @@ This policy setting specifies whether employees can access the about:flags page, ## Prevent bypassing Windows Defender SmartScreen prompts for files >*Supported versions: Windows 10, version 1511 or later* -This policy setting specifies whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files. By default, this setting is disabled or not configured (turned off), which means employees can ignore the warnings and can continue the download process. If enabled (turned on), employees cannot ignore the warnings and blocks them from downloading unverified files. +This policy setting specifies whether you can override the Windows Defender SmartScreen warnings about downloading unverified files. By default, this setting is disabled or not configured (turned off), which means you can ignore the warnings and can continue the download process. If enabled (turned on), you cannot ignore the warnings and blocks them from downloading unverified files. **Microsoft Intune to manage your MDM settings** | | | @@ -494,12 +475,12 @@ This policy setting specifies whether employees can override the Windows Defende |Supported devices |Desktop
Mobile | |URI full path | ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles | |Data type | Integer | -|Allowed values |
  • **0 (default)** - Lets employees ignore the Windows Defender SmartScreen warnings about unverified files and lets them continue the download process.
  • **1** - Stops employees from ignoring the Windows Defender SmartScreen warnings about unverified files.
| +|Allowed values |
  • **0 (default)** - Lets you ignore the Windows Defender SmartScreen warnings about unverified files and lets them continue the download process.
  • **1** - Stops you from ignoring the Windows Defender SmartScreen warnings about unverified files.
| ## Prevent bypassing Windows Defender SmartScreen prompts for sites >*Supported versions: Windows 10, version 1511 or later* -This policy setting specifies whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites. By default, this setting is disabled or not configured (turned off), which means employees can ignore the warnings and allows them to continue to the site. If enabled (turned on), employees cannot ignore the warnings and blocks them from continuing to the site. +This policy setting specifies whether you can override the Windows Defender SmartScreen warnings about potentially malicious websites. By default, this setting is disabled or not configured (turned off), which means you can ignore the warnings and allows them to continue to the site. If enabled (turned on), you cannot ignore the warnings and blocks them from continuing to the site. **Microsoft Intune to manage your MDM settings** | | | @@ -513,10 +494,10 @@ This policy setting specifies whether employees can override the Windows Defende ## Prevent changes to Favorites on Microsoft Edge >*Supported versions: Windows 10, version 1709* -This policy setting specifies whether employees can add, import, sort, or edit the Favorites list in Microsoft Edge. By default, this setting is disabled or not configured (turned on), which means the Favorites list is not locked down and employees can make changes to the Favorites list. If enabled, employees cannot make changes to the Favorites list. Also, the Save a Favorite, Import settings, and the context menu items, such as Create a new folder, are turned off. +This policy setting specifies whether you can add, import, sort, or edit the Favorites list in Microsoft Edge. By default, this setting is disabled or not configured (turned on), which means the Favorites list is not locked down and you can make changes to the Favorites list. If enabled, you cannot make changes to the Favorites list. Also, the Save a Favorite, Import settings, and the context menu items, such as Create a new folder, are turned off. >[!Important] ->Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. +>Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops you from syncing their favorites between Internet Explorer and Microsoft Edge. @@ -538,7 +519,7 @@ This policy setting specifies whether Microsoft can collect information to creat ## Prevent the First Run webpage from opening on Microsoft Edge >*Supported versions: Windows 10, version 1703 or later* -This policy setting specifies whether to enable or disable the First Run webpage. On the first explicit user-launch of Microsoft Edge, the First Run webpage hosted on microsoft.com opens automatically. This policy allows enterprises, such as those enrolled in a zero-emissions configuration, to prevent this page from opening. By default, this setting is disabled or not configured (turned off), which means employees see the First Run page. If enabled (turned on), the employees do not see the First Run page. +This policy setting specifies whether to enable or disable the First Run webpage. On the first explicit user-launch of Microsoft Edge, the First Run webpage hosted on microsoft.com opens automatically. This policy allows enterprises, such as those enrolled in a zero-emissions configuration, to prevent this page from opening. By default, this setting is disabled or not configured (turned off), which means you see the First Run page. If enabled (turned on), the you do not see the First Run page. **Microsoft Intune to manage your MDM settings** | | | @@ -584,9 +565,9 @@ This policy setting specifies whether to send intranet traffic to Internet Explo >*Supported versions: Windows 10, version 1703 or later* -This policy setting allows you to configure the default search engine for domain-joined or MDM-enrolled devices. By default, this setting is not configured, which means the default search engine is specified in App settings. In this case, employees can change the default search engine at any time unless you disable the "Allow search engine customization" setting, which restricts any changes. If enabled, you can configure a default search engine for employees. When enabled, employees cannot change the default search engine. If disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. +This policy setting allows you to configure the default search engine for domain-joined or MDM-enrolled devices. By default, this setting is not configured, which means the default search engine is specified in App settings. In this case, you can change the default search engine at any time unless you disable the "Allow search engine customization" setting, which restricts any changes. If enabled, you can configure a default search engine for you. When enabled, you cannot change the default search engine. If disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. -To set the default search engine, you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see Search provider discovery. If you'd like your employees to use the default Microsoft Edge settings for each market, you can set the string to EDGEDEFAULT. If you'd like your employees to use Microsoft Bing as the default search engine, you can set the string to EDGEBING. +To set the default search engine, you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see Search provider discovery. If you'd like your you to use the default Microsoft Edge settings for each market, you can set the string to EDGEDEFAULT. If you'd like your you to use Microsoft Bing as the default search engine, you can set the string to EDGEBING. **Microsoft Intune to manage your MDM settings** | | | @@ -595,13 +576,13 @@ To set the default search engine, you must specify a link to the OpenSearch XML |Supported devices |Desktop
Mobile | |URI full path |./Vendor/MSFT/Policy/Config/Browser/SetDefaultSearchEngine | |Data type | Integer | -|Allowed values |
  • **0 (default)** - The default search engine is set to the one specified in App settings.
  • **1** - Allows you to configure the default search engine for your employees.
| +|Allowed values |
  • **0 (default)** - The default search engine is set to the one specified in App settings.
  • **1** - Allows you to configure the default search engine for your you.
| ## Show message when opening sites in Internet Explorer >*Supported versions: Windows 10, version 1607 and later* -This policy setting specifies whether employees see an additional page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site List. By default, this policy is disabled, which means no additional pages display. If enabled, employees see an additional page. +This policy setting specifies whether you see an additional page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site List. By default, this policy is disabled, which means no additional pages display. If enabled, you see an additional page. **Microsoft Intune to manage your MDM settings** | | | @@ -738,7 +719,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **Allowed values:** - - **0 (default).** Stops employees from sending Do Not Track headers to websites requesting tracking info. + - **0 (default).** Stops you from sending Do Not Track headers to websites requesting tracking info. - **1.** Employees can send Do Not Track headers to websites requesting tracking info. @@ -911,7 +892,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **0 (default).** Turns off Windows Defender SmartScreen. - - **1.** Turns on Windows Defender SmartScreen, providing warning messages to your employees about potential phishing scams and malicious software. + - **1.** Turns on Windows Defender SmartScreen, providing warning messages to your you about potential phishing scams and malicious software. ## ClearBrowsingDataOnExit - **Supported versions:** Windows 10, version 1703 @@ -999,7 +980,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **Allowed values:** - - Configure the **Favorite** URLs for your employees. + - Configure the **Favorite** URLs for your you. **Example:** @@ -1021,7 +1002,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **Allowed values:** - - Configure the first run URL for your employees. + - Configure the first run URL for your you. **Example:** @@ -1040,7 +1021,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **Allowed values:** - - Configure the Start page (previously known as Home page) URLs for your employees. + - Configure the Start page (previously known as Home page) URLs for your you. **Example:** @@ -1127,9 +1108,9 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **Allowed values:** - - **0 (default).** Lets employees ignore the Windows Defender SmartScreen warnings about unverified files and lets them continue the download process. + - **0 (default).** Lets you ignore the Windows Defender SmartScreen warnings about unverified files and lets them continue the download process. - - **1.** Stops employees from ignoring the Windows Defender SmartScreen warnings about unverified files. + - **1.** Stops you from ignoring the Windows Defender SmartScreen warnings about unverified files. ## PreventUsingLocalHostIPAddressForWebRTC - **Supported versions:** Windows 10, version 1511 or later @@ -1180,7 +1161,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **0 (default).** The default search engine is set to the one specified in App settings. - - **1.** Allows you to configure the default search engine for your employees. + - **1.** Allows you to configure the default search engine for your you. ## ShowMessageWhenOpeningInteretExplorerSites - **Supported versions:** Windows 10, version 1607 and later @@ -1226,7 +1207,7 @@ These are additional Windows 10-specific Group Policy settings that work with M ## Allow Cortana - **Location:** Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana -- **Description:** This policy setting specifies whether Cortana is allowed on the device. By default, this setting is enabled (allowed), which allows employees to use Cortana on their devices. If disabled (not allowed), employees cannot use Cortana, but can use search to find items on the device. +- **Description:** This policy setting specifies whether Cortana is allowed on the device. By default, this setting is enabled (allowed), which allows you to use Cortana on their devices. If disabled (not allowed), you cannot use Cortana, but can use search to find items on the device. - **Microsoft Intune to manage your MDM settings** | | | @@ -1241,7 +1222,7 @@ These are additional Windows 10-specific Group Policy settings that work with M ## Do not sync - **Location:** Computer Configuration\Administrative Templates\Windows Components\sync your settings\Do not sync -- **Description:** This policy setting specifies whether employees can use the Sync your Settings option to sync their settings to and from their device. By default, this setting is disabled or not configured, which means the Sync your Settings options are turned on, letting employees pick what can sync on their device. If enabled, the Sync your Settings options are turned off and none of the Sync your Setting groups are synced on the device. You can use the Allow users to turn syncing on option to turn the feature off by default, but to let the employee change this setting. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices). +- **Description:** This policy setting specifies whether you can use the Sync your Settings option to sync their settings to and from their device. By default, this setting is disabled or not configured, which means the Sync your Settings options are turned on, letting you pick what can sync on their device. If enabled, the Sync your Settings options are turned off and none of the Sync your Setting groups are synced on the device. You can use the Allow users to turn syncing on option to turn the feature off by default, but to let the employee change this setting. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices). - - From fd24a1aa206608e3b87464126a0231e5bdbde3b7 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Thu, 5 Apr 2018 10:23:41 -0700 Subject: [PATCH 17/29] rearranged as table --- .../update/windows-update-sources.md | 141 ++---------------- 1 file changed, 10 insertions(+), 131 deletions(-) diff --git a/windows/deployment/update/windows-update-sources.md b/windows/deployment/update/windows-update-sources.md index 5019699f81..351417d13b 100644 --- a/windows/deployment/update/windows-update-sources.md +++ b/windows/deployment/update/windows-update-sources.md @@ -7,7 +7,7 @@ ms.sitesec: library author: kaushika-msft ms.localizationpriority: high ms.author: kaushika -ms.date: 04/03/2018 +ms.date: 04/05/2018 --- # Determining the Windows Update Service source @@ -16,138 +16,17 @@ Windows 10 devices can receive updates from a variety of sources, including Wind 1. Start Windows PowerShell as an administrator 2. Run `\$MUSM = New-Object -ComObject “Microsoft.Update.ServiceManager”`. -3. Run `\$MUSM.Services`. The resulting output should be similar to the following: - - ``` - Name : Microsoft Update - ContentValidationCert : {} - ExpirationDate : - IsManaged : False - IsRegisteredWithAU : True - IssueDate : 01-Jan-01 12:00:00 AM - OffersWindowsUpdates : True - RedirectUrls : System.__ComObject - ServiceID : 7971f918-a847-4430-9279-4a52d1efe18d - IsScanPackageService : False - CanRegisterWithAU : True - ServiceUrl : https://fe2.update.microsoft.com/v6/ - SetupPrefix : mu - IsDefaultAUService : False +3. Run `\$MUSM.Services`. Compare the resulting output to this table: - Name : DCat Flighting Prod - ContentValidationCert : {} - ExpirationDate : - IsManaged : False - IsRegisteredWithAU : False - IssueDate : 01-Jan-01 12:00:00 AM - OffersWindowsUpdates : False - RedirectUrls : System.__ComObject - ServiceID : 8b24b027-1dee-babb-9a95-3517dfb9c552 - IsScanPackageService : False - CanRegisterWithAU : False - ServiceUrl : https://fe3.delivery.mp.microsoft.com/ - SetupPrefix : wu - IsDefaultAUService : False +| Output | Interpretation | +|-----------------------------------------------|-----------------------------------| +| Name : Microsoft Update
ContentValidationCert : {}
ExpirationDate :
IsManaged : False
IsRegisteredWithAU : True
IssueDate : 01-Jan-01 12:00:00 AM
OffersWindowsUpdates : True
RedirectUrls : System.__ComObject
ServiceID : 7971f918-a847-4430-9279-4a52d1efe18d
IsScanPackageService : False
CanRegisterWithAU : True
ServiceUrl : https://fe2.update.microsoft.com/v6/
SetupPrefix : mu
IsDefaultAUService : False | - Name: **Microsoft Update** Indicates the source against which we will are checking the Client capability. Microsoft Updates indicates, updates for other Microsoft Products checkbox.
- OffersWindowsUpdates: **True** Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.)| +| Name : Microsoft Update
ContentValidationCert : {}
ExpirationDate :
IsManaged : False
IsRegisteredWithAU : True
IssueDate : 01-Jan-01 12:00:00 AM
OffersWindowsUpdates : True
RedirectUrls : System.__ComObject
ServiceID : 7971f918-a847-4430-9279-4a52d1efe18d
IsScanPackageService : False
CanRegisterWithAU : True
ServiceUrl : https://fe2.update.microsoft.com/v6/
SetupPrefix : mu
IsDefaultAUService : False |- Name: **DCat Flighting Prod** The update source is the Windows Insider Program.
- OffersWindowsUpdates: **False** Indicates that the client will not receive or is not configured to receive these updates.| +|Name : DCat Flighting Prod
ContentValidationCert : {}
ExpirationDate :
IsManaged : False
IsRegisteredWithAU : False
IssueDate : 01-Jan-01 12:00:00 AM
OffersWindowsUpdates : False
RedirectUrls : System.__ComObject
ServiceID : 8b24b027-1dee-babb-9a95-3517dfb9c552
IsScanPackageService : False
CanRegisterWithAU : False
ServiceUrl: https://fe3.delivery.mp.microsoft.com/
SetupPrefix : wu
IsDefaultAUService : False | - Name: **DCat Flighting Prod** The update source is the Windows Insider Program.
- OffersWindowsUpdates: **False** Indicates that the client will not receive or is not configured to receive these updates. | +|Name : Windows Store (DCat Prod)
ContentValidationCert : {}
ExpirationDate :
IsManaged : False
IsRegisteredWithAU : False
IssueDate : 01-Jan-01 12:00:00 AM
OffersWindowsUpdates : False
RedirectUrls : System.__ComObject
ServiceID : 855e8a7c-ecb4-4ca3-b045-1dfa50104289
IsScanPackageService : False
CanRegisterWithAU : True
ServiceUrl : https://fe3.delivery.mp.microsoft.com/
SetupPrefix : ws
IsDefaultAUService : False | - Name: **Windows Store (DCat Prod)** The update source is Insider Updates for Store Apps.
- OffersWindowsUpdates: **False** Indicates that the client will not receive or is not configured to receive these updates. | +| Name : Windows Server Update Service
ContentValidationCert : {}
ExpirationDate : 18-Jun-54 9:21:00 PM
IsManaged : True
IsRegisteredWithAU : True
IssueDate : 01-Jan-03 12:00:00 AM
OffersWindowsUpdates : True
RedirectUrls : System.__ComObject
ServiceID : 3da21691-e39d-4da6-8a4b-b43877bcb1b7
IsScanPackageService : False
CanRegisterWithAU : True
ServiceUrl :
SetupPrefix :
IsDefaultAUService : True|- Name: **Windows Server Update Service** The source is a Windows Server Updates Services server.
- OffersWindowsUpdates: **True** The client is configured to receive updates from WSUS | +| Name : Windows Update
ContentValidationCert : {}
ExpirationDate :
IsManaged : False
IsRegisteredWithAU : False
IssueDate : 01-Jan-01 12:00:00 AM
OffersWindowsUpdates : True
RedirectUrls : System.__ComObject
ServiceID : 9482f4b4-e343-43b6-b170-9a65bc822c77
IsScanPackageService : False
CanRegisterWithAU : True
ServiceUrl : https://fe2.update.microsoft.com/v6/
SetupPrefix : wu
IsDefaultAUService : False |- Name: **Windows Update** The source is Windows Update.
- OffersWindowsUpdates: **True** The client is configured to receive updates from Windows Update Online | - Name : Windows Store (DCat Prod) - ContentValidationCert : {} - ExpirationDate : - IsManaged : False - IsRegisteredWithAU : False - IssueDate : 01-Jan-01 12:00:00 AM - OffersWindowsUpdates : False - RedirectUrls : System.__ComObject - ServiceID : 855e8a7c-ecb4-4ca3-b045-1dfa50104289 - IsScanPackageService : False - CanRegisterWithAU : True - ServiceUrl : https://fe3.delivery.mp.microsoft.com/ - SetupPrefix : ws - IsDefaultAUService : False - - Name : Windows Server Update Service - ContentValidationCert : {} - ExpirationDate : 18-Jun-54 9:21:00 PM - IsManaged : True - IsRegisteredWithAU : True - IssueDate : 01-Jan-03 12:00:00 AM - OffersWindowsUpdates : True - RedirectUrls : System.__ComObject - ServiceID : 3da21691-e39d-4da6-8a4b-b43877bcb1b7 - IsScanPackageService : False - CanRegisterWithAU : True - ServiceUrl : - SetupPrefix : - IsDefaultAUService : True - - Name : Windows Update - ContentValidationCert : {} - ExpirationDate : - IsManaged : False - IsRegisteredWithAU : False - IssueDate : 01-Jan-01 12:00:00 AM - OffersWindowsUpdates : True - RedirectUrls : System.__ComObject - ServiceID : 9482f4b4-e343-43b6-b170-9a65bc822c77 - IsScanPackageService : False - CanRegisterWithAU : True - ServiceUrl : https://fe2.update.microsoft.com/v6/ - SetupPrefix : wu - IsDefaultAUService : False - ``` - -4. Check the category **Name** and **OffersWindowsUpdates**:  - - Name: **Microsoft Update** - - Indicates the source against which we will are checking the Client capability. Microsoft Updates indicates, updates for other Microsoft Products checkbox. - - OffersWindowsUpdates: **True** - - Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.) - - --- - - Name: **DCat Flighting Prod** - - The update source is the Windows Insider Program. - - OffersWindowsUpdates: **False** - - Indicates that the client will not receive or is not configured to receive these updates. - - --- - - Name: **Windows Store (DCat Prod)** - - The update source is Insider Updates for Store Apps. - - OffersWindowsUpdates: **False** - - Indicates that the client will not receive or is not configured to receive these updates. - - --- - - Name: **Windows Server Update Service** - - The source is a Windows Server Updates Services server. - - OffersWindowsUpdates: **True** - - The client is configured to receive updates from WSUS - - --- - - Name: **Windows Update** - - The source is Windows Update. - - OffersWindowsUpdates: **True** - - The client is configured to receive updates from Windows Update Online - - --- -  -  See also: From 93ac10dd15eb2c8dff05a7ec8d50a8319f54e81a Mon Sep 17 00:00:00 2001 From: jaimeo Date: Thu, 5 Apr 2018 11:27:54 -0700 Subject: [PATCH 18/29] trying a different layout --- .../update/windows-update-sources.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/windows/deployment/update/windows-update-sources.md b/windows/deployment/update/windows-update-sources.md index 351417d13b..490b2664d9 100644 --- a/windows/deployment/update/windows-update-sources.md +++ b/windows/deployment/update/windows-update-sources.md @@ -6,7 +6,7 @@ ms.mktglfcycl: ms.sitesec: library author: kaushika-msft ms.localizationpriority: high -ms.author: kaushika +ms.author: jaimeo ms.date: 04/05/2018 --- @@ -16,16 +16,16 @@ Windows 10 devices can receive updates from a variety of sources, including Wind 1. Start Windows PowerShell as an administrator 2. Run `\$MUSM = New-Object -ComObject “Microsoft.Update.ServiceManager”`. -3. Run `\$MUSM.Services`. Compare the resulting output to this table: +3. Run `\$MUSM.Services`. Check the resulting output for the **Name** and **OffersWindowsUPdates** parameters, which you can intepret according to this table: + +| Output | Interpretation | +|-----------------------------------------------------|-----------------------------------| +| - Name: **Microsoft Update**
-OffersWindowsUpdates: **True** | - The update source is Microsoft Update, which means that updates for other Microsoft products besides the operating system could also be delivered.
- Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.)| +|- Name: **DCat Flighting Prod**
- OffersWindowsUpdates: **False**|- The update source is the Windows Insider Program.
- Indicates that the client will not receive or is not configured to receive these updates. | +| - Name: **Windows Store (DCat Prod)**
- OffersWindowsUpdates: **False** |-The update source is Insider Updates for Store Apps.
- Indicates that the client will not receive or is not configured to receive these updates.| +|- Name: **Windows Server Update Service**
- OffersWindowsUpdates: **True** |- The source is a Windows Server Updates Services server.
- The client is configured to receive updates from WSUS.| +|- Name: **Windows Update**
- OffersWindowsUpdates: **True** |- The source is Windows Update.
- The client is configured to receive updates from Windows Update Online.| -| Output | Interpretation | -|-----------------------------------------------|-----------------------------------| -| Name : Microsoft Update
ContentValidationCert : {}
ExpirationDate :
IsManaged : False
IsRegisteredWithAU : True
IssueDate : 01-Jan-01 12:00:00 AM
OffersWindowsUpdates : True
RedirectUrls : System.__ComObject
ServiceID : 7971f918-a847-4430-9279-4a52d1efe18d
IsScanPackageService : False
CanRegisterWithAU : True
ServiceUrl : https://fe2.update.microsoft.com/v6/
SetupPrefix : mu
IsDefaultAUService : False | - Name: **Microsoft Update** Indicates the source against which we will are checking the Client capability. Microsoft Updates indicates, updates for other Microsoft Products checkbox.
- OffersWindowsUpdates: **True** Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.)| -| Name : Microsoft Update
ContentValidationCert : {}
ExpirationDate :
IsManaged : False
IsRegisteredWithAU : True
IssueDate : 01-Jan-01 12:00:00 AM
OffersWindowsUpdates : True
RedirectUrls : System.__ComObject
ServiceID : 7971f918-a847-4430-9279-4a52d1efe18d
IsScanPackageService : False
CanRegisterWithAU : True
ServiceUrl : https://fe2.update.microsoft.com/v6/
SetupPrefix : mu
IsDefaultAUService : False |- Name: **DCat Flighting Prod** The update source is the Windows Insider Program.
- OffersWindowsUpdates: **False** Indicates that the client will not receive or is not configured to receive these updates.| -|Name : DCat Flighting Prod
ContentValidationCert : {}
ExpirationDate :
IsManaged : False
IsRegisteredWithAU : False
IssueDate : 01-Jan-01 12:00:00 AM
OffersWindowsUpdates : False
RedirectUrls : System.__ComObject
ServiceID : 8b24b027-1dee-babb-9a95-3517dfb9c552
IsScanPackageService : False
CanRegisterWithAU : False
ServiceUrl: https://fe3.delivery.mp.microsoft.com/
SetupPrefix : wu
IsDefaultAUService : False | - Name: **DCat Flighting Prod** The update source is the Windows Insider Program.
- OffersWindowsUpdates: **False** Indicates that the client will not receive or is not configured to receive these updates. | -|Name : Windows Store (DCat Prod)
ContentValidationCert : {}
ExpirationDate :
IsManaged : False
IsRegisteredWithAU : False
IssueDate : 01-Jan-01 12:00:00 AM
OffersWindowsUpdates : False
RedirectUrls : System.__ComObject
ServiceID : 855e8a7c-ecb4-4ca3-b045-1dfa50104289
IsScanPackageService : False
CanRegisterWithAU : True
ServiceUrl : https://fe3.delivery.mp.microsoft.com/
SetupPrefix : ws
IsDefaultAUService : False | - Name: **Windows Store (DCat Prod)** The update source is Insider Updates for Store Apps.
- OffersWindowsUpdates: **False** Indicates that the client will not receive or is not configured to receive these updates. | -| Name : Windows Server Update Service
ContentValidationCert : {}
ExpirationDate : 18-Jun-54 9:21:00 PM
IsManaged : True
IsRegisteredWithAU : True
IssueDate : 01-Jan-03 12:00:00 AM
OffersWindowsUpdates : True
RedirectUrls : System.__ComObject
ServiceID : 3da21691-e39d-4da6-8a4b-b43877bcb1b7
IsScanPackageService : False
CanRegisterWithAU : True
ServiceUrl :
SetupPrefix :
IsDefaultAUService : True|- Name: **Windows Server Update Service** The source is a Windows Server Updates Services server.
- OffersWindowsUpdates: **True** The client is configured to receive updates from WSUS | -| Name : Windows Update
ContentValidationCert : {}
ExpirationDate :
IsManaged : False
IsRegisteredWithAU : False
IssueDate : 01-Jan-01 12:00:00 AM
OffersWindowsUpdates : True
RedirectUrls : System.__ComObject
ServiceID : 9482f4b4-e343-43b6-b170-9a65bc822c77
IsScanPackageService : False
CanRegisterWithAU : True
ServiceUrl : https://fe2.update.microsoft.com/v6/
SetupPrefix : wu
IsDefaultAUService : False |- Name: **Windows Update** The source is Windows Update.
- OffersWindowsUpdates: **True** The client is configured to receive updates from Windows Update Online | See also: From d0801522fdea7557c3792d5728e9ac49703a1533 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Thu, 5 Apr 2018 12:31:58 -0700 Subject: [PATCH 19/29] tweak to title; wired into TOC --- windows/deployment/TOC.md | 1 + windows/deployment/update/windows-update-sources.md | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index 94f70ce62d..3c88941d73 100644 --- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md @@ -230,6 +230,7 @@ ### [Deploy Windows 10 updates using System Center Configuration Manager](update/waas-manage-updates-configuration-manager.md) ### [Manage device restarts after updates](update/waas-restart.md) ### [Manage additional Windows Update settings](update/waas-wu-settings.md) +### [Determining the source of Windows updates](update/windows-update-sources.md) ### [Windows Insider Program for Business](update/waas-windows-insider-for-business.md) #### [Introduction to the Windows Insider Program for Business](update/WIP4Biz-intro.md) #### [Windows Insider Program for Business Frequently Asked Questions](update/waas-windows-insider-for-business-faq.md) diff --git a/windows/deployment/update/windows-update-sources.md b/windows/deployment/update/windows-update-sources.md index 490b2664d9..c9b0be52ce 100644 --- a/windows/deployment/update/windows-update-sources.md +++ b/windows/deployment/update/windows-update-sources.md @@ -1,5 +1,5 @@ --- -title: Determining the Windows Update Service source +title: Determining the source of Windows updates description: Determine the source that Windows Update service is currently using. ms.prod: w10 ms.mktglfcycl: @@ -10,7 +10,7 @@ ms.author: jaimeo ms.date: 04/05/2018 --- -# Determining the Windows Update Service source +# Determining the source of Windows updates Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps:  From 971c875ff86fafbf37ec84e64de9b2b73a8a934d Mon Sep 17 00:00:00 2001 From: Patti Short Date: Thu, 5 Apr 2018 18:37:30 -0700 Subject: [PATCH 21/29] Updated the voice and tone, plus deleted duplicate content --- browsers/edge/available-policies.md | 66 ++++++++++++++++++----------- 1 file changed, 41 insertions(+), 25 deletions(-) diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index 65193cad8d..bedff7e283 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library title: Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros) ms.localizationpriority: high -ms.date: 09/13/2017 #Previsou release date +ms.date: 4/5/2018 #Previsou release date 09/13/2017 --- # Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge @@ -34,8 +34,9 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A ## Allow Address bar drop-down list suggestions >*Supporteded versions: Windows 10, version 1703 or later* +The Address bar drop-down list, when enabled, allows the Address bar drop-down functionality in Microsoft Edge. By default, this policy is enabled. If disabled, you do not see the address bar drop-down functionality and disables the user-defined policy "Show search and site suggestions as I type." Therefore, because search suggestions are shown in the drop-down, this policy takes precedence over the [Configure search suggestions in Address bar](https://review.docs.microsoft.com/en-us/microsoft-edge/deploy/available-policies?branch=pashort_edge-backlog_vsts15846461#configure-search-suggestions-in-address-bar) or [AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchsuggestionsinaddressbar) policy. -This policy settings specifies whether to allow the address bar drop-down functionality in Microsoft Edge. By default, this setting is enabled. We recommend that you disable this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. If disabled, you do not see the address bar drop-down functionality and also disables the user-defined settting "Show search and site suggestions as I type." Therefore, because search suggestions are shown in the drop-down, this setting takes precedence over the [Configure search suggestions in Address bar](https://review.docs.microsoft.com/en-us/microsoft-edge/deploy/available-policies?branch=pashort_edge-backlog_vsts15846461#configure-search-suggestions-in-address-bar) or [AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchsuggestionsinaddressbar) setting. +If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend that you disable this policy. **Microsoft Intune to manage your MDM settings** | | | @@ -44,31 +45,30 @@ This policy settings specifies whether to allow the address bar drop-down functi |Supported devices |Desktop | |URI full path | ./Vendor/MSFT/Policy/Config/Browser/AllowAddressBarDropdown | |Data type | Integer | -|Allowed values |
  • **0** - Not Allowed. Address bar drop-down is disabled, which also disables the user-defined setting, "Show search and site suggestions as I type."
  • **1 (default)** - Allowed. Address bar drop-down is enabled.
| +|Allowed values |
  • **0** - Not Allowed. Address bar drop-down is disabled, which also disables the user-defined policy, "Show search and site suggestions as I type."
  • **1 (default)** - Allowed. Address bar drop-down is enabled.
| ## Allow Adobe Flash >*Supporteded version: Windows 10* - -This policy setting specifies whether Adobe Flash can run in Microsoft Edge. By default, this setting is enabled or not configured, which allows you to use Adobe Flash. +Adobe Flash is integrated with Microsoft Edge and is updated via Windows Update. By default, this policy is enabled or not configured allowing you to use Adobe Flash Player in Microsoft Edge. **Microsoft Intune to manage your MDM settings** | | | |---|---| |MDM name |[AllowFlash](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflash) | |Supported devices |Desktop | -|URI full path | ./Vendor/MSFT/Policy/Config/Browser/AllowAutofill | +|URI full path | ./Vendor/MSFT/Policy/Config/Browser/AllowAdobeFlash | |Data type | Integer | -|Allowed values |
  • **0** - Adobe Flash cannot be used Microsoft Edge.
  • **1 (default)** - Adobe Flash can be used Microsoft Edge.
| +|Allowed values |
  • **0** - Adobe Flash cannot be used Microsoft Edge.
  • **1 (default)** - Adobe Flash can be used in Microsoft Edge.
| ## Allow clearing browsing data on exit >*Supporteded versions: Windows 10, version 1703* +Your browsing data is the information that Microsoft Edge remembers and stores as you browse websites. Browsing data includes information you entered into forms, passwords, and the websites you visited. By default, this policy is disabled or not configured, the browsing data is not cleared when exiting. When this policy is disabled or not configured, you can turn on and configure the Clear browsing data option under Settings. -This policy setting specifies whether to clear browsing data on exiting Microsoft Edge. By default, this setting is disabled or not configured, which means you can turn on and configure Clear browsing data option under Settings. If enabled, browsing history on exit is turned on. -**Microsoft Intune to manage your MDM settings** +**Microsoft Intune to manage your MDM settings** | | | |---|---| |MDM name |[ClearBrowsingDataOnExit](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-clearbrowsingdataonexit) | @@ -80,7 +80,7 @@ This policy setting specifies whether to clear browsing data on exiting Microsof ## Allow configuration updates for the Books Library >*Supporteded versions: Windows 10* -This policy setting specifies whether Microsoft Edge can automatically update the configuration data for the Books Library. By default, this setting is enabled, which means Microsoft Edge retrieves configuration data for the Books Library. If disabled, Microsoft Edge does not retrieve configuration data. +Microsoft Edge automatically retrieves the configuration data for the Books Library, when this policy is enabled or not configured. If disabled, Microsoft Edge does not retrieve the Books configuration data. **Microsoft Intune to manage your MDM settings** | | | @@ -95,7 +95,7 @@ This policy setting specifies whether Microsoft Edge can automatically update th ## Allow Cortana >*Supported versions: Windows 10, version 1607 or later* -This policy setting specifies whether Cortana is allowed on the device. By default, this setting is enabled (allowed), which allows you to use Cortana on your devices. If disabled (not allowed), Cortana is not available for use, but you can use search to find items on your device. +Cortana is integrated with Microsoft Edge, and when enabled, Cortana allows you use the voice assistant on your device. If disabled, Cortana is not available for use, but you can search to find items on your device. **Microsoft Intune to manage your MDM settings** | | | @@ -103,14 +103,14 @@ This policy setting specifies whether Cortana is allowed on the device. By defau |MDM name |[AllowCortana](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | |Supported devices |Mobile | |URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowCortana | -|Location |Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana | +|Location |Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortana | |Data type | Integer | |Allowed values |
  • **0** - Not allowed.
  • **1 (default)** - Allowed.
| ## Allow Developer Tools >*Supporteded versions: Windows 10, version 1511 or later* -This policy setting specifies whether you can use the F12 Developer Tools on Microsoft Edge. By default, this setting is enabled making the F12 Developer Tools availabe to use. If disabled, the F12 Developer Tools are not available. +F12 developer tools is a suite of tools to help you build and debug your webpage. By default, this policy is enabled making the F12 Developer Tools availabe to use. **Microsoft Intune to manage your MDM settings** | | | @@ -119,12 +119,12 @@ This policy setting specifies whether you can use the F12 Developer Tools on Mic |Supported devices |Desktop | |URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowDeveloperTools | |Data type | Integer | -|Allowed values |
  • **0** - Employees cannot use the F12 Developer Tools./li>
  • **1 (default)** - Employees can use the F12 Developer Tools.
| +|Allowed values |
  • **0** - The F12 Developer Tools are disabled.
  • **1 (default)** - The F12 Developer Tools are enabled.
| ## Allow extended telemetry for the Books tab >*Supporteded versions: Windows 10* -This policy setting allows you to specify how much data to send to Microsoft about the books you are reading from the Books tab in Microsoft Edge. By default, this setting is disabled or not configured, which means Microsoft Edge only sends basic diagnostic data, depending on your device configuration. If enabled, Microsoft Edge sends additional diagnostic data in addition to the basic diagnostic data, from the Books tab. +If you enable this policy, both basic and additional diagnostic data is sent to Microsoft about the books you are reading from Books in Microsoft Edge. By default, this policy is disabled or not configured and only basic diagnostic data, depending on your device configuration, is sent to Microsoft. **Microsoft Intune to manage your MDM settings** | | | @@ -133,12 +133,12 @@ This policy setting allows you to specify how much data to send to Microsoft abo |Supported devices |Desktop
Mobile | |URI full path | ./Vendor/MSFT/Policy/Config/Browser/EnableExtendedBooksTelemetry | |Data type | Integer | -|Allowed values |
  • **0 (default)** - Disable. No additional diagnostic data.
  • **1** - Enable. Additional diagnostic data for schools.
| +|Allowed values |
  • **0 (default)** - Disable. Only basic diagnostic data is sent.
  • **1** - Enable. Both Basic and additional diagnostic data is sent.
| ## Allow Extensions >*Supporteded versions: Windows 10, version 1607 or later* -This policy setting specifies whether you can use Edge Extensions. By default, this setting is enabled allowing you to use extensions. If disabled, you cannot use extensions. +If you enable this policy, you can personalize and add new features to Microsoft Edge with extensions. By default, this policy is enabled. If you want to prevent others from installing unwanted extensions, disable this policy. **Microsoft Intune to manage your MDM settings** | | | @@ -147,12 +147,12 @@ This policy setting specifies whether you can use Edge Extensions. By default, |Supported devices |Desktop | |URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowExtensions | |Data type | Integer | -|Allowed values |
  • **0** - Employees cannot use Edge Extensions.
  • **1 (default)** - Employees can use Edge Extensions.
| +|Allowed values |
  • **0** - Microsoft Edge extensions are disabled.
  • **1 (default)** - Microsoft Edge Extensions are enabled.
| ## Allow InPrivate browsing >*Supporteded versions: Windows 10, version 1511 or later* -This policy setting specifies whether InPrivate browsing is allowed on corporate networks. By default, this setting is enabled allowing you to use InPrivate website browsing. If disabled, you cannot use InPrivate website browsing. +InPrivate browsing, when enabled, prevents your browsing data is not saved on your device. Microsoft Edge deletes temporary data from your device after all your InPrivate tabs are closed. **Microsoft Intune to manage your MDM settings** | | | @@ -161,12 +161,13 @@ This policy setting specifies whether InPrivate browsing is allowed on corporate |Supported devices |Desktop
Mobile | |URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowInPrivate | |Data type | Integer | -|Allowed values |
  • **0** - Employees cannot use InPrivate browsing.
  • **1 (default)** - Employees can use InPrivate browsing.
| +|Allowed values |
  • **0** - InPrivate browsing is disabled.
  • **1 (default)** - InPrivate browsing is enabled.
| ## Allow Microsoft Compatibility List >*Supporteded versions: Windows 10, version 1703 or later* -This policy setting specifies whether to use the Microsoft compatibility list in Microsoft Edge. The list helps websites with known compatibility issues to display properly. By default, the Microsoft compatibility list is enabled and used during browser navigation. The list can be viewed by visiting "about:compat". By default, this setting is enabled allowing periodic downloads and installation of updates. Visiting any site on the Microsoft Compatibility List prompts the employee to use Internet Explorer 11, where the site renders as though it is in whatever version of IE is necessary for it to appear properly. If disabled, the compatibility list is not used. +Microsoft Edge uses the compatibility list that helps websites with known compatibility issues display properly. When enabled, Microsoft Edge checks the list to determine if the website has compatibility issues during browser navigation. By default, this policy is enabled allowing periodic downloads and installation of updates. Visiting any site on the Microsoft compatibility list prompts the employee to use Internet Explorer 11, where the site renders as though it is in whatever version of IE is necessary for it to appear properly. If disabled, the compatibility list is not used. + **Microsoft Intune to manage your MDM settings** | | | @@ -175,7 +176,7 @@ This policy setting specifies whether to use the Microsoft compatibility list in |Supported devices |Desktop
Mobile | |URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowMicrosoftCompatibilityList | |Data type | Integer | -|Allowed values |
  • **0** - Additional search engines are not allowed and the default cannot be changed in the Address bar.
  • **1 (default)** - Additional search engines are allowed and the default can be changed in the Address bar.
| +|Allowed values |
  • **0** - Disabled. The Microsoft compatibility list is ignored.
  • **1 (default)** - Enabled. The Microsoft compatibility list is periodically update and used during browser navigation.
| ## Allow search engine customization >*Supported versions: Windows 10, version 1703 or later* @@ -298,6 +299,15 @@ You can export a set of favorites from Edge and use that html file for provision |URI full path |./Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites | |Data type | String | + + ## Configure Password Manager >*Supported versions: Windows 10* @@ -498,9 +508,15 @@ This policy setting specifies whether you can add, import, sort, or edit the Fav >[!Important] >Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops you from syncing their favorites between Internet Explorer and Microsoft Edge. - + +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[LockdownFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | +|Supported devices |Desktop
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/LockdownFavorites | +|Data type | Integer | +|Allowed values |
  • **0 (default)** - Disabled. Do not lockdown Favorites.
  • **1** - Enabled. Lockdown Favorites.
| ## Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start >*Supported versions: Windows 10, version 1703 or later* From 96e90d2f9f791aa5da738c8e896c9819ac2b7cd3 Mon Sep 17 00:00:00 2001 From: Patti Short Date: Fri, 6 Apr 2018 06:11:38 -0700 Subject: [PATCH 22/29] Updated the voice and tone, plus deleted duplicate content --- browsers/edge/available-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index bedff7e283..3b66180dfe 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md @@ -274,6 +274,7 @@ This policy setting specifies whether Do Not Track requests to websites is allow |Data type | Integer | |Allowed values |
  • **0 (default)** - Stops you from sending Do Not Track headers to websites requesting tracking info.
  • **1** - Employees can send Do Not Track headers to websites requesting tracking info.
| + @@ -132,7 +133,7 @@ Added in Windows 10, version 1803. List of exceptions to the blocked website URL Added in Windows 10, version 1803. List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. > [!Note] -> This policy only applies to kiosk browser. +> This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -179,7 +180,7 @@ Added in Windows 10, version 1803. List of blocked website URLs (with wildcard s Added in Windows 10, version 1803. Configures the default URL kiosk browsers to navigate on launch and restart. > [!Note] -> This policy only applies to kiosk browser. +> This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -226,7 +227,7 @@ Added in Windows 10, version 1803. Configures the default URL kiosk browsers to Added in Windows 10, version 1803. Enable/disable kiosk browser's home button. > [!Note] -> This policy only applies to kiosk browser. +> This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -273,7 +274,7 @@ Added in Windows 10, version 1803. Enable/disable kiosk browser's home button. Added in Windows 10, version 1803. Enable/disable kiosk browser's navigation buttons (forward/back). > [!Note] -> This policy only applies to kiosk browser. +> This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -322,7 +323,7 @@ Added in Windows 10, version 1803. Amount of time in minutes the session is idle The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser. > [!Note] -> This policy only applies to kiosk browser. +> This policy only applies to the Kiosk Browser app in Microsoft Store. From 2be1473f345aa96c9d1e7911e51902091651413c Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Fri, 6 Apr 2018 22:17:35 +0000 Subject: [PATCH 28/29] Merged PR 7002: LocalPoliciesSecurityOptions in Policy CSP - added new policies --- ...policy-csp-localpoliciessecurityoptions.md | 513 +++++++++++++++++- 1 file changed, 512 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 327397bc54..34c61a2c31 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 03/16/2018 +ms.date: 04/06/2018 --- # Policy CSP - LocalPoliciesSecurityOptions @@ -51,6 +51,15 @@ ms.date: 03/16/2018
LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly
+
+ LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways +
+
+ LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible +
+
+ LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges +
LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
@@ -117,6 +126,18 @@ ms.date: 03/16/2018
LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
+
+ LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication +
+
+ LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic +
+
+ LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic +
+
+ LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers +
LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon
@@ -757,6 +778,220 @@ GP Info:
+ +**LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark4check mark4check mark4check mark4cross markcross mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Domain member: Digitally encrypt or sign secure channel data (always) + +This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. + +When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc. + +This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies: + +Domain member: Digitally encrypt secure channel data (when possible) +Domain member: Digitally sign secure channel data (when possible) + +Default: Enabled. + +Notes: + +If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. +If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. +Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not. + + + +GP Info: +- GP English name: *Domain member: Digitally encrypt or sign secure channel data (always)* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + + + + + + + + + + + + +
+ + +**LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark4check mark4check mark4check mark4cross markcross mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Domain member: Digitally encrypt secure channel data (when possible) + +This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. + +When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc. + +This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption. + +Default: Enabled. + +Important + +There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted. + +Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains. + + + +GP Info: +- GP English name: *Domain member: Digitally encrypt secure channel data (when possible)* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + + + + + + + + + + + + +
+ + +**LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark4check mark4check mark4check mark4cross markcross mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Domain member: Disable machine account password changes + +Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days. + +Default: Disabled. + +Notes + +This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it is established, the secure channel is used to transmit sensitive information that is necessary for making authentication and authorization decisions. +This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names. + + + +GP Info: +- GP English name: *Domain member: Disable machine account password changes* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + + + + + + + + + + + + +
+ **LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked** @@ -2122,6 +2357,282 @@ GP Info:
+ +**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark4check mark4check mark4check mark4cross markcross mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication + +This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. + +If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication. + +If you do not configure this policy setting, no exceptions will be applied. + +The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats . A single asterisk (*) can be used anywhere in the string as a wildcard character. + + + +GP Info: +- GP English name: *Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + + + + + + + + + + + + +
+ + +**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark4check mark4check mark4check mark4cross markcross mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Network security: Restrict NTLM: Audit Incoming NTLM Traffic + +This policy setting allows you to audit incoming NTLM traffic. + +If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic. + +If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. + +If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option. + +This policy is supported on at least Windows 7 or Windows Server 2008 R2. + +Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. + + + +GP Info: +- GP English name: *Network security: Restrict NTLM: Audit Incoming NTLM Traffic* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + + + + + + + + + + + + +
+ + +**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark4check mark4check mark4check mark4cross markcross mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Network security: Restrict NTLM: Incoming NTLM traffic + +This policy setting allows you to deny or allow incoming NTLM traffic. + +If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests. + +If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon. + +If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. + +This policy is supported on at least Windows 7 or Windows Server 2008 R2. + +Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. + + + +GP Info: +- GP English name: *Network security: Restrict NTLM: Incoming NTLM traffic* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + + + + + + + + + + + + +
+ + +**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark4check mark4check mark4check mark4cross markcross mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers + +This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. + +If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. + +If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer. + +If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. + +This policy is supported on at least Windows 7 or Windows Server 2008 R2. + +Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. + + + +GP Info: +- GP English name: *Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + + + + + + + + + + + + +
+ **LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon** From 71111f56371482fbf2800e6124082dd04bfcb219 Mon Sep 17 00:00:00 2001 From: Patti Short Date: Fri, 6 Apr 2018 15:51:23 -0700 Subject: [PATCH 29/29] removed the commented out content --- browsers/edge/available-policies.md | 681 +--------------------------- 1 file changed, 1 insertion(+), 680 deletions(-) diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index 3b66180dfe..3766535880 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md @@ -27,10 +27,6 @@ Microsoft Edge works with the following Group Policy settings to help you manage Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge\ - - ## Allow Address bar drop-down list suggestions >*Supporteded versions: Windows 10, version 1703 or later* @@ -274,7 +270,7 @@ This policy setting specifies whether Do Not Track requests to websites is allow |Data type | Integer | |Allowed values |
  • **0 (default)** - Stops you from sending Do Not Track headers to websites requesting tracking info.
  • **1** - Employees can send Do Not Track headers to websites requesting tracking info.
| - ## Configure Password Manager >*Supported versions: Windows 10* @@ -623,674 +612,6 @@ This policy setting specifies whether organizations should use a folder shared a |Data type | Integer | |Allowed values |
  • **0** - No shared folder.
  • **1** - Use as shared folder.
| - ## Related topics * [Mobile Device Management (MDM) settings]( https://go.microsoft.com/fwlink/p/?LinkId=722885)