deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-21 17:57:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'MicrosoftDocs:main' into patch-7

Browse Source
This commit is contained in:
Chris J. Lin 2024-12-02 16:30:16 -08:00 committed by GitHub
commit c980c7ffe2
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
69 changed files with 1160 additions and 241 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
education/windows/configure-aad-google-trust.md
View File

@ -1,7 +1,7 @@
---
title: Configure federation between Google Workspace and Microsoft Entra ID
title: Configure Federation Between Google Workspace And Microsoft Entra Id
description: Configuration of a federated trust between Google Workspace and Microsoft Entra ID, with Google Workspace acting as an identity provider (IdP) for Microsoft Entra ID.
ms.date: 04/10/2024
ms.date: 12/02/2024
ms.topic: how-to
appliesto:
---
@ -43,10 +43,10 @@ To test federation, the following prerequisites must be met:
1. In the search results page, hover over the *Microsoft Office 365 - Web (SAML)* app and select **Select**
:::image type="content" source="images/google/google-admin-search-app.png" alt-text="Screenshot showing Google Workspace and the search button for Microsoft Office 365 SAML app.":::
1. On the **Google Identity Provider details** page, select **Download Metadata** and take note of the location where the **IdP metadata** - *GoogleIDPMetadata.xml* - file is saved, as it's used to set up Microsoft Entra ID later
1. On the **Service provider detail's** page
1. On the **Service provider detail's** page:
- Select the option **Signed response**
- Verify that the Name ID format is set to **PERSISTENT**
- Depending on how the Microsoft Entra users have been provisioned in Microsoft Entra ID, you might need to adjust the **Name ID** mapping.\
- Depending on how the Microsoft Entra users have been provisioned in Microsoft Entra ID, you might need to adjust the **Name ID** mapping\
If using Google autoprovisioning, select **Basic Information > Primary email**
- Select **Continue**
1. On the **Attribute mapping** page, map the Google attributes to the Microsoft Entra attributes
@ -139,4 +139,4 @@ From a private browser session, navigate to https://portal.azure.com and sign in
1. The user is redirected to Google Workspace to sign in
1. After Google Workspace authentication, the user is redirected back to Microsoft Entra ID and signed in
:::image type="content" source="images/google/google-sso.gif" alt-text="A GIF that shows the user authenticating the Azure portal using a Google Workspace federated identity.":::
:::image type="content" source="images/google/google-sso.gif" alt-text="A GIF that shows the user authenticating the Azure portal using a Google Workspace federated identity.":::

4
education/windows/edu-stickers.md
View File

@ -1,7 +1,7 @@
---
title: Configure Stickers for Windows 11 SE
title: Configure Stickers For Windows 11 SE
description: Learn about the Stickers feature and how to configure it via Intune and provisioning package.
ms.date: 04/10/2024
ms.date: 12/02/2024
ms.topic: how-to
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>

4
education/windows/edu-themes.md
View File

@ -1,7 +1,7 @@
---
title: Configure education themes for Windows 11
title: Configure Education Themes For Windows 11
description: Learn about education themes for Windows 11 and how to configure them via Intune and provisioning package.
ms.date: 04/10/2024
ms.date: 12/02/2024
ms.topic: how-to
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>

52
education/windows/get-minecraft-for-education.md
View File

@ -1,5 +1,5 @@
---
title: Get and deploy Minecraft Education
title: Deploy Minecraft Education To Windows Devices
description: Learn how to obtain and distribute Minecraft Education to Windows devices.
ms.topic: how-to
ms.date: 04/10/2024
@ -48,7 +48,7 @@ To purchase direct licenses:
1. Select the quantity of licenses you'd like to purchase and select **Place Order**
1. After you've purchased licenses, you'll need to [assign Minecraft Education licenses to your users](#assign-minecraft-education-licenses)
If you need more licenses for Minecraft Education, see [Buy or remove subscription licenses](/microsoft-365/commerce/licenses/buy-licenses).
If you need more licenses for Minecraft Education, see [Buy or remove subscription licenses](/microsoft-365/commerce/licenses/buy-licenses)
### Volume licensing
@ -88,14 +88,14 @@ You must be a *Global*, *License*, or *User admin* to assign licenses. For more
1. Go to [https://admin.microsoft.com](https://admin.microsoft.com) and sign in with an account that can assign licenses in your organization
1. From the left-hand menu in Microsoft Admin Center, select *Users*
1. From the Users list, select the users you want to add or remove for Minecraft Education access
1. Add the relevant Minecraft Education, A1 for device or A3/A5 license if it not assigned already
1. Add the relevant Minecraft Education, A1 for device or A3/A5 license if it is not assigned already
> [!Note]
> If you add a faculty license, the user will be assigned a *teacher* role in the application and will have elevated permissions.
> If you add a faculty license, the user will be assigned a *teacher* role in the application and will have elevated permissions
1. If you've assigned a Microsoft 365 A3 or A5 license, after selecting the product license, ensure to toggle *Minecraft Education* on
> [!Note]
> If you turn off this setting after students have been using Minecraft Education, they will have up to 30 more days to use Minecraft Education before they don't have access
:::image type="content" source="images/minecraft/admin-center-minecraft-license.png" alt-text="Screenshot of the Microsoft 365 admin center - assignment of a Minecraft Education license to a user." lightbox="images/minecraft/admin-center-minecraft-license.png":::
:::image type="content" source="images/minecraft/admin-center-minecraft-license.png" alt-text="Screenshot of the Microsoft 365 admin center - assignment of a Minecraft Education license to a user." lightbox="images/minecraft/admin-center-minecraft-license.png":::
For more information about license assignment, see [Manage Licenses in the Admin Center][EDU-5].
@ -118,31 +118,31 @@ If you're using Microsoft Intune to manage your devices, follow these steps to d
1. Select **Next**
1. On the *Review + Create* screen, select **Create**
Intune will install Minecraft Education at the next device check-in, or will make it available in Company Portal for on-demand installs.
Intune will install Minecraft Education at the next device check-in, or will make it available in Company Portal for on-demand installs.
:::image type="content" source="images/minecraft/win11-minecraft-education.png" alt-text="Screenshot of Minecraft Education executing on a Windows 11 device.":::
:::image type="content" source="images/minecraft/win11-minecraft-education.png" alt-text="Screenshot of Minecraft Education executing on a Windows 11 device.":::
For more information how to deploy Minecraft Education, see:
For more information how to deploy Minecraft Education, see:
- [Windows installation guide][EDU-6]
- [Chromebook installation guide][EDU-7]
- [iOS installation guide][EDU-8]
- [macOS installation guide][EDU-9]
- [Windows installation guide][EDU-6]
- [Chromebook installation guide][EDU-7]
- [iOS installation guide][EDU-8]
- [macOS installation guide][EDU-9]
If you're having trouble installing the app, you can get more help on the [Minecraft Education support page][AKA-1].
If you're having trouble installing the app, you can get more help on the [Minecraft Education support page][AKA-1].
<!--links-->
[EDU-1]: https://educommunity.minecraft.net/hc/articles/360047116432
[EDU-2]: https://educommunity.minecraft.net/hc/articles/360061371532
[EDU-3]: https://www.microsoft.com/education/products/office
[EDU-4]: https://educommunity.minecraft.net/hc/articles/360061369812
[EDU-6]: https://educommunity.minecraft.net/hc/articles/13106858087956
[EDU-5]: https://educommunity.minecraft.net/hc/articles/360047118672
[EDU-7]: https://educommunity.minecraft.net/hc/articles/4404625978516
[EDU-8]: https://educommunity.minecraft.net/hc/articles/360047556351
[EDU-9]: https://educommunity.minecraft.net/hc/articles/360047118792
<!--links-->
[EDU-1]: https://educommunity.minecraft.net/hc/articles/360047116432
[EDU-2]: https://educommunity.minecraft.net/hc/articles/360061371532
[EDU-3]: https://www.microsoft.com/education/products/office
[EDU-4]: https://educommunity.minecraft.net/hc/articles/360061369812
[EDU-6]: https://educommunity.minecraft.net/hc/articles/13106858087956
[EDU-5]: https://educommunity.minecraft.net/hc/articles/360047118672
[EDU-7]: https://educommunity.minecraft.net/hc/articles/4404625978516
[EDU-8]: https://educommunity.minecraft.net/hc/articles/360047556351
[EDU-9]: https://educommunity.minecraft.net/hc/articles/360047118792
[M365-1]: /microsoft-365/commerce/billing-and-payments/pay-for-your-subscription
[M365-2]: /microsoft-365/admin/add-users/about-admin-roles
[M365-1]: /microsoft-365/commerce/billing-and-payments/pay-for-your-subscription
[M365-2]: /microsoft-365/admin/add-users/about-admin-roles
[AKA-1]: https://aka.ms/minecraftedusupport
[AKA-1]: https://aka.ms/minecraftedusupport

4
education/windows/suspcs/provisioning-package.md
View File

@ -1,7 +1,7 @@
---
title: What's in Set up School PCs provisioning package
title: What's In Set up School PCs Provisioning Package
description: Learn about the settings that are configured in the provisioning package created with the Set up School PCs app.
ms.date: 04/10/2024
ms.date: 12/02/2024
ms.topic: reference
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>

4
education/windows/tutorial-deploy-apps-winse/considerations.md
View File

@ -1,7 +1,7 @@
---
title: Important considerations before deploying apps with managed installer
title: Important Considerations Before Deploying Apps With Managed Installer For Windows 11 SE
description: Learn about important aspects to consider before deploying apps with managed installer.
ms.date: 04/10/2024
ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>

4
education/windows/tutorial-deploy-apps-winse/create-policies.md
View File

@ -1,7 +1,7 @@
---
title: Create policies to enable applications
title: Create Policies To Enable Applications In Windows 11 SE
description: Learn how to create policies to enable the installation and execution of apps on Windows SE.
ms.date: 04/10/2024
ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>

4
education/windows/tutorial-deploy-apps-winse/deploy-apps.md
View File

@ -1,7 +1,7 @@
---
title: Applications deployment considerations
title: Applications Deployment Considerations In Windows 11 SE
description: Learn how to deploy different types of applications to Windows 11 SE and some considerations before deploying them.
ms.date: 04/10/2024
ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>

4
education/windows/tutorial-deploy-apps-winse/deploy-policies.md
View File

@ -1,7 +1,7 @@
---
title: Deploy policies to enable applications
title: Deploy Policies To Enable Applications In Windows 11 SE
description: Learn how to deploy AppLocker policies to enable apps execution on Windows SE devices.
ms.date: 04/10/2024
ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>

4
education/windows/tutorial-deploy-apps-winse/index.md
View File

@ -1,7 +1,7 @@
---
title: Deploy applications to Windows 11 SE with Intune
title: Deploy Applications To Windows 11 SE With Intune
description: Learn how to deploy applications to Windows 11 SE with Intune and how to validate the apps.
ms.date: 04/10/2024
ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>

4
education/windows/tutorial-deploy-apps-winse/troubleshoot.md
View File

@ -1,7 +1,7 @@
---
title: Troubleshoot app deployment issues in Windows SE
title: Troubleshoot App Deployment Issues In Windows Se
description: Troubleshoot common issues when deploying apps to Windows SE devices.
ms.date: 04/10/2024
ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>

4
education/windows/tutorial-deploy-apps-winse/validate-apps.md
View File

@ -1,7 +1,7 @@
---
title: Validate the applications deployed to Windows SE devices
title: Validate The Applications Deployed To Windows Se Devices
description: Learn how to validate the applications deployed to Windows SE devices via Intune.
ms.date: 04/10/2024
ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>

4
windows/client-management/mdm/assignedaccess-csp.md
View File

@ -1,7 +1,7 @@
---
title: AssignedAccess CSP
description: Learn more about the AssignedAccess CSP.
ms.date: 04/10/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -126,7 +126,7 @@ To learn how to configure xml file, see [Create an Assigned Access configuration
<!-- Description-Source-DDF -->
This node can accept and return json string which comprises of account name, and AUMID for Kiosk mode app.
Example: `{"User":"domain\\user", "AUMID":"Microsoft. WindowsCalculator_8wekyb3d8bbwe!App"}`.
Example: `{"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}`.
When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output.

8
windows/client-management/mdm/defender-csp.md
View File

@ -1,7 +1,7 @@
---
title: Defender CSP
description: Learn more about the Defender CSP.
ms.date: 09/27/2024
ms.date: 11/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -3775,9 +3775,9 @@ Enable this policy to specify when devices receive Microsoft Defender security i
| Value | Description |
|:--|:--|
| 0 (Default) | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. |
| 4 | Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%). |
| 5 | Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). |
| 0 (Default) | Not configured (Default). Microsoft will either assign the device to Current Channel (Broad) or a beta channel early in the gradual release cycle. The channel selected by Microsoft might be one that receives updates early during the gradual release cycle, which may not be suitable for devices in a production or critical environment. |
| 4 | Current Channel (Staged): Same as Current Channel (Broad). |
| 5 | Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in all populations, including production. |
<!-- Device-Configuration-SecurityIntelligenceUpdatesChannel-AllowedValues-End -->
<!-- Device-Configuration-SecurityIntelligenceUpdatesChannel-Examples-Begin -->

8
windows/client-management/mdm/defender-ddf.md
View File

@ -1,7 +1,7 @@
---
title: Defender DDF file
description: View the XML file containing the device description framework (DDF) for the Defender configuration service provider.
ms.date: 09/27/2024
ms.date: 11/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -1627,15 +1627,15 @@ The following XML file contains the device description framework (DDF) for the D
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices.</MSFT:ValueDescription>
<MSFT:ValueDescription>Not configured (Default). Microsoft will either assign the device to Current Channel (Broad) or a beta channel early in the gradual release cycle. The channel selected by Microsoft might be one that receives updates early during the gradual release cycle, which may not be suitable for devices in a production or critical environment</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>4</MSFT:Value>
<MSFT:ValueDescription>Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%).</MSFT:ValueDescription>
<MSFT:ValueDescription>Current Channel (Staged): Same as Current Channel (Broad).</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>5</MSFT:Value>
<MSFT:ValueDescription>Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).</MSFT:ValueDescription>
<MSFT:ValueDescription>Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in all populations, including production.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>

4
windows/client-management/mdm/devdetail-csp.md
View File

@ -1,7 +1,7 @@
---
title: DevDetail CSP
description: Learn more about the DevDetail CSP.
ms.date: 08/06/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -1259,7 +1259,7 @@ Returns the name of the Original Equipment Manufacturer (OEM) as a string, as de
<!-- Device-SwV-Description-Begin -->
<!-- Description-Source-DDF -->
Returns the Windows 10 OS software version in the format MajorVersion. MinorVersion. BuildNumber. QFEnumber. Currently the BuildNumber returns the build number on the desktop and mobile build number on the phone. In the future, the build numbers may converge.
Returns the Windows 10 OS software version in the format `MajorVersion.MinorVersion.BuildNumber.QFEnumber`. Currently the BuildNumber returns the build number on the desktop and mobile build number on the phone. In the future, the build numbers may converge.
<!-- Device-SwV-Description-End -->
<!-- Device-SwV-Editable-Begin -->

10
windows/client-management/mdm/dmclient-csp.md
View File

@ -1,7 +1,7 @@
---
title: DMClient CSP
description: Learn more about the DMClient CSP.
ms.date: 08/06/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -1654,7 +1654,7 @@ This node allows the MDM to set custom error text, detailing what the user needs
<!-- Device-Provider-{ProviderID}-FirstSyncStatus-ExpectedModernAppPackages-Description-Begin -->
<!-- Description-Source-DDF -->
This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. E. G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps.
This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2` Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps.
<!-- Device-Provider-{ProviderID}-FirstSyncStatus-ExpectedModernAppPackages-Description-End -->
<!-- Device-Provider-{ProviderID}-FirstSyncStatus-ExpectedModernAppPackages-Editable-Begin -->
@ -1694,7 +1694,7 @@ This node contains a list of LocURIs that refer to App Packages the ISV expects
<!-- Device-Provider-{ProviderID}-FirstSyncStatus-ExpectedMSIAppPackages-Description-Begin -->
<!-- Description-Source-DDF -->
This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. E. G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps.
This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps.
<!-- Device-Provider-{ProviderID}-FirstSyncStatus-ExpectedMSIAppPackages-Description-End -->
<!-- Device-Provider-{ProviderID}-FirstSyncStatus-ExpectedMSIAppPackages-Editable-Begin -->
@ -4311,7 +4311,7 @@ This node allows the MDM to set custom error text, detailing what the user needs
<!-- User-Provider-{ProviderID}-FirstSyncStatus-ExpectedModernAppPackages-Description-Begin -->
<!-- Description-Source-DDF -->
This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. E. G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. This is per user.
This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2` Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. This is per user.
<!-- User-Provider-{ProviderID}-FirstSyncStatus-ExpectedModernAppPackages-Description-End -->
<!-- User-Provider-{ProviderID}-FirstSyncStatus-ExpectedModernAppPackages-Editable-Begin -->
@ -4351,7 +4351,7 @@ This node contains a list of LocURIs that refer to App Packages the ISV expects
<!-- User-Provider-{ProviderID}-FirstSyncStatus-ExpectedMSIAppPackages-Description-Begin -->
<!-- Description-Source-DDF -->
This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. E. G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. This is per user.
This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. This is per user.
<!-- User-Provider-{ProviderID}-FirstSyncStatus-ExpectedMSIAppPackages-Description-End -->
<!-- User-Provider-{ProviderID}-FirstSyncStatus-ExpectedMSIAppPackages-Editable-Begin -->

8
windows/client-management/mdm/enterprisemodernappmanagement-csp.md
View File

@ -1,7 +1,7 @@
---
title: EnterpriseModernAppManagement CSP
description: Learn more about the EnterpriseModernAppManagement CSP.
ms.date: 09/11/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -6951,7 +6951,7 @@ Interior node for all managed app setting values.
<!-- User-AppManagement-AppStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Description-Begin -->
<!-- Description-Source-DDF -->
The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed. App. Settings container.
The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the `Managed.App.Settings` container.
<!-- User-AppManagement-AppStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Description-End -->
<!-- User-AppManagement-AppStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Editable-Begin -->
@ -8193,7 +8193,7 @@ This node is only supported in the user context.
<!-- User-AppManagement-nonStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Description-Begin -->
<!-- Description-Source-DDF -->
The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed. App. Settings container.
The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the `Managed.App.Settings` container.
<!-- User-AppManagement-nonStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Description-End -->
<!-- User-AppManagement-nonStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Editable-Begin -->
@ -9495,7 +9495,7 @@ This node is only supported in the user context.
<!-- User-AppManagement-System-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Description-Begin -->
<!-- Description-Source-DDF -->
The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed. App. Settings container.
The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the `Managed.App.Settings` container.
<!-- User-AppManagement-System-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Description-End -->
<!-- User-AppManagement-System-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Editable-Begin -->

282
windows/client-management/mdm/personaldataencryption-csp.md
View File

@ -1,7 +1,7 @@
---
title: Personal Data Encryption CSP
description: Learn more about the Personal Data Encryption CSP.
ms.date: 01/18/2024
ms.date: 11/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -19,7 +19,13 @@ The following list shows the Personal Data Encryption configuration service prov
- ./User/Vendor/MSFT/PDE
- [EnablePersonalDataEncryption](#enablepersonaldataencryption)
- [ProtectFolders](#protectfolders)
- [ProtectDesktop](#protectfoldersprotectdesktop)
- [ProtectDocuments](#protectfoldersprotectdocuments)
- [ProtectPictures](#protectfoldersprotectpictures)
- [Status](#status)
- [FolderProtectionStatus](#statusfolderprotectionstatus)
- [FoldersProtected](#statusfoldersprotected)
- [PersonalDataEncryptionStatus](#statuspersonaldataencryptionstatus)
<!-- PDE-Tree-End -->
@ -72,6 +78,191 @@ The [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.u
<!-- User-EnablePersonalDataEncryption-End -->
<!-- User-ProtectFolders-Begin -->
## ProtectFolders
<!-- User-ProtectFolders-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- User-ProtectFolders-Applicability-End -->
<!-- User-ProtectFolders-OmaUri-Begin -->
```User
./User/Vendor/MSFT/PDE/ProtectFolders
```
<!-- User-ProtectFolders-OmaUri-End -->
<!-- User-ProtectFolders-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- User-ProtectFolders-Description-End -->
<!-- User-ProtectFolders-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- User-ProtectFolders-Editable-End -->
<!-- User-ProtectFolders-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `node` |
| Access Type | Get |
<!-- User-ProtectFolders-DFProperties-End -->
<!-- User-ProtectFolders-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- User-ProtectFolders-Examples-End -->
<!-- User-ProtectFolders-End -->
<!-- User-ProtectFolders-ProtectDesktop-Begin -->
### ProtectFolders/ProtectDesktop
<!-- User-ProtectFolders-ProtectDesktop-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- User-ProtectFolders-ProtectDesktop-Applicability-End -->
<!-- User-ProtectFolders-ProtectDesktop-OmaUri-Begin -->
```User
./User/Vendor/MSFT/PDE/ProtectFolders/ProtectDesktop
```
<!-- User-ProtectFolders-ProtectDesktop-OmaUri-End -->
<!-- User-ProtectFolders-ProtectDesktop-Description-Begin -->
<!-- Description-Source-DDF -->
Allows the Admin to enable Personal Data Encryption on Desktop folder. Set to '1' to set this policy.
<!-- User-ProtectFolders-ProtectDesktop-Description-End -->
<!-- User-ProtectFolders-ProtectDesktop-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- User-ProtectFolders-ProtectDesktop-Editable-End -->
<!-- User-ProtectFolders-ProtectDesktop-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Dependency [EnablePersonalDataEncryptionDependency] | Dependency Type: `DependsOn` <br> Dependency URI: `User/Vendor/MSFT/PDE/EnablePersonalDataEncryption` <br> Dependency Allowed Value: `1` <br> Dependency Allowed Value Type: `ENUM` <br> |
<!-- User-ProtectFolders-ProtectDesktop-DFProperties-End -->
<!-- User-ProtectFolders-ProtectDesktop-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Disable Personal Data Encryption on the folder. If the folder is currently protected by Personal Data Encryption, this will result in unprotecting the folder. |
| 1 | Enable Personal Data Encryption on the folder. |
<!-- User-ProtectFolders-ProtectDesktop-AllowedValues-End -->
<!-- User-ProtectFolders-ProtectDesktop-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- User-ProtectFolders-ProtectDesktop-Examples-End -->
<!-- User-ProtectFolders-ProtectDesktop-End -->
<!-- User-ProtectFolders-ProtectDocuments-Begin -->
### ProtectFolders/ProtectDocuments
<!-- User-ProtectFolders-ProtectDocuments-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- User-ProtectFolders-ProtectDocuments-Applicability-End -->
<!-- User-ProtectFolders-ProtectDocuments-OmaUri-Begin -->
```User
./User/Vendor/MSFT/PDE/ProtectFolders/ProtectDocuments
```
<!-- User-ProtectFolders-ProtectDocuments-OmaUri-End -->
<!-- User-ProtectFolders-ProtectDocuments-Description-Begin -->
<!-- Description-Source-DDF -->
Allows the Admin to enable Personal Data Encryption on Documents folder. Set to '1' to set this policy.
<!-- User-ProtectFolders-ProtectDocuments-Description-End -->
<!-- User-ProtectFolders-ProtectDocuments-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- User-ProtectFolders-ProtectDocuments-Editable-End -->
<!-- User-ProtectFolders-ProtectDocuments-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Dependency [EnablePersonalDataEncryptionDependency] | Dependency Type: `DependsOn` <br> Dependency URI: `User/Vendor/MSFT/PDE/EnablePersonalDataEncryption` <br> Dependency Allowed Value: `1` <br> Dependency Allowed Value Type: `ENUM` <br> |
<!-- User-ProtectFolders-ProtectDocuments-DFProperties-End -->
<!-- User-ProtectFolders-ProtectDocuments-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Disable Personal Data Encryption on the folder. If the folder is currently protected by Personal Data Encryption, this will result in unprotecting the folder. |
| 1 | Enable Personal Data Encryption on the folder. |
<!-- User-ProtectFolders-ProtectDocuments-AllowedValues-End -->
<!-- User-ProtectFolders-ProtectDocuments-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- User-ProtectFolders-ProtectDocuments-Examples-End -->
<!-- User-ProtectFolders-ProtectDocuments-End -->
<!-- User-ProtectFolders-ProtectPictures-Begin -->
### ProtectFolders/ProtectPictures
<!-- User-ProtectFolders-ProtectPictures-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- User-ProtectFolders-ProtectPictures-Applicability-End -->
<!-- User-ProtectFolders-ProtectPictures-OmaUri-Begin -->
```User
./User/Vendor/MSFT/PDE/ProtectFolders/ProtectPictures
```
<!-- User-ProtectFolders-ProtectPictures-OmaUri-End -->
<!-- User-ProtectFolders-ProtectPictures-Description-Begin -->
<!-- Description-Source-DDF -->
Allows the Admin to enable Personal Data Encryption on Pictures folder. Set to '1' to set this policy.
<!-- User-ProtectFolders-ProtectPictures-Description-End -->
<!-- User-ProtectFolders-ProtectPictures-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- User-ProtectFolders-ProtectPictures-Editable-End -->
<!-- User-ProtectFolders-ProtectPictures-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Dependency [EnablePersonalDataEncryptionDependency] | Dependency Type: `DependsOn` <br> Dependency URI: `User/Vendor/MSFT/PDE/EnablePersonalDataEncryption` <br> Dependency Allowed Value: `1` <br> Dependency Allowed Value Type: `ENUM` <br> |
<!-- User-ProtectFolders-ProtectPictures-DFProperties-End -->
<!-- User-ProtectFolders-ProtectPictures-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Disable Personal Data Encryption on the folder. If the folder is currently protected by Personal Data Encryption, this will result in unprotecting the folder. |
| 1 | Enable Personal Data Encryption on the folder. |
<!-- User-ProtectFolders-ProtectPictures-AllowedValues-End -->
<!-- User-ProtectFolders-ProtectPictures-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- User-ProtectFolders-ProtectPictures-Examples-End -->
<!-- User-ProtectFolders-ProtectPictures-End -->
<!-- User-Status-Begin -->
## Status
@ -114,6 +305,95 @@ Reports the current status of Personal Data Encryption for the user.
<!-- User-Status-End -->
<!-- User-Status-FolderProtectionStatus-Begin -->
### Status/FolderProtectionStatus
<!-- User-Status-FolderProtectionStatus-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- User-Status-FolderProtectionStatus-Applicability-End -->
<!-- User-Status-FolderProtectionStatus-OmaUri-Begin -->
```User
./User/Vendor/MSFT/PDE/Status/FolderProtectionStatus
```
<!-- User-Status-FolderProtectionStatus-OmaUri-End -->
<!-- User-Status-FolderProtectionStatus-Description-Begin -->
<!-- Description-Source-DDF -->
This node reports folder protection status for a user.
<!-- User-Status-FolderProtectionStatus-Description-End -->
<!-- User-Status-FolderProtectionStatus-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- User-Status-FolderProtectionStatus-Editable-End -->
<!-- User-Status-FolderProtectionStatus-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Get |
<!-- User-Status-FolderProtectionStatus-DFProperties-End -->
<!-- User-Status-FolderProtectionStatus-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Protection not started. |
| 1 | Protection is completed with no failures. |
| 2 | Protection in progress. |
| 3 | Protection failed. |
<!-- User-Status-FolderProtectionStatus-AllowedValues-End -->
<!-- User-Status-FolderProtectionStatus-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- User-Status-FolderProtectionStatus-Examples-End -->
<!-- User-Status-FolderProtectionStatus-End -->
<!-- User-Status-FoldersProtected-Begin -->
### Status/FoldersProtected
<!-- User-Status-FoldersProtected-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- User-Status-FoldersProtected-Applicability-End -->
<!-- User-Status-FoldersProtected-OmaUri-Begin -->
```User
./User/Vendor/MSFT/PDE/Status/FoldersProtected
```
<!-- User-Status-FoldersProtected-OmaUri-End -->
<!-- User-Status-FoldersProtected-Description-Begin -->
<!-- Description-Source-DDF -->
This node reports all folders (full path to each folder) that have been protected.
<!-- User-Status-FoldersProtected-Description-End -->
<!-- User-Status-FoldersProtected-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- User-Status-FoldersProtected-Editable-End -->
<!-- User-Status-FoldersProtected-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
<!-- User-Status-FoldersProtected-DFProperties-End -->
<!-- User-Status-FoldersProtected-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- User-Status-FoldersProtected-Examples-End -->
<!-- User-Status-FoldersProtected-End -->
<!-- User-Status-PersonalDataEncryptionStatus-Begin -->
### Status/PersonalDataEncryptionStatus

245
windows/client-management/mdm/personaldataencryption-ddf-file.md
View File

@ -1,14 +1,14 @@
---
title: PDE DDF file
description: View the XML file containing the device description framework (DDF) for the PDE configuration service provider.
ms.date: 06/28/2024
title: Personal Data Encryption DDF file
description: View the XML file containing the device description framework (DDF) for the Personal Data Encryption configuration service provider.
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
# PDE DDF file
# Personal Data Encryption DDF file
The following XML file contains the device description framework (DDF) for the PDE configuration service provider.
The following XML file contains the device description framework (DDF) for the Personal Data Encryption configuration service provider.
```xml
<?xml version="1.0" encoding="UTF-8"?>
@ -76,6 +76,171 @@ The following XML file contains the device description framework (DDF) for the P
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>ProtectFolders</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>
<Node>
<NodeName>ProtectDocuments</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Allows the Admin to enable PDE on Documents folder. Set to '1' to set this policy.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Enable PDE on the folder.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="EnablePersonalDataEncryptionDependency">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>User/Vendor/MSFT/PDE/EnablePersonalDataEncryption</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Requires EnablePersonalDataEncryption to be set to 1.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>ProtectDesktop</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Allows the Admin to enable PDE on Desktop folder. Set to '1' to set this policy.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Enable PDE on the folder.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="EnablePersonalDataEncryptionDependency">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>User/Vendor/MSFT/PDE/EnablePersonalDataEncryption</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Requires EnablePersonalDataEncryption to be set to 1.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>ProtectPictures</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Allows the Admin to enable PDE on Pictures folder. Set to '1' to set this policy.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Enable PDE on the folder.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="EnablePersonalDataEncryptionDependency">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>User/Vendor/MSFT/PDE/EnablePersonalDataEncryption</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Requires EnablePersonalDataEncryption to be set to 1.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Status</NodeName>
<DFProperties>
@ -116,6 +281,74 @@ The following XML file contains the device description framework (DDF) for the P
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FolderProtectionStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This node reports folder protection status for a user. </Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Protection not started.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Protection is completed with no failures.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>Protection in progress.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>3</MSFT:Value>
<MSFT:ValueDescription>Protection failed.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>FoldersProtected</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This node reports all folders (full path to each folder) that have been protected.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
@ -123,4 +356,4 @@ The following XML file contains the device description framework (DDF) for the P
## Related articles
[PDE configuration service provider reference](personaldataencryption-csp.md)
[Personal Data Encryption configuration service provider reference](personaldataencryption-csp.md)

4
windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
View File

@ -1,7 +1,7 @@
---
title: Policies supported by Windows 10 Team
description: Learn about the policies supported by Windows 10 Team.
ms.date: 11/05/2024
ms.date: 11/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -382,8 +382,10 @@ This article lists the policies that are applicable for the Surface Hub operatin
## Start
- [AlwaysShowNotificationIcon](policy-csp-start.md#alwaysshownotificationicon)
- [HideRecommendedPersonalizedSites](policy-csp-start.md#hiderecommendedpersonalizedsites)
- [StartLayout](policy-csp-start.md#startlayout)
- [TurnOffAbbreviatedDateTimeFormat](policy-csp-start.md#turnoffabbreviateddatetimeformat)
## System

15
windows/client-management/mdm/policies-in-preview.md
View File

@ -1,7 +1,7 @@
---
title: Configuration service provider preview policies
description: Learn more about configuration service provider (CSP) policies that are available for Windows Insider Preview.
ms.date: 11/22/2024
ms.date: 11/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -62,6 +62,7 @@ This article lists the policies that are applicable for Windows Insider Preview
## Display
- [ConfigureMultipleDisplayMode](policy-csp-display.md#configuremultipledisplaymode)
- [SetClonePreferredResolutionSource](policy-csp-display.md#setclonepreferredresolutionsource)
## DMClient CSP
@ -106,6 +107,10 @@ This article lists the policies that are applicable for Windows Insider Preview
- [ConfigureDeviceStandbyAction](policy-csp-mixedreality.md#configuredevicestandbyaction)
- [ConfigureDeviceStandbyActionTimeout](policy-csp-mixedreality.md#configuredevicestandbyactiontimeout)
## NewsAndInterests
- [DisableWidgetsOnLockScreen](policy-csp-newsandinterests.md#disablewidgetsonlockscreen)
## PassportForWork CSP
- [DisablePostLogonProvisioning](passportforwork-csp.md#devicetenantidpoliciesdisablepostlogonprovisioning)
@ -118,6 +123,11 @@ This article lists the policies that are applicable for Windows Insider Preview
- [TS_SERVER_REMOTEAPP_USE_SHELLAPPRUNTIME](policy-csp-remotedesktopservices.md#ts_server_remoteapp_use_shellappruntime)
## Start
- [AlwaysShowNotificationIcon](policy-csp-start.md#alwaysshownotificationicon)
- [TurnOffAbbreviatedDateTimeFormat](policy-csp-start.md#turnoffabbreviateddatetimeformat)
## SurfaceHub CSP
- [ExchangeModernAuthEnabled](surfacehub-csp.md#deviceaccountexchangemodernauthenabled)
@ -137,14 +147,13 @@ This article lists the policies that are applicable for Windows Insider Preview
## WindowsAI
- [DisableAIDataAnalysis](policy-csp-windowsai.md#disableaidataanalysis)
- [SetCopilotHardwareKey](policy-csp-windowsai.md#setcopilothardwarekey)
- [SetDenyAppListForRecall](policy-csp-windowsai.md#setdenyapplistforrecall)
- [SetDenyUriListForRecall](policy-csp-windowsai.md#setdenyurilistforrecall)
- [SetMaximumStorageSpaceForRecallSnapshots](policy-csp-windowsai.md#setmaximumstoragespaceforrecallsnapshots)
- [SetMaximumStorageDurationForRecallSnapshots](policy-csp-windowsai.md#setmaximumstoragedurationforrecallsnapshots)
- [DisableImageCreator](policy-csp-windowsai.md#disableimagecreator)
- [DisableCocreator](policy-csp-windowsai.md#disablecocreator)
- [DisableGenerativeFill](policy-csp-windowsai.md#disablegenerativefill)
- [AllowRecallEnablement](policy-csp-windowsai.md#allowrecallenablement)
## WindowsLicensing CSP

6
windows/client-management/mdm/policy-csp-admx-bits.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_Bits Policy CSP
description: Learn more about the ADMX_Bits Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -348,7 +348,7 @@ This policy setting limits the network bandwidth that Background Intelligent Tra
- If you enable this policy setting, you can define a separate set of network bandwidth limits and set up a schedule for the maintenance period.
You can specify a limit to use for background jobs during a maintenance schedule. For example, if normal priority jobs are currently limited to 256 Kbps on a work schedule, you can further limit the network bandwidth of normal priority jobs to 0 Kbps from 8:00 A. M. to 10:00 A. M. on a maintenance schedule.
You can specify a limit to use for background jobs during a maintenance schedule. For example, if normal priority jobs are currently limited to 256 Kbps on a work schedule, you can further limit the network bandwidth of normal priority jobs to 0 Kbps from 8:00 A.M. to 10:00 A.M. on a maintenance schedule.
- If you disable or don't configure this policy setting, the limits defined for work or nonwork schedules will be used.
@ -412,7 +412,7 @@ This policy setting limits the network bandwidth that Background Intelligent Tra
- If you enable this policy setting, you can set up a schedule for limiting network bandwidth during both work and nonwork hours. After the work schedule is defined, you can set the bandwidth usage limits for each of the three BITS background priority levels: high, normal, and low.
You can specify a limit to use for background jobs during a work schedule. For example, you can limit the network bandwidth of low priority jobs to 128 Kbps from 8:00 A. M. to 5:00 P. M. on Monday through Friday, and then set the limit to 512 Kbps for nonwork hours.
You can specify a limit to use for background jobs during a work schedule. For example, you can limit the network bandwidth of low priority jobs to 128 Kbps from 8:00 A.M. to 5:00 P.M. on Monday through Friday, and then set the limit to 512 Kbps for nonwork hours.
- If you disable or don't configure this policy setting, BITS uses all available unused bandwidth for background job transfers.
<!-- BITS_MaxBandwidthV2_Work-Description-End -->

6
windows/client-management/mdm/policy-csp-admx-controlpanel.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_ControlPanel Policy CSP
description: Learn more about the ADMX_ControlPanel Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -36,7 +36,7 @@ This setting allows you to display or hide specified Control Panel items, such a
If you enable this setting, you can select specific items not to display on the Control Panel window and the Start screen.
To hide a Control Panel item, enable this policy setting and click Show to access the list of disallowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft. Mouse, Microsoft. System, or Microsoft. Personalization.
To hide a Control Panel item, enable this policy setting and click Show to access the list of disallowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter `Microsoft.Mouse`, `Microsoft.System`, or `Microsoft.Personalization`.
> [!NOTE]
> For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name should be entered, for example timedate.cpl or inetcpl.cpl. If a Control Panel item doesn't have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered, for example @systemcpl.dll,-1 for System, or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names can be found in MSDN by searching "Control Panel items".
@ -243,7 +243,7 @@ If users try to select a Control Panel item from the Properties item on a contex
<!-- Description-Source-ADMX -->
This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those you specify in this setting. This setting affects the Start screen and Control Panel, as well as other ways to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings.
To display a Control Panel item, enable this policy setting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft. Mouse, Microsoft. System, or Microsoft. Personalization.
To display a Control Panel item, enable this policy setting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter `Microsoft.Mouse`, `Microsoft.System`, or `Microsoft.Personalization`.
> [!NOTE]
> For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name, for example timedate.cpl or inetcpl.cpl, should be entered. If a Control Panel item doesn't have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered. For example, enter @systemcpl.dll,-1 for System or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names of Control Panel items can be found in MSDN by searching "Control Panel items".

4
windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_ControlPanelDisplay Policy CSP
description: Learn more about the ADMX_ControlPanelDisplay Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -519,7 +519,7 @@ Prevents users from changing the background image shown when the machine is lock
By default, users can change the background image shown when the machine is locked or displaying the logon screen.
If you enable this setting, the user won't be able to change their lock screen and logon image, and they will instead see the default image.
If you enable this setting, the user won't be able to change their lock screen and logon image, and they'll instead see the default image.
<!-- CPL_Personalization_NoChangingLockScreen-Description-End -->
<!-- CPL_Personalization_NoChangingLockScreen-Editable-Begin -->

14
windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_DiskDiagnostic Policy CSP
description: Learn more about the ADMX_DiskDiagnostic Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -32,7 +32,7 @@ ms.date: 08/06/2024
<!-- DfdAlertPolicy-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S. M. A. R. T. fault.
This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T. fault.
- If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters.
@ -97,15 +97,15 @@ This policy setting only takes effect if the Disk Diagnostic scenario policy set
<!-- WdiScenarioExecutionPolicy-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting determines the execution level for S. M. A. R. T.-based disk diagnostics.
This policy setting determines the execution level for S.M.A.R.T.-based disk diagnostics.
Self-Monitoring And Reporting Technology (S. M. A. R. T). is a standard mechanism for storage devices to report faults to Windows. A disk that reports a S. M. A. R. T. fault may need to be repaired or replaced. The Diagnostic Policy Service (DPS) detects and logs S. M. A. R. T. faults to the event log when they occur.
Self-Monitoring And Reporting Technology (S.M.A.R.T). is a standard mechanism for storage devices to report faults to Windows. A disk that reports a S.M.A.R.T. fault may need to be repaired or replaced. The Diagnostic Policy Service (DPS) detects and logs S.M.A.R.T. faults to the event log when they occur.
- If you enable this policy setting, the DPS also warns users of S. M. A. R. T. faults and guides them through backup and recovery to minimize potential data loss.
- If you enable this policy setting, the DPS also warns users of S.M.A.R.T. faults and guides them through backup and recovery to minimize potential data loss.
- If you disable this policy, S. M. A. R. T. faults are still detected and logged, but no corrective action is taken.
- If you disable this policy, S.M.A.R.T. faults are still detected and logged, but no corrective action is taken.
- If you don't configure this policy setting, the DPS enables S. M. A. R. T. fault resolution by default.
- If you don't configure this policy setting, the DPS enables S.M.A.R.T. fault resolution by default.
This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured.

6
windows/client-management/mdm/policy-csp-admx-dnsclient.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_DnsClient Policy CSP
description: Learn more about the ADMX_DnsClient Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -602,11 +602,11 @@ You can use this policy setting to prevent users, including local administrators
<!-- Description-Source-ADMX -->
Specifies if the DNS client performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix.
By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com.
By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: `mycomputer.microsoft.com`.
- If you enable this policy setting, the DNS client will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by the DNS client.
For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, the DNS client will register A and PTR resource records for mycomputer. VPNconnection and mycomputer.microsoft.com when this policy setting is enabled.
For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, the DNS client will register A and PTR resource records for `mycomputer.VPNconnection` and `mycomputer.microsoft.com` when this policy setting is enabled.
> [!IMPORTANT]
> This policy setting is ignored by the DNS client if dynamic DNS registration is disabled.

4
windows/client-management/mdm/policy-csp-admx-explorer.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_Explorer Policy CSP
description: Learn more about the ADMX_Explorer Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -120,7 +120,7 @@ This policy setting configures File Explorer to always display the menu bar.
| Name | Value |
|:--|:--|
| Name | AlwaysShowClassicMenu |
| Friendly Name | Display the menu bar in File Explorer |
| Friendly Name | Display the menu bar in File Explorer |
| Location | User Configuration |
| Path | WindowsComponents > File Explorer |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |

4
windows/client-management/mdm/policy-csp-admx-filerevocation.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_FileRevocation Policy CSP
description: Learn more about the ADMX_FileRevocation Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -36,7 +36,7 @@ Windows Runtime applications can protect content which has been associated with
Example value:
Contoso.com,ContosoIT. HumanResourcesApp_m5g0r7arhahqy.
`Contoso.com,ContosoIT.HumanResourcesApp_m5g0r7arhahqy`
- If you enable this policy setting, the application identified by the Package Family Name will be permitted to revoke access to all content protected using the specified EID on the device.

4
windows/client-management/mdm/policy-csp-admx-filesys.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_FileSys Policy CSP
description: Learn more about the ADMX_FileSys Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -317,7 +317,7 @@ Enabling Win32 long paths will allow manifested win32 applications and packaged
<!-- Description-Source-ADMX -->
These settings provide control over whether or not short names are generated during file creation. Some applications require short names for compatibility, but short names have a negative performance impact on the system.
If you enable short names on all volumes then short names will always be generated. If you disable them on all volumes then they will never be generated. If you set short name creation to be configurable on a per volume basis then an on-disk flag will determine whether or not short names are created on a given volume. If you disable short name creation on all data volumes then short names will only be generated for files created on the system volume.
If you enable short names on all volumes then short names will always be generated. If you disable them on all volumes then they'll never be generated. If you set short name creation to be configurable on a per volume basis then an on-disk flag will determine whether or not short names are created on a given volume. If you disable short name creation on all data volumes then short names will only be generated for files created on the system volume.
<!-- ShortNameCreationSettings-Description-End -->
<!-- ShortNameCreationSettings-Editable-Begin -->

8
windows/client-management/mdm/policy-csp-admx-globalization.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_Globalization Policy CSP
description: Learn more about the ADMX_Globalization Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -638,7 +638,7 @@ This policy setting is related to the "Turn off handwriting personalization" pol
<!-- LocaleSystemRestrict-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy setting doesn't change the existing system locale; however, the next time that an administrator attempts to change the computer's system locale, they will be restricted to the specified list.
This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy setting doesn't change the existing system locale; however, the next time that an administrator attempts to change the computer's system locale, they'll be restricted to the specified list.
The locale list is specified using language names, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-US;en-CA" would restrict the system locale to English (United States) and English (Canada).
@ -1097,7 +1097,7 @@ This policy setting prevents the user from customizing their locale by changing
Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy.
When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they will be unable to customize those choices. The user can't customize their user locale with user overrides.
When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they'll be unable to customize those choices. The user can't customize their user locale with user overrides.
- If this policy setting is disabled or not configured, then the user can customize their user locale overrides.
@ -1166,7 +1166,7 @@ This policy setting prevents the user from customizing their locale by changing
Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy.
When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they will be unable to customize those choices. The user can't customize their user locale with user overrides.
When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they'll be unable to customize those choices. The user can't customize their user locale with user overrides.
- If this policy setting is disabled or not configured, then the user can customize their user locale overrides.

8
windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_MicrosoftDefenderAntivirus Policy CSP
description: Learn more about the ADMX_MicrosoftDefenderAntivirus Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -2938,7 +2938,7 @@ This policy setting allows you to manage whether or not end users can pause a sc
<!-- Scan_ArchiveMaxDepth-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to configure the maximum directory depth level into which archive files such as . ZIP or . CAB are unpacked during scanning. The default directory depth level is 0.
This policy setting allows you to configure the maximum directory depth level into which archive files such as .ZIP or .CAB are unpacked during scanning. The default directory depth level is 0.
- If you enable this setting, archive files will be scanned to the directory depth level specified.
@ -2997,7 +2997,7 @@ This policy setting allows you to configure the maximum directory depth level in
<!-- Scan_ArchiveMaxSize-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to configure the maximum size of archive files such as . ZIP or . CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning.
This policy setting allows you to configure the maximum size of archive files such as .ZIP or .CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning.
- If you enable this setting, archive files less than or equal to the size specified will be scanned.
@ -3056,7 +3056,7 @@ This policy setting allows you to configure the maximum size of archive files su
<!-- Scan_DisableArchiveScanning-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as . ZIP or . CAB files.
This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files.
- If you enable or don't configure this setting, archive files will be scanned.

6
windows/client-management/mdm/policy-csp-admx-offlinefiles.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_OfflineFiles Policy CSP
description: Learn more about the ADMX_OfflineFiles Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -352,7 +352,7 @@ This setting replaces the Default Cache Size setting used by pre-Windows Vista s
<!-- Description-Source-ADMX -->
Determines how computers respond when they're disconnected from particular offline file servers. This setting overrides the default response, a user-specified response, and the response specified in the "Action on server disconnect" setting.
To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they're disconnected from this server, or type "1" if they cannot.
To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they're disconnected from this server, or type "1" if they can't.
This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured for a particular server, the setting in Computer Configuration takes precedence over the setting in User Configuration. Both Computer and User configuration take precedence over a user's setting. This setting doesn't prevent users from setting custom actions through the Offline Files tab. However, users are unable to change any custom actions established via this setting.
@ -413,7 +413,7 @@ This setting appears in the Computer Configuration and User Configuration folder
<!-- Description-Source-ADMX -->
Determines how computers respond when they're disconnected from particular offline file servers. This setting overrides the default response, a user-specified response, and the response specified in the "Action on server disconnect" setting.
To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they're disconnected from this server, or type "1" if they cannot.
To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they're disconnected from this server, or type "1" if they can't.
This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured for a particular server, the setting in Computer Configuration takes precedence over the setting in User Configuration. Both Computer and User configuration take precedence over a user's setting. This setting doesn't prevent users from setting custom actions through the Offline Files tab. However, users are unable to change any custom actions established via this setting.

4
windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_UserExperienceVirtualization Policy CSP
description: Learn more about the ADMX_UserExperienceVirtualization Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -7541,7 +7541,7 @@ This policy setting configures where custom settings location templates are stor
- If you enable this policy setting, the UE-V Agent checks the specified location once each day and updates its synchronization behavior based on the templates in this location. Settings location templates added or updated since the last check are registered by the UE-V Agent. The UE-V Agent deregisters templates that were removed from this location.
If you specify a UNC path and leave the option to replace the default Microsoft templates unchecked, the UE-V Agent will use the default Microsoft templates installed by the UE-V Agent and custom templates in the settings template catalog. If there are custom templates in the settings template catalog which use the same ID as the default Microsoft templates, they will be ignored.
If you specify a UNC path and leave the option to replace the default Microsoft templates unchecked, the UE-V Agent will use the default Microsoft templates installed by the UE-V Agent and custom templates in the settings template catalog. If there are custom templates in the settings template catalog which use the same ID as the default Microsoft templates, they'll be ignored.
If you specify a UNC path and check the option to replace the default Microsoft templates, all of the default Microsoft templates installed by the UE-V Agent will be deleted from the computer and only the templates located in the settings template catalog will be used.

4
windows/client-management/mdm/policy-csp-admx-userprofiles.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_UserProfiles Policy CSP
description: Learn more about the ADMX_UserProfiles Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -157,7 +157,7 @@ This policy setting controls whether Windows forcefully unloads the user's regis
<!-- Description-Source-ADMX -->
This policy setting determines whether the system retains a roaming user's Windows Installer and Group Policy based software installation data on their profile deletion.
By default Windows deletes all information related to a roaming user (which includes the user's settings, data, Windows Installer related data, and the like) when their profile is deleted. As a result, the next time a roaming user whose profile was previously deleted on that client logs on, they will need to reinstall all apps published via policy at logon increasing logon time. You can use this policy setting to change this behavior.
By default Windows deletes all information related to a roaming user (which includes the user's settings, data, Windows Installer related data, and the like) when their profile is deleted. As a result, the next time a roaming user whose profile was previously deleted on that client logs on, they'll need to reinstall all apps published via policy at logon increasing logon time. You can use this policy setting to change this behavior.
- If you enable this policy setting, Windows won't delete Windows Installer or Group Policy software installation data for roaming users when profiles are deleted from the machine. This will improve the performance of Group Policy based Software Installation during user logon when a user profile is deleted and that user subsequently logs on to the machine.

4
windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_WindowsExplorer Policy CSP
description: Learn more about the ADMX_WindowsExplorer Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -4468,7 +4468,7 @@ Shows or hides sleep from the power options menu.
<!-- TryHarderPinnedLibrary-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows up to five Libraries or Search Connectors to be pinned to the "Search again" links and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. To add a Library or Search Connector link, specify the path of the . Library-ms or .searchConnector-ms file in the "Location" text box (for example, "C:\sampleLibrary. Library-ms" for the Documents library, or "C:\sampleSearchConnector.searchConnector-ms" for a Search Connector). The pinned link will only work if this path is valid and the location contains the specified . Library-ms or .searchConnector-ms file.
This policy setting allows up to five Libraries or Search Connectors to be pinned to the "Search again" links and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. To add a Library or Search Connector link, specify the path of the `.Library-ms or .searchConnector-ms` file in the "Location" text box (for example, "C:\sampleLibrary.Library-ms" for the Documents library, or "C:\sampleSearchConnector.searchConnector-ms" for a Search Connector). The pinned link will only work if this path is valid and the location contains the specified `.Library-ms or .searchConnector-ms` file.
You can add up to five additional links to the "Search again" links at the bottom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links.

8
windows/client-management/mdm/policy-csp-applicationmanagement.md
View File

@ -1,7 +1,7 @@
---
title: ApplicationManagement Policy CSP
description: Learn more about the ApplicationManagement Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -371,7 +371,7 @@ If the setting is enabled or not configured, then Recording and Broadcasting (st
<!-- Description-Source-ADMX -->
Manages a Windows app's ability to share data between users who have installed the app.
- If you enable this policy, a Windows app can share app data with other instances of that app. Data is shared through the SharedLocal folder. This folder is available through the Windows. Storage API.
- If you enable this policy, a Windows app can share app data with other instances of that app. Data is shared through the SharedLocal folder. This folder is available through the `Windows.Storage` API.
- If you disable this policy, a Windows app can't share app data with other instances of that app. If this policy was previously enabled, any previously shared app data will remain in the SharedLocal folder.
<!-- AllowSharedUserAppData-Description-End -->
@ -629,7 +629,7 @@ Disable turns off the launch of all apps from the Microsoft Store that came pre-
| Name | Value |
|:--|:--|
| Name | DisableStoreApps |
| Friendly Name | Disable all apps from Microsoft Store |
| Friendly Name | Disable all apps from Microsoft Store |
| Location | Computer Configuration |
| Path | Windows Components > Store |
| Registry Key Name | Software\Policies\Microsoft\WindowsStore |
@ -867,7 +867,7 @@ This policy setting directs Windows Installer to use elevated permissions when i
<!-- Description-Source-ADMX -->
Denies access to the retail catalog in the Microsoft Store, but displays the private store.
- If you enable this setting, users won't be able to view the retail catalog in the Microsoft Store, but they will be able to view apps in the private store.
- If you enable this setting, users won't be able to view the retail catalog in the Microsoft Store, but they'll be able to view apps in the private store.
- If you disable or don't configure this setting, users can access the retail catalog in the Microsoft Store.
<!-- RequirePrivateStoreOnly-Description-End -->

4
windows/client-management/mdm/policy-csp-attachmentmanager.md
View File

@ -1,7 +1,7 @@
---
title: AttachmentManager Policy CSP
description: Learn more about the AttachmentManager Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -154,7 +154,7 @@ This policy setting allows you to manage whether users can manually remove the z
<!-- NotifyAntivirusPrograms-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant.
This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they'll all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant.
- If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened.

8
windows/client-management/mdm/policy-csp-bits.md
View File

@ -1,7 +1,7 @@
---
title: BITS Policy CSP
description: Learn more about the BITS Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -32,7 +32,7 @@ ms.date: 01/18/2024
<!-- Description-Source-ADMX -->
This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting doesn't affect foreground transfers).
You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M., and use all available unused bandwidth the rest of the day's hours.
You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours.
- If you enable this policy setting, BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0.
@ -98,7 +98,7 @@ Consider using this setting to prevent BITS transfers from competing for network
<!-- Description-Source-ADMX -->
This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting doesn't affect foreground transfers).
You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M., and use all available unused bandwidth the rest of the day's hours.
You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours.
- If you enable this policy setting, BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0.
@ -164,7 +164,7 @@ Consider using this setting to prevent BITS transfers from competing for network
<!-- Description-Source-ADMX -->
This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting doesn't affect foreground transfers).
You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M., and use all available unused bandwidth the rest of the day's hours.
You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours.
- If you enable this policy setting, BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0.

4
windows/client-management/mdm/policy-csp-defender.md
View File

@ -1,7 +1,7 @@
---
title: Defender Policy CSP
description: Learn more about the Defender Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -30,7 +30,7 @@ ms.date: 09/27/2024
<!-- AllowArchiveScanning-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as . ZIP or . CAB files.
This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files.
- If you enable or don't configure this setting, archive files will be scanned.

66
windows/client-management/mdm/policy-csp-display.md
View File

@ -1,7 +1,7 @@
---
title: Display Policy CSP
description: Learn more about the Display Area in Policy CSP.
ms.date: 11/05/2024
ms.date: 11/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -32,7 +32,7 @@ ms.date: 11/05/2024
<!-- ConfigureMultipleDisplayMode-Description-Begin -->
<!-- Description-Source-DDF -->
This policy set the default display to set the arrangement between cloning or extending.
This policy sets the default display arrangement to pick between clone or extend.
<!-- ConfigureMultipleDisplayMode-Description-End -->
<!-- ConfigureMultipleDisplayMode-Editable-Begin -->
@ -66,7 +66,7 @@ This policy set the default display to set the arrangement between cloning or ex
|:--|:--|
| Name | ConfigureMultipleDisplayMode |
| Path | Display > AT > System > DisplayCat |
| Element Name | ConfigureMultipleDisplayModePrompt |
| Element Name | DisplayConfigureMultipleDisplayModeSettings |
<!-- ConfigureMultipleDisplayMode-GpMapping-End -->
<!-- ConfigureMultipleDisplayMode-Examples-Begin -->
@ -298,6 +298,66 @@ Enabling this setting lets you specify the system-wide default for desktop appli
<!-- EnablePerProcessDpiForApps-End -->
<!-- SetClonePreferredResolutionSource-Begin -->
## SetClonePreferredResolutionSource
<!-- SetClonePreferredResolutionSource-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- SetClonePreferredResolutionSource-Applicability-End -->
<!-- SetClonePreferredResolutionSource-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Display/SetClonePreferredResolutionSource
```
<!-- SetClonePreferredResolutionSource-OmaUri-End -->
<!-- SetClonePreferredResolutionSource-Description-Begin -->
<!-- Description-Source-DDF -->
This policy sets the cloned monitor preferred resolution source to an internal or external monitor by default.
<!-- SetClonePreferredResolutionSource-Description-End -->
<!-- SetClonePreferredResolutionSource-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SetClonePreferredResolutionSource-Editable-End -->
<!-- SetClonePreferredResolutionSource-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- SetClonePreferredResolutionSource-DFProperties-End -->
<!-- SetClonePreferredResolutionSource-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Default. |
| 1 (Default) | Internal. |
| 2 | External. |
<!-- SetClonePreferredResolutionSource-AllowedValues-End -->
<!-- SetClonePreferredResolutionSource-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | SetClonePreferredResolutionSource |
| Path | Display > AT > System > DisplayCat |
| Element Name | DisplaySetClonePreferredResolutionSourceSettings |
<!-- SetClonePreferredResolutionSource-GpMapping-End -->
<!-- SetClonePreferredResolutionSource-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- SetClonePreferredResolutionSource-Examples-End -->
<!-- SetClonePreferredResolutionSource-End -->
<!-- TurnOffGdiDPIScalingForApps-Begin -->
## TurnOffGdiDPIScalingForApps

38
windows/client-management/mdm/policy-csp-internetexplorer.md
View File

@ -1,7 +1,7 @@
---
title: InternetExplorer Policy CSP
description: Learn more about the InternetExplorer Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -2472,11 +2472,11 @@ This policy setting determines whether Internet Explorer requires that all file-
<!-- DisableActiveXVersionListAutoDownload-Description-Begin -->
<!-- Description-Source-ADMX -->
This setting determines whether IE automatically downloads updated versions of Microsoft's VersionList. XML. IE uses this file to determine whether an ActiveX control should be stopped from loading.
This setting determines whether IE automatically downloads updated versions of Microsoft's VersionList.XML. IE uses this file to determine whether an ActiveX control should be stopped from loading.
- If you enable this setting, IE stops downloading updated versions of VersionList. XML. Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer.
- If you enable this setting, IE stops downloading updated versions of VersionList.XML. Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer.
- If you disable or don't configure this setting, IE continues to download updated versions of VersionList. XML.
- If you disable or don't configure this setting, IE continues to download updated versions of VersionList.XML.
For more information, see "Out-of-date ActiveX control blocking" in the Internet Explorer TechNet library.
<!-- DisableActiveXVersionListAutoDownload-Description-End -->
@ -4429,7 +4429,7 @@ This policy setting allows you to manage a list of domains on which Internet Exp
- If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following:
1. "domain.name. TLD". For example, if you want to include *.contoso.com/*, use "contoso.com"
1. "domain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com"
2. "hostname". For example, if you want to include https://example, use "example".
3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm".
@ -5272,7 +5272,7 @@ This policy setting allows you to manage the loading of Extensible Application M
<!-- InternetZoneAllowNETFrameworkReliantComponents-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@ -6825,7 +6825,7 @@ This policy setting allows you to manage the opening of windows and frames and a
<!-- InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.
@ -7337,7 +7337,7 @@ This policy setting allows you to manage whether Web sites from less privileged
<!-- IntranetZoneAllowNETFrameworkReliantComponents-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@ -8410,7 +8410,7 @@ This policy setting allows you to manage whether Web sites from less privileged
<!-- LocalMachineZoneAllowNETFrameworkReliantComponents-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@ -9325,7 +9325,7 @@ This policy setting allows you to manage whether Web sites from less privileged
<!-- LockedDownInternetZoneAllowNETFrameworkReliantComponents-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@ -10174,7 +10174,7 @@ This policy setting allows you to manage whether Web sites from less privileged
<!-- LockedDownIntranetZoneAllowNETFrameworkReliantComponents-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@ -10883,7 +10883,7 @@ This policy setting allows you to manage whether Web sites from less privileged
<!-- LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@ -11662,7 +11662,7 @@ This policy setting allows you to manage whether Web sites from less privileged
<!-- LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@ -12441,7 +12441,7 @@ This policy setting allows you to manage whether Web sites from less privileged
<!-- LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@ -13373,7 +13373,7 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T
| Name | Value |
|:--|:--|
| Name | VerMgmtDisableRunThisTime |
| Friendly Name | Remove "Run this time" button for outdated ActiveX controls in Internet Explorer |
| Friendly Name | Remove "Run this time" button for outdated ActiveX controls in Internet Explorer |
| Location | Computer and User Configuration |
| Path | Windows Components > Internet Explorer > Security Features > Add-on Management |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Ext |
@ -14307,7 +14307,7 @@ This policy setting allows you to manage whether a user's browser can be redirec
<!-- RestrictedSitesZoneAllowNETFrameworkReliantComponents-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@ -15862,7 +15862,7 @@ If you selected Prompt in the drop-down box, users are asked to choose whether t
<!-- RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.
@ -16472,7 +16472,7 @@ Also, see the "Security zones: Don't allow users to change policies" policy.
| Name | Value |
|:--|:--|
| Name | Security_HKLM_only |
| Friendly Name | Security Zones: Use only machine settings |
| Friendly Name | Security Zones: Use only machine settings |
| Location | Computer Configuration |
| Path | Windows Components > Internet Explorer |
| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
@ -16981,7 +16981,7 @@ This policy setting allows you to manage whether Web sites from less privileged
<!-- TrustedSitesZoneAllowNETFrameworkReliantComponents-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

4
windows/client-management/mdm/policy-csp-mixedreality.md
View File

@ -1,7 +1,7 @@
---
title: MixedReality Policy CSP
description: Learn more about the MixedReality Area in Policy CSP.
ms.date: 09/11/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -139,7 +139,7 @@ This opt-in policy can help with the setup of new devices in new areas or new us
<!-- AllowLaunchUriInSingleAppKiosk-Description-Begin -->
<!-- Description-Source-DDF -->
By default, launching applications via Launcher API (Launcher Class (Windows. System) - Windows UWP applications | Microsoft Docs) is disabled in single app kiosk mode. To enable applications to launch in single app kiosk mode on HoloLens devices, set the policy value to true.
By default, launching applications via Launcher API is disabled in single app kiosk mode. To enable applications to launch in single app kiosk mode on HoloLens devices, set the policy value to true.
<!-- AllowLaunchUriInSingleAppKiosk-Description-End -->
<!-- AllowLaunchUriInSingleAppKiosk-Editable-Begin -->

62
windows/client-management/mdm/policy-csp-newsandinterests.md
View File

@ -1,7 +1,7 @@
---
title: NewsAndInterests Policy CSP
description: Learn more about the NewsAndInterests Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 11/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,6 +9,8 @@ ms.date: 01/18/2024
<!-- NewsAndInterests-Begin -->
# Policy CSP - NewsAndInterests
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- NewsAndInterests-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- NewsAndInterests-Editable-End -->
@ -82,6 +84,64 @@ This policy applies to the entire widgets experience, including content on the t
<!-- AllowNewsAndInterests-End -->
<!-- DisableWidgetsOnLockScreen-Begin -->
## DisableWidgetsOnLockScreen
<!-- DisableWidgetsOnLockScreen-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- DisableWidgetsOnLockScreen-Applicability-End -->
<!-- DisableWidgetsOnLockScreen-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/NewsAndInterests/DisableWidgetsOnLockScreen
```
<!-- DisableWidgetsOnLockScreen-OmaUri-End -->
<!-- DisableWidgetsOnLockScreen-Description-Begin -->
<!-- Description-Source-DDF -->
Disable widgets on lock screen.
<!-- DisableWidgetsOnLockScreen-Description-End -->
<!-- DisableWidgetsOnLockScreen-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DisableWidgetsOnLockScreen-Editable-End -->
<!-- DisableWidgetsOnLockScreen-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- DisableWidgetsOnLockScreen-DFProperties-End -->
<!-- DisableWidgetsOnLockScreen-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Enabled. |
| 1 | Disabled. |
<!-- DisableWidgetsOnLockScreen-AllowedValues-End -->
<!-- DisableWidgetsOnLockScreen-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | DisableWidgetsOnLockScreen |
| Path | NewsAndInterests > AT > WindowsComponents > NewsAndInterests |
<!-- DisableWidgetsOnLockScreen-GpMapping-End -->
<!-- DisableWidgetsOnLockScreen-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- DisableWidgetsOnLockScreen-Examples-End -->
<!-- DisableWidgetsOnLockScreen-End -->
<!-- NewsAndInterests-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- NewsAndInterests-CspMoreInfo-End -->

4
windows/client-management/mdm/policy-csp-remotedesktopservices.md
View File

@ -1,7 +1,7 @@
---
title: RemoteDesktopServices Policy CSP
description: Learn more about the RemoteDesktopServices Area in Policy CSP.
ms.date: 11/05/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -197,7 +197,7 @@ This policy applies only when using legacy authentication to authenticate to the
| Name | Value |
|:--|:--|
| Name | TS_DISCONNECT_ON_LOCK_POLICY |
| Friendly Name | Disconnect remote session on lock for legacy authentication |
| Friendly Name | Disconnect remote session on lock for legacy authentication |
| Location | Computer Configuration |
| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |

6
windows/client-management/mdm/policy-csp-remoteprocedurecall.md
View File

@ -1,7 +1,7 @@
---
title: RemoteProcedureCall Policy CSP
description: Learn more about the RemoteProcedureCall Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -105,11 +105,11 @@ This policy setting impacts all RPC applications. In a domain environment this p
<!-- Description-Source-ADMX -->
This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they're making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) can't process authentication information supplied in this manner.
- If you disable this policy setting, RPC clients won't authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server.
- If you disable this policy setting, RPC clients won't authenticate to the Endpoint Mapper Service, but they'll be able to communicate with the Endpoint Mapper Service on Windows NT4 Server.
- If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls won't be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
- If you don't configure this policy setting, it remains disabled. RPC clients won't authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
- If you don't configure this policy setting, it remains disabled. RPC clients won't authenticate to the Endpoint Mapper Service, but they'll be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
> [!NOTE]
> This policy won't be applied until the system is rebooted.

118
windows/client-management/mdm/policy-csp-start.md
View File

@ -1,7 +1,7 @@
---
title: Start Policy CSP
description: Learn more about the Start Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 11/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,6 +9,8 @@ ms.date: 08/06/2024
<!-- Start-Begin -->
# Policy CSP - Start
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Start-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Start-Editable-End -->
@ -513,6 +515,63 @@ This policy controls the visibility of the Videos shortcut on the Start menu. Th
<!-- AllowPinnedFolderVideos-End -->
<!-- AlwaysShowNotificationIcon-Begin -->
## AlwaysShowNotificationIcon
<!-- AlwaysShowNotificationIcon-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AlwaysShowNotificationIcon-Applicability-End -->
<!-- AlwaysShowNotificationIcon-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/Start/AlwaysShowNotificationIcon
```
<!-- AlwaysShowNotificationIcon-OmaUri-End -->
<!-- AlwaysShowNotificationIcon-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- AlwaysShowNotificationIcon-Description-End -->
<!-- AlwaysShowNotificationIcon-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AlwaysShowNotificationIcon-Editable-End -->
<!-- AlwaysShowNotificationIcon-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- AlwaysShowNotificationIcon-DFProperties-End -->
<!-- AlwaysShowNotificationIcon-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Auto-hide notification bell icon. |
| 1 | Show notification bell icon. |
<!-- AlwaysShowNotificationIcon-AllowedValues-End -->
<!-- AlwaysShowNotificationIcon-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | AlwaysShowNotificationIcon |
| Path | Taskbar > AT > StartMenu |
<!-- AlwaysShowNotificationIcon-GpMapping-End -->
<!-- AlwaysShowNotificationIcon-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AlwaysShowNotificationIcon-Examples-End -->
<!-- AlwaysShowNotificationIcon-End -->
<!-- ConfigureStartPins-Begin -->
## ConfigureStartPins
@ -2247,6 +2306,63 @@ For more information on how to customize the Start layout, see [Customize the St
<!-- StartLayout-End -->
<!-- TurnOffAbbreviatedDateTimeFormat-Begin -->
## TurnOffAbbreviatedDateTimeFormat
<!-- TurnOffAbbreviatedDateTimeFormat-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- TurnOffAbbreviatedDateTimeFormat-Applicability-End -->
<!-- TurnOffAbbreviatedDateTimeFormat-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/Start/TurnOffAbbreviatedDateTimeFormat
```
<!-- TurnOffAbbreviatedDateTimeFormat-OmaUri-End -->
<!-- TurnOffAbbreviatedDateTimeFormat-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- TurnOffAbbreviatedDateTimeFormat-Description-End -->
<!-- TurnOffAbbreviatedDateTimeFormat-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- TurnOffAbbreviatedDateTimeFormat-Editable-End -->
<!-- TurnOffAbbreviatedDateTimeFormat-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- TurnOffAbbreviatedDateTimeFormat-DFProperties-End -->
<!-- TurnOffAbbreviatedDateTimeFormat-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Show abbreviated time and date format. |
| 1 | Show classic time and date format. |
<!-- TurnOffAbbreviatedDateTimeFormat-AllowedValues-End -->
<!-- TurnOffAbbreviatedDateTimeFormat-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | TurnOffAbbreviatedDateTimeFormat |
| Path | Taskbar > AT > StartMenu |
<!-- TurnOffAbbreviatedDateTimeFormat-GpMapping-End -->
<!-- TurnOffAbbreviatedDateTimeFormat-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- TurnOffAbbreviatedDateTimeFormat-Examples-End -->
<!-- TurnOffAbbreviatedDateTimeFormat-End -->
<!-- Start-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- Start-CspMoreInfo-End -->

4
windows/client-management/mdm/policy-csp-sudo.md
View File

@ -1,7 +1,7 @@
---
title: Sudo Policy CSP
description: Learn more about the Sudo Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 11/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -19,7 +19,7 @@ ms.date: 09/27/2024
<!-- EnableSudo-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- EnableSudo-Applicability-End -->
<!-- EnableSudo-OmaUri-Begin -->

8
windows/client-management/mdm/policy-csp-update.md
View File

@ -1,7 +1,7 @@
---
title: Update Policy CSP
description: Learn more about the Update Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 11/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -2522,7 +2522,7 @@ Minimum number of days from update installation until restarts occur automatical
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Applicability-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-OmaUri-Begin -->
@ -2601,7 +2601,7 @@ This policy will override the following policies:
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Applicability-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-OmaUri-Begin -->
@ -3237,7 +3237,7 @@ These policies are not exclusive and can be used in any combination. Together wi
<!-- ScheduledInstallTime-Description-Begin -->
<!-- Description-Source-DDF -->
the IT admin to schedule the time of the update installation. The data type is a integer. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3.
Enables the IT admin to schedule the time of the update installation. The data type is a integer. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3.
<!-- ScheduledInstallTime-Description-End -->
<!-- ScheduledInstallTime-Editable-Begin -->

4
windows/client-management/mdm/policy-csp-webthreatdefense.md
View File

@ -1,7 +1,7 @@
---
title: WebThreatDefense Policy CSP
description: Learn more about the WebThreatDefense Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -308,7 +308,7 @@ This policy setting determines whether Enhanced Phishing Protection in Microsoft
- If you disable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen is off and it won't capture events, send telemetry, or notify users. Additionally, your users are unable to turn it on.
- If you don't configure this setting, users can decide whether or not they will enable Enhanced Phishing Protection in Microsoft Defender SmartScreen.
- If you don't configure this setting, users can decide whether or not they'll enable Enhanced Phishing Protection in Microsoft Defender SmartScreen.
<!-- ServiceEnabled-Description-End -->
<!-- ServiceEnabled-Editable-Begin -->

79
windows/client-management/mdm/policy-csp-windowsai.md
View File

@ -1,7 +1,7 @@
---
title: WindowsAI Policy CSP
description: Learn more about the WindowsAI Area in Policy CSP.
ms.date: 11/22/2024
ms.date: 11/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -38,7 +38,7 @@ This policy setting allows you to determine whether the Recall optional componen
- If this policy is disabled, the Recall component will be in disabled state and the bits for Recall will be removed from the device. If snapshots were previously saved on the device, they'll be deleted when this policy is disabled. Removing Recall requires a device restart.
- If the policy is enabled, end users will have Recall available on their device. Depending on the state of the DisableAIDataAnalysis policy (Turn off saving snapshots for use with Recall), end users are able to choose if they want to save snapshots of their screen and use Recall to find things they've seen on their device.
- If the policy is enabled, end users will have Recall available on their device. Depending on the state of the DisableAIDataAnalysis policy (Turn off saving snapshots for use with Recall), end users will be able to choose if they want to save snapshots of their screen and use Recall to find things they've seen on their device.
<!-- AllowRecallEnablement-Description-End -->
<!-- AllowRecallEnablement-Editable-Begin -->
@ -90,7 +90,7 @@ This policy setting allows you to determine whether the Recall optional componen
<!-- DisableAIDataAnalysis-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DisableAIDataAnalysis-Applicability-End -->
<!-- DisableAIDataAnalysis-OmaUri-Begin -->
@ -219,6 +219,68 @@ This policy setting allows you to control whether Cocreator functionality is dis
<!-- DisableCocreator-End -->
<!-- DisableGenerativeFill-Begin -->
## DisableGenerativeFill
<!-- DisableGenerativeFill-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- DisableGenerativeFill-Applicability-End -->
<!-- DisableGenerativeFill-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsAI/DisableGenerativeFill
```
<!-- DisableGenerativeFill-OmaUri-End -->
<!-- DisableGenerativeFill-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to control whether generative fill functionality is disabled in the Windows Paint app.
- If this policy is enabled, generative fill functionality won't be accessible in the Paint app.
- If this policy is disabled or not configured, users will be able to access generative fill functionality.
<!-- DisableGenerativeFill-Description-End -->
<!-- DisableGenerativeFill-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DisableGenerativeFill-Editable-End -->
<!-- DisableGenerativeFill-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- DisableGenerativeFill-DFProperties-End -->
<!-- DisableGenerativeFill-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Generative fill is enabled. |
| 1 | Generative fill is disabled. |
<!-- DisableGenerativeFill-AllowedValues-End -->
<!-- DisableGenerativeFill-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | DisableGenerativeFill |
| Path | WindowsAI > AT > WindowsComponents > Paint |
<!-- DisableGenerativeFill-GpMapping-End -->
<!-- DisableGenerativeFill-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- DisableGenerativeFill-Examples-End -->
<!-- DisableGenerativeFill-End -->
<!-- DisableImageCreator-Begin -->
## DisableImageCreator
@ -287,7 +349,7 @@ This policy setting allows you to control whether Image Creator functionality is
<!-- SetCopilotHardwareKey-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 with [KB5044380](https://support.microsoft.com/help/5044380) [10.0.22621.4391] and later |
<!-- SetCopilotHardwareKey-Applicability-End -->
<!-- SetCopilotHardwareKey-OmaUri-Begin -->
@ -360,7 +422,7 @@ This policy setting determines which app opens when the user presses the Copilot
<!-- Description-Source-ADMX -->
This policy allows you to define a list of apps that won't be included in snapshots for Recall.
Users are able to add additional applications to exclude from snapshots using Recall settings.
Users will be able to add additional applications to exclude from snapshots using Recall settings.
The list can include Application User Model IDs (AUMID) or name of the executable file.
@ -429,7 +491,7 @@ For example: `code.exe;Microsoft.WindowsNotepad_8wekyb3d8bbwe!App;ms-teams.exe`
<!-- Description-Source-ADMX -->
This policy setting lets you define a list of URIs that won't be included in snapshots for Recall when a supported browser is used. People within your organization can use Recall settings to add more websites to the list. Define the list using a semicolon to separate URIs.
For example: `https://www.Contoso.com;https://www.WoodgroveBank.com;https://www.Adatum.com`.
For example: `https://www.Contoso.com;https://www.WoodgroveBank.com;https://www.Adatum.com`
Adding `https://www.WoodgroveBank.com` to the list would also filter `https://Account.WoodgroveBank.com` and `https://www.WoodgroveBank.com/Account`.
@ -628,6 +690,9 @@ When this setting isn't configured, the OS configures the storage allocation for
<!-- TurnOffWindowsCopilot-Begin -->
## TurnOffWindowsCopilot
> [!NOTE]
> This policy is deprecated and may be removed in a future release.
<!-- TurnOffWindowsCopilot-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
@ -646,7 +711,7 @@ This policy setting allows you to turn off Windows Copilot.
- If you enable this policy setting, users won't be able to use Copilot. The Copilot icon won't appear on the taskbar either.
- If you disable or don't configure this policy setting, users are able to use Copilot when it's available to them.
- If you disable or don't configure this policy setting, users will be able to use Copilot when it's available to them.
<!-- TurnOffWindowsCopilot-Description-End -->
<!-- TurnOffWindowsCopilot-Editable-Begin -->

4
windows/client-management/mdm/policy-csp-windowslogon.md
View File

@ -1,7 +1,7 @@
---
title: WindowsLogon Policy CSP
description: Learn more about the WindowsLogon Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -349,7 +349,7 @@ This policy setting allows you to control whether users see the first sign-in an
| Name | Value |
|:--|:--|
| Name | EnableFirstLogonAnimation |
| Friendly Name | Show first sign-in animation |
| Friendly Name | Show first sign-in animation |
| Location | Computer Configuration |
| Path | System > Logon |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |

94
windows/client-management/mdm/policy-csp-windowssandbox.md
View File

@ -1,7 +1,7 @@
---
title: WindowsSandbox Policy CSP
description: Learn more about the WindowsSandbox Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 11/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -19,7 +19,7 @@ ms.date: 09/27/2024
<!-- AllowAudioInput-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later <br> ✅ Windows 10, version 20H2 [10.0.19042.4950] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.4950] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- AllowAudioInput-Applicability-End -->
<!-- AllowAudioInput-OmaUri-Begin -->
@ -54,10 +54,18 @@ Note that there may be security implications of exposing host audio input to the
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
<!-- AllowAudioInput-DFProperties-End -->
<!-- AllowAudioInput-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Not allowed. |
| 1 (Default) | Allowed. |
<!-- AllowAudioInput-AllowedValues-End -->
<!-- AllowAudioInput-GpMapping-Begin -->
**Group policy mapping**:
@ -84,7 +92,7 @@ Note that there may be security implications of exposing host audio input to the
<!-- AllowClipboardRedirection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later <br> ✅ Windows 10, version 20H2 [10.0.19042.4950] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.4950] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- AllowClipboardRedirection-Applicability-End -->
<!-- AllowClipboardRedirection-OmaUri-Begin -->
@ -117,10 +125,18 @@ This policy setting enables or disables clipboard sharing with the sandbox.
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
<!-- AllowClipboardRedirection-DFProperties-End -->
<!-- AllowClipboardRedirection-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Not allowed. |
| 1 (Default) | Allowed. |
<!-- AllowClipboardRedirection-AllowedValues-End -->
<!-- AllowClipboardRedirection-GpMapping-Begin -->
**Group policy mapping**:
@ -182,10 +198,18 @@ Note that there may be security implications of exposing folders from the host i
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
<!-- AllowMappedFolders-DFProperties-End -->
<!-- AllowMappedFolders-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Not allowed. |
| 1 (Default) | Allowed. |
<!-- AllowMappedFolders-AllowedValues-End -->
<!-- AllowMappedFolders-GpMapping-Begin -->
**Group policy mapping**:
@ -212,7 +236,7 @@ Note that there may be security implications of exposing folders from the host i
<!-- AllowNetworking-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later <br> ✅ Windows 10, version 20H2 [10.0.19042.4950] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.4950] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- AllowNetworking-Applicability-End -->
<!-- AllowNetworking-OmaUri-Begin -->
@ -247,10 +271,18 @@ Note that enabling networking can expose untrusted applications to the internal
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
<!-- AllowNetworking-DFProperties-End -->
<!-- AllowNetworking-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Not allowed. |
| 1 (Default) | Allowed. |
<!-- AllowNetworking-AllowedValues-End -->
<!-- AllowNetworking-GpMapping-Begin -->
**Group policy mapping**:
@ -277,7 +309,7 @@ Note that enabling networking can expose untrusted applications to the internal
<!-- AllowPrinterRedirection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later <br> ✅ Windows 10, version 20H2 [10.0.19042.4950] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.4950] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- AllowPrinterRedirection-Applicability-End -->
<!-- AllowPrinterRedirection-OmaUri-Begin -->
@ -310,10 +342,18 @@ This policy setting enables or disables printer sharing from the host into the S
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
<!-- AllowPrinterRedirection-DFProperties-End -->
<!-- AllowPrinterRedirection-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Not allowed. |
| 1 (Default) | Allowed. |
<!-- AllowPrinterRedirection-AllowedValues-End -->
<!-- AllowPrinterRedirection-GpMapping-Begin -->
**Group policy mapping**:
@ -340,7 +380,7 @@ This policy setting enables or disables printer sharing from the host into the S
<!-- AllowVGPU-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later <br> ✅ Windows 10, version 20H2 [10.0.19042.4950] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.4950] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- AllowVGPU-Applicability-End -->
<!-- AllowVGPU-OmaUri-Begin -->
@ -375,10 +415,18 @@ Note that enabling virtualized GPU can potentially increase the attack surface o
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
<!-- AllowVGPU-DFProperties-End -->
<!-- AllowVGPU-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Not allowed. |
| 1 (Default) | Allowed. |
<!-- AllowVGPU-AllowedValues-End -->
<!-- AllowVGPU-GpMapping-Begin -->
**Group policy mapping**:
@ -405,7 +453,7 @@ Note that enabling virtualized GPU can potentially increase the attack surface o
<!-- AllowVideoInput-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later <br> ✅ Windows 10, version 20H2 [10.0.19042.4950] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.4950] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- AllowVideoInput-Applicability-End -->
<!-- AllowVideoInput-OmaUri-Begin -->
@ -440,10 +488,18 @@ Note that there may be security implications of exposing host video input to the
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
<!-- AllowVideoInput-DFProperties-End -->
<!-- AllowVideoInput-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Not allowed. |
| 1 (Default) | Allowed. |
<!-- AllowVideoInput-AllowedValues-End -->
<!-- AllowVideoInput-GpMapping-Begin -->
**Group policy mapping**:
@ -505,11 +561,19 @@ Note that there may be security implications of exposing folders from the host i
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
| Dependency [WindowsSandbox_AllowWriteToMappedFolders_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowMappedFolders` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- AllowWriteToMappedFolders-DFProperties-End -->
<!-- AllowWriteToMappedFolders-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Not allowed. |
| 1 (Default) | Allowed. |
<!-- AllowWriteToMappedFolders-AllowedValues-End -->
<!-- AllowWriteToMappedFolders-GpMapping-Begin -->
**Group policy mapping**:

4
windows/client-management/mdm/supl-csp.md
View File

@ -1,7 +1,7 @@
---
title: SUPL CSP
description: Learn more about the SUPL CSP.
ms.date: 01/18/2024
ms.date: 11/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -289,7 +289,7 @@ Required. The AppID for SUPL is automatically set to "ap0004". This is a read-on
<!-- Device-SUPL1-Ext-Microsoft-FullVersion-Description-Begin -->
<!-- Description-Source-DDF -->
Optional. Determines the full version (X. Y. Z where X, Y and Z are major version, minor version, service indicator, respectively) of the SUPL protocol to use. The default is 1.0.0. If FullVersion is defined, Version field is ignored.
Optional. Determines the full version (`X.Y.Z` where X, Y and Z are major version, minor version, service indicator, respectively) of the SUPL protocol to use. The default is 1.0.0. If FullVersion is defined, Version field is ignored.
<!-- Device-SUPL1-Ext-Microsoft-FullVersion-Description-End -->
<!-- Device-SUPL1-Ext-Microsoft-FullVersion-Editable-Begin -->

4
windows/configuration/start/index.md
View File

@ -1,8 +1,8 @@
---
title: Configure the Start menu
title: Configure The Windows Start Menu With Policy Settings
description: Learn how to configure the Windows Start menu to provide quick access to the tools and applications that users need most.
ms.topic: overview
ms.date: 04/10/2024
ms.date: 12/02/2024
zone_pivot_groups: windows-versions-11-10
ms.collection:
- essentials-manage

4
windows/configuration/start/layout.md
View File

@ -1,8 +1,8 @@
---
title: Customize the Start layout
title: Customize The Start Layout For Managed Windows Devices
description: Learn how to customize the Windows Start layout, export its configuration, and deploy the customization to other devices.
ms.topic: how-to
ms.date: 04/10/2024
ms.date: 12/02/2024
zone_pivot_groups: windows-versions-11-10
appliesto:
---

2
windows/configuration/start/xsd.md
View File

@ -2,7 +2,7 @@
title: Start XML Schema Definition (XSD)
description: Start XSD reference article.
ms.topic: reference
ms.date: 04/10/2024
ms.date: 12/02/2024
appliesto:
- ✅ <a href=/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
---

4
windows/configuration/store/index.md
View File

@ -1,8 +1,8 @@
---
title: Configure access to the Microsoft Store app
title: Configure Access To The Microsoft Store App For Windows Devices
description: Learn how to configure access to the Microsoft Store app.
ms.topic: how-to
ms.date: 03/13/2024
ms.date: 12/02/2024
---
# Configure access to the Microsoft Store app

24
windows/deployment/mbr-to-gpt.md
View File

@ -4,7 +4,7 @@ description: Use MBR2GPT.EXE to convert a disk from the Master Boot Record (MBR)
ms.service: windows-client
author: frankroj
ms.author: frankroj
ms.date: 11/16/2023
ms.date: 11/26/2024
manager: aaroncz
ms.localizationpriority: high
ms.topic: how-to
@ -29,10 +29,10 @@ See the following video for a detailed description and demonstration of MBR2GPT.
> [!VIDEO https://www.youtube-nocookie.com/embed/hfJep4hmg9o]
You can use MBR2GPT to:
MBR2GPT can be used to:
- Convert any attached MBR-formatted system disk to the GPT partition format. You can't use the tool to convert non-system disks from MBR to GPT.
- Convert an MBR disk with BitLocker-encrypted volumes as long as protection is suspended. To resume BitLocker after conversion, you'll need to delete the existing protectors and recreate them.
- Convert any attached MBR-formatted system disk to the GPT partition format. The tool can't be used to convert non-system disks from MBR to GPT.
- Convert an MBR disk with BitLocker-encrypted volumes as long as protection is suspended. To resume BitLocker after conversion, the existing protectors need to be deleted and then recreated.
- Convert an operating system disk from MBR to GPT using Microsoft Configuration Manager or Microsoft Deployment Toolkit (MDT).
Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 aren't officially supported. The recommended method to convert these disks is to upgrade the operating system to a currently supported version of Windows, then perform the MBR to GPT conversion.
@ -41,7 +41,7 @@ Offline conversion of system disks with earlier versions of Windows installed, s
>
> After the disk has been converted to GPT partition style, the firmware must be reconfigured to boot in UEFI mode.
>
> Make sure that your device supports UEFI before attempting to convert the disk.
> Make sure the device supports UEFI before attempting to convert the disk.
## Disk Prerequisites
@ -93,7 +93,7 @@ MBR2GPT: Validation completed successfully
In the following example:
1. The current disk partition layout is displayed prior to conversion using DiskPart - three partitions are present on the MBR disk (disk 0):
1. Using DiskPart the current disk partition layout is displayed before the conversion. Three partitions are present on the MBR disk (disk 0):
- A system reserved partition.
- A Windows partition.
@ -110,7 +110,7 @@ In the following example:
1. The OS volume is selected again. The detail displays that the OS volume is converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type.
As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition boots properly.
As noted in the output from the MBR2GPT tool, changes to the computer firmware need to be made so that the new EFI system partition boots properly.
<br>
<details>
@ -267,7 +267,7 @@ If the existing MBR system partition isn't reused for the EFI system partition,
> [!IMPORTANT]
>
> If the existing MBR system partition is not reused for the EFI system partition, it might be assigned a drive letter. If you do not wish to use this small partition, you must manually hide the drive letter.
> If the existing MBR system partition isn't reused for the EFI system partition, it might be assigned a drive letter. If this small partition isn't going to be used, its drive letter must be manually hidden.
### Partition type mapping and partition attributes
@ -290,11 +290,11 @@ For more information about partition types, see:
### Persisting drive letter assignments
The conversion tool attempts to remap all drive letter assignment information contained in the registry that corresponds to the volumes of the converted disk. If a drive letter assignment can't be restored, an error is displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter.
The conversion tool attempts to remap all drive letter assignment information contained in the registry that corresponds to the volumes of the converted disk. If a drive letter assignment can't be restored, an error is displayed at the console and in the log, so that correct assignment of the drive letter can be manually performed.
> [!IMPORTANT]
>
> This code runs after the layout conversion has taken place, so the operation cannot be undone at this stage.
> This code runs after the layout conversion takes place, so the operation can't be undone at this stage.
The conversion tool will obtain volume unique ID data before and after the layout conversion, organizing this information into a lookup table. It then iterates through all the entries in **HKLM\SYSTEM\MountedDevices**, and for each entry it does the following:
@ -398,7 +398,7 @@ The partition type can be determined in one of three ways:
#### Windows PowerShell
You can enter the following command at a Windows PowerShell prompt to display the disk number and partition type:
The following command can be entered at a Windows PowerShell prompt to display the disk number and partition type:
```powershell
Get-Disk | ft -Auto
@ -417,7 +417,7 @@ Number Friendly Name Serial Number HealthStatus OperationalStatus To
#### Disk Management tool
You can view the partition type of a disk by using the Disk Management tool:
The partition type of a disk can be viewed by using the Disk Management tool:
1. Right-click on the Start Menu and select **Disk Management**. Alternatively, right-click on the Start Menu and select **Run**. In the **Run** dialog box that appears, enter `diskmgmt.msc` and then select **OK**.

10
windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
View File

@ -36,7 +36,7 @@ Device readiness in Windows Autopatch is divided into two different scenarios:
### Device readiness checks available for each scenario
| Required device readiness (prerequisite checks) before device registration (powered by Intune Graph API) | Required post-device registration readiness checks (powered by Microsoft Cloud Managed Desktop Extension) |
| Required device readiness (prerequisite checks) before device registration (powered by Intune Graph API) | Required post-device registration readiness checks (powered by Microsoft Cloud Managed Desktop Extension and Windows Autopatch Client Broker) |
| ----- | ----- |
| <ul><li>Windows OS (build, architecture, and edition)</li></li><li>Managed by either Intune or ConfigMgr co-management</li><li>ConfigMgr co-management workloads</li><li>Last communication with Intune</li><li>Personal or non-Windows devices</li></ul> | <ul><li>Windows OS (build, architecture, and edition)</li><li>Windows updates & Office Group Policy Object (GPO) versus Intune mobile device management (MDM) policy conflict</li><li>Bind network endpoints (Microsoft Defender, Microsoft Teams, Microsoft Edge, Microsoft Office)</li><li>Internet connectivity</li></ul> |
@ -66,7 +66,7 @@ A healthy or active device in Windows Autopatch is:
- Actively sending data
- Passes all post-device registration readiness checks
The post-device registration readiness checks are powered by the **Microsoft Cloud Managed Desktop Extension**. It's installed right after devices are successfully registered with Windows Autopatch. The **Microsoft Cloud Managed Desktop Extension** has the Device Readiness Check Plugin. The Device Readiness Check Plugin is responsible for performing the readiness checks and reporting the results back to the service. The **Microsoft Cloud Managed Desktop Extension** is a subcomponent of the overall Windows Autopatch service.
The post-device registration readiness checks are powered by the **Microsoft Cloud Managed Desktop Extension**. It's installed right after devices are successfully registered with Windows Autopatch. The **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** has the Device Readiness Check Plugin. The Device Readiness Check Plugin is responsible for performing the readiness checks and reporting the results back to the service. The **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** are subcomponents of the overall Windows Autopatch service.
The following list of post-device registration readiness checks is performed in Windows Autopatch:
@ -90,8 +90,8 @@ See the following diagram for the post-device registration readiness checks work
| Step | Description |
| ----- | ----- |
| **Steps 1-7** | For more information, see the [Device registration overview diagram](windows-autopatch-device-registration-overview.md).|
| **Step 8: Perform readiness checks** |<ol><li>Once devices are successfully registered with Windows Autopatch, the devices are added to the **Ready** tab.</li><li>The Microsoft Cloud Managed Desktop Extension agent performs readiness checks against devices in the **Ready** tab every 24 hours.</li></ol> |
| **Step 9: Check readiness status** |<ol><li>The Microsoft Cloud Managed Desktop Extension service evaluates the readiness results gathered by its agent.</li><li>The readiness results are sent from the Microsoft Cloud Managed Desktop Extension service component to the Device Readiness component within the Windows Autopatch's service.</li></ol>|
| **Step 8: Perform readiness checks** |<ol><li>Once devices are successfully registered with Windows Autopatch, the devices are added to the **Ready** tab.</li><li>The Microsoft Cloud Managed Desktop Extension and Windows Autopatch Client Broker agents perform readiness checks against devices in the **Ready** tab every 24 hours.</li></ol> |
| **Step 9: Check readiness status** |<ol><li>The Microsoft Cloud Managed Desktop Extension and Windows Autopatch Client Broker service evaluates the readiness results gathered by its agent.</li><li>The readiness results are sent from the Microsoft Cloud Managed Desktop Extension and Windows Autopatch Client Broker service component to the Device Readiness component within the Windows Autopatch's service.</li></ol>|
| **Step 10: Add devices to the Not ready** | When devices don't pass one or more readiness checks, even if they're registered with Windows Autopatch, they're added to the **Not ready** tab so IT admins can remediate devices based on Windows Autopatch recommendations. |
| **Step 11: IT admin understands what the issue is and remediates** | The IT admin checks and remediates issues in the Devices blade (**Not ready** tab). It can take up to 24 hours for devices to show in the **Ready** tab. |
@ -99,7 +99,7 @@ See the following diagram for the post-device registration readiness checks work
| Question | Answer |
| ----- | ----- |
| **How frequent are the post-device registration readiness checks performed?** |<ul><li>The **Microsoft Cloud Managed Desktop Extension** agent collects device readiness statuses when it runs (once a day).</li><li>Once the agent collects results for the post-device registration readiness checks, it generates readiness results in the device in the `%programdata%\Microsoft\CMDExtension\Plugins\DeviceReadinessPlugin\Logs\DRCResults.json.log`.</li><li>The readiness results are sent over to the **Microsoft Cloud Managed Desktop Extension service**.</li><li>The **Microsoft Cloud Managed Desktop Extension** service component sends the readiness results to the Device Readiness component. The results appear in the Windows Autopatch Devices blade (**Not ready** tab).</li></ul>|
| **How frequent are the post-device registration readiness checks performed?** |<ul><li>The **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** agents collect device readiness statuses when it runs (once a day).</li><li>Once the agent collects results for the post-device registration readiness checks, it generates readiness results in the device in the `%programdata%\Microsoft\CMDExtension\Plugins\DeviceReadinessPlugin\Logs\DRCResults.json.log`.</li><li>The readiness results are sent over to **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** service.</li><li>The **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** service component sends the readiness results to the Device Readiness component. The results appear in the Windows Autopatch Devices blade (**Not ready** tab).</li></ul>|
| **What to expect when one or more checks fail?** | Devices are automatically sent to the **Ready** tab once they're successfully registered with Windows Autopatch. When devices don't meet one or more post-device registration readiness checks, the devices are moved to the **Not ready** tab. IT admins can learn about these devices and take appropriate actions to remediate them. Windows Autopatch provides information about the failure and how to potentially remediate devices.<p>Once devices are remediated, it can take up to **24 hours** to appear in the **Ready** tab.</p>|
## Additional resources

4
windows/deployment/windows-autopatch/references/windows-autopatch-changes-made-at-feature-activation.md
View File

@ -87,7 +87,7 @@ The following groups target Windows Autopatch configurations to devices and mana
## Microsoft Edge update policies
> [!IMPORTANT]
> By default, these policies are not deployed. You can opt-in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).<p>To update Microsoft Office, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle the must be set to [**Allow**](../manage/windows-autopatch-edge.md#allow-or-block-microsoft-edge-updates).</p>
> By default, these policies are not deployed. You can opt-in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).<p>To update Microsoft Edge, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle the must be set to [**Allow**](../manage/windows-autopatch-edge.md#allow-or-block-microsoft-edge-updates).</p>
- Windows Autopatch - Edge Update Channel Stable
- Windows Autopatch - Edge Update Channel Beta
@ -100,7 +100,7 @@ The following groups target Windows Autopatch configurations to devices and mana
## Driver updates for Windows 10 and later
> [!IMPORTANT]
> By default, these policies are not deployed. You can opt-in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).<p>To update Microsoft Office, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle the must be set to [**Allow**](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group).</p>
> By default, these policies are not deployed. You can opt-in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).<p>To update drivers and firmware, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle the must be set to [**Allow**](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group).</p>
- Windows Autopatch - Driver Update Policy [Test]
- Windows Autopatch - Driver Update Policy [First]

4
windows/security/identity-protection/enterprise-certificate-pinning.md
View File

@ -1,8 +1,8 @@
---
title: Enterprise certificate pinning
title: Enterprise Certificate Pinning In Windows
description: Enterprise certificate pinning is a Windows feature for remembering, or pinning, a root issuing certificate authority, or end-entity certificate to a domain name.
ms.topic: concept-article
ms.date: 03/12/2024
ms.date: 12/02/2024
---
# Enterprise certificate pinning overview

28
windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
View File

@ -49,3 +49,31 @@ You can configure Windows devices to use the **dynamic lock** using a Group Poli
The `rssiMin` attribute value signal indicates the strength needed for the device to be considered *in-range*. The default value of `-10` enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The `rssiMaxDelta` has a default value of `-10`, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10.
RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other.
## Configure Dynamic lock with Microsoft Intune
To configure Dynamic lock using Microsoft Intune, follow these steps:
1. Open the Microsoft Intune admin center and navigate to Devices > Windows > Configuration policies.
1. Create a new policy:
- Platform: Windows 10 and later
- Profile type: Templates - Custom
- Select Create
1. Configure the profile:
- Name: Provide a name for the profile.
- Description: (Optional) Add a description.
1. Add OMA-URI settings:
- Enable Dynamic lock:
- Name: Enable Dynamic lock
- Description: (Optional) This setting enables Dynamic lock
- OMA-URI: ./Device/Vendor/MSFT/PassportForWork/DynamicLock/DynamicLock
- Data type: Boolean
- Value: True
- Define the Dynamic lock signal rule:
- Name: Dynamic lock Signal Rule
- Description: (Optional) This setting configures Dynamic lock values
- OMA-URI: ./Device/Vendor/MSFT/PassportForWork/DynamicLock/Plugins
- Data type: String
- Value: `<rule schemaVersion="1.0"><signal type="bluetooth" scenario="Dynamic Lock" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/></rule>`
1. Assign the profile to the appropriate groups.

4
windows/security/identity-protection/passwordless-experience/index.md
View File

@ -1,9 +1,9 @@
---
title: Windows passwordless experience
title: Configure Windows Passwordless Experience With Intune
description: Learn how Windows passwordless experience enables your organization to move away from passwords.
ms.collection:
- tier1
ms.date: 03/12/2024
ms.date: 12/02/2024
ms.topic: how-to
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>

4
windows/security/identity-protection/web-sign-in/index.md
View File

@ -1,7 +1,7 @@
---
title: Web sign-in for Windows
title: Use Web Sign-In To Enable Passwordless Sign-In In Windows
description: Learn how Web sign-in in Windows works, key scenarios, and how to configure it.
ms.date: 04/10/2024
ms.date: 12/02/2024
ms.topic: how-to
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>

4
windows/security/licensing-and-edition-requirements.md
View File

@ -1,8 +1,8 @@
---
title: Windows security features licensing and edition requirements
title: Windows Security Features Licensing And Edition Requirements
description: Learn about Windows licensing and edition requirements for the features included in Windows.
ms.topic: conceptual
ms.date: 04/10/2024
ms.date: 12/02/2024
appliesto:
- ✅ <a href=/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
ms.author: paoloma

6
windows/security/operating-system-security/data-protection/configure-s-mime.md
View File

@ -1,8 +1,8 @@
---
title: Configure S/MIME for Windows
title: Configure S/MIME For Windows
description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, also known as a certificate, can read them. Learn how to configure S/MIME for Windows.
ms.topic: how-to
ms.date: 04/10/2024
ms.date: 12/02/2024
---
@ -68,4 +68,4 @@ When you receive a signed email, the app provides a feature to install correspon
1. Select the digital signature icon in the reading pane
1. Select **Install.**
:::image type="content" alt-text="Screenshot of the Windows Mail app, showing a message to install the sender's encryption certificate." source="images/install-cert.png":::
:::image type="content" alt-text="Screenshot of the Windows Mail app, showing a message to install the sender's encryption certificate." source="images/install-cert.png":::

4
windows/security/security-foundations/certification/toc.yml
View File

@ -9,6 +9,8 @@ items:
href: validations/fips-140-windows10.md
- name: Previous Windows releases
href: validations/fips-140-windows-previous.md
- name: Windows Server 2022
href: validations/fips-140-windows-server-2022.md
- name: Windows Server 2019
href: validations/fips-140-windows-server-2019.md
- name: Windows Server 2016
@ -32,4 +34,4 @@ items:
- name: Windows Server semi-annual releases
href: validations/cc-windows-server-semi-annual.md
- name: Previous Windows Server releases
href: validations/cc-windows-server-previous.md
href: validations/cc-windows-server-previous.md

4
windows/whats-new/windows-licensing.md
View File

@ -1,5 +1,5 @@
---
title: Windows commercial licensing overview
title: Windows Commercial Licensing Overview
description: Learn about products and use rights available through Windows commercial licensing.
ms.subservice: itpro-security
author: paolomatarazzo
@ -8,7 +8,7 @@ manager: aaroncz
ms.collection:
- tier2
ms.topic: overview
ms.date: 02/29/2024
ms.date: 12/02/2024
appliesto:
- ✅ <a href=/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
ms.service: windows-client