Merge branch 'main' into ADO-8098862

Thomas Raya 2023-12-11 16:34:33 -08:00
commit cc8901a2cf
781 changed files with 15319 additions and 18168 deletions

5
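--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,5 @@
+blank_issues_enabled: false
+contact_links:
+- name: New feedback experience
+url: https://learn.microsoft.com/office/new-feedback
+about: Were transitioning our feedback experience away from GitHub Issues. For more information, select Open.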


@ -12,7 +12,8 @@
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
"RestApi": "Content",
"ZonePivotGroups": "Toc"
},
"build_entry_point": "docs",
"template_folder": "_themes"
@ -90,6 +91,7 @@
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"ZonePivotGroups": "Toc",
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
@ -106,6 +108,7 @@
"moniker_ranges": [],
"open_to_public_contributors": false,
"type_mapping": {
"ZonePivotGroups": "Toc",
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
@ -122,6 +125,7 @@
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"ZonePivotGroups": "Toc",
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
@ -138,6 +142,7 @@
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"ZonePivotGroups": "Toc",
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
@ -170,6 +175,7 @@
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"ZonePivotGroups": "Toc",
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
@ -186,6 +192,7 @@
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"ZonePivotGroups": "Toc",
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
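Review bot: The new `"ZonePivotGroups": "Toc"` entry is placed inconsistently: the first hunk (-12,7) appends it after `"RestApi": "Content",`, while the six later hunks insert it as the first key of `type_mapping`. Key order does not matter to a JSON parser, but keeping one position in every docset makes these near-identical entries easier to compare in later diffs. The hunks at old lines 90, 106, 122, 138, 170 and 186 are 16 lines apart except for a gap around old line 154, so one docset's `type_mapping` may have been skipped; that entry is not visible here and should be confirmed. In the later hunks the end of each `type_mapping` object lies outside the hunk, so it is also worth checking that this merge leaves no docset with the key present twice.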


@ -159,6 +159,21 @@
"source_path": "education/windows/windows-automatic-redeployment.md",
"redirect_url": "/education/windows/autopilot-reset",
"redirect_document_id": false
},
{
"source_path": "education/windows/tutorial-school-deployment/enroll-aadj.md",
"redirect_url": "/education/windows/tutorial-school-deployment/enroll-entra-join",
"redirect_document_id": false
},
{
"source_path": "education/windows/tutorial-school-deployment/set-up-azure-ad.md",
"redirect_url": "/education/windows/tutorial-school-deployment/set-up-microsoft-entra-id",
"redirect_document_id": false
},
{
"source_path": "education/windows/set-up-school-pcs-whats-new.md",
"redirect_url": "/education/windows",
"redirect_document_id": false
}
]
}


@ -177,7 +177,12 @@
},
{
"source_path": "windows/security/hardware-protection/tpm/trusted-platform-module-top-node.md",
"redirect_url": "/windows/security/hardware-security/tpm/trusted-platform-module-top-node",
"redirect_url": "/windows/security/hardware-security/tpm/trusted-platform-module-overview",
"redirect_document_id": false
},
{
"source_path": "windows/security/hardware-security/tpm/trusted-platform-module-top-node.md",
"redirect_url": "/windows/security/hardware-security/tpm/trusted-platform-module-overview",
"redirect_document_id": false
},
{
@ -532,7 +537,7 @@
},
{
"source_path": "windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker#device-encryption",
"redirect_document_id": false
},
{
@ -587,7 +592,7 @@
},
{
"source_path": "windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview",
"redirect_document_id": false
},
{
@ -617,7 +622,7 @@
},
{
"source_path": "windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/manage-recovery-passwords#bitlocker-recovery-password-viewer",
"redirect_document_id": false
},
{
@ -6842,7 +6847,7 @@
},
{
"source_path": "windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-logging",
"redirect_document_id": false
},
{
@ -6925,11 +6930,6 @@
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/create-wmi-filters-for-the-gpo",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/determining-the-trusted-state-of-your-devices",
@ -7077,7 +7077,7 @@
},
{
"source_path": "windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/isolating-apps-on-your-network",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831418(v=ws.11)",
"redirect_document_id": false
},
{
@ -7414,6 +7414,641 @@
"source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml",
"redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/faq",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/configure#$bitlocker-policy-settings",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-comparison.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/configure#bitlocker-policy-settings",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-countermeasures.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/countermeasures",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/recovery-process#bitlocker-recovery-password-viewer",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/network-unlock",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/configure",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/configure",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/plan",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/operations-guide",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/csv-san",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/install-server",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker#device-encryption",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/basic-firewall-policy-design.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj721530(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/boundary-zone.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc725978(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/boundary-zone-gpos.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770729(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731463(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design-example.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771822(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/documenting-the-zones.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc753825(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/domain-isolation-policy-design.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc725818(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/domain-isolation-policy-design-example.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732933(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/encryption-zone.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc753367(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/encryption-zone-gpos.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770426(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/exemption-list.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732202(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/firewall-gpos.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771233(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/firewall-policy-design-example.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731164(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-boundary.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770565(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-encryption.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754085(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-firewall.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731123(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-isolateddomain-clients.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770836(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-isolateddomain-servers.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731908(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/isolated-domain.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731788(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/isolated-domain-gpos.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731447(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj721532(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-certificate-based-authentication.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc730835(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-domain-isolation-zones.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771044(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-gpo-deployment.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771733(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732752(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-isolation-groups-for-the-zones.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc725693(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-network-access-groups.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771664(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-server-isolation-zones.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732615(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-settings-for-a-basic-firewall-policy.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754986(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-the-gpos.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771716(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947826(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc730841(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/server-isolation-gpos.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732486(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj721528(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design-example.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732413(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770289(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-basic-firewall-settings.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947845(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947794(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947848(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947836(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947800(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947783(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-group-policy-objects.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947791(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-inbound-firewall-rules.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947799(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-outbound-firewall-rules.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947827(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947819(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717261(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717238(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717284(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717277(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732023(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717256(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/protect-devices-from-unwanted-network-traffic.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc772556(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770865(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/restrict-access-to-only-specified-users-or-devices.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc753064(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/restrict-access-to-only-trusted-devices.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc725659(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731951(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717241(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-design-guide.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732024(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717262(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717263(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/assign-security-group-filters-to-the-gpo.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717260(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/change-rules-from-request-to-require-mode.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717237(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-authentication-methods.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717279(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-data-protection-quick-mode-settings.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717293(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717253(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-key-exchange-main-mode-settings.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717249(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-the-rules-to-require-encryption.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717270(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-the-workstation-authentication-certificate-template.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717275(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717278(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/confirm-that-certificates-are-deployed-correctly.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717245(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717246(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-a-group-account-in-active-directory.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717247(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717274(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-authentication-exemption-list-rule.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717243(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-authentication-request-rule.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717283(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-wmi-filters-for-the-gpo.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717288(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/enable-predefined-inbound-rules.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717281(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/enable-predefined-outbound-rules.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717259(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/exempt-icmp-from-authentication.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717292(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/link-the-gpo-to-the-domain.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717264(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717265(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717290(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717269(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717266(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/open-windows-firewall-with-advanced-security.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717254(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/restrict-server-access-to-members-of-a-group-only.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717267(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717251(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/verify-that-network-traffic-is-authenticated.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717273(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/gathering-the-information-you-need.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731454(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/gathering-information-about-your-current-network-infrastructure.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770899(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/gathering-information-about-your-active-directory-deployment.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771366(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/gathering-information-about-your-devices.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc726039(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/gathering-other-relevant-information.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771791(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/determining-the-trusted-state-of-your-devices.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc753540(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-inbound-rules-to-support-rpc.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-outbound-program-or-service-rule.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-outbound-port-rule.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-program-or-service-rule.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-port-rule.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-icmp-rule.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall-with-advanced-security-administration-with-windows-powershell.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831807(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/isolating-apps-on-your-network.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831418(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-logging",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-windows-firewall-rules-in-intune.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/firewall-settings-lost-on-upgrade.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md",
"redirect_url": "/windows/security/identity-protection/hello-for-business/rdp-sign-in",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md",
"redirect_url": "/windows/security/identity-protection/hello-for-business/rdp-sign-in",
"redirect_document_id": false
}
]
}
}


@ -56,7 +56,10 @@
"jborsecnik",
"tiburd",
"garycentric",
"beccarobins"
"beccarobins",
"Stacyrch140",
"v-stsavell",
"American-Dipper"
]
},
"fileMetadata": {},


@ -40,14 +40,6 @@ landingContent:
- text: Evaluate the impact
url: ./microsoft-edge-forrester.md
# Card (optional)
- title: Test your site on Microsoft Edge
linkLists:
- linkListType: overview
links:
- text: Test your site on Microsoft Edge for free on BrowserStack
url: https://developer.microsoft.com/microsoft-edge/tools/remote/
# Card (optional)
- title: Improve compatibility with Enterprise Mode
linkLists:


@ -1,3 +1,4 @@
items:
- name: Windows
tocHref: /windows/
topicHref: /windows/index


@ -42,9 +42,8 @@
"ms.localizationpriority": "medium",
"breadcrumb_path": "/education/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-Windows",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"feedback_system": "Standard",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "Win.education",
@ -66,7 +65,8 @@
"garycentric",
"v-stsavell",
"beccarobins",
"Stacyrch140"
"Stacyrch140",
"American-Dipper"
]
},
"fileMetadata": {


@ -2,20 +2,13 @@
## Week of September 11, 2023
## Week of November 06, 2023
| Published On |Topic title | Change |
|------|------------|--------|
| 9/11/2023 | [Configure education themes for Windows 11](/education/windows/edu-themes) | modified |
| 9/11/2023 | [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in) | modified |
## Week of September 04, 2023
| Published On |Topic title | Change |
|------|------------|--------|
| 9/5/2023 | [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in) | modified |
| 9/5/2023 | [Windows for Education documentation](/education/windows/index) | modified |
| 9/5/2023 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |
| 11/7/2023 | [Reset devices with Autopilot Reset](/education/windows/autopilot-reset) | modified |
| 11/9/2023 | [Configure Stickers for Windows 11 SE](/education/windows/edu-stickers) | modified |
| 11/9/2023 | What's new in the Windows Set up School PCs app | removed |
| 11/9/2023 | [Management functionalities for Surface devices](/education/windows/tutorial-school-deployment/manage-surface-devices) | modified |
| 11/9/2023 | [Use Set up School PCs app](/education/windows/use-set-up-school-pcs-app) | modified |


@ -8,7 +8,7 @@ metadata:
title: Microsoft 365 Education Documentation
description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers.
ms.topic: hub-page
ms.date: 08/10/2022
ms.date: 11/06/2023
productDirectory:
title: For IT admins


@ -5,24 +5,20 @@ ms.date: 08/10/2022
ms.topic: how-to
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
ms.collection:
- highpri
- tier2
- education
---
# Reset devices with Autopilot Reset
# Reset devices with Autopilot Reset
IT admins or technical teachers can use Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen anytime and apply original settings and management enrollment (Microsoft Entra ID and device management) so the devices are ready to use. With Autopilot Reset, devices are returned to a fully configured or known IT-approved state.
To enable Autopilot Reset you must:
To enable Autopilot Reset, you must:
1. [Enable the policy for the feature](#enable-autopilot-reset)
2. [Trigger a reset for each device](#trigger-autopilot-reset)
## Enable Autopilot Reset
To use Autopilot Reset, [Windows Recovery Environment (WinRE) must be enabled on the device](#winre).
To use Autopilot Reset, Windows Recovery Environment (WinRE) must be enabled on the device.
**DisableAutomaticReDeploymentCredentials** is a policy that enables or disables the visibility of the credentials for Autopilot Reset. It's a policy node in the [Policy CSP](/windows/client-management/mdm/policy-csp-credentialproviders), **CredentialProviders/DisableAutomaticReDeploymentCredentials**. By default, this policy is set to 1 (Disable). This setting ensures that Autopilot Reset isn't triggered by accident.
@ -32,13 +28,13 @@ You can set the policy using one of these methods:
Check your MDM provider documentation on how to set this policy. If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set.
For example, in Intune, create a new configuration policy and add an OMA-URI.
For example, in Intune, create a new configuration policy and add an OMA-URI.
- OMA-URI: ./Vendor/MSFT/Policy/Config/CredentialProviders/DisableAutomaticReDeploymentCredentials
- Data type: Integer
- Value: 0
- Windows Configuration Designer
You can [use Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) to set the **Runtime settings > Policies > CredentialProviders > DisableAutomaticReDeploymentCredentials** setting and create a provisioning package.
- Set up School PCs app
@ -56,59 +52,50 @@ You can set the policy using one of these methods:
- When using [Set up School PCs](use-set-up-school-pcs-app.md), in the **Configure student PC settings** screen, select **Enable Windows 10 Autopilot Reset** among the list of settings for the student PC as shown in the following example:
![Configure student PC settings in Set up School PCs.](images/suspcs/suspc_configure_pc2.jpg)
## Trigger Autopilot Reset
Autopilot Reset is a two-step process: trigger it and then authenticate. Once you've done these two steps, you can let the process execute and once it's done, the device is again ready for use.
**To trigger Autopilot Reset**
Autopilot Reset is a two-step process: trigger it and then authenticate. Once you've done these two steps, you can let the process execute and once it's done, the device is again ready for use.
1. From the Windows device lock screen, enter the keystroke: **CTRL + Windows key + R**.
To trigger Autopilot Reset:
1. From the Windows device lock screen, enter the keystroke: <kbd>CTRL</kbd> + <kbd>WIN</kbd> + <kbd>R</kbd>.
![Enter CTRL+Windows key+R on the Windows lockscreen.](images/autopilot-reset-lockscreen.png)
This keystroke will open up a custom sign-in screen for Autopilot Reset. The screen serves two purposes:
This keystroke opens up a custom sign-in screen for Autopilot Reset. The screen serves two purposes:
1. Confirm/verify that the end user has the right to trigger Autopilot Reset
2. Notify the user in case a provisioning package, created using Windows Configuration Designer or Set up School PCs, will be used as part of the process.
1. Notify the user in case a provisioning package, created using Windows Configuration Designer or Set up School PCs, will be used as part of the process.
![Custom login screen for Autopilot Reset.](images/autopilot-reset-customlogin.png)
2. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger Autopilot Reset.
1. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger Autopilot Reset.
> [!IMPORTANT]
> To reestablish Wi-Fi connectivity after reset, make sure the **Connect automatically** box is checked for the device's wireless network connection.
Once Autopilot Reset is triggered, the reset process starts.
Once Autopilot Reset is triggered, the reset process starts.
After reset, the device:
- Sets the region, language, and keyboard.
- Connects to Wi-Fi.
- If you provided a provisioning package when Autopilot Reset is triggered, the system will apply this new provisioning package. Otherwise, the system will reapply the original provisioning package on the device.
- Sets the region, language, and keyboard
- Connects to Wi-Fi
- If you provided a provisioning package when Autopilot Reset is triggered, the system applies this new provisioning package. Otherwise, the system reapplies the original provisioning package on the device
- Is returned to a known good managed state, connected to Microsoft Entra ID and MDM.
![Notification that provisioning is complete.](images/autopilot-reset-provisioningcomplete.png)
Once provisioning is complete, the device is again ready for use.
<span id="winre"/>
## Troubleshoot Autopilot Reset
Autopilot Reset will fail when the [Windows Recovery Environment (WinRE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) isn't enabled on the device. You'll see `Error code: ERROR_NOT_SUPPORTED (0x80070032)`.
Autopilot Reset fails when the [Windows Recovery Environment (WinRE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) isn't enabled on the device. The error code is: `ERROR_NOT_SUPPORTED (0x80070032)`.
To make sure WinRE is enabled, use the [REAgentC.exe tool](/windows-hardware/manufacture/desktop/reagentc-command-line-options) to run the following command:
```console
reagentc /enable
```cmd
reagentc.exe /enable
```
If Autopilot Reset fails after enabling WinRE, or if you're unable to enable WinRE, kindly contact [Microsoft Support](https://support.microsoft.com) for assistance.
## Related articles
[Set up Windows devices for education](set-up-windows-10.md)


@ -1,21 +1,17 @@
---
title: Configure Stickers for Windows 11 SE
description: Learn about the Stickers feature and how to configure it via Intune and provisioning package.
ms.date: 09/15/2022
ms.date: 11/09/2023
ms.topic: how-to
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
ms.collection:
- highpri
- education
- tier2
---
# Configure Stickers for Windows 11 SE
Starting in **Windows 11 SE, version 22H2**, *Stickers* is a new feature that allows students to decorate their desktop with digital stickers. Students can choose from over 500 cheerful, education-friendly digital stickers. Stickers can be arranged, resized, and customized on top of the desktop background. Each student's stickers remain, even when the background changes.
Starting in **Windows 11 SE, version 22H2**, *Stickers* is a feature that allows students to decorate their desktop with digital stickers. Students can choose from over 500 cheerful, education-friendly digital stickers. Stickers can be arranged, resized, and customized on top of the desktop background. Each student's stickers remain, even when the background changes.
Similar to the [education theme packs](edu-themes.md "my tooltip example that opens in a new tab"), Stickers is a personalization feature that helps the device feel like it was designed for students.
Similar to the [education theme packs](edu-themes.md), Stickers is a personalization feature that helps the device feel like it was designed for students.
:::image type="content" source="./images/win-11-se-stickers.png" alt-text="Windows 11 SE desktop with 3 stickers" border="true":::
@ -35,9 +31,9 @@ Stickers aren't enabled by default. Follow the instructions below to configure y
[!INCLUDE [intune-custom-settings-1](../../includes/configure/intune-custom-settings-1.md)]
| Setting |
|--------|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Stickers/EnableStickers`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
| Setting |
|--------|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Stickers/EnableStickers`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
[!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)]
[!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)]


@ -1,7 +1,7 @@
---
title: Configure Take a Test in kiosk mode
description: Learn how to configure Windows to execute the Take a Test app in kiosk mode, using Intune and provisioning packages.
ms.date: 09/30/2022
ms.date: 11/08/2023
ms.topic: how-to
---


@ -13,20 +13,25 @@ ms.collection:
# Configure federated sign-in for Windows devices
Starting in Windows 11 SE, version 22H2 and Windows 11 Pro Edu/Education, version 22H2 with [KB5022913][KB-1], you can enable your users to sign-in using a federated identity provider (IdP) via web sign-in.\
This feature is called *federated sign-in*.\
Federated sign-in is a great way to simplify the sign-in process for your users: instead of having to remember a username and password defined in Microsoft Entra ID, they can sign-in using their existing credentials from the IdP. For example, students and educators can use QR code badges to sign-in.
Starting in Windows 11 SE, version 22H2 and Windows 11 Pro Edu/Education, version 22H2 with [KB5022913][KB-1], you can enable your users to sign-in using a federated identity provider (IdP) via a web sign-in experience.
Signing in with a federated identity can be a great way to simplify the sign-in process for your users: instead of having to remember a username and password defined in Microsoft Entra ID, they can sign-in using their existing credentials from the IdP. For example, students and educators can use QR code badges to sign-in.
## Benefits of federated sign-in
Federated sign-in enables students to sign-in in less time, and with less friction.
A federated sign-in experience enables students to sign-in in less time, and with less friction.
With fewer credentials to remember and a simplified sign-in process, students are more engaged and focused on learning.
There are two Windows features that enable a federated sign-in experience:
- *Federated sign-in*, which is designed for 1:1 student devices. For an optimal experience, you should not enable federated sign-in on shared devices
- *Web sign-in*, which provides a similar experience to *Federated sign-in*, and can be used for shared devices
> [!IMPORTANT]
> Currently, this feature is designed for 1:1 devices. For an optimal experience, you should not enable federated sign-in on shared devices.
> *Federated sign-in* and *Web sign-in* require different configurations, which are explained in this document.
## Prerequisites
To implement federated sign-in, the following prerequisites must be met:
To enable a federated sign-in experience, the following prerequisites must be met:
1. A Microsoft Entra tenant, with one or multiple domains federated to a third-party IdP. For more information, see [What is federation with Microsoft Entra ID?][AZ-1] and [Use a SAML 2.0 IdP for Single Sign On][AZ-4]
>[!NOTE]
@ -43,9 +48,9 @@ To implement federated sign-in, the following prerequisites must be met:
For more information about identity matching, see [Identity matching in Microsoft Entra ID](#identity-matching-in-azure-ad).
1. Licenses assigned to the Microsoft Entra user accounts. It's recommended to assign licenses to a dynamic group: when new users are provisioned in Microsoft Entra ID, the licenses are automatically assigned. For more information, see [Assign licenses to users by group membership in Microsoft Entra ID][AZ-2]
1. Enable federated sign-in on the Windows devices
1. Enable Federated sign-in or Web sign-in on the Windows devices, depending if the devices are shared or assigned to a single student
To use federated sign-in, the devices must have Internet access. This feature doesn't work without it, as the authentication is done over the Internet.
To use Federated sign-in or Web sign-in, the devices must have Internet access. These features don't work without it, as the authentication is done over the Internet.
> [!IMPORTANT]
> WS-Fed is the only supported federated protocol to join a device to Microsoft Entra ID. If you have a SAML 2.0 IdP, it's recommended to complete the Microsoft Entra join process using one of the following methods:
@ -54,25 +59,25 @@ To use federated sign-in, the devices must have Internet access. This feature do
[!INCLUDE [federated-sign-in](../../includes/licensing/federated-sign-in.md)]
Federated sign-in for student assigned (1:1) devices is supported on the following Windows editions and versions:
Federated sign-in is supported on the following Windows editions and versions:
- Windows 11 SE, version 22H2 and later
- Windows 11 Pro Edu/Education, version 22H2 with [KB5022913][KB-1]
Federated sign-in for shared devices is supported starting in Windows 11 SE/Pro Edu/Education, version 22H2 with [KB5026446][KB-2].
Web sign-in is supported starting in Windows 11 SE/Pro Edu/Education, version 22H2 with [KB5026446][KB-2].
## Configure federated sign-in
## Configure a federated sign-in experience
You can configure federated sign-in for student assigned (1:1) devices or student shared devices:
You can configure a federated sign-in experience for student assigned (1:1) devices or student shared devices:
- When federated sign-in is configured for **student assigned (1:1) devices**, the first user who signs in to the device with a federated identity becomes the *primary user*. The primary user is always displayed in the bottom left corner of the sign-in screen
- When federated sign-in is configured for **student shared devices**, there's no primary user. The sign-in screen displays, by default, the last user who signed in to the device
- When federated sign-in is configured for **student assigned (1:1) devices**, you use a Windows feature called *Federated sign-in*. The first user who signs in to the device with a federated identity becomes the *primary user*. The primary user is always displayed in the bottom left corner of the sign-in screen
- When federated sign-in is configured for **student shared devices**, you use a Windows feature called *Web sign-in*. With Web sign-in there's no primary user, and the sign-in screen displays, by default, the last user who signed in to the device
The configuration is different for each scenario, and is described in the following sections.
### Configure federated sign-in for student assigned (1:1) devices
### Configure Federated sign-in for student assigned (1:1) devices
To use web sign-in with a federated identity provider, your devices must be configured with different policies. Review the following instructions to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
Review the following instructions to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
@ -98,7 +103,7 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the
#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
To configure federated sign-in using a provisioning package, use the following settings:
To configure Federated sign-in using a provisioning package, use the following settings:
| Setting |
|--------|
@ -109,16 +114,16 @@ To configure federated sign-in using a provisioning package, use the following s
:::image type="content" source="images/federated-sign-in-settings-ppkg.png" alt-text="Screenshot of Custom policy showing the settings to be configured to enable federated sign-in" lightbox="images/federated-sign-in-settings-ppkg.png" border="true":::
Apply the provisioning package to the single-user devices that require federated sign-in.
Apply the provisioning package to the 1:1 devices that require Federated sign-in.
> [!IMPORTANT]
> There was an issue affecting Windows 11, version 22H2 when using provisioning packages during OOBE. The issue was fixed with the KB5020044 update. If you plan to configure federated sign-in with a provisioning package during OOBE, ensure that the devices have the update installed. For more information, see [KB5020044][KB-1].
---
### Configure federated sign-in for student shared devices
### Configure Web sign-in for student shared devices
To use web sign-in with a federated identity provider, your devices must be configured with different policies. Review the following instructions to configure your shared devices using either Microsoft Intune or a provisioning package (PPKG).
Review the following instructions to configure your shared devices using either Microsoft Intune or a provisioning package (PPKG).
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
@ -146,7 +151,7 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the
#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
To configure federated sign-in using a provisioning package, use the following settings:
To configure web sign-in using a provisioning package, use the following settings:
| Setting |
|--------|
@ -156,7 +161,7 @@ To configure federated sign-in using a provisioning package, use the following s
| <li> Path: **`Policies/Authentication/ConfigureWebSignInAllowedUrls`**<br>Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**|
| <li> Path: **`Policies/Authentication/ConfigureWebCamAccessDomainNames`**<br>Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**|
Apply the provisioning package to the shared devices that require federated sign-in.
Apply the provisioning package to the shared devices that require web sign-in.
> [!IMPORTANT]
> There was an issue affecting Windows 11, version 22H2 when using provisioning packages during OOBE. The issue was fixed with the KB5020044 update. If you plan to configure federated sign-in with a provisioning package during OOBE, ensure that the devices have the update installed. For more information, see [KB5020044][KB-1].
@ -172,7 +177,7 @@ As users enter their username, they're redirected to the identity provider sign-
:::image type="content" source="./images/win-11-se-federated-sign-in.gif" alt-text="Screenshot of Windows 11 SE sign-in using federated sign-in through Clever and QR code badge, in a student assigned (1:1) device." border="false":::
> [!IMPORTANT]
> For student assigned (1:1) devices, once the policy is enabled, the first user who sign-in to the device will also set the disambiguation page to the identity provider domain on the device. This means that the device will be defaulting to that IdP. The user can exit the federated sign-in flow by pressing <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd> to get back to the standard Windows sign-in screen.
> For student assigned (1:1) devices, once the policy is enabled, the first user who sign-in to the device will also set the disambiguation page to the identity provider domain on the device. This means that the device will be defaulting to that IdP. The user can exit the Federated sign-in flow by pressing <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd> to get back to the standard Windows sign-in screen.
> The behavior is different for student shared devices, where the disambiguation page is always shown, unless preferred Microsoft Entra tenant name is configured.
## Important considerations


@ -10,12 +10,11 @@ metadata:
ms.technology: itpro-edu
ms.collection:
- education
- highpri
- tier1
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.date: 08/07/2023
ms.date: 10/30/2023
highlightedContent:
items:


@ -1,97 +0,0 @@
---
title: What's new in the Windows Set up School PCs app
description: Find out about app updates and new features in Set up School PCs.
ms.topic: whats-new
ms.date: 08/10/2022
---
# What's new in Set up School PCs
Learn what's new with the Set up School PCs app each week. Find out about new app features and functionality, see updated screenshots, and find information about past releases.
## Week of August 24, 2020
### Longer device names supported in app
You can now give devices running Windows 10, version 2004 and later a name that's up to 53 characters long.
## Week of September 23, 2019
### Easier way to deploy Office 365 to your classroom devices
Microsoft Office now appears as an option on the **Apps** screen. Select the app to add it to your provisioning package. Devices install Microsoft 365 Apps for enterprise. This version includes the cloud-connected and most current versions of apps such as Word, PowerPoint, Excel, and Teams.
## Week of June 24, 2019
### Resumed support for Windows 10, version 1903 and later
The previously mentioned provisioning problem was resolved, so the Set up School PCs app once again supports Windows 10, version 1903 and later. The Windows 10 settings that were removed are now back in the app.
### Device rename made optional for Azure AD-joined devices
When you set up your Azure AD join devices in the app, you no longer need to rename your devices. You can keep existing device names.
## Week of May 23, 2019
### Suspended support for Windows 10, version 1903 and later
Due to a provisioning problem, Set up School PCs has temporarily stopped support for Windows 10, version 1903 and later. All settings in the app that were for Windows 10, version 1903 and later have been removed. When the problem is resolved, support will resume again.
### Mandatory device rename for Azure AD-joined devices
If you configure Azure AD Join, you're now required to rename your devices during setup. You can't keep existing device names.
## Week of April 15, 2019
### Support for Minecraft Education Edition upgrade
Set up School PCs only adds apps to the provisioning package that meet the minimum supported version for Windows 10. For example, Minecraft is the most recent store app to upgrade; it's only installed on devices running Windows 10, version 1709 and later. If you select an earlier version of Windows, Minecraft won't be included in the provisioning package.
## Week of April 8, 2019
### Apps configured as non-removeable
Apps that you deploy with Set up School PCs are configured as non-removable apps. This feature prevents students from unpinning or uninstalling the apps they need.
### Domain name automatically added during sign-in
Specify your preferred Azure Active Directory tenant domain name to automatically append it to the username on the sign-in screen. With this setting, students don't need to type out long school domain names. To sign in, they type only their unique usernames.
### Set up devices with hidden Wi-Fi network
Set up devices so that they connect to a hidden Wi-Fi network. To configure a hidden network, open the app. When you get to **Wireless network**, choose **Add a Wi-Fi network**. Enter in your Wi-Fi information and select **Hidden network**.
## Week of December 31, 2018
### Add Microsoft Whiteboard to provisioning package
Microsoft Whiteboard is now a Microsoft-recommended app for schools. Whiteboard is a freeform digital canvas where ideas, content, and people come together; students can create and collaborate in real time in the classroom. Add the app to your provisioning package on the **Add apps** page. For more information, see [Use Set up School PCs app](use-set-up-school-pcs-app.md#create-the-provisioning-package).
## Week of November 5, 2018
### Sync school app inventory from Microsoft Store
During setup, you can now add apps from your school's Microsoft Store inventory. After you sign in with your school's Office 365 account, Set up School PCs will sync the apps from Microsoft Store, and make them visible on the **Add apps** page. For more information about adding apps, see [Use Set Up School PCs app](use-set-up-school-pcs-app.md#create-the-provisioning-package).
## Week of October 15, 2018
The Set up School PCs app was updated with the following changes:
### Three new setup screens added to the app
The following screens and functionality were added to the setup workflow. Select a screen name to view the relevant steps and screenshots in the Set Up School PCs docs.
* [**Package name**](use-set-up-school-pcs-app.md#package-name): Customize a package name to make it easy to recognize it from your school's other packages. Azure Active Directory generates the name. It appears as the filename, and as the token name in Azure AD in the Azure portal.
* [**Product key**](use-set-up-school-pcs-app.md#product-key): Enter a product key to upgrade your current edition of Windows 10, or change the existing product key.
* [**Personalization**](use-set-up-school-pcs-app.md#personalization): Upload images from your computer to customize how the lock screen and background appears on student devices.
### Azure AD token expiration extended to 180 days
Packages now expire 180 days from the date you create them.
### Updated apps with more helpful, descriptive text
The **Skip** buttons in the app now communicate the intent of each action. An **Exit** button also appears on the last page of the app.
### Option to keep existing device names
The [**Name these devices** screen](use-set-up-school-pcs-app.md#device-names) now gives you the option to keep the original or existing names of your student devices.
### Skype and Messaging apps to be removed from student PCs by default
The Skype and Messaging apps are part of a selection of apps that are, by default, removed from student devices.
## Next steps
Learn how to create provisioning packages and set up devices in the app.
* [What's in my provisioning package?](set-up-school-pcs-provisioning-package.md)
* [Set up School PCs technical reference](set-up-school-pcs-technical.md)
* [Set up Windows 10 devices for education](set-up-windows-10.md)
When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).


@ -1,7 +1,7 @@
---
title: Take a Test app technical reference
description: List of policies and settings applied by the Take a Test app.
ms.date: 03/31/2023
ms.date: 11/02/2023
ms.topic: reference
---
@ -11,11 +11,11 @@ Take a Test is an application that locks down a device and displays an online as
Whether you're a teacher or IT administrator, you can configure Take a Test to meet your testing needs. For high-stakes tests, the app creates a browser-based, locked-down environment. This environment means that students taking the tests that don't have copy/paste privileges, can't access to files and applications, and are free from distractions. For simple tests and quizzes, Take a Test can be configured to use the teacher's preferred assessment website to deliver digital assessments.
Assessment vendors can use Take a Test as a platform to lock down the operating system. Take a Test supports the [SBAC browser API standard](https://www.smarterapp.org/documents/SecureBrowserRequirementsSpecifications_0-3.pdf) for high stakes common core testing. For more information, see [Take a Test Javascript API](/windows/uwp/apps-for-education/take-a-test-api).
Assessment vendors can use Take a Test as a platform to lock down the operating system. Take a Test supports the [SBAC browser API standard](https://www.smarterapp.org/documents/SecureBrowserRequirementsSpecifications_0-3.pdf) for high stakes common core testing. For more information, see [Take a Test JavaScript API](/windows/uwp/apps-for-education/take-a-test-api).
## PC lock-down for assessment
When the assessment page initiates lock-down, the student's desktop will be locked and the app will be launched above the Windows lock screen to provide a sandbox that ensures the student can only interact with the Take a Test app. After transitioning to the lock screen, Take a Test will apply local MDM policies to further lock down the device. The whole process of going above the lock screen and applying policies is what defines lock-down. The lock-down process is atomic, which means that if any part of the lock-down operation fails, the app won't be above lock and won't have any of the policies applied.
When the assessment page initiates lock-down, the student's desktop is locked and the app executes above the Windows lock screen. This provides a sandbox that ensures the student can only interact with the Take a Test app. After transitioning to the lock screen, Take a Test applies local MDM policies to further lock down the device. The whole process of going above the lock screen and applying policies is what defines lock-down. The lock-down process is atomic, which means that if any part of the lock-down operation fails, the app won't be above lock and won't have any of the policies applied.
When running above the lock screen:
@ -25,7 +25,7 @@ When running above the lock screen:
- System clipboard is cleared
- Web apps can query the processes currently running in the user's device
- Extended display shows up as black
- Auto-fill is disabled
- Autofill is disabled
## Mobile device management (MDM) policies
@ -36,7 +36,7 @@ When Take a Test is running, the following MDM policies are applied to lock down
| AllowToasts | Disables toast notifications from being shown | 0 |
| AllowAppStoreAutoUpdate | Disables automatic updates for Store apps that are installed on the PC | 0 |
| AllowDeviceDiscovery | Disables UI for screen sharing | 0 |
| AllowInput Panel | Disables the onscreen keyboard, which will disable auto-fill | 0 |
| AllowInput Panel | Disables the onscreen keyboard, which disables autofill | 0 |
| AllowCortana | Disables Cortana functionality | 0 |
| AllowAutoupdate | Disables Windows Update from starting OS updates | 5 |
@ -61,7 +61,7 @@ When Take a Test is running, the following functionality is available to student
- Magnifier is available through <kbd>Win</kbd>+<kbd>+</kbd>
- The student can press <kbd>Alt</kbd>+<kbd>Tab</kbd> when locked down. This key press results in the student being able to switch between the following elements:
- Take a Test
- Assistive technology that may be running
- Assistive technology that might be running
- Lock screen (not available if student is using a dedicated test account)
> [!NOTE]
@ -77,22 +77,22 @@ When permissive mode is triggered in lock-down mode, Take a Test transitions fro
When running tests in this mode, keep the following points in mind:
- Permissive mode isn't supported in kiosk mode (dedicated test account)
- Permissive mode can be triggered from the web app running within Take a Test. Alternatively, you can create a link or shortcut without "#enforcelockdown" and it will launch in permissive mode
- Permissive mode can be triggered from the web app running within Take a Test. Alternatively, you can create a link or shortcut without "#enforcelockdown" and it launches in permissive mode
## Troubleshoot Take a Test with the event viewer
You can use the Event Viewer to view Take a Test events and errors. Take a Test logs events when a lock-down request has been received, device enrollment has succeeded, lock-down policies were successfully applied, and more.
You can use the Event Viewer to view Take a Test events and errors. Take a Test logs events when it receives a lock-down request, device enrollment completes, lock-down policies are successfully applied, and more.
To enable viewing events in the Event Viewer:
1. Open the `Event Viewer`
1. Navigate to `Applications and Services Logs > Microsoft > Windows > Management-SecureAssessment`
1. Select `Operational` > `Enable Log`
1. Open the Event Viewer
1. Navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **Management-SecureAssessment**
1. Select **Operational** > **Enable Log**
To save the event logs:
1. Select `Operational` > `Save All Events As…`
1. Select **Operational** > **Save All Events As…**
## Learn more
[Take a Test API](/windows/uwp/apps-for-education/take-a-test-api)
[Take a Test API](/windows/uwp/apps-for-education/take-a-test-api)


@ -1,7 +1,7 @@
---
title: Configure and secure devices with Microsoft Intune
description: Learn how to configure policies with Microsoft Intune in preparation for device deployment.
ms.date: 08/31/2022
ms.date: 11/09/2023
ms.topic: tutorial
---
@ -88,7 +88,7 @@ To create a security policy:
- Windows SmartScreen
For more information, see [Security][INT-4].
> [!NOTE]
> If you require more sophisticated security policies, you can create them in Microsoft Intune. For more information:
> - [<u>Antivirus</u>][MEM-2]
@ -98,7 +98,7 @@ For more information, see [Security][INT-4].
> - [<u>Attack surface reduction</u>][MEM-6]
> - [<u>Account protection</u>][MEM-7]
________________________________________________________
---
## Next steps


@ -1,7 +1,7 @@
---
title: Configure devices with Microsoft Intune
description: Learn how to configure policies and applications in preparation for device deployment.
ms.date: 08/31/2022
ms.date: 11/09/2023
ms.topic: tutorial
---


@ -1,9 +1,10 @@
---
title: Enrollment in Intune with standard out-of-box experience (OOBE)
description: Learn how to join devices to Microsoft Entra ID from OOBE and automatically get them enrolled in Intune.
ms.date: 08/31/2022
ms.date: 11/09/2023
ms.topic: tutorial
---
# Automatic Intune enrollment via Microsoft Entra join
If you're setting up a Windows device individually, you can use the out-of-box experience to join it to your school's Microsoft Entra tenant, and automatically enroll it in Intune.
@ -21,7 +22,8 @@ With this process, no advance preparation is needed:
:::image type="content" source="./images/win11-login-screen.png" alt-text="Windows 11 login screen" border="false":::
________________________________________________________
---
## Next steps
With the devices joined to Microsoft Entra tenant and managed by Intune, you can use Intune to maintain them and report on their status.


@ -1,7 +1,7 @@
---
title: Device enrollment overview
description: Learn about the different options to enroll Windows devices in Microsoft Intune
ms.date: 08/31/2022
ms.date: 11/09/2023
ms.topic: overview
---
@ -22,9 +22,9 @@ This [table][INT-1] describes the ideal scenarios for using either option. It's
Select one of the following options to learn the next steps about the enrollment method you chose:
> [!div class="op_single_selector"]
> - [Automatic Intune enrollment via Microsoft Entra join](enroll-aadj.md)
> - [Automatic Intune enrollment via Microsoft Entra join](enroll-entra-join.md)
> - [Bulk enrollment with provisioning packages](enroll-package.md)
> - [Enroll devices with Windows Autopilot ](enroll-autopilot.md)
> - [Enroll devices with Windows Autopilot](enroll-autopilot.md)
<!-- Reference links in article -->


@ -1,7 +1,7 @@
---
title: Enrollment of Windows devices with provisioning packages
description: Learn about how to enroll Windows devices with provisioning packages using SUSPCs and Windows Configuration Designer.
ms.date: 08/31/2022
ms.date: 11/09/2023
ms.topic: tutorial
---
@ -49,7 +49,8 @@ All settings defined in the package and in Intune will be applied to the device,
:::image type="content" source="./images/win11-oobe-ppkg.gif" alt-text="Windows 11 OOBE - enrollment with provisioning package animation." border="false":::
________________________________________________________
---
## Next steps
With the devices joined to Microsoft Entra tenant and managed by Intune, you can use Intune to maintain them and report on their status.


@ -1,7 +1,7 @@
---
title: Introduction to the tutorial deploy and manage Windows devices in a school
description: Introduction to deployment and management of Windows devices in education environments.
ms.date: 08/31/2022
ms.date: 11/09/2023
ms.topic: tutorial
---
@ -60,13 +60,14 @@ In the remainder of this document, we'll discuss the key concepts and benefits o
- **Device enrollment:** Setting up Windows devices for deployment and enrolling them in Intune for Education
- **Device reset:** Resetting managed devices with Intune for Education
________________________________________________________
---
## Next steps
Let's begin with the creation and configuration of your Microsoft Entra tenant and Intune environment.
> [!div class="nextstepaction"]
> [Next: Set up Microsoft Entra ID >](set-up-azure-ad.md)
> [Next: Set up Microsoft Entra ID >](set-up-microsoft-entra-id.md)
<!-- Reference links in article -->


@ -1,7 +1,7 @@
---
title: Manage devices with Microsoft Intune
description: Overview of device management capabilities in Intune for Education, including remote actions, remote assistance and inventory/reporting.
ms.date: 08/31/2022
ms.date: 11/09/2023
ms.topic: tutorial
---


@ -1,7 +1,7 @@
---
title: Management functionalities for Surface devices
description: Learn about the management capabilities offered to Surface devices, including firmware management and the Surface Management Portal.
ms.date: 08/31/2022
ms.date: 11/09/2023
ms.topic: tutorial
appliesto:
- ✅ <b>Surface devices</b>
@ -9,7 +9,7 @@ appliesto:
# Management functionalities for Surface devices
Microsoft Surface devices offer many advanced management functionalities, including the possibility to manage firmware settings and a web portal designed for them.
Microsoft Surface devices offer advanced management functionalities, including the possibility to manage firmware settings and a web portal designed for them.
## Manage device firmware for Surface devices
@ -27,20 +27,18 @@ When Surface devices are enrolled in cloud management and users sign in for the
To access and use the Surface Management Portal:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **All services** > **Surface Management Portal**
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
1. Select **All services** > **Surface Management Portal**
:::image type="content" source="./images/surface-management-portal.png" alt-text="Surface Management Portal within Microsoft Intune" lightbox="./images/surface-management-portal-expanded.png" border="true":::
3. To obtain insights for all your Surface devices, select **Monitor**
1. To obtain insights for all your Surface devices, select **Monitor**
- Devices that are out of compliance or not registered, have critically low storage, require updates, or are currently inactive, are listed here
4. To obtain details on each insights category, select **View report**
1. To obtain details on each insights category, select **View report**
- This dashboard displays diagnostic information that you can customize and export
5. To obtain the device's warranty information, select **Device warranty and coverage**
6. To review a list of support requests and their status, select **Support requests**
1. To obtain the device's warranty information, select **Device warranty and coverage**
1. To review a list of support requests and their status, select **Support requests**
<!-- Reference links in article -->
[INT-1]: /intune/configuration/device-firmware-configuration-interface-windows
[MEM-1]: /mem/autopilot/dfci-management
[SURF-1]: /surface/surface-manage-dfci-guide


@ -1,7 +1,7 @@
---
title: Reset and wipe Windows devices
description: Learn about the reset and wipe options for Windows devices using Intune for Education, including scenarios when to delete devices.
ms.date: 08/31/2022
ms.date: 11/09/2023
ms.topic: tutorial
---
@ -104,6 +104,7 @@ Repairing Autopilot-enrolled devices can be complex, as OEM requirements must be
For more information, see [Autopilot motherboard replacement scenario guidance][MEM-4].
<!-- Reference links in article -->
[MEM-1]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-portal
[MEM-2]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-portal
[MEM-3]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-azure-active-directory-portal


@ -1,7 +1,7 @@
---
title: Set up Microsoft Entra ID
description: Learn how to create and prepare your Microsoft Entra tenant for an education environment.
ms.date: 08/31/2022
ms.date: 11/09/2023
ms.topic: tutorial
appliesto:
---
@ -86,6 +86,7 @@ There are two options for adding users manually, either individually or in bulk:
- Select **Microsoft Entra ID** > **Users** > **All users** > **Bulk operations** > **Bulk create**
For more information, see [Add multiple users in the Microsoft 365 admin center][M365-4].
### Create groups
Creating groups is important to simplify multiple tasks, like assigning licenses, delegating administration, deploy settings, applications or to distribute assignments to students. To create groups:
@ -143,7 +144,7 @@ To allow provisioning packages to complete the Microsoft Entra join process:
1. Select Save
:::image type="content" source="images/entra-device-settings.png" alt-text="Configure device settings from Microsoft Entra admin center." lightbox="images/entra-device-settings.png":::
________________________________________________________
---
## Next steps


@ -1,7 +1,7 @@
---
title: Set up device management
description: Learn how to configure the Intune service and set up the environment for education.
ms.date: 08/31/2022
ms.date: 11/09/2023
ms.topic: tutorial
appliesto:
---
@ -74,7 +74,7 @@ To disable Windows Hello for Business at the tenant level:
For more information how to enable Windows Hello for Business on specific devices, see [Create a Windows Hello for Business policy][MEM-4].
________________________________________________________
---
## Next steps


@ -4,7 +4,7 @@ items:
- name: 1. Prepare your tenant
items:
- name: Set up Microsoft Entra ID
href: set-up-azure-ad.md
href: set-up-microsoft-entra-id.md
- name: Set up Microsoft Intune
href: set-up-microsoft-intune.md
- name: 2. Configure settings and applications
@ -20,7 +20,7 @@ items:
- name: Overview
href: enroll-overview.md
- name: Enroll devices via Microsoft Entra join
href: enroll-aadj.md
href: enroll-entra-join.md
- name: Enroll devices with provisioning packages
href: enroll-package.md
- name: Enroll devices with Windows Autopilot


@ -1,7 +1,7 @@
---
title: Troubleshoot Windows devices
description: Learn how to troubleshoot Windows devices from Intune and contact Microsoft Support for issues related to Intune and other services.
ms.date: 08/31/2022
ms.date: 11/09/2023
ms.topic: tutorial
---
@ -25,10 +25,9 @@ Here's a collection of resources to help you troubleshoot Windows devices manage
Microsoft provides global technical, pre-sales, billing, and subscription support for cloud-based device management services. This support includes Microsoft Intune, Configuration Manager, Windows 365, and Microsoft Managed Desktop.
Follow these steps to obtain support in Microsoft Intune provides many tools that can help you troubleshoot Windows devices.
:
Follow these steps to obtain support in Microsoft Intune provides many tools that can help you troubleshoot Windows devices:
- Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
- Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
- Select **Troubleshooting + support** > **Help and support**
:::image type="content" source="images/advanced-support.png" alt-text="Screenshot that shows how to obtain support from Microsoft Intune." lightbox="images/advanced-support.png":::
- Select the required support scenario: Configuration Manager, Intune, Co-management, or Windows 365


@ -2,88 +2,90 @@
title: Use Set up School PCs app
description: Learn how to use the Set up School PCs app and apply the provisioning package.
ms.topic: how-to
ms.date: 08/10/2022
ms.date: 11/09/2023
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# Use the Set up School PCs app
IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up Windows 10 PCs for students. The app configures PCs with the apps and features students need, and it removes the ones they don't need. During setup, if licensed in your tenant, the app enrolls each student PC into a mobile device management (MDM) provider, such as Intune for Education. You can then manage all the settings the app configures through the MDM.
IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up Windows devices for students. The app configures devices with the apps and features students need, and it removes the ones they don't need. During setup, if licensed in your tenant, the app enrolls each student device in Microsoft Intune. You can then manage all the settings the app configures through Intune.
Set up School PCs also:
* Joins each student PC to your organization's Office 365 and Microsoft Entra tenant.
* Enables the optional Autopilot Reset feature, to return devices to a fully configured or known IT-approved state.
* Utilizes Windows Update and maintenance hours to keep student PCs up-to-date, without interfering with class time.
* Locks down the student PC to prevent activity that isn't beneficial to their education.
With Set up School PCs you can:
This article describes how to fill out your school's information in the Set up School PCs app. To learn more about the app's functionality, start with the [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md).
- Joins student devices to your organization's Microsoft Entra tenant
- Enable the optional Autopilot Reset feature, to return devices to a fully configured or known IT-approved state
- Use Windows Update and maintenance hours to keep student devices up-to-date, without interfering with class time
- Lock down student devices to prevent activity that aren't beneficial to their education
## Requirements
Before you begin, make sure that you, your computer, and your school's network are configured with the following requirements.
This article describes how to use the Set up School PCs app. To learn more about the app's functionality, review the [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md).
* Office 365 and Microsoft Entra ID
* [Latest Set up School PCs app](https://www.microsoft.com/store/apps/9nblggh4ls40)
* A NTFS-formatted USB drive that is at least 1 GB, if not installing Office; and at least 8 GB, if installing Office
* Student PCs must either:
* Be within range of the Wi-Fi network that you configured in the app.
* Have a wired Ethernet connection when you set them up.
## Requirements
### Configure USB drive for additional space
USB drives are, by default, FAT32-formatted, and are unable to save more than 4 GB of data. If you plan to install several apps, or large apps like Microsoft Office, you'll need more space. To create more space on the USB drive, reformat it to NTFS.
1. Insert the USB drive into your computer.
2. Go to the **Start** > **This PC**.
3. In the **Devices and drives** section, find your USB drive. Right-click to see its options.
4. Select **Format** from the list to bring up the **Format drive name** window.
5. Set **File system** to **NTFS**.
6. Click **Start** to format the drive.
Before you begin, make sure that your devices and your school's network are configured with the following requirements:
### Prepare existing PC account for new setup
Apply new packages to factory reset or new PCs. If you apply it to a PC that's already set up, you may lose the accounts and data.
- Microsoft Entra ID and Microsoft 365 licenses
- [Latest Set up School PCs app](https://apps.microsoft.com/detail/9NBLGGH4LS40)
- A NTFS-formatted USB drive that is at least 1 GB
- Student devices must either:
- Be within range of the Wi-Fi network that you configured in the app
- Have a wired Ethernet connection when you set them up
If a PC has already been set up, and you want to apply a new package, reset the PC to a clean state.
### Prepare existing PC account for new setup
To begin, go to the **Settings** app on the appropriate PC.
1. Click **Update & Security** > **Recovery**.
2. In the **Reset this PC** section, click **Get started**.
3. Click **Remove everything**.
Apply new packages to factory reset or new devices. If you apply it to a device that's already set up, you may lose the accounts and data.
You can also go to **Start** > **Power** icon. Hold down the Shift key and click **Restart** to load the Windows boot user experience. From there, follow these steps:
1. Click **Troubleshoot** and then choose **Reset this PC**.
2. Select **Remove everything**.
3. If the option appears, select **Only the drive where Windows is installed**.
4. Click **Just remove my files**.
5. Click **Reset**.
If a device is already set up, and you want to apply a new package, reset the device to a clean state. To reset a device, follow these steps:
## Recommendations
This section offers recommendations to prepare you for the best possible setup experience.
### Run the same Windows 10 build on the admin device and the student PCs
We recommend you run the IT administrator or technical teacher's device on the same Windows 10 build as the student PCs.
1. Open the **Settings** app on target device
1. Select **Update & Security** > **Recovery**
1. In the **Reset this PC** section, select **Get started**
1. Select **Remove everything**
### Student PCs should meet OS requirements for the app
Check the OS requirements in the Set up School PCs app. We recommend using the latest Set up School PCs app along with the latest Windows 10 images on the student PCs.
Alternatively, you can also select **Start** > **Power** icon. Hold down <kbd>Shift</kbd> while selecting **Restart** to load the Windows boot user experience:
To check the app's OS requirements, go to the Microsoft Store and locate the Set up School PCs app. In the app's description, go to **System Requirements > OS**.
1. Select **Troubleshoot** > **Reset this PC**
1. Select **Remove everything**
1. If the option appears, select **Only the drive where Windows is installed**
1. Select **Just remove my files**
1. Select **Reset**
## Recommendations
This section offers recommendations to prepare you for the best possible setup experience.
### Run the same Windows build on the admin device and the student devices
We recommend you run the IT administrator or technical teacher's device on the same Windows build as the student devices.
### Student devices must meet OS requirements for the app
Check the OS requirements in the Set up School PCs app. We recommend using the latest Set up School PCs app along with the latest Windows images on the student devices.
To check the app's OS requirements, go to the Microsoft Store and locate the Set up School PCs app. In the app's description, go to **System Requirements** > **OS**.
### Use app on a PC that is connected to your school's network
We recommend that you run the Set up School PCs app on a computer that's connected to your school's network. That way the app can gather accurate information about your school's wireless networks and cloud subscriptions. If it's not connected, you'll need to enter the information manually.
> [!NOTE]
> Don't use the **Set up Schools PCs** app for PCs that must connect to:
>* Enterprise networks that require the user to accept Terms of Use.
>* Open Wi-Fi networks that require the user to accept Terms of Use.
We recommend that you run the Set up School PCs app on a computer that's connected to your school's network. That way the app can gather accurate information about your school's wireless networks and cloud subscriptions. If it's not connected, you need to enter the information manually.
>[!NOTE]
>Don't use the **Set up Schools PCs** app for devices that must connect to enterprise or open Wi-Fi networds that require the user to accept Terms of Use.
### Run app on an open network or network that requires a basic password
Don't use Set up School PCs over a certification-based network, or one where you have to enter credentials in a browser. If you need to set up many devices over Wi-Fi, make sure that your network configuration can support it.
We recommend that you:
* Configure your DHCP so at least 200 IP addresses are available for your devices. Having available IP addresses will allow you to set up many devices simultaneously.
* Configure your IP addresses to expire after a short time--about 30 minutes. IP addresses will free up quickly so you can continue to set up devices without network issues.
Don't use Set up School PCs over a certificate-based network, or one where you have to enter credentials in a browser. If you need to set up many devices over Wi-Fi, make sure that your network configuration can support it.
> > [!WARNING]
> > Only use the provisioning package on PCs that you want to configure and lock down for students. After you apply the provisioning package to a student PC, the PC must be reset to remove the settings.
We recommend that you:
### Use an additional USB drive
To set up more than one PC at the same time, save the provisioning package to additional USB drives. Then plug the USBs in at the same time during setup.
- Configure your DHCP so at least 200 IP addresses are available for your devices. Having available IP addresses allow you to set up many devices simultaneously
- Configure your IP addresses to expire after a short time, for example 30 minutes. IP addresses free up quickly so you can continue to set up devices without network issues.
>[!WARNING]
>Only use the provisioning package on devices that you want to configure and lock down for students. After you apply the provisioning package to a student device, the PC must be reset to remove the settings.
### Use an additional USB drive
To set up more than one PC at the same time, save the provisioning package to additional USB drives. Then plug the USBs in at the same time during setup.
### Limit changes to school-optimized settings
@ -91,191 +93,172 @@ We strongly recommend that you avoid changing preset policies. Changes can slow
## Create the provisioning package
The **Set up School PCs** app guides you through the configuration choices for the student PCs. To begin, open the app on your PC and click **Get started**.
![Launch the Set up School PCs app.](images/suspcs/suspc_getstarted_050817.png)
The **Set up School PCs** app guides you through the configuration choices for the student PCs. To begin, open the app on your device and select **Get started**.
![Launch the Set up School PCs app.](images/suspcs/suspc_getstarted_050817.png)
### Package name
### Package name
Type a unique name to help distinguish your school's provisioning packages. The name appears:
* On the local package folder
* In your tenant's Microsoft Entra account in the Azure portal
- On the local package folder
- In your tenant's Microsoft Entra account in the Azure portal
A package expiration date is also attached to the end of each package. For example, *Set_Up_School_PCs (Expires 4-16-2019)*. The expiration date is 180 days after you create your package.
A package expiration date is also attached to the end of each package. For example, *Set_Up_School_PCs (Expires 1-1-2024)*. The expiration date is 180 days after you create your package.
![Example screenshot of the Set up School PCs app, Name your package screen.](images/suspcs/1810_Name_Your_Package_SUSPC.png)
After you click **Next**, you can no longer change the name in the app. To create a package with a different name, reopen the Set up School PCs app.
To change an existing package's name, right-click the package folder on your device and select **Rename**. This action does not change the name in Microsoft Entra ID. If you have Global Admin permissions, you can go to Microsoft Entra ID in the Azure portal, and rename the package there.
After you select **Next**, you can no longer change the name in the app. To create a package with a different name, reopen the Set up School PCs app.
To change an existing package's name, right-click the package folder on your device and select **Rename**. This action doesn't change the name in Microsoft Entra ID. If you have Global Admin permissions, you can go to Microsoft Entra ID in the Azure portal, and rename the package there.
### Sign in
1. Select how you want to sign in.
a. (Recommended) To enable student PCs to automatically be connect to Office 365, Microsoft Entra ID, and management services like Intune for Education, click **Sign-in**. Then go to step 3.
b. To complete setup without signing in, click **Continue without account**. Student PCs won't be connected to your school's cloud services and managing them will be more difficult later. Continue to [Wireless network](#wireless-network).
2. In the new window, select the account you want to use throughout setup.
1. Select how you want to sign in
1. (Recommended) To enable student device to automatically connect and authenticate to Microsoft Entra ID, and management services like Microsoft Intune, select **Sign-in**. Then go to step 3
1. To complete setup without signing in, select **Continue without account**. Student devices won't connect to your school's cloud services and their management will be more difficult later. Continue to [Wireless network](#wireless-network)
1. In the new window, select the account you want to use throughout setup.
![Sign-in screen showing the option to "Use this account" or use a different "Work or school account."](images/suspcs/1810_choose_account_suspc.png)
To add an account not listed:
a. Click **Work or school account** > **Continue**.
b. Type in the account username and click **Next**.
c. Verify the user account and password, if prompted.
1. Select **Work or school account** > **Continue**.
1. Type in the account username and select **Next**.
1. Verify the user account and password, if prompted.
3. Click **Accept** to allow Set up School PCs to access your account throughout setup.
2. When your account name appears on the page, as shown in the image below, click **Next.**
1. Select **Accept** to allow Set up School PCs to access your account throughout setup
1. When your account name appears on the page, select **Next**
![Example screenshot of the Set up School PC app, Sign in screen, showing that the user's account name appears at the bottom of the page.](images/suspcs/1810_Sign_In_SUSPC.png)
### Wireless network
Add and save the wireless network profile that you want student PCs to connect to. Only skip Wi-Fi setup if you have an Ethernet connection.
Select your school's Wi-Fi network from the list of available wireless networks, or click **Add a wireless network** to manually configure it. Then click **Next.**
Add and save the wireless network profile that you want student devices to connect to. Only skip Wi-Fi setup if you have an Ethernet connection.
Select your organization's Wi-Fi network from the list of available wireless networks, or select **Add a wireless network** to manually configure it. Then select **Next**
![Example screenshot of the Set up School PC app, Wireless network page with two Wi-Fi networks listed, one of which is selected.](images/suspcs/1810_SUSPC_select_Wifi.png)
### Device names
Create a short name to add as a prefix to each PC. This name will help you recognize and manage this specific group of devices in your mobile device manager. The name must be five (5) characters or less.
To make sure all device names are unique, Set up School PCs automatically appends `_%SERIAL%` to the name. For example, if you add *Math4* as the prefix, the device names will appear as *Math4* followed by a random string of letters and numbers.
Create a name to add as a prefix to each device. This name helps you recognize and manage this group of devices in Intune.
To keep the default name for your devices, click **Continue with existing names**.
To make sure all device names are unique, Set up School PCs automatically appends `_%SERIAL%` to the name. For example, if you add *MATH4* as the prefix, the device names appear as *MATH4* followed by the device serial number.
To keep the default name for your devices, select **Continue with existing names**.
!["Name these devices" screen with the device field filled in with example device name, "Grd8."](images/suspcs/1810_name-devices_SUSPC.png)
### Settings
Select additional settings to include in the provisioning package. To begin, select the operating system on your student PCs.
Select more settings to include in the provisioning package. To begin, select the operating system on your student PCs.
![Screenshot of the Current OS version page with the Select OS version menu selected, showing 7 Windows 10 options. All other settings on page are unavailable to select.](images/suspcs/1810_suspc_settings.png)
Setting selections vary based on the OS version you select. The example screenshot below shows the settings that become available when you select **Windows 10 version 1703**. The option to **Enable Autopilot Reset** is not available for this version of Windows 10.
Setting selections vary based on the OS version you select.
![Example screenshot of the Current OS version page, with Windows 10 version 1803 selected. 4 available settings and 1 unavailable setting are shown, and none are selected.](images/suspcs/1810_SUSPC_available_settings.png)
The following table describes each setting and lists the applicable Windows 10 versions. To find out if a setting is available in your version of Windows 10, look for an *X* in the setting row and in the version column.
> [!NOTE]
> The [**Time zone** setting](use-set-up-school-pcs-app.md#time-zone), shown in the sidebar of the screenshot above, is not made available to versions of Windows 10 in S mode. If you select a version in S mode, **Time zone** will become disabled.
| Setting | What happens if I select it? | Note |
|--|--|--|
| Remove apps preinstalled by the device manufacturer | Uninstalls apps that came loaded on the computer by the device's manufacturer. | Adds about 30 minutes to the provisioning process. |
| Allow local storage (not recommended for shared devices) | Lets students save files to the Desktop and Documents folder on the Student PC. | Not recommended if the device are shared between different students. |
| Optimize device for a single student, instead of a shared cart or lab | Optimizes the device for use by a single student, rather than many students. | Recommended if the device are shared between different students. Single-optimized accounts are set to expire, and require a sign-in, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. In this case, student accounts aren't deleted unless the account has been inactive for 180 days. |
| Let guests sign in to these PCs | Allows guests to use student PCs without a school account. | Common to use within a public, shared space, such as a library. Also used when a student loses their password. Adds a **Guest** account to the PC sign-in screen that anyone can sign in to. |
| Enable Autopilot Reset | Lets you remotely reset a student's PC from the lock screen, apply the device's original settings, and enroll it in device management (Microsoft Entra ID and MDM). | WinRE must be enabled on the device. |
| Lock screen background | Change the default screen lock background to a custom image. | Select **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png. |
The following table describes each setting and lists the applicable Windows 10 versions. To find out if a setting is available in your version of Windows 10, look for an *X* in the setting row and in the version column.
|Setting |1703|1709|1803|1809|What happens if I select it? |Note|
|---------|---------|---------|---------|---------|---------|---------|
|Remove apps pre-installed by the device manufacturer |X|X|X|X| Uninstalls apps that came loaded on the computer by the device's manufacturer. |Adds about 30 minutes to the provisioning process.|
|Allow local storage (not recommended for shared devices) |X|X|X|X| Lets students save files to the Desktop and Documents folder on the Student PC. |Not recommended if the device will be shared between different students.|
|Optimize device for a single student, instead of a shared cart or lab |X|X|X|X|Optimizes the device for use by a single student, rather than many students. |Recommended if the device will be shared between different students. Single-optimized accounts are set to expire, and require a sign-in, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. In this case, student accounts aren't deleted unless the account has been inactive for 180 days. |
|Let guests sign in to these PCs |X|X|X|X|Allows guests to use student PCs without a school account. |Common to use within a public, shared space, such as a library. Also used when a student loses their password. Adds a **Guest** account to the PC sign-in screen that anyone can sign in to.|
|Enable Autopilot Reset |Not available|X|X|X|Lets you remotely reset a student's PC from the lock screen, apply the device's original settings, and enroll it in device management (Microsoft Entra ID and MDM). |Requires Windows 10, version 1709 and WinRE must be enabled on the PC. Setup will fail if both requirements aren't met.|
|Lock screen background|X|X|X|X|Change the default screen lock background to a custom image.|Click **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png.|
After you've made your selections, click **Next**.
After you've made your selections, select **Next**.
### Time zone
> [!WARNING]
> If you are using the Autounattend.xml file to reimage your school PCs, do not specify a time zone in the file. If you set the time zone in the file *and* in this app, you will encounter an error.
Choose the time zone where your school's PCs are used. This setting ensures that all PCs are provisioned in the same time zone. When you're done, click **Next**.
Choose the time zone where your school's devices are used. This setting ensures that all PCs are provisioned in the same time zone. When you're done, select **Next**.
![Choose PC time zone page with the time zone menu expanded to show all time zone selections.](images/suspcs/1810_suspc_timezone.png)
### Product key
Optionally, type in a 25-digit product key to:
* Upgrade your current edition of Windows. For example, if you want to upgrade from Windows 10 Education to Windows 10 Education Pro, enter the product key for the Pro edition.
* Change the product key. If you want to associate student devices with a new or different Windows 10 product key, enter it now.
### Product key
Optionally, type in a 25-digit product key to upgrade or change the edition of Windows on your student devices. If you don't have a product key, select **Continue without change**.
![Example screenshot of the Set up School PC app, Product key screen, showing a value field, Next button, and Continue without change option.](images/suspcs/1810_suspc_product_key.png)
### Take a Test
Set up the Take a Test app to give online quizzes and high-stakes assessments. During assessments, Windows locks down the student PC so that students can't access anything else on the device.
### Take a Test
1. Select **Yes** to create a Take a Test button on the sign-in screens of your students' PCs.
Set up the Take a Test app to give online quizzes and high-stakes assessments. During assessments, Windows locks down the student devices so that students can't access anything else on the device.
![Set up Take a Test app page with "Yes" selected to create an app button. Page also has two checkboxes for additional settings and one text field for the assessment URL.](images/suspcs/1810_SUSPC_Take_Test.png)
1. Select **Yes** to create a Take a Test button on the sign-in screens of your students' devices
2. Select from the advanced settings. Available settings include:
* Allow keyboard auto-suggestions: Allows app to suggest words as the student types on the PC's keyboard.
* Allow teachers to monitor online tests: Enables screen capture in the Take a Test app.
3. Enter the URL where the test is hosted. When students log in to the Take a Test account, they'll be able to click or enter the link to view the assessment.
4. Click **Next**.
![Set up Take a Test app page with "Yes" selected to create an app button. Page also has two checkboxes for additional settings and one text field for the assessment URL.](images/suspcs/1810_SUSPC_Take_Test.png)
### Add apps
Choose from Microsoft recommended apps and your school's own Microsoft Store inventory. The apps you select here are added to the provisioning package and installed on student PCs. After they're assigned, apps are pinned to the device's Start menu.
1. Select from the advanced settings. Available settings include:
- Allow keyboard auto-suggestions: Allows app to suggest words as the student types on the device's keyboard
- Allow teachers to monitor online tests: Enables screen capture in the Take a Test app
1. Enter the URL where the test is hosted. When students log in to the Take a Test account, they'll be able to select or enter the link to view the assessment
1. Select **Next**
If there aren't any apps in your Microsoft Store inventory, or you don't have the permissions to add apps, you'll need to contact your school admin for help. If you receive a message that you can't add the selected apps, click **Continue without apps**. Contact your school admin to get these apps later.
### Personalization
After you've made your selections, click **Next**.
Upload custom images to replace the student devices' default desktop and lock screen backgrounds. Select **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png.
If you don't want to upload custom images or use the images that appear in the app, select **Continue without personalization**. This option doesn't apply any customizations, and instead uses the devices' default or preset images.
![Example screenshots of the Add apps screen with selection of recommended apps and school inventory apps.](images/suspcs/1812_Add_Apps_SUSPC.png)
![Example image of the Set up School PCs app, Personalization screen, showing the default desktop and lock screen background photos, a Browse button under each photo, a blue Next button, and a Continue without personalization button.](images/suspcs/1810_SUSPC_personalization.png)
The following table lists the recommended apps you'll see.
### Summary
|App |Note |
|---------|---------|
|Office 365 for Windows 10 in S mode (Education Preview) | Setup is only successful on student PCs that run Windows 10 in S mode. The PC you running the Set up School PCs app is not required to have Windows 10 in S mode. |
|Microsoft Whiteboard | None|
|Minecraft: Education Edition | Free trial|
Review all of the settings for accuracy and completeness
1. To make changes now, select any page along the left side of the window
2. When finished, select **Accept**
![Example image of the Summary screen, showing the user's configurations for Sign-in, Wireless network, Device names, Settings, Time zone, Take a Test. Accept button is available and the page contains three links on the right-hand side to help and support.](images/suspcs/1810_SUSPC_summary.png)
### Personalization
Upload custom images to replace the student devices' default desktop and lock screen backgrounds. Click **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png.
If you don't want to upload custom images or use the images that appear in the app, click **Continue without personalization**. This option does not apply any customizations, and instead uses the devices' default or preset images.
![Example image of the Set up School PCs app, Personalization screen, showing the default desktop and lock screen background photos, a Browse button under each photo, a blue Next button, and a Continue without personalization button.](images/suspcs/1810_SUSPC_personalization.png)
### Summary
Review all of the settings for accuracy and completeness. Check carefully. To make changes to a saved package, you have to start over.
1. To make changes now, click any page along the left side of the window.
2. When finished, click **Accept**.
![Example image of the Summary screen, showing the user's configurations for Sign-in, Wireless network, Device names, Settings, Time zone, Take a Test. Accept button is available and the page contains three links on the right-hand side to help and support.](images/suspcs/1810_SUSPC_summary.png)
> [!NOTE]
> To make changes to a saved package, you have to start over.
### Insert USB
1. Insert a USB drive. The **Save** button will light up when your computer detects the USB.
2. Choose your USB drive from the list and click **Save**.
![Insert a USB drive now screen with USB drive selection highlighted. Save button is blue and active.](images/suspcs/1810_SUSPC_USB.png)
1. Insert a USB drive. The **Save** button lights up when your computer detects the USB
1. Choose your USB drive from the list and select **Save**
3. When the package is ready, you'll see the filename and package expiration date. You can also click **Add a USB** to save the same provisioning package to another USB drive. When you're done, remove the USB drive and click **Next**.
![Insert a USB drive now screen with USB drive selection highlighted. Save button is blue and active.](images/suspcs/1810_SUSPC_USB.png)
![Your provisioning package is ready screen with package filename and expiration date. Shows an active blue, Next button, and a gray Add a USB button.](images/suspcs/1810_SUSPC_Package_ready.png)
1. When the package is ready, you see the filename and package expiration date. You can also select **Add a USB** to save the same provisioning package to another USB drive. When you're done, remove the USB drive and select **Next**
## Run package - Get PCs ready
Complete each step on the **Get PCs ready** page to prepare student PCs for set-up. Then click **Next**.
![Your provisioning package is ready! screen with 3 steps to get student PCs ready for setup. Save button is active.](images/suspcs/suspc_runpackage_getpcsready.png)
![Your provisioning package is ready screen with package filename and expiration date. Shows an active blue, Next button, and a gray Add a USB button.](images/suspcs/1810_SUSPC_Package_ready.png)
## Run package - Get PCs ready
Complete each step on the **Get PCs ready** page to prepare student devices for set-up. Then select **Next**.
![Your provisioning package is ready! screen with 3 steps to get student devices ready for setup. Save button is active.](images/suspcs/suspc_runpackage_getpcsready.png)
## Run package - Install package on PC
The provisioning package on your USB drive is named SetupSchoolPCs_<*devicename*>(Expires <*expiration date*>.ppkg. A provisioning package applies settings to Windows 10 without reimaging the device.
The provisioning package on your USB drive is named SetupSchoolPCs_<*devicename*>(Expires <*expiration date*>.ppkg. A provisioning package applies settings to Windows without reimaging the device.
When used in context of the Set up School PCs app, the word *package* refers to your provisioning package. The word *provisioning* refers to the act of installing the package on the student PC. This section describes how to apply the settings to a PC in your school.
When used in context of the Set up School PCs app, the word *package* refers to your provisioning package. The word *provisioning* refers to the act of installing the package on the student device. This section describes how to apply the settings to a device in your school.
> [!IMPORTANT]
> The PC must have a new or reset Windows 10 image and must not already have been through first-run setup (also referred to as OOBE). For instructions about how to reset a computer's image, see [Prepare existing PC account for new setup](use-set-up-school-pcs-app.md#prepare-existing-pc-account-for-new-setup).
> The devices must have a new or reset Windows image and must not already have been through first-run setup experience (which is referred to as *OOBE*). For instructions about how to reset a devices's image, see [Prepare existing PC account for new setup](use-set-up-school-pcs-app.md#prepare-existing-pc-account-for-new-setup).
1. Start with the student PC turned off or with the PC on the first-run setup screen. In Windows 10 version 1803, the first-run setup screen reads, **Let's start with region. Is this right?**
1. Start with the student device turned off or with the device on the first-run setup screen. If the device is past the account setup screen, reset the device to start over. To reset the it, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**
If the PC has gone past the account setup screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
![Example screenshot of the first screen the Windows 10 PC setup for OOBE. United States is selected as the region and the Yes button is active.](images/suspcs/win10_1703_oobe_firstscreen.png)
![Example screenshot of the first screen the Windows 10 PC setup for OOBE. United States is selected as the region and the Yes button is active.](images/suspcs/win10_1703_oobe_firstscreen.png)
2. Insert the USB drive. Windows automatically recognizes and installs the package.
![Screen showing that the installation is automatically beginning, with a loading bar showing the status on the installation.](images/suspcs/suspc_studentpcsetup_installingsetupfile.png)
3. When you receive the message that it's okay to remove the USB drive, remove it from the PC. If there are more PCs to set up, insert the USB drive into the next PC.
1. Insert the USB drive. Windows automatically recognizes and installs the package
![Screen showing that the installation is automatically beginning, with a loading bar showing the status on the installation.](images/suspcs/suspc_studentpcsetup_installingsetupfile.png)
1. When you receive the message that it's okay to remove the USB drive, remove it from the device. If there are more devices to set up, insert the USB drive into the next one
![Screen with message telling user to remove the USB drive.](images/suspcs/suspc_setup_removemediamessage.png)
4. If you didn't set up the package with Microsoft Entra join, continue the Windows device setup experience. If you did configure the package with Microsoft Entra join, the computer is ready for use and no further configurations are required.
1. If you didn't set up the package with Microsoft Entra join, continue the Windows device setup experience. If you did configure the package with Microsoft Entra join, the device is ready for use and no further configurations are required
If successful, you'll see a setup complete message. The PCs start up on the lock screen, with your school's custom background. Upon first use, students and teachers can connect to your school's network and resources.
If successful, you'll see a setup complete message. The PCs start up on the lock screen, with your school's custom background. Upon first use, students and teachers can connect to your school's network and resources.


@ -2,18 +2,17 @@
title: Windows 11 SE Overview
description: Learn about Windows 11 SE, and the apps that are included with the operating system.
ms.topic: overview
ms.date: 08/03/2023
ms.date: 11/02/2023
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
ms.collection:
- highpri
- education
- tier1
---
# Windows 11 SE Overview
Windows 11 SE is an edition of Windows that's designed for education. Windows SE runs on web-first devices that use essential education apps, and it comes with Microsoft Office 365 preinstalled (subscription sold separately).
Windows 11 SE is an edition of Windows designed for education. Windows SE runs on web-first devices that use essential education apps, and it comes with Microsoft Office 365 preinstalled (subscription sold separately).
For education customers seeking cost-effective devices, Microsoft Windows 11 SE is a great choice. Windows 11 SE includes the following benefits:
@ -35,8 +34,8 @@ The following table lists the different application types available in Windows o
| --- | --- | :---: | ---|
|Progressive Web Apps (PWAs) | PWAs are web-based applications that can run in a browser and that can be installed as standalone apps. |✅|PWAs are enabled by default in Windows 11 SE.|
| Web apps | Web apps are web-based applications that run in a browser. | ✅ | Web apps are enabled by default in Windows 11 SE. |
|`Win32`| `Win32` applications are Windows classic applications that may require installation |⛔| If users try to install or execute `Win32` applications that haven't been allowed to run, they fail.|
|Universal Windows Platform (UWP)/Store apps |UWP apps are commonly obtained from the Microsoft Store and may require installation |⛔|If users try to install or execute UWP applications that haven't been allowed to run, they fail.|
|`Win32`| `Win32` applications are Windows classic applications that might require installation |⛔| If users try to install or execute `Win32` applications that aren't allowed to run, they fail.|
|Universal Windows Platform (UWP)/Store apps |UWP apps are commonly obtained from the Microsoft Store and might require installation |⛔|If users try to install or execute UWP applications that haven't been allowed to run, they fail.|
> [!IMPORTANT]
> If there are specific `Win32` or UWP applications that you want to allow, work with Microsoft to get them enabled. For more information, see [Add your own applications](#add-your-own-applications).
@ -48,33 +47,33 @@ The following table lists all the applications included in Windows 11 SE and the
| App name | App type | Pinned to Start? | Pinned to taskbar? |
|:-----------------------------|:--------:|:----------------:|:------------------:|
| Alarm & Clock | UWP | | |
| Calculator | UWP | ✅ | |
| Camera | UWP | ✅ | |
| Microsoft Edge | `Win32` | ✅ | ✅ |
| Excel | `Win32` | ✅ | |
| Calculator | UWP | ✅ | |
| Camera | UWP | ✅ | |
| Microsoft Edge | `Win32` | ✅ | ✅ |
| Excel | `Win32` | ✅ | |
| Feedback Hub | UWP | | |
| File Explorer | `Win32` | | ✅ |
| File Explorer | `Win32` | | ✅ |
| FlipGrid | PWA | | |
| Get Help | UWP | | |
| Media Player | UWP | ✅ | |
| Media Player | UWP | ✅ | |
| Maps | UWP | | |
| Minecraft: Education Edition | UWP | | |
| Movies & TV | UWP | | |
| News | UWP | | |
| Notepad | `Win32` | | |
| OneDrive | `Win32` | | |
| OneNote | `Win32` | ✅ | |
| Outlook | PWA | ✅ | |
| Paint | `Win32` | ✅ | |
| Notepad | `Win32` | | |
| OneDrive | `Win32` | | |
| OneNote | `Win32` | ✅ | |
| Outlook | PWA | ✅ | |
| Paint | `Win32` | ✅ | |
| Photos | UWP | | |
| PowerPoint | `Win32` | ✅ | |
| Settings | UWP | ✅ | |
| PowerPoint | `Win32` | ✅ | |
| Settings | UWP | ✅ | |
| Snip & Sketch | UWP | | |
| Sticky Notes | UWP | | |
| Teams | `Win32` | ✅ | |
| Teams | `Win32` | ✅ | |
| To Do | UWP | | |
| Whiteboard | UWP | ✅ | |
| Word | `Win32` | ✅ | |
| Whiteboard | UWP | ✅ | |
| Word | `Win32` | ✅ | |
## Available applications


@ -6,4 +6,4 @@ ms.topic: include
ms.prod: windows-client
---
To configure devices using group policy, [create a group policy object (GPO)](/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object) and use the following settings:
To configure a device with group policy, use the [Local Group Policy Editor](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731745(v=ws.10)). To configure multiple devices joined to Active Directory, [create or edit](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754740(v=ws.11)) a group policy object (GPO) and use the following settings:


@ -6,4 +6,4 @@ ms.topic: include
ms.prod: windows-client
---
The policy settings can be configured locally by using the Local Group Policy Editor (`gpedit.msc`), linked to the domain or organizational units, and filtered to security groups.
Group policies can be [linked](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732979(v=ws.10)) to domains or organizational units, [filtered using security groups](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc752992(v=ws.10)), or [filtered using WMI filters](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717288(v=ws.11)).


@ -6,4 +6,4 @@ ms.topic: include
ms.prod: windows-client
---
To configure devices using Microsoft Intune, [create a Settings catalog policy](/mem/intune/configuration/settings-catalog) and use the following settings:
To configure devices with Microsoft Intune, [create a Settings catalog policy](/mem/intune/configuration/settings-catalog) and use the following settings:


@ -0,0 +1,9 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 08/15/2023
ms.topic: include
ms.prod: windows-client
---
To configure devices with the [Registry Editor](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc755256(v=ws.11)), use the following settings:


@ -81,7 +81,7 @@ ms.topic: include
|**[Windows Autopilot](/autopilot/)**|Yes|Yes|Yes|Yes|
|**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|
|**[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|
|**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|
|**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall)**|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)**|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|
|**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|


@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 09/18/2023
ms.date: 11/02/2023
ms.topic: include
---
@ -30,7 +30,7 @@ ms.topic: include
|**[Enhanced phishing protection with SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection)**|Yes|Yes|Yes|Yes|Yes|
|**[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)**|Yes|Yes|Yes|Yes|Yes|
|**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/security-foundations/certification/fips-140-validation)**|Yes|Yes|Yes|Yes|Yes|
|**[Federated sign-in](/education/windows/federated-sign-in)**|❌|Yes|Yes|❌|❌|
|**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|❌|Yes|Yes|
|**[FIDO2 security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)**|Yes|Yes|Yes|Yes|Yes|
|**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes|Yes|
|**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|Yes|
@ -81,7 +81,7 @@ ms.topic: include
|**[Windows Autopilot](/autopilot/)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|Yes|


@ -17,6 +17,6 @@ Federated sign-in license entitlements are granted by the following licenses:
|Windows Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|No|No|
|Yes|No|No|Yes|Yes|
For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).


@ -69,7 +69,6 @@
"v-stsavell",
"beccarobins",
"Stacyrch140",
"v-stsavell",
"American-Dipper"
]
},


@ -9,7 +9,7 @@ author: cmcatee-MSFT
manager: scotv
ms.topic: conceptual
ms.localizationpriority: medium
ms.custom: has-azure-ad-ps-ref
ms.custom: has-azure-ad-ps-ref, azure-ad-ref-level-one-done
ms.date: 05/24/2023
ms.reviewer:
---
@ -36,7 +36,7 @@ You can use the PowerShell module to:
- Perform bulk operations with .csv files - automates license management for customers with larger numbers of licenses
>[!NOTE]
>Assigning apps to groups is not supported via this module. Instead, we recommend leveraging the Microsoft Entra ID Or MSOnline Modules to save members of a group to a CSV file and follow instructions below on how to use CSV file to manage assignments.
>Assigning apps to groups is not supported via this module. Instead, we recommend leveraging the Microsoft Entra ID or [Microsoft Graph PowerShell](/powershell/microsoftgraph/overview) Modules to save members of a group to a CSV file and follow instructions below on how to use CSV file to manage assignments.
## Requirements
To use the Microsoft Store for Business and Education PowerShell module, you'll need:
@ -77,7 +77,7 @@ To authorize the PowerShell module, run this command. You'll need to sign-in wit
Grant-MSStoreClientAppAccess
```
You will be prompted to sign in with your work or school account and then to authorize the PowerShell Module to access your **Microsoft Store for Business and Education** account. Once the module has been imported into the current PowerShell session and authorized to call into your **Microsoft Store for Business and Education** account, Azure PowerShell cmdlets are loaded and ready to be used.
You will be prompted to sign in with your work or school account and then to authorize the PowerShell Module to access your **Microsoft Store for Business and Education** account. Once the module has been imported into the current PowerShell session and authorized to call into your **Microsoft Store for Business and Education** account, Microsoft Graph PowerShell cmdlets are loaded and ready to be used.
## View items in Products and Services
Service management should encounter no breaking changes as a result of the separation of Azure Service Management and **Microsoft Store for Business and Education PowerShell** preview.


@ -334,7 +334,7 @@ Customers in these markets can use Microsoft Store for Business and Education to
- Aremenia
- Azerbaijan
- Belarus
- Bosnia
- Bosnia and Herzegovina
- Brazil
- Georgia
- India


@ -42,9 +42,8 @@
"uhfHeaderId": "MSDocsHeader-Windows",
"ms.technology": "itpro-apps",
"ms.topic": "article",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"feedback_system": "Standard",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.win-app-management",


@ -14,7 +14,6 @@ metadata:
ms.prod: windows-client
ms.collection:
- tier1
- highpri
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | tutorial | overview | quickstart | reference | sample | tutorial | video | whats-new


@ -92,7 +92,7 @@ When you use an MDM provider like Microsoft Intune, you can create shortcuts to
## Android&trade; apps
Starting with Windows 11, you can install Android&trade; apps. This feature uses the Windows Subsystem for Android, and allows users to interact with mobile apps just like others apps.
Starting with Windows 11, you can install Android&trade; apps. This feature uses the Windows Subsystem for Android, and allows users to interact with mobile apps just like other apps.
For more information, see the following articles:


@ -38,6 +38,7 @@
"ms.collection": [
"tier2"
],
"zone_pivot_group_filename": "resources/zone-pivot-groups.json",
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-Windows",
"ms.technology": "itpro-manage",
@ -47,9 +48,8 @@
"ms.author": "vinpa",
"author": "vinaypamnani-msft",
"manager": "aaroncz",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"feedback_system": "Standard",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.win-client-management",


@ -19,7 +19,7 @@ The enrollment into Intune is triggered by a group policy created on your local
- The Active Directory joined device must be running a [supported version of Windows](/windows/release-health/supported-versions-windows-client).
- The enterprise has configured a Mobile Device Management (MDM) service.
- The on-premises Active Directory must be [integrated with Microsoft Entra ID (via Microsoft Entra Connect)](/azure/architecture/reference-architectures/identity/azure-ad).
- Service connection point (SCP) configuration. For more information see [configuring the SCP using Microsoft Entra Connect](/azure/active-directory/devices/how-to-hybrid-join). For environments not publishing SCP data to AD, see [Microsoft Entra hybrid join targeted deployment](/azure/active-directory/devices/hybrid-join-control#targeted-deployment-of-microsoft-entra-hybrid-join-on-windows-current-devices).
- Service connection point (SCP) configuration. For more information, see [configuring the SCP using Microsoft Entra Connect](/azure/active-directory/devices/how-to-hybrid-join). For environments not publishing SCP data to AD, see [Microsoft Entra hybrid join targeted deployment](/azure/active-directory/devices/hybrid-join-control#targeted-deployment-of-microsoft-entra-hybrid-join-on-windows-current-devices).
- The device shouldn't already be enrolled in Intune using the classic agents (devices managed using agents fail enrollment with `error 0x80180026`).
- The minimum Windows Server version requirement is based on the Microsoft Entra hybrid join requirement. For more information, see [How to plan your Microsoft Entra hybrid join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan).
@ -36,7 +36,7 @@ The autoenrollment relies on the presence of an MDM service and the Microsoft En
> [!NOTE]
> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.
When the autoenrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task uses the existing MDM service configuration from the Microsoft Entra information of the user. If multi-factor authentication is required, the user gets prompted to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
When the autoenrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task uses the existing MDM service configuration from the Microsoft Entra information of the user. If multifactor authentication is required, the user gets prompted to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
- Starting in Windows 10, version 1709, when the same policy is configured in Group Policy and MDM, Group Policy policy takes precedence over MDM.
- Starting in Windows 10, version 1803, a new setting allows you to change precedence to MDM. For more information, see [Windows Group Policy vs. Intune MDM Policy who wins?](/archive/blogs/cbernier/windows-10-group-policy-vs-intune-mdm-policy-who-wins).
@ -52,20 +52,13 @@ To configure autoenrollment using a group policy, use the following steps:
1. Link the GPO.
1. Filter using Security Groups.
If you don't see the policy, it may be because you don't have the ADMX for Windows 10, version 1803 or later installed. To fix the issue, use the following procedures. The latest MDM.admx is backwards compatible.
If you don't see the policy, get the latest ADMX for your Windows version. To fix the issue, use the following procedures. The latest MDM.admx is backwards compatible.
1. Download the administrative templates for the desired version:
- [Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880)
- [Administrative Templates (.admx) for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576)
- [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495)
- [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)](https://www.microsoft.com/download/confirmation.aspx?id=100591)
- [Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/confirmation.aspx?id=101445)
- [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157)
- [Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1)](https://www.microsoft.com/download/details.aspx?id=103124)
- [Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042)
- [Administrative Templates (.admx) for Windows 10 October 2022 Update (22H2)](https://www.microsoft.com/download/104677)
- [Administrative Templates (.admx) for Windows 11 2022 September Update (22H2)](https://www.microsoft.com/download/details.aspx?id=104593)
- [Windows 11, version 23H2](https://www.microsoft.com/download/details.aspx?id=105667)
- [Windows 11, version 22H2](https://www.microsoft.com/download/details.aspx?id=104593)
- [Windows 10, version 22H2](https://www.microsoft.com/download/details.aspx?id=104677)
1. Install the package on the Domain Controller.
@ -96,9 +89,9 @@ This procedure is only for illustration purposes to show how the new autoenrollm
>
> **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or [Azure Virtual Desktop multi-session host pools](/mem/intune/fundamentals/azure-virtual-desktop-multi-session) because the Intune subscription is user centric. User credentials are supported for [Azure Virtual Desktop personal host pools](/mem/intune/fundamentals/azure-virtual-desktop).
When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called **Schedule created by enrollment client for automatically enrolling in MDM from Microsoft Entra ID**. To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
When a group policy refresh occurs on the client, a task is created and scheduled to run every five minutes for one day. The task is called **Schedule created by enrollment client for automatically enrolling in MDM from Microsoft Entra ID**. To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
If two-factor authentication is required, you are prompted to complete the process. Here's an example screenshot.
If two-factor authentication is required, you're prompted to complete the process. Here's an example screenshot.
:::image type="content" source="images/autoenrollment-2-factor-auth.png" alt-text="Screenshot of Two-factor authentication notification.":::
@ -124,10 +117,10 @@ In **Task Scheduler Library**, open **Microsoft > Windows** , then select **Ente
To see the result of the task, move the scroll bar to see the **Last Run Result**. You can see the logs in the **History** tab.
The message **0x80180026** is a failure message (`MENROLL_E_DEVICE_MANAGEMENT_BLOCKED`). If the device enrollment is blocked, your IT admin might have enabled the **Disable MDM Enrollment** policy.
The message **0x80180026** is a failure message (`MENROLL_E_DEVICE_MANAGEMENT_BLOCKED`), which can be caused by enabling the **Disable MDM Enrollment** policy.
> [!NOTE]
> The GPEdit console doesn't reflect the status of policies set by your IT admin on your device. It's only used by the user to set policies.
> The GPEdit console doesn't reflect the status of policies set by your organization on your device. It's only used by the user to set policies.
## Related articles

Binary file not shown.


Width:  |  Height:  |  Size: 103 KiB


@ -1,31 +1,200 @@
---
title: Manage Copilot in Windows
description: Learn how to manage Copilot in Windows using MDM and group policy.
ms.topic: article
ms.date: 10/16/2023
description: Learn how to manage Copilot in Windows for commercial environments using MDM and group policy. Learn about the chat providers available to Copilot in Windows.
ms.topic: conceptual
ms.technology: itpro-windows-copilot
ms.date: 11/06/2023
ms.author: mstewart
author: mestew
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11, version 22H2 or later</a>
---
# Manage Copilot in Windows
<!--8445848-->
>**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0).
Windows is the first PC platform to provide centralized AI assistance for customers. Together, with Bing Chat, Copilot in Windows helps you bring your ideas to life, complete complex projects and collaborate instead of spending energy finding, launching and working across multiple applications.
Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to help your users get things done in Windows. Copilot in Windows can perform common tasks in Windows like changing Windows settings, which makes it different from the browser-based [Copilot in Edge](/bing-chat-enterprise/edge). However, both user experiences, Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since it is possible for users to copy and paste sensitive information into the chat provider.
This article lists settings available to manage Copilot in Windows. To learn more about Copilot in Windows, see [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0).
> [!Note]
> - Copilot in Windows is currently available as a preview. We will continue to experiment with new ideas and methods using your feedback.
> - Copilot in Windows is being released in preview to select global markets as part of our latest update to Windows 11. The initial markets for the Copilot in Windows preview include North America and parts of Asia and South America. It is our intention to add additional markets over time.
## Turn off Copilot in Windows
## Configure Copilot in Windows for commercial environments
This policy setting allows you to turn off Copilot in Windows. If you enable this policy setting, users can't use Copilot. The Copilot icon doesn't appear on the taskbar either. If you disable or don't configure this policy setting, users can use Copilot when it's available to them.
At a high level, managing and configuring Copilot in Windows for your organization involves the following steps:
| | Setting |
|------------------|---------------------------------------------------------------------------------------------------------|
| **CSP** | ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) |
1. Understand the [available chat provider platforms for Copilot in Windows](#chat-provider-platforms-for-copilot-in-windows)
1. [Configure the chat provider platform](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) used by Copilot in Windows
1. Ensure the [Copilot in Windows user experience](#ensure-the-copilot-in-windows-user-experience-is-enabled) is enabled
1. Verify [other settings that might affect Copilot in Windows](#other-settings-that-might-affect-copilot-in-windows-and-its-underlying-chat-provider) and its underlying chat provider
Organizations that aren't ready to use Copilot in Windows can disable it until they're ready with the **Turn off Windows Copilot** policy. This policy setting allows you to turn off Copilot in Windows. If you enable this policy setting, users can't use Copilot in Windows and the icon doesn't appear on the taskbar either. If you disable or don't configure this policy setting, users can use Copilot in Windows when it's available to them.
| &nbsp; | Setting |
|---|---|
| **CSP** | ./User/Vendor/MSFT/Policy/Config/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) |
| **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows Copilot > **Turn off Windows Copilot** |
## Chat provider platforms for Copilot in Windows
## Related articles
Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat provider platform. The chat provider platform is the underlying service that Copilot in Windows uses to communicate with the user. The chat provider platform that Copilot in Windows uses is important because it is possible for users to copy and paste sensitive information into the chat provider. Each chat provider platform has different privacy and security protections.
- [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0)
**Bing Chat**:
- [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/copilot-in-windows-your-data-and-privacy-3e265e82-fc76-4d0a-afc0-4a0de528b73a)
[Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it) is a consumer experience and if a user isn't signed in with their Microsoft account, the number of chat queries per user has a daily limit. Bing Chat doesn't offer the same commercial data protection as Bing Chat Enterprise does. The following privacy and security protections apply for Bing Chat:
- [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/3e265e82-fc76-4d0a-afc0-4a0de528b73a)
- The privacy statement for using Bing Chat follows the [Microsoft privacy statement](https://privacy.microsoft.com/privacystatement) including the product specific guidance in the Microsoft privacy statement for **Bing** under the **Search, Microsoft Edge, and artificial intelligence** section.
**Bing Chat Enterprise**:
[Bing Chat Enterprise](/bing-chat-enterprise/overview) is intended for commercial use scenarios and offers commercial data protection. The following privacy and security protections apply for Bing Chat Enterprise:
- With [Bing Chat Enterprise](/bing-chat-enterprise/overview), user and organizational data is protected, chat data isn't saved, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. Bing Chat Enterprise is accessible from mobile browsers, including Edge mobile on iOS and Android. Review the Bing Chat Enterprise [privacy statement](/bing-chat-enterprise/privacy-and-protections).
- Bing Chat Enterprise is available, at no additional cost, for the following licenses:
- Microsoft 365 E3 or E5
- Microsoft 365 A3 or A5 for faculty
- Microsoft 365 Business Standard
- Microsoft 365 Business Premium
> [!Note]
> Bing Chat Enterprise and Bing Chat don't have access to Microsoft Graph, unlike [Microsoft 365 Copilot](/microsoft-365-copilot/microsoft-365-copilot-overview) which can be used in the Microsoft 365 apps. This means that Bing Chat Enterprise and Bing Chat can't access Microsoft 365 Apps data, such as email, calendar, or files.
## Configure the chat provider platform that Copilot in Windows uses
Configuring the correct chat provider platform for Copilot in Windows is important because it is possible for users to copy and paste sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. Once you have selected the chat provider platform that you want to use for Copilot in Windows, ensure it's configured for your organization's users. The following sections describe how to configure the chat provider platform that Copilot in Windows uses.
### Bing Chat as the chat provider platform
Bing Chat is used as the default chat provider platform for Copilot in Windows when any of the following conditions occur:
- Bing Chat Enterprise isn't configured for the user
- The user isn't assigned a license that includes Bing Chat Enterprise
- Bing Chat Enterprise is [turned off](/bing-chat-enterprise/manage)
- The user isn't signed in with a Microsoft Entra account that's licensed for Bing Chat Enterprise
### Bing Chat Enterprise as the chat provider platform (recommended for commercial environments)
To verify that Bing Chat Enterprise is enabled for the user as the chat provider platform for Copilot in Windows, use the following instructions:
1. Sign into the [Microsoft 365 admin center](https://admin.microsoft.com/).
1. In the admin center, select **Users** > **Active users** and verify that users are assigned a license that includes Bing Chat Enterprise. Bing Chat Enterprise is included and enabled by default for users that are assigned one of the following licenses:
- Microsoft 365 E3 or E5
- Microsoft 365 A3 or A5 for faculty
- Currently, Microsoft 365 A3 and A5 for faculty requires additional configuration. For more information, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage).
- Microsoft 365 Business Standard
- Microsoft 365 Business Premium
1. To verify that Bing Chat Enterprise is enabled for the user, select the user's **Display name** to open the flyout menu.
1. In the flyout, select the **Licenses & apps** tab, then expand the **Apps** list.
1. Verify that **Bing Chat Enterprise** is enabled for the user.
1. If you prefer to view a user's licenses from the [Azure portal](https://portal.azure.com), you will find it under **Microsoft Entra ID** > **Users**. Select the user's name, then **Licenses**. Select a license that includes Bing Chat Enterprise, and verify that it's listed as **On**.
> [!Note]
> If you previously disabled Bing Chat Enterprise using the URL, `https://aka.ms/TurnOffBCE`, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage) for verifying that Bing Chat Enterprise is enabled for your users.
The following sample PowerShell script connects to Microsoft Graph and lists which users that have Bing Chat Enterprise enabled and disabled:
```powershell
# Install Microsoft Graph module
if (-not (Get-Module Microsoft.Graph.Users)) {
Install-Module Microsoft.Graph.Users
}
# Connect to Microsoft Graph
Connect-MgGraph -Scopes 'User.Read.All'
# Get all users
$users = Get-MgUser -All -ConsistencyLevel eventual -Property Id, DisplayName, Mail, UserPrincipalName, AssignedPlans
# Users with Bing Chat Enterprise enabled
$users | Where-Object { $_.AssignedPlans -and $_.AssignedPlans.Service -eq "Bing" -and $_.AssignedPlans.CapabilityStatus -eq "Enabled" } | Format-Table
# Users without Bing Chat Enterprise enabled
$users | Where-Object { -not $_.AssignedPlans -or ($_.AssignedPlans.Service -eq "Bing" -and $_.AssignedPlans.CapabilityStatus -ne "Enabled") } | Format-Table
```
When Bing Chat Enterprise is the chat provider platform, the user experience clearly states that **Your personal and company data are protected in this chat**. There's also a shield symbol labeled **Protected** at the top of the Copilot in Windows sidebar and the provider is listed under the Copilot logo when the sidebar is first opened. The following image shows the message that's displayed when Bing Chat Enterprise is the chat provider platform for Copilot in Windows:
:::image type="content" source="images/bing-chat-enterprise-chat-provider.png" alt-text="Screenshot of the Copilot in Windows user experience when Bing Chat Enterprise is the chat provider." lightbox="images/bing-chat-enterprise-chat-provider.png":::
## Ensure the Copilot in Windows user experience is enabled
Once you've configured the chat provider platform that Copilot in Windows uses, you need to ensure that the Copilot in Windows user experience is enabled. Ensuring the Copilot in Windows user experience is enabled varies by the Windows version.
### Enable the Copilot in Windows user experience for Windows 11, version 22H2 clients
Copilot in Windows isn't technically enabled by default for managed Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager, Microsoft Intune, and Windows Autopatch are considered managed since their updates ultimately come from WSUS or Windows Updates for Business.
To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you need to enable features under temporary enterprise control for these devices. Since enabling features behind [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) can be impactful, you should test this change before deploying it broadly. To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions:
1. Verify that the user accounts have the correct chat provider platform configured for Copilot in Windows. For more information, see the [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) section.
1. Apply a policy to enable features under temporary enterprise control for managed clients. The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later:
- **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\\**Enable features introduced via servicing that are off by default**
- **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol)
- In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow Temporary Enterprise Feature Control** under the **Windows Update for Business** category.
> [!Important]
> For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager, Microsoft Intune, and Windows Autopatch are considered managed since their updates ultimately come from WSUS or Windows Updates for Business.
1. Copilot in Windows will be initially deployed to devices using a controlled feature rollout (CFR). Depending on how soon you start deploying Copilot in Windows, you might also need to [enable optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates) with one of the following policies:
- **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\\**Allow updates to Windows optional features**
- **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowOptionalUpdates](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalupdates)
- In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow optional updates** under the **Windows Update for Business** category.
The optional updates policy applies to Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later. When setting policy for [optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates), ensure you select one of the following options that includes CFRs:
- Automatically receive optional updates (including CFRs)
- This selection places devices into an early CFR phase
- Users can select which optional updates to receive
1. Windows 11, version 22H2 devices display Copilot in Windows when the CFR is enabled for the device. CFRs are enabled for devices in phases, sometimes called waves.
### Enable the Copilot in Windows user experience for Windows 11, version 23H2 clients
Once a managed device installs the version 23H2 update, the [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) for Copilot in Windows will be removed. This means that Copilot in Windows will be enabled by default for these devices.
While the user experience for Copilot in Windows is enabled by default, you still need to verify that the correct chat provider platform configured for Copilot in Windows. While every effort has been made to ensure that Bing Chat Enterprise is the default chat provider for commercial organizations, it's still possible that Bing Chat might still be used if the configuration is incorrect, or if other settings are affecting Copilot in Windows. For more information, see:
- [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses)
- [Other settings that might affect Copilot in Windows and its underlying chat provider](#other-settings-that-might-affect-copilot-in-windows-and-its-underlying-chat-provider)
Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using the following policy:
- **CSP**: ./User/Vendor/MSFT/Policy/Config/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot)
- **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot**
## Other settings that might affect Copilot in Windows and its underlying chat provider
Copilot in Windows and [Copilot in Edge](/bing-chat-enterprise/edge), can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and Copilot in Edge can also affect Copilot in Windows. The following common settings might affect Copilot in Windows and its underlying chat provider:
### Bing settings
- If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8fb8f1814) is enabled for Bing, it can block chat providers for Copilot in Windows. The following network changes block the chat providers for Copilot in Windows and Copilot in Edge:
- mapping `www.bing.com` to `strict.bing.com`
- mapping `edgeservices.bing.com` to `strict.bing.com`
- blocking `bing.com`
- If Bing Chat Enterprise is turned on for your organization, users will be able to access it through Edge mobile when signed in with their work account. If you would like to remove the Bing Chat button from the Edge mobile interface, you can use an [Intune Mobile Application Management (MAM) policy for Microsoft Edge](/mem/intune/apps/manage-microsoft-edge) to remove it:
|Key |Value |
|:---------|:------------|
|com.microsoft.intune.mam.managedbrowser.Chat| **true** (default) shows the interface </br> **false** hides the interface |
### Microsoft Edge policies
- If [HubsSidebarEnabled](/deployedge/microsoft-edge-policies#hubssidebarenabled) is set to `disabled`, it blocks Copilot in Edge from being displayed.
- If [DiscoverPageContextEnabled](/deployedge/microsoft-edge-policies#discoverpagecontextenabled) is set to `disabled`, it blocks Bing Chat and Bing Chat Enterprise from reading the current webpage context. The chat providers need access to the current webpage context for providing page summarizations and sending user selected strings from the webpage into the chat provider.
### Search settings
- Setting [ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) to `Hide` might interfere with the Copilot in Windows user experience.
- Setting [AllowSearchHighlights](/windows/client-management/mdm/policy-csp-search#allowsearchhighlights) to `disabled` might interfere with the Copilot in Windows and the Copilot in Edge user experiences.
### Account settings
- The [AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#allowmicrosoftaccountconnection) setting might allow users to use their personal Microsoft account with Copilot in Windows and Copilot in Edge.
- The [RestrictToEnterpriseDeviceAuthenticationOnly](/windows/client-management/mdm/policy-csp-accounts#restricttoenterprisedeviceauthenticationonly) setting might prevent access to chat providers since it blocks user authentication.
## Microsoft's commitment to responsible AI
Microsoft has been on a responsible AI journey since 2017, when we defined our principles and approach to ensuring this technology is used in a way that is driven by ethical principles that put people first. For more about our responsible AI journey, the ethical principles that guide us, and the tooling and capabilities we've created to assure that we develop AI technology responsibly, see [Responsible AI](https://www.microsoft.com/ai/responsible-ai).


@ -4,7 +4,7 @@ description: Learn more about the BitLocker CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 10/23/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -18,8 +18,6 @@ ms.topic: reference
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- BitLocker-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it's also supported in Windows 10 Pro.
@ -39,7 +37,6 @@ The following list shows the BitLocker configuration service provider nodes:
- ./Device/Vendor/MSFT/BitLocker
- [AllowStandardUserEncryption](#allowstandarduserencryption)
- [AllowSuspensionOfBitLockerProtection](#allowsuspensionofbitlockerprotection)
- [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption)
- [ConfigureRecoveryPasswordRotation](#configurerecoverypasswordrotation)
- [EncryptionMethodByDriveType](#encryptionmethodbydrivetype)
@ -148,64 +145,6 @@ To disable this policy, use the following SyncML:
<!-- Device-AllowStandardUserEncryption-End -->
<!-- Device-AllowSuspensionOfBitLockerProtection-Begin -->
## AllowSuspensionOfBitLockerProtection
<!-- Device-AllowSuspensionOfBitLockerProtection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-AllowSuspensionOfBitLockerProtection-Applicability-End -->
<!-- Device-AllowSuspensionOfBitLockerProtection-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/BitLocker/AllowSuspensionOfBitLockerProtection
```
<!-- Device-AllowSuspensionOfBitLockerProtection-OmaUri-End -->
<!-- Device-AllowSuspensionOfBitLockerProtection-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows suspending protection for BitLocker Drive Encryption when enabled and prevents suspending protection when disabled.
> [!WARNING]
> When policy is disabled, some scenarios will be blocked and prevent those scenarios from behaving normally.
The expected values for this policy are:
0 = Prevent BitLocker Drive Encryption protection from being suspended.
1 = This is the default, when the policy isn't set. Allows suspending BitLocker Drive Encryption protection.
<!-- Device-AllowSuspensionOfBitLockerProtection-Description-End -->
<!-- Device-AllowSuspensionOfBitLockerProtection-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-AllowSuspensionOfBitLockerProtection-Editable-End -->
<!-- Device-AllowSuspensionOfBitLockerProtection-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- Device-AllowSuspensionOfBitLockerProtection-DFProperties-End -->
<!-- Device-AllowSuspensionOfBitLockerProtection-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Prevent BitLocker Drive Encryption protection from being suspended. |
| 1 (Default) | This is the default, when the policy isn't set. Allows suspending BitLocker Drive Encryption protection. |
<!-- Device-AllowSuspensionOfBitLockerProtection-AllowedValues-End -->
<!-- Device-AllowSuspensionOfBitLockerProtection-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-AllowSuspensionOfBitLockerProtection-Examples-End -->
<!-- Device-AllowSuspensionOfBitLockerProtection-End -->
<!-- Device-AllowWarningForOtherDiskEncryption-Begin -->
## AllowWarningForOtherDiskEncryption


@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 06/02/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -772,52 +772,6 @@ Supported Values: String form of request ID. Example format of request ID is GUI
</MSFT:Applicability>
</DFProperties>
</Node>
<Node>
<NodeName>AllowSuspensionOfBitLockerProtection</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>This policy setting allows suspending protection for BitLocker Drive Encryption when enabled and prevents suspending protection when disabled.
Warning: When policy is disabled, some scenarios will be blocked and prevent those scenarios from behaving normally.
The format is integer.
The expected values for this policy are:
0 = Prevent BitLocker Drive Encryption protection from being suspended.
1 = This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection.
</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>9.9</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Prevent BitLocker Drive Encryption protection from being suspended.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>Status</NodeName>
<DFProperties>


@ -4,7 +4,7 @@ description: Learn more about the CloudDesktop CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 10/23/2023
ms.date: 10/25/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -26,16 +26,72 @@ ms.topic: reference
The following list shows the CloudDesktop configuration service provider nodes:
- ./Device/Vendor/MSFT/CloudDesktop
- [BootToCloudPCEnhanced](#boottocloudpcenhanced)
- [EnableBootToCloudSharedPCMode](#enableboottocloudsharedpcmode)
<!-- CloudDesktop-Tree-End -->
<!-- Device-BootToCloudPCEnhanced-Begin -->
## BootToCloudPCEnhanced
<!-- Device-BootToCloudPCEnhanced-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-BootToCloudPCEnhanced-Applicability-End -->
<!-- Device-BootToCloudPCEnhanced-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/CloudDesktop/BootToCloudPCEnhanced
```
<!-- Device-BootToCloudPCEnhanced-OmaUri-End -->
<!-- Device-BootToCloudPCEnhanced-Description-Begin -->
<!-- Description-Source-DDF -->
This node allows to configure different kinds of Boot to Cloud mode. Boot to cloud mode enables users to seamlessly sign-in to a Cloud PC. For using this feature, Cloud Provider application must be installed on the PC and the user must have a Cloud PC provisioned. This node supports the below options: 0. Not Configured. 1. Enable Boot to Cloud Shared PC Mode: Boot to Cloud Shared PC mode allows multiple users to sign-in on the device and use for shared purpose. 2. Enable Boot to Cloud Personal Mode (Cloud only): Personal mode allows user to sign-in on the device using various authentication mechanism configured by their organization (For ex. PIN, Biometrics etc). This mode preserves user personalization, including their profile picture and username in local machine, and facilitates fast account switching.
<!-- Device-BootToCloudPCEnhanced-Description-End -->
<!-- Device-BootToCloudPCEnhanced-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!IMPORTANT]
> If BootToCloudPCEnhanced and EnableBootToCloudSharedPCMode are both configured, BootToCloudPCEnhanced is given priority and overrides EnableBootToCloudSharedPCMode.
<!-- Device-BootToCloudPCEnhanced-Editable-End -->
<!-- Device-BootToCloudPCEnhanced-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- Device-BootToCloudPCEnhanced-DFProperties-End -->
<!-- Device-BootToCloudPCEnhanced-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Not Configured. |
| 1 | Enable Boot to Cloud Shared PC Mode. |
| 2 | Enable Boot to Cloud Personal Mode (Cloud only). |
<!-- Device-BootToCloudPCEnhanced-AllowedValues-End -->
<!-- Device-BootToCloudPCEnhanced-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-BootToCloudPCEnhanced-Examples-End -->
<!-- Device-BootToCloudPCEnhanced-End -->
<!-- Device-EnableBootToCloudSharedPCMode-Begin -->
## EnableBootToCloudSharedPCMode
> [!NOTE]
> This policy is deprecated and may be removed in a future release.
<!-- Device-EnableBootToCloudSharedPCMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.22631.2050] |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-EnableBootToCloudSharedPCMode-Applicability-End -->
<!-- Device-EnableBootToCloudSharedPCMode-OmaUri-Begin -->
@ -51,6 +107,8 @@ Setting this node to "true" configures boot to cloud for Shared PC mode. Boot to
<!-- Device-EnableBootToCloudSharedPCMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!IMPORTANT]
> If BootToCloudPCEnhanced and EnableBootToCloudSharedPCMode are both configured, BootToCloudPCEnhanced is given priority and overrides EnableBootToCloudSharedPCMode.
<!-- Device-EnableBootToCloudSharedPCMode-Editable-End -->
<!-- Device-EnableBootToCloudSharedPCMode-DFProperties-Begin -->
@ -80,66 +138,86 @@ Setting this node to "true" configures boot to cloud for Shared PC mode. Boot to
<!-- CloudDesktop-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
## EnableBootToCloudSharedPCMode technical reference
## BootToCloudPCEnhanced technical reference
EnableBootToCloudSharedPCMode setting is used to configure **Boot to Cloud** feature for shared user mode. When you enable this setting, multiple policies are applied to achieve the intended behavior.
BootToCloudPCEnhanced is the setting used to configure **Boot to Cloud** feature either for shared mode or personal mode. When you enable this setting, multiple policies are applied to achieve the intended behavior. If you wish to customize the **Boot to Cloud** experience, you can utilize the [BootToCloudMode](policy-csp-clouddesktop.md#boottocloudmode) policy, which provides the flexibility to tailor the experience according to your requirements.
> [!NOTE]
> It is recommended not to set any of the policies enforced by this setting to different values, as these policies help provide a smooth UX experience for the **Boot to Cloud** feature for shared user mode.
> It is recommended not to set any of the policies enforced by this setting to different values, as these policies help provide a smooth UX experience for the **Boot to Cloud** feature for shared and personal mode.
### MDM Policies
### Boot to Cloud Shared PC Mode
When this mode is enabled, these MDM policies are applied for the Device scope (all users):
When the Shared PC mode is enabled by setting BootToCloudPCEnhanced value to 1:
| Setting | Value | Value Description |
|----------------------------------------------------------------------------------------------------------------------------|---------|-------------------------------------------------------------|
| [CloudDesktop/BootToCloudMode](policy-csp-clouddesktop.md#boottocloudmode) | 1 | Enable Boot to Cloud Desktop |
| [WindowsLogon/OverrideShellProgram](policy-csp-windowslogon.md#overrideshellprogram) | 1 | Apply Lightweight Shell |
| [ADMX_CredentialProviders/DefaultCredentialProvider](policy-csp-admx-credentialproviders.md#defaultcredentialprovider) | Enabled | Configures default credential provider to password provider |
| [ADMX_Logon/DisableExplorerRunLegacy_2](policy-csp-admx-logon.md#disableexplorerrunlegacy_2) | Enabled | Don't process the computer legacy run list |
| [TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode](policy-csp-textinput.md#enabletouchkeyboardautoinvokeindesktopmode) | 1 | When no keyboard is attached |
- Following MDM policies are applied for the Device scope (all users):
### Group Policies
| Setting | Value | Value Description |
|----------------------------------------------------------------------------------------------------------------------------|---------|-------------------------------------------------------------|
| [CloudDesktop/BootToCloudMode](policy-csp-clouddesktop.md#boottocloudmode) | 1 | Enable Boot to Cloud Desktop |
| [WindowsLogon/OverrideShellProgram](policy-csp-windowslogon.md#overrideshellprogram) | 1 | Apply Lightweight Shell |
| [ADMX_CredentialProviders/DefaultCredentialProvider](policy-csp-admx-credentialproviders.md#defaultcredentialprovider) | Enabled | Configures default credential provider to password provider |
| [ADMX_Logon/DisableExplorerRunLegacy_2](policy-csp-admx-logon.md#disableexplorerrunlegacy_2) | Enabled | Don't process the computer legacy run list |
| [TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode](policy-csp-textinput.md#enabletouchkeyboardautoinvokeindesktopmode) | 1 | When no keyboard is attached |
When this mode is enabled, these local group policies are configured for all users:
- Following local group policies are configured for all users:
| Policy setting | Status |
|------------------------------------------------------------------------------------------------------------------------|---------------------------------------|
| Security Settings/Local Policies/Security Options/User Account Control: Behavior of elevation prompt for standard user | Automatically deny elevation requests |
| Security Settings/Local Policies/Security Options/Interactive logon: Don't display last signed-in | Enabled |
| Control Panel/Personalization/Prevent enabling lock screen slide show | Enabled |
| System/Logon/Block user from showing account details on sign-in | Enabled |
| System/Logon/Enumerate local users on domain-joined computers | Disabled |
| System/Logon/Hide entry points for Fast User Switching | Enabled |
| System/Logon/Show first sign-in animation | Disabled |
| System/Logon/Turn off app notifications on the lock screen | Enabled |
| System/Logon/Turn off picture password sign-in | Enabled |
| System/Logon/Turn on convenience PIN sign-in | Disabled |
| Windows Components/App Package Deployment/Allow a Windows app to share application data between users | Enabled |
| Windows Components/Biometrics/Allow the use of biometrics | Disabled |
| Windows Components/Biometrics/Allow users to log on using biometrics | Disabled |
| Windows Components/Biometrics/Allow domain users to log on using biometrics | Disabled |
| Windows Components/File Explorer/Show lock in the user tile menu | Disabled |
| Windows Components/File History/Turn off File History | Enabled |
| Windows Components/OneDrive/Prevent the usage of OneDrive for file storage | Enabled |
| Windows Components/Windows Hello for Business/Use biometrics | Disabled |
| Windows Components/Windows Hello for Business/Use Windows Hello for Business | Disabled |
| Windows Components/Windows Logon Options/Sign-in and lock last interactive user automatically after a restart | Disabled |
| Windows Components/Microsoft Passport for Work | Disabled |
| System/Ctrl+Alt+Del Options/Remove Task Manager | Enabled |
| System/Ctrl+Alt+Del Options/Remove Change Password | Enabled |
| Start Menu and Taskbar/Notifications/Turn off toast notifications | Enabled |
| Start Menu and Taskbar/Notifications/Remove Notifications and Action Center | Enabled |
| System/Logon/Do not process the legacy run list | Enabled |
| Policy setting | Status |
|------------------------------------------------------------------------------------------------------------------------|---------------------------------------|
| Security Settings/Local Policies/Security Options/User Account Control: Behavior of elevation prompt for standard user | Automatically deny elevation requests |
| Security Settings/Local Policies/Security Options/Interactive logon: Don't display last signed-in | Enabled |
| Control Panel/Personalization/Prevent enabling lock screen slide show | Enabled |
| System/Logon/Block user from showing account details on sign-in | Enabled |
| System/Logon/Enumerate local users on domain-joined computers | Disabled |
| System/Logon/Hide entry points for Fast User Switching | Enabled |
| System/Logon/Show first sign-in animation | Disabled |
| System/Logon/Turn off app notifications on the lock screen | Enabled |
| System/Logon/Turn off picture password sign-in | Enabled |
| System/Logon/Turn on convenience PIN sign-in | Disabled |
| Windows Components/App Package Deployment/Allow a Windows app to share application data between users | Enabled |
| Windows Components/Biometrics/Allow the use of biometrics | Disabled |
| Windows Components/Biometrics/Allow users to log on using biometrics | Disabled |
| Windows Components/Biometrics/Allow domain users to log on using biometrics | Disabled |
| Windows Components/File Explorer/Show lock in the user tile menu | Disabled |
| Windows Components/File History/Turn off File History | Enabled |
| Windows Components/OneDrive/Prevent the usage of OneDrive for file storage | Enabled |
| Windows Components/Windows Hello for Business/Use biometrics | Disabled |
| Windows Components/Windows Hello for Business/Use Windows Hello for Business | Disabled |
| Windows Components/Windows Logon Options/Sign-in and lock last interactive user automatically after a restart | Disabled |
| Windows Components/Microsoft Passport for Work | Disabled |
| System/Ctrl+Alt+Del Options/Remove Task Manager | Enabled |
| System/Ctrl+Alt+Del Options/Remove Change Password | Enabled |
| Start Menu and Taskbar/Notifications/Turn off toast notifications | Enabled |
| Start Menu and Taskbar/Notifications/Remove Notifications and Action Center | Enabled |
| System/Logon/Do not process the legacy run list | Enabled |
### Registry
- Following registry changes are performed:
When this mode is enabled, these registry changes are performed:
| Registry setting | Status |
|----------------------------------------------------------------------------------------------|--------|
| Software\Policies\Microsoft\PassportForWork\Remote\Enabled (Phone sign-in/Use phone sign-in) | 0 |
| Software\Policies\Microsoft\PassportForWork\Enabled (Use Microsoft Passport for Work) | 0 |
| Registry setting | Status |
|----------------------------------------------------------------------------------------------|--------|
| Software\Policies\Microsoft\PassportForWork\Remote\Enabled (Phone sign-in/Use phone sign-in) | 0 |
| Software\Policies\Microsoft\PassportForWork\Enabled (Use Microsoft Passport for Work) | 0 |
### Boot to Cloud Personal Mode
When the Personal mode is enabled by setting BootToCloudPCEnhanced value to 2:
- Following MDM policies are applied for the Device scope (all users):
| Setting | Value | Value Description |
|----------------------------------------------------------------------------------------------------------------------------|---------|-------------------------------------------------------------|
| [CloudDesktop/BootToCloudMode](policy-csp-clouddesktop.md#boottocloudmode) | 1 | Enable Boot to Cloud Desktop |
| [WindowsLogon/OverrideShellProgram](policy-csp-windowslogon.md#overrideshellprogram) | 1 | Apply Lightweight Shell |
| [ADMX_Logon/DisableExplorerRunLegacy_2](policy-csp-admx-logon.md#disableexplorerrunlegacy_2) | Enabled | Don't process the computer legacy run list |
| [TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode](policy-csp-textinput.md#enabletouchkeyboardautoinvokeindesktopmode) | 1 | When no keyboard is attached |
- Following local group policies are configured for all users:
| Policy setting | Status |
|------------------------------------------------------------------------------------------------------------------------|---------------------------------------|
| System/Ctrl+Alt+Del Options/Remove Change Password | Enabled |
| Start Menu and Taskbar/Notifications/Turn off toast notifications | Enabled |
| Start Menu and Taskbar/Notifications/Remove Notifications and Action Center | Enabled |
| System/Logon/Do not process the legacy run list | Enabled |
<!-- CloudDesktop-CspMoreInfo-End -->
<!-- CloudDesktop-End -->


@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/29/2023
ms.date: 10/25/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -45,11 +45,55 @@ The following XML file contains the device description framework (DDF) for the C
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>22631.2050</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x30;0x31;0x7E;0x88;0xA1;0xA2;0xA4;0xA5;0xBC;0xBF;0xCD;</MSFT:EditionAllowList>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>9.9</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x30;0x31;0x7E;0x87;0x88;0x88*;0xA1;0xA2;0xA4;0xA5;0xB4;0xBC;0xBD;0xBF;</MSFT:EditionAllowList>
</MSFT:Applicability>
</DFProperties>
<Node>
<NodeName>BootToCloudPCEnhanced</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This node allows to configure different kinds of Boot to Cloud mode. Boot to cloud mode enables users to seamlessly sign-in to a Cloud PC. For using this feature, Cloud Provider application must be installed on the PC and the user must have a Cloud PC provisioned. This node supports the below options: 0. Not Configured. 1. Enable Boot to Cloud Shared PC Mode: Boot to Cloud Shared PC mode allows multiple users to sign-in on the device and use for shared purpose. 2. Enable Boot to Cloud Personal Mode (Cloud only): Personal mode allows user to sign-in on the device using various authentication mechanism configured by their organization (For ex. PIN, Biometrics etc). This mode preserves user personalization, including their profile picture and username in local machine, and facilitates fast account switching.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Boot to Cloud PC Enhanced</DFTitle>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>9.9</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Not Configured</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Enable Boot to Cloud Shared PC Mode</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>Enable Boot to Cloud Personal Mode (Cloud only)</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>EnableBootToCloudSharedPCMode</NodeName>
<DFProperties>
@ -74,6 +118,9 @@ The following XML file contains the device description framework (DDF) for the C
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>88.8.88888</MSFT:OsBuildVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
@ -84,6 +131,7 @@ The following XML file contains the device description framework (DDF) for the C
<MSFT:ValueDescription>Boot to cloud shared pc mode enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:Deprecated />
</DFProperties>
</Node>
</Node>


@ -4,7 +4,7 @@ description: Learn more about the DeclaredConfiguration CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 09/27/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -110,7 +110,7 @@ The Host internal node indicates that the target of the configuration request or
<!-- Device-Host-Complete-Description-Begin -->
<!-- Description-Source-DDF -->
This internal node indicates that the configuration has discrete settings values and is self-contained with complete setting and value pairs that don't contain placeholders that the need to be resolved later with additional data. The request is ready to be processed as is.
This internal node indicates that the configuration has discrete settings values and is self-contained with complete setting and value pairs that don't contain placeholders that need to be resolved later with additional data. The request is ready to be processed as is.
<!-- Device-Host-Complete-Description-End -->
<!-- Device-Host-Complete-Editable-Begin -->


@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 09/27/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -80,7 +80,7 @@ The following XML file contains the device description framework (DDF) for the D
<Delete />
<Get />
</AccessType>
<Description>This internal node indicates that the configuration has discrete settings values and is self-contained with complete setting and value pairs that do not contain placeholders that the need to be resolved later with additional data. The request is ready to be processed as is.</Description>
<Description>This internal node indicates that the configuration has discrete settings values and is self-contained with complete setting and value pairs that do not contain placeholders that need to be resolved later with additional data. The request is ready to be processed as is.</Description>
<DFFormat>
<node />
</DFFormat>


@ -4,7 +4,7 @@ description: Learn more about the Defender CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/29/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -71,10 +71,12 @@ The following list shows the Defender configuration service provider nodes:
- [HideExclusionsFromLocalUsers](#configurationhideexclusionsfromlocalusers)
- [IntelTDTEnabled](#configurationinteltdtenabled)
- [MeteredConnectionUpdates](#configurationmeteredconnectionupdates)
- [NetworkProtectionReputationMode](#configurationnetworkprotectionreputationmode)
- [OobeEnableRtpAndSigUpdate](#configurationoobeenablertpandsigupdate)
- [PassiveRemediation](#configurationpassiveremediation)
- [PerformanceModeStatus](#configurationperformancemodestatus)
- [PlatformUpdatesChannel](#configurationplatformupdateschannel)
- [QuickScanIncludeExclusions](#configurationquickscanincludeexclusions)
- [RandomizeScheduleTaskTimes](#configurationrandomizescheduletasktimes)
- [ScanOnlyIfIdleEnabled](#configurationscanonlyifidleenabled)
- [SchedulerRandomizationTime](#configurationschedulerrandomizationtime)
@ -348,7 +350,7 @@ Control whether network protection can improve performance by switching from rea
| Value | Description |
|:--|:--|
| 1 | Allow switching to asynchronous inspection. |
| 0 (Default) | Dont allow asynchronous inspection. |
| 0 (Default) | Don't allow asynchronous inspection. |
<!-- Device-Configuration-AllowSwitchToAsyncInspection-AllowedValues-End -->
<!-- Device-Configuration-AllowSwitchToAsyncInspection-Examples-Begin -->
@ -464,7 +466,7 @@ Define the retention period in days of how much time the evidence data will be k
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[1-120]` |
| Default Value | 60 |
@ -953,8 +955,8 @@ Control Device Control feature.
| Value | Description |
|:--|:--|
| 1 | . |
| 0 (Default) | . |
| 1 | Device Control is enabled. |
| 0 (Default) | Device Control is disabled. |
<!-- Device-Configuration-DeviceControlEnabled-AllowedValues-End -->
<!-- Device-Configuration-DeviceControlEnabled-Examples-Begin -->
@ -2186,6 +2188,46 @@ Allow managed devices to update through metered connections. Default is 0 - not
<!-- Device-Configuration-MeteredConnectionUpdates-End -->
<!-- Device-Configuration-NetworkProtectionReputationMode-Begin -->
### Configuration/NetworkProtectionReputationMode
<!-- Device-Configuration-NetworkProtectionReputationMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-NetworkProtectionReputationMode-Applicability-End -->
<!-- Device-Configuration-NetworkProtectionReputationMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/NetworkProtectionReputationMode
```
<!-- Device-Configuration-NetworkProtectionReputationMode-OmaUri-End -->
<!-- Device-Configuration-NetworkProtectionReputationMode-Description-Begin -->
<!-- Description-Source-DDF -->
This sets the reputation mode for Network Protection.
<!-- Device-Configuration-NetworkProtectionReputationMode-Description-End -->
<!-- Device-Configuration-NetworkProtectionReputationMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-NetworkProtectionReputationMode-Editable-End -->
<!-- Device-Configuration-NetworkProtectionReputationMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- Device-Configuration-NetworkProtectionReputationMode-DFProperties-End -->
<!-- Device-Configuration-NetworkProtectionReputationMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-NetworkProtectionReputationMode-Examples-End -->
<!-- Device-Configuration-NetworkProtectionReputationMode-End -->
<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-Begin -->
### Configuration/OobeEnableRtpAndSigUpdate
@ -2325,8 +2367,8 @@ This setting allows IT admins to configure performance mode in either enabled or
| Value | Description |
|:--|:--|
| 0 (Default) | Performance mode is enabled (default). A service restart is required after changing this value. |
| 1 | Performance mode is disabled. A service restart is required after changing this value. |
| 0 (Default) | Performance mode is enabled (default). |
| 1 | Performance mode is disabled. |
<!-- Device-Configuration-PerformanceModeStatus-AllowedValues-End -->
<!-- Device-Configuration-PerformanceModeStatus-Examples-Begin -->
@ -2388,6 +2430,55 @@ Enable this policy to specify when devices receive Microsoft Defender platform u
<!-- Device-Configuration-PlatformUpdatesChannel-End -->
<!-- Device-Configuration-QuickScanIncludeExclusions-Begin -->
### Configuration/QuickScanIncludeExclusions
<!-- Device-Configuration-QuickScanIncludeExclusions-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-QuickScanIncludeExclusions-Applicability-End -->
<!-- Device-Configuration-QuickScanIncludeExclusions-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/QuickScanIncludeExclusions
```
<!-- Device-Configuration-QuickScanIncludeExclusions-OmaUri-End -->
<!-- Device-Configuration-QuickScanIncludeExclusions-Description-Begin -->
<!-- Description-Source-DDF -->
This setting allows you to scan excluded files and directories during quick scans.
<!-- Device-Configuration-QuickScanIncludeExclusions-Description-End -->
<!-- Device-Configuration-QuickScanIncludeExclusions-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-QuickScanIncludeExclusions-Editable-End -->
<!-- Device-Configuration-QuickScanIncludeExclusions-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- Device-Configuration-QuickScanIncludeExclusions-DFProperties-End -->
<!-- Device-Configuration-QuickScanIncludeExclusions-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | If you set this setting to 0 or don't configure it, exclusions aren't scanned during quick scans. |
| 1 | If you set this setting to 1, all files and directories that are excluded from real-time protection using contextual exclusions are scanned during a quick scan. Exclusions that contain wildcards aren't supported and aren't scanned. |
<!-- Device-Configuration-QuickScanIncludeExclusions-AllowedValues-End -->
<!-- Device-Configuration-QuickScanIncludeExclusions-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-QuickScanIncludeExclusions-Examples-End -->
<!-- Device-Configuration-QuickScanIncludeExclusions-End -->
<!-- Device-Configuration-RandomizeScheduleTaskTimes-Begin -->
### Configuration/RandomizeScheduleTaskTimes
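Review bot: The new `Configuration/NetworkProtectionReputationMode` section gives only format `int` and default 0, with no allowed-values table, so a reader cannot tell what 0 selects or which other integers are accepted; the matching node added in the Defender DDF file has no `MSFT:AllowedValues` element either. The description says the setting controls the reputation mode for Network Protection, so an undocumented integer invites guesswork in a production policy. Until the source DDF defines the values, I would say so in the section's Editable block, for example `The values accepted by this setting aren't documented yet; leave it unconfigured unless product guidance says otherwise.`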


@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/29/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -2098,11 +2098,50 @@ The following XML file contains the device description framework (DDF) for the D
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Performance mode is enabled (default). A service restart is required after changing this value.</MSFT:ValueDescription>
<MSFT:ValueDescription>Performance mode is enabled (default).</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Performance mode is disabled. A service restart is required after changing this value.</MSFT:ValueDescription>
<MSFT:ValueDescription>Performance mode is disabled.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>QuickScanIncludeExclusions</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This setting allows you to scan excluded files and directories during quick scans.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>If you set this setting to 0 or do not configure it, exclusions are not scanned during quick scans.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>If you set this setting to 1, all files and directories that are excluded from real-time protection using contextual exclusions are scanned during a quick scan. Exclusions that contain wildcards are not supported and are not scanned.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
@ -2382,7 +2421,7 @@ The following XML file contains the device description framework (DDF) for the D
<DefaultValue>60</DefaultValue>
<Description>Define the retention period in days of how much time the evidence data will be kept on the client machine should any transfer to the remote locations would occur.</Description>
<DFFormat>
<chr />
<int />
</DFFormat>
<Occurrence>
<One />
@ -2432,13 +2471,11 @@ The following XML file contains the device description framework (DDF) for the D
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>
</MSFT:ValueDescription>
<MSFT:ValueDescription>Device Control is enabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>
</MSFT:ValueDescription>
<MSFT:ValueDescription>Device Control is disabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
@ -2650,6 +2687,35 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>NetworkProtectionReputationMode</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This sets the reputation mode for Network Protection.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>
</Node>
<Node>
<NodeName>AllowSwitchToAsyncInspection</NodeName>
<DFProperties>


@ -4,7 +4,7 @@ description: Learn more about the DevicePreparation CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 10/03/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -27,12 +27,11 @@ The following list shows the DevicePreparation configuration service provider no
- ./Device/Vendor/MSFT/DevicePreparation
- [BootstrapperAgent](#bootstrapperagent)
- [ClassID](#bootstrapperagentclassid)
- [ExecutionContext](#bootstrapperagentexecutioncontext)
- [InstallationStatusUri](#bootstrapperagentinstallationstatusuri)
- [MdmAgentInstalled](#mdmagentinstalled)
- [MDMProvider](#mdmprovider)
- [MdmAgentInstalled](#mdmprovidermdmagentinstalled)
- [Progress](#mdmproviderprogress)
- [RebootRequired](#mdmproviderrebootrequired)
- [PageEnabled](#pageenabled)
- [PageSettings](#pagesettings)
- [PageStatus](#pagestatus)
@ -55,7 +54,7 @@ The following list shows the DevicePreparation configuration service provider no
<!-- Device-BootstrapperAgent-Description-Begin -->
<!-- Description-Source-DDF -->
The subnodes configure settings for the Bootstrapper Agent.
Parent node for configuring agent that orchestrates provisioning and communicate status to Device Preparation page.
<!-- Device-BootstrapperAgent-Description-End -->
<!-- Device-BootstrapperAgent-Editable-Begin -->
@ -77,45 +76,6 @@ The subnodes configure settings for the Bootstrapper Agent.
<!-- Device-BootstrapperAgent-End -->
<!-- Device-BootstrapperAgent-ClassID-Begin -->
### BootstrapperAgent/ClassID
<!-- Device-BootstrapperAgent-ClassID-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-BootstrapperAgent-ClassID-Applicability-End -->
<!-- Device-BootstrapperAgent-ClassID-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/DevicePreparation/BootstrapperAgent/ClassID
```
<!-- Device-BootstrapperAgent-ClassID-OmaUri-End -->
<!-- Device-BootstrapperAgent-ClassID-Description-Begin -->
<!-- Description-Source-DDF -->
This node stores the class ID for the Bootstrapper Agent WinRT object.
<!-- Device-BootstrapperAgent-ClassID-Description-End -->
<!-- Device-BootstrapperAgent-ClassID-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-BootstrapperAgent-ClassID-Editable-End -->
<!-- Device-BootstrapperAgent-ClassID-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get, Replace |
<!-- Device-BootstrapperAgent-ClassID-DFProperties-End -->
<!-- Device-BootstrapperAgent-ClassID-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-BootstrapperAgent-ClassID-Examples-End -->
<!-- Device-BootstrapperAgent-ClassID-End -->
<!-- Device-BootstrapperAgent-ExecutionContext-Begin -->
### BootstrapperAgent/ExecutionContext
@ -155,85 +115,6 @@ This node holds opaque data that will be passed to the Bootstrapper Agent as a p
<!-- Device-BootstrapperAgent-ExecutionContext-End -->
<!-- Device-BootstrapperAgent-InstallationStatusUri-Begin -->
### BootstrapperAgent/InstallationStatusUri
<!-- Device-BootstrapperAgent-InstallationStatusUri-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-BootstrapperAgent-InstallationStatusUri-Applicability-End -->
<!-- Device-BootstrapperAgent-InstallationStatusUri-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/DevicePreparation/BootstrapperAgent/InstallationStatusUri
```
<!-- Device-BootstrapperAgent-InstallationStatusUri-OmaUri-End -->
<!-- Device-BootstrapperAgent-InstallationStatusUri-Description-Begin -->
<!-- Description-Source-DDF -->
This node holds a URI that can be queried for the status of the Bootstrapper Agent installation.
<!-- Device-BootstrapperAgent-InstallationStatusUri-Description-End -->
<!-- Device-BootstrapperAgent-InstallationStatusUri-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-BootstrapperAgent-InstallationStatusUri-Editable-End -->
<!-- Device-BootstrapperAgent-InstallationStatusUri-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get, Replace |
<!-- Device-BootstrapperAgent-InstallationStatusUri-DFProperties-End -->
<!-- Device-BootstrapperAgent-InstallationStatusUri-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-BootstrapperAgent-InstallationStatusUri-Examples-End -->
<!-- Device-BootstrapperAgent-InstallationStatusUri-End -->
<!-- Device-MdmAgentInstalled-Begin -->
## MdmAgentInstalled
<!-- Device-MdmAgentInstalled-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-MdmAgentInstalled-Applicability-End -->
<!-- Device-MdmAgentInstalled-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/DevicePreparation/MdmAgentInstalled
```
<!-- Device-MdmAgentInstalled-OmaUri-End -->
<!-- Device-MdmAgentInstalled-Description-Begin -->
<!-- Description-Source-DDF -->
This node indicates whether the MDM agent was installed or not. When set to true sets the AUTOPILOT_MDM_AGENT_REGISTERED WNF event.
<!-- Device-MdmAgentInstalled-Description-End -->
<!-- Device-MdmAgentInstalled-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-MdmAgentInstalled-Editable-End -->
<!-- Device-MdmAgentInstalled-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `bool` |
| Access Type | Get, Replace |
| Default Value | false |
<!-- Device-MdmAgentInstalled-DFProperties-End -->
<!-- Device-MdmAgentInstalled-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-MdmAgentInstalled-Examples-End -->
<!-- Device-MdmAgentInstalled-End -->
<!-- Device-MDMProvider-Begin -->
## MDMProvider
@ -251,7 +132,7 @@ This node indicates whether the MDM agent was installed or not. When set to true
<!-- Device-MDMProvider-Description-Begin -->
<!-- Description-Source-DDF -->
The subnode configures the settings for the MDMProvider.
Parent node for configuring the MDM provider that interacts with the BootstrapperAgent.
<!-- Device-MDMProvider-Description-End -->
<!-- Device-MDMProvider-Editable-Begin -->
@ -273,6 +154,46 @@ The subnode configures the settings for the MDMProvider.
<!-- Device-MDMProvider-End -->
<!-- Device-MDMProvider-MdmAgentInstalled-Begin -->
### MDMProvider/MdmAgentInstalled
<!-- Device-MDMProvider-MdmAgentInstalled-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-MDMProvider-MdmAgentInstalled-Applicability-End -->
<!-- Device-MDMProvider-MdmAgentInstalled-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/DevicePreparation/MDMProvider/MdmAgentInstalled
```
<!-- Device-MDMProvider-MdmAgentInstalled-OmaUri-End -->
<!-- Device-MDMProvider-MdmAgentInstalled-Description-Begin -->
<!-- Description-Source-DDF -->
This node indicates whether the MDM agent was installed or not. When set to true sets the AUTOPILOT_MDM_AGENT_REGISTERED WNF event.
<!-- Device-MDMProvider-MdmAgentInstalled-Description-End -->
<!-- Device-MDMProvider-MdmAgentInstalled-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-MDMProvider-MdmAgentInstalled-Editable-End -->
<!-- Device-MDMProvider-MdmAgentInstalled-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `bool` |
| Access Type | Get, Replace |
| Default Value | False |
<!-- Device-MDMProvider-MdmAgentInstalled-DFProperties-End -->
<!-- Device-MDMProvider-MdmAgentInstalled-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-MDMProvider-MdmAgentInstalled-Examples-End -->
<!-- Device-MDMProvider-MdmAgentInstalled-End -->
<!-- Device-MDMProvider-Progress-Begin -->
### MDMProvider/Progress
@ -290,7 +211,7 @@ The subnode configures the settings for the MDMProvider.
<!-- Device-MDMProvider-Progress-Description-Begin -->
<!-- Description-Source-DDF -->
Node for reporting progress status as opaque data.
Node for reporting progress status as opaque data. Contract for data is between the server and EMM agent that reads the data.
<!-- Device-MDMProvider-Progress-Description-End -->
<!-- Device-MDMProvider-Progress-Editable-Begin -->
@ -303,7 +224,7 @@ Node for reporting progress status as opaque data.
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get, Replace |
| Access Type | Add, Delete, Get, Replace |
<!-- Device-MDMProvider-Progress-DFProperties-End -->
<!-- Device-MDMProvider-Progress-Examples-Begin -->
@ -312,6 +233,46 @@ Node for reporting progress status as opaque data.
<!-- Device-MDMProvider-Progress-End -->
<!-- Device-MDMProvider-RebootRequired-Begin -->
### MDMProvider/RebootRequired
<!-- Device-MDMProvider-RebootRequired-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-MDMProvider-RebootRequired-Applicability-End -->
<!-- Device-MDMProvider-RebootRequired-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/DevicePreparation/MDMProvider/RebootRequired
```
<!-- Device-MDMProvider-RebootRequired-OmaUri-End -->
<!-- Device-MDMProvider-RebootRequired-Description-Begin -->
<!-- Description-Source-DDF -->
This node indicates whether an MDM policy was provisioned that requires a reboot.
<!-- Device-MDMProvider-RebootRequired-Description-End -->
<!-- Device-MDMProvider-RebootRequired-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-MDMProvider-RebootRequired-Editable-End -->
<!-- Device-MDMProvider-RebootRequired-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `bool` |
| Access Type | Get |
| Default Value | False |
<!-- Device-MDMProvider-RebootRequired-DFProperties-End -->
<!-- Device-MDMProvider-RebootRequired-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-MDMProvider-RebootRequired-Examples-End -->
<!-- Device-MDMProvider-RebootRequired-End -->
<!-- Device-PageEnabled-Begin -->
## PageEnabled
@ -329,7 +290,7 @@ Node for reporting progress status as opaque data.
<!-- Device-PageEnabled-Description-Begin -->
<!-- Description-Source-DDF -->
This node determines whether to enable or show the Device Preparation page.
This node determines whether to show the Device Preparation page during OOBE.
<!-- Device-PageEnabled-Description-End -->
<!-- Device-PageEnabled-Editable-Begin -->
@ -346,15 +307,6 @@ This node determines whether to enable or show the Device Preparation page.
| Default Value | false |
<!-- Device-PageEnabled-DFProperties-End -->
<!-- Device-PageEnabled-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| false (Default) | The page isn't enabled. |
| true | The page is enabled. |
<!-- Device-PageEnabled-AllowedValues-End -->
<!-- Device-PageEnabled-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-PageEnabled-Examples-End -->
@ -378,7 +330,7 @@ This node determines whether to enable or show the Device Preparation page.
<!-- Device-PageSettings-Description-Begin -->
<!-- Description-Source-DDF -->
This node configures specific settings for the Device Preparation page.
This node configures the Device Preparation page settings.
<!-- Device-PageSettings-Description-End -->
<!-- Device-PageSettings-Editable-Begin -->
@ -417,7 +369,7 @@ This node configures specific settings for the Device Preparation page.
<!-- Device-PageStatus-Description-Begin -->
<!-- Description-Source-DDF -->
This node provides status of the Device Preparation page. Values are an enum: 0 = Disabled; 1 = Enabled; 2 = InProgress; 3 = ExitedOnSuccess; 4 = ExitedOnFailure.
This node provides status of the Device Preparation page.
<!-- Device-PageStatus-Description-End -->
<!-- Device-PageStatus-Editable-Begin -->
@ -441,8 +393,8 @@ This node provides status of the Device Preparation page. Values are an enum: 0
| 0 | Disabled. |
| 1 | Enabled. |
| 2 | InProgress. |
| 3 | Succeeded. |
| 4 | Failed. |
| 3 | ExitOnSuccess. |
| 4 | ExitOnFailure. |
<!-- Device-PageStatus-AllowedValues-End -->
<!-- Device-PageStatus-Examples-Begin -->
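Review bot: The added `MDMProvider/MdmAgentInstalled` and `MDMProvider/RebootRequired` property tables list the default as `False`, while `PageEnabled` on the same page keeps `false`; the DDF in the next file carries the same `<DefaultValue>False</DefaultValue>` for both nodes. Whether any tooling that consumes these values compares them case-sensitively cannot be told from this page, but mixed casing for one `bool` format is at least an inconsistency a reader has to second-guess. I would use `| Default Value | false |` in both tables and correct the casing in the source DDF, since these sections are regenerated from it.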


@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 10/03/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -31,7 +31,7 @@ The following XML file contains the device description framework (DDF) for the D
<AccessType>
<Get />
</AccessType>
<Description>Parent node for the CSP.</Description>
<Description>Parent node for configuring the Device Preparation page in OOBE settings and configuring </Description>
<DFFormat>
<node />
</DFFormat>
@ -42,7 +42,7 @@ The following XML file contains the device description framework (DDF) for the D
<Permanent />
</Scope>
<DFType>
<DDFName />
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
@ -58,7 +58,7 @@ The following XML file contains the device description framework (DDF) for the D
<Replace />
</AccessType>
<DefaultValue>false</DefaultValue>
<Description>This node determines whether to enable or show the Device Preparation page.</Description>
<Description>This node determines whether to show the Device Preparation page during OOBE.</Description>
<DFFormat>
<bool />
</DFFormat>
@ -71,16 +71,6 @@ The following XML file contains the device description framework (DDF) for the D
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>The page is not enabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>The page is enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
@ -90,7 +80,7 @@ The following XML file contains the device description framework (DDF) for the D
<Get />
<Replace />
</AccessType>
<Description>This node provides status of the Device Preparation page. Values are an enum: 0 = Disabled; 1 = Enabled; 2 = InProgress; 3 = ExitedOnSuccess; 4 = ExitedOnFailure.</Description>
<Description>This node provides status of the Device Preparation page. </Description>
<DFFormat>
<int />
</DFFormat>
@ -118,11 +108,11 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>3</MSFT:Value>
<MSFT:ValueDescription>Succeeded</MSFT:ValueDescription>
<MSFT:ValueDescription>ExitOnSuccess</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>4</MSFT:Value>
<MSFT:ValueDescription>Failed</MSFT:ValueDescription>
<MSFT:ValueDescription>ExitOnFailure</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
@ -134,7 +124,7 @@ The following XML file contains the device description framework (DDF) for the D
<Get />
<Replace />
</AccessType>
<Description>This node configures specific settings for the Device Preparation page.</Description>
<Description>This node configures the Device Preparation page settings.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -147,7 +137,8 @@ The following XML file contains the device description framework (DDF) for the D
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="None">
<MSFT:AllowedValues ValueType="JSON">
<MSFT:Value>{"AgentDownloadTimeoutSeconds": 900, "PageTimeoutSeconds": 3600, "ErrorMessage": "This is an error message.", "AllowSkipOnFailure": true, "AllowDiagnostics": true }</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties>
</Node>
@ -157,7 +148,7 @@ The following XML file contains the device description framework (DDF) for the D
<AccessType>
<Get />
</AccessType>
<Description>The subnodes configure settings for the Bootstrapper Agent.</Description>
<Description>Parent node for configuring agent that orchestrage provioning and communicate status to Device Preparation page.</Description>
<DFFormat>
<node />
</DFFormat>
@ -171,30 +162,6 @@ The following XML file contains the device description framework (DDF) for the D
<DDFName />
</DFType>
</DFProperties>
<Node>
<NodeName>ClassID</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>This node stores the class ID for the Bootstrapper Agent WinRT object.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>ExecutionContext</NodeName>
<DFProperties>
@ -215,32 +182,6 @@ The following XML file contains the device description framework (DDF) for the D
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>InstallationStatusUri</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>This node holds a URI that can be queried for the status of the Bootstrapper Agent installation.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
</DFProperties>
</Node>
</Node>
@ -250,7 +191,7 @@ The following XML file contains the device description framework (DDF) for the D
<AccessType>
<Get />
</AccessType>
<Description>The subnode configures the settings for the MDMProvider.</Description>
<Description>Parent node for configuring the MDM provider that interacts with the BootstrapperAgent. </Description>
<DFFormat>
<node />
</DFFormat>
@ -268,10 +209,12 @@ The following XML file contains the device description framework (DDF) for the D
<NodeName>Progress</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Noode for reporting progress status as opaque data.</Description>
<Description>Node for reporting progress status as opaque data. Contract for data is between the server and EMM agent that reads the data. </Description>
<DFFormat>
<chr />
</DFFormat>
@ -286,29 +229,51 @@ The following XML file contains the device description framework (DDF) for the D
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>MdmAgentInstalled</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>false</DefaultValue>
<Description>This node indicates whether the MDM agent was installed or not. When set to true sets the AUTOPILOT_MDM_AGENT_REGISTERED WNF event.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
</DFProperties>
<Node>
<NodeName>MdmAgentInstalled</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>False</DefaultValue>
<Description>This node indicates whether the mdm agent was installed or not. When set to true sets the AUTOPILOT_MDM_AGENT_REGISTERED WNF event.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RebootRequired</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>False</DefaultValue>
<Description>This node indicates whether an MDM policy was provisioned that requires a reboot.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>


@ -4,7 +4,7 @@ description: Learn more about the DiagnosticLog CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -182,7 +182,7 @@ This node is to trigger snapping of the Device Management state data with "SNAP"
<!-- Device-DiagnosticArchive-Description-Begin -->
<!-- Description-Source-DDF -->
Root note for archive definition and collection.
Root node for archive definition and collection.
<!-- Device-DiagnosticArchive-Description-End -->
<!-- Device-DiagnosticArchive-Editable-Begin -->


@ -4,7 +4,7 @@ description: Learn more about the DMAcc CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -751,7 +751,7 @@ Specifies the authentication type. If AAuthLevel is CLCRED, the supported types
<!-- Device-{AccountUID}-AppID-Description-Begin -->
<!-- Description-Source-DDF -->
Specifies the application identifier for the OMA DM account.. The only supported value is w7.
Specifies the application identifier for the OMA DM account. The only supported value is w7.
<!-- Device-{AccountUID}-AppID-Description-End -->
<!-- Device-{AccountUID}-AppID-Editable-Begin -->


@ -4,7 +4,7 @@ description: Learn more about the DMClient CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 10/24/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -4576,7 +4576,7 @@ This node, when doing a get, tells the server if the "First Syncs" are done and
| Value | Description |
|:--|:--|
| false | The user isn't finished provisioning. |
| false | The user hasn't finished provisioning. |
| true | The user has finished provisioning. |
<!-- User-Provider-{ProviderID}-FirstSyncStatus-IsSyncDone-AllowedValues-End -->


@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 09/27/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -341,11 +341,11 @@ The following XML file contains the device description framework (DDF) for the D
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>The user is not finished provisioning</MSFT:ValueDescription>
<MSFT:ValueDescription>The user has not finished provisioning</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>The user has finished provisoining.</MSFT:ValueDescription>
<MSFT:ValueDescription>The user has finished provisioning.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
@ -381,7 +381,7 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>Provisoining is in progress.</MSFT:ValueDescription>
<MSFT:ValueDescription>Provisioning is in progress.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
@ -1264,7 +1264,7 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>Reserved for future. AlwaysSendAadUserTokenCheckin: always send AAD user token during checkin as a separate header section(not as Bearer toekn).</MSFT:ValueDescription>
<MSFT:ValueDescription>Reserved for future. AlwaysSendAadUserTokenCheckin: always send AAD user token during checkin as a separate header section(not as Bearer token).</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>4</MSFT:Value>
@ -2020,7 +2020,7 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>The device has finished provisoining.</MSFT:ValueDescription>
<MSFT:ValueDescription>The device has finished provisioning.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
@ -2056,7 +2056,7 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>Provisoining is in progress.</MSFT:ValueDescription>
<MSFT:ValueDescription>Provisioning is in progress.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
@ -2679,7 +2679,7 @@ The following XML file contains the device description framework (DDF) for the D
<Get />
<Replace />
</AccessType>
<Description>Endpoint Discovery is the process where a specific URL (the "discovery endpoint") is accessed, which returns a directory of endpoints for using the system including enrollment. On Get, if the endpoint is not set, client will return an rmpty string with S_OK. </Description>
<Description>Endpoint Discovery is the process where a specific URL (the "discovery endpoint") is accessed, which returns a directory of endpoints for using the system including enrollment. On Get, if the endpoint is not set, client will return an empty string with S_OK. </Description>
<DFFormat>
<chr />
</DFFormat>


@ -4,7 +4,7 @@ description: Learn more about the Firewall CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 10/03/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -2151,7 +2151,7 @@ When setting this field in a firewall rule, the protocol field must also be set,
<!-- Description-Source-DDF -->
Specifies the list of authorized local users for the app container.
This is a string in Security Descriptor Definition Language (SDDL) format\.
This is a string in Security Descriptor Definition Language (SDDL) format.
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-LocalUserAuthorizedList-Description-End -->
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-LocalUserAuthorizedList-Editable-Begin -->


@ -1,21 +1,20 @@
### YamlMime:Landing
title: Configuration Service Provider # < 60 chars
summary: Learn more about the configuration service provider (CSP) policies available on Windows 10 and Windows 11. # < 160 chars
summary: Learn more about the configuration service provider (CSP) policies available on Windows devices. # < 160 chars
metadata:
title: Configuration Service Provider # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Learn more about the configuration service provider (CSP) policies available on Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars.
description: Learn more about the configuration service provider (CSP) policies available on Windows devices. # Required; article description that is displayed in search results. < 160 chars.
ms.topic: landing-page
ms.technology: itpro-manage
ms.prod: windows-client
ms.collection:
- highpri
- tier1
author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
ms.date: 08/04/2022
ms.date: 10/25/2023
localization_priority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
@ -35,8 +34,8 @@ landingContent:
url: configuration-service-provider-ddf.md
- text: BitLocker CSP
url: bitlocker-csp.md
- text: DynamicManagement CSP
url: dynamicmanagement-csp.md
- text: Declared Configuration protocol
url: ../declared-configuration.md
# Card (optional)


@ -4,7 +4,7 @@ description: Learn more about the PassportForWork CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 10/03/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -253,8 +253,8 @@ Don't start Windows Hello provisioning after sign-in.
| Value | Description |
|:--|:--|
| false (Default) | Disabled. |
| true | Enabled. |
| false (Default) | Post Logon Provisioning Enabled. |
| true | Post Logon Provisioning Disabled. |
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-AllowedValues-End -->
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-Examples-Begin -->


@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 10/03/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -883,11 +883,11 @@ If you disable or do not configure this policy setting, the PIN recovery secret
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Disabled</MSFT:ValueDescription>
<MSFT:ValueDescription>Post Logon Provisioning Enabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enabled</MSFT:ValueDescription>
<MSFT:ValueDescription>Post Logon Provisioning Disabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>


@ -4,7 +4,7 @@ description: Learn more about the Personalization CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 10/26/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -16,24 +16,147 @@ ms.topic: reference
<!-- Personalization-Begin -->
# Personalization CSP
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Personalization-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The Personalization CSP can set the lock screen and desktop background images. Setting these policies also prevents the user from changing the image. You can also use the Personalization settings in a provisioning package.
The Personalization CSP can set the lock screen, desktop background images and company branding on sign-in screen ([BootToCloud mode](policy-csp-clouddesktop.md#boottocloudmode) only). Setting these policies also prevents the user from changing the image. You can also use the Personalization settings in a provisioning package.
> [!IMPORTANT]
> Personalization CSP is supported in Windows Enterprise and Education SKUs. It works in Windows Professional only when SetEduPolicies in [SharedPC CSP](sharedpc-csp.md) is set.
> Personalization CSP is supported in Windows Enterprise and Education SKUs. It works in Windows Professional only when SetEduPolicies in [SharedPC CSP](sharedpc-csp.md) is set, or when the device is configured in [Shared PC mode with BootToCloudPCEnhanced policy](clouddesktop-csp.md#boottocloudpcenhanced).
<!-- Personalization-Editable-End -->
<!-- Personalization-Tree-Begin -->
The following list shows the Personalization configuration service provider nodes:
- ./Vendor/MSFT/Personalization
- [CompanyLogoStatus](#companylogostatus)
- [CompanyLogoUrl](#companylogourl)
- [CompanyName](#companyname)
- [DesktopImageStatus](#desktopimagestatus)
- [DesktopImageUrl](#desktopimageurl)
- [LockScreenImageStatus](#lockscreenimagestatus)
- [LockScreenImageUrl](#lockscreenimageurl)
<!-- Personalization-Tree-End -->
<!-- Device-CompanyLogoStatus-Begin -->
## CompanyLogoStatus
<!-- Device-CompanyLogoStatus-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-CompanyLogoStatus-Applicability-End -->
<!-- Device-CompanyLogoStatus-OmaUri-Begin -->
```Device
./Vendor/MSFT/Personalization/CompanyLogoStatus
```
<!-- Device-CompanyLogoStatus-OmaUri-End -->
<!-- Device-CompanyLogoStatus-Description-Begin -->
<!-- Description-Source-DDF -->
This represents the status of the Company Logo. 1 - Successfully downloaded or copied. 2 - Download/Copy in progress. 3 - Download/Copy failed. 4 - Unknown file type. 5 - Unsupported Url scheme. 6 - Max retry failed. This setting is currently available for boot to cloud shared pc mode only.
<!-- Device-CompanyLogoStatus-Description-End -->
<!-- Device-CompanyLogoStatus-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-CompanyLogoStatus-Editable-End -->
<!-- Device-CompanyLogoStatus-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Get |
<!-- Device-CompanyLogoStatus-DFProperties-End -->
<!-- Device-CompanyLogoStatus-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-CompanyLogoStatus-Examples-End -->
<!-- Device-CompanyLogoStatus-End -->
<!-- Device-CompanyLogoUrl-Begin -->
## CompanyLogoUrl
<!-- Device-CompanyLogoUrl-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-CompanyLogoUrl-Applicability-End -->
<!-- Device-CompanyLogoUrl-OmaUri-Begin -->
```Device
./Vendor/MSFT/Personalization/CompanyLogoUrl
```
<!-- Device-CompanyLogoUrl-OmaUri-End -->
<!-- Device-CompanyLogoUrl-Description-Begin -->
<!-- Description-Source-DDF -->
An http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Company Logo or a file Url to a local image on the file system that needs to be used as the Company Logo. This setting is currently available for boot to cloud shared pc mode only.
<!-- Device-CompanyLogoUrl-Description-End -->
<!-- Device-CompanyLogoUrl-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-CompanyLogoUrl-Editable-End -->
<!-- Device-CompanyLogoUrl-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Device-CompanyLogoUrl-DFProperties-End -->
<!-- Device-CompanyLogoUrl-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-CompanyLogoUrl-Examples-End -->
<!-- Device-CompanyLogoUrl-End -->
<!-- Device-CompanyName-Begin -->
## CompanyName
<!-- Device-CompanyName-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-CompanyName-Applicability-End -->
<!-- Device-CompanyName-OmaUri-Begin -->
```Device
./Vendor/MSFT/Personalization/CompanyName
```
<!-- Device-CompanyName-OmaUri-End -->
<!-- Device-CompanyName-Description-Begin -->
<!-- Description-Source-DDF -->
The name of the company to be displayed on the sign-in screen. This setting is currently available for boot to cloud shared pc mode only.
<!-- Device-CompanyName-Description-End -->
<!-- Device-CompanyName-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-CompanyName-Editable-End -->
<!-- Device-CompanyName-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Regular Expression: `^.{1,30}$` |
<!-- Device-CompanyName-DFProperties-End -->
<!-- Device-CompanyName-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-CompanyName-Examples-End -->
<!-- Device-CompanyName-End -->
<!-- Device-DesktopImageStatus-Begin -->
## DesktopImageStatus
@ -90,7 +213,7 @@ This represents the status of the DesktopImage. 1 - Successfully downloaded or c
<!-- Device-DesktopImageUrl-Description-Begin -->
<!-- Description-Source-DDF -->
A http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Desktop Image or a file Url to a local image on the file system that needs to be used as the Desktop Image.
An http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Desktop Image or a file Url to a local image on the file system that needs to be used as the Desktop Image.
<!-- Device-DesktopImageUrl-Description-End -->
<!-- Device-DesktopImageUrl-Editable-Begin -->
@ -168,7 +291,7 @@ This represents the status of the LockScreenImage. 1 - Successfully downloaded o
<!-- Device-LockScreenImageUrl-Description-Begin -->
<!-- Description-Source-DDF -->
A http or https Url to a jpg, jpeg or png image that neeeds to be downloaded and used as the Lock Screen Image or a file Url to a local image on the file system that needs to be used as the Lock Screen Image.
An http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Lock Screen Image or a file Url to a local image on the file system that needs to be used as the Lock Screen Image.
<!-- Device-LockScreenImageUrl-Description-End -->
<!-- Device-LockScreenImageUrl-Editable-Begin -->
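Review bot: The new CompanyLogoUrl description accepts `http` as well as `https` and `file` URLs for an image that is shown on the sign-in screen, and the empty `Device-CompanyLogoUrl-Editable` section gives admins no guidance on which to choose. That section is preserved across regeneration, so I would add a sentence there such as `Prefer an https URL on a host you control; an image fetched over http can be altered in transit before it is displayed on the sign-in screen.` Whether the client checks the downloaded file beyond the type check implied by status 4 is not visible here, so the wording should stay a recommendation. The same caveat would fit DesktopImageUrl and LockScreenImageUrl, whose hunks stop at their Editable-Begin markers.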


@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 06/02/2023
ms.date: 10/25/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -49,7 +49,7 @@ The following XML file contains the device description framework (DDF) for the P
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.16299</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;</MSFT:EditionAllowList>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;</MSFT:EditionAllowList>
</MSFT:Applicability>
</DFProperties>
<Node>
@ -146,6 +146,92 @@ The following XML file contains the device description framework (DDF) for the P
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>CompanyLogoUrl</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>A http or https Url to a jpg, jpeg or png image that neeeds to be downloaded and used as the Company Logo or a file Url to a local image on the file system that needs to be used as the Company Logo. This setting is currently available for boot to cloud shared pc mode only.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>2.0</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>CompanyLogoStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This represents the status of the Company Logo. 1 - Successfully downloaded or copied. 2 - Download/Copy in progress. 3 - Download/Copy failed. 4 - Unknown file type. 5 - Unsupported Url scheme. 6 - Max retry failed. This setting is currently available for boot to cloud shared pc mode only.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>2.0</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>
</Node>
<Node>
<NodeName>CompanyName</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>The name of the company to be displayed on the sign-in screen. This setting is currently available for boot to cloud shared pc mode only.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>2.0</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="RegEx">
<MSFT:Value>^.{1,30}$</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties>
</Node>
</Node>
</MgmtTree>
```
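Review bot: The added CompanyLogoUrl node still carries the description `A http or https Url ... that neeeds to be downloaded`, while this same commit corrects both slips in the Personalization CSP article, so the DDF listing and the article now disagree. The article marks these descriptions as DDF-sourced, so a later regeneration would presumably bring the typos back; the node should read `<Description>An http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Company Logo ...`. Separately, the new EditionAllowList contains `0x88;0x88*;` and the three added nodes declare `<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>`; both look like generator placeholders and are worth confirming before publishing. CompanyLogoUrl also uses `ValueType="None"`, so the scheme and file-type limits are stated only in the description text, unlike CompanyName, which gets a RegEx.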


@ -4,7 +4,7 @@ description: Learn about the ADMX-backed policies in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 10/03/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -2145,6 +2145,7 @@ This article lists the ADMX-backed policies in Policy CSP.
- [EnableAllowedSources](policy-csp-desktopappinstaller.md)
- [EnableMSAppInstallerProtocol](policy-csp-desktopappinstaller.md)
- [EnableWindowsPackageManagerCommandLineInterfaces](policy-csp-desktopappinstaller.md)
- [EnableWindowsPackageManagerConfiguration](policy-csp-desktopappinstaller.md)
## DeviceInstallation
@ -2475,11 +2476,12 @@ This article lists the ADMX-backed policies in Policy CSP.
## MSSecurityGuide
- [ApplyUACRestrictionsToLocalAccountsOnNetworkLogon](policy-csp-mssecurityguide.md)
- [ConfigureSMBV1Server](policy-csp-mssecurityguide.md)
- [ConfigureSMBV1ClientDriver](policy-csp-mssecurityguide.md)
- [ConfigureSMBV1Server](policy-csp-mssecurityguide.md)
- [EnableStructuredExceptionHandlingOverwriteProtection](policy-csp-mssecurityguide.md)
- [WDigestAuthentication](policy-csp-mssecurityguide.md)
- [NetBTNodeTypeConfiguration](policy-csp-mssecurityguide.md)
- [TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications](policy-csp-mssecurityguide.md)
- [WDigestAuthentication](policy-csp-mssecurityguide.md)
## MSSLegacy
@ -2530,6 +2532,8 @@ This article lists the ADMX-backed policies in Policy CSP.
## RemoteDesktopServices
- [LimitServerToClientClipboardRedirection](policy-csp-remotedesktopservices.md)
- [LimitClientToServerClipboardRedirection](policy-csp-remotedesktopservices.md)
- [DoNotAllowPasswordSaving](policy-csp-remotedesktopservices.md)
- [AllowUsersToConnectRemotely](policy-csp-remotedesktopservices.md)
- [DoNotAllowDriveRedirection](policy-csp-remotedesktopservices.md)


@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 10/03/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -691,8 +691,24 @@ This article lists the policies in Policy CSP that have a group policy mapping.
## SystemServices
- [ConfigureComputerBrowserServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureHomeGroupListenerServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureHomeGroupProviderServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureIISAdminServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureInfraredMonitorServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureInternetConnectionSharingServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureLxssManagerServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureMicrosoftFTPServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureRemoteProcedureCallLocatorServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureRoutingAndRemoteAccessServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureSimpleTCPIPServicesStartupMode](policy-csp-systemservices.md)
- [ConfigureSpecialAdministrationConsoleHelperServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureSSDPDiscoveryServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureUPnPDeviceHostServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureWebManagementServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureWindowsMobileHotspotServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureWorldWideWebPublishingServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureXboxAccessoryManagementServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureXboxLiveAuthManagerServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureXboxLiveGameSaveServiceStartupMode](policy-csp-systemservices.md)
@ -829,6 +845,8 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [LogOnAsService](policy-csp-userrights.md)
- [IncreaseProcessWorkingSet](policy-csp-userrights.md)
- [DenyLogOnAsService](policy-csp-userrights.md)
- [AdjustMemoryQuotasForProcess](policy-csp-userrights.md)
- [AllowLogOnThroughRemoteDesktop](policy-csp-userrights.md)
## VirtualizationBasedTechnology
@ -895,6 +913,8 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [AllowVideoInput](policy-csp-windowssandbox.md)
- [AllowPrinterRedirection](policy-csp-windowssandbox.md)
- [AllowClipboardRedirection](policy-csp-windowssandbox.md)
- [AllowMappedFolders](policy-csp-windowssandbox.md)
- [AllowWriteToMappedFolders](policy-csp-windowssandbox.md)
## WirelessDisplay


@ -4,7 +4,7 @@ description: Learn more about the ADMX_EventLog Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -955,9 +955,9 @@ This policy setting controls Event Log behavior when the log file reaches its ma
<!-- Description-Source-ADMX -->
This policy setting turns on logging.
If you enable or don't configure this policy setting, then events can be written to this log.
- If you enable or don't configure this policy setting, then events can be written to this log.
If the policy setting is disabled, then no new events can be logged. Events can always be read from the log, regardless of this policy setting.
- If the policy setting is disabled, then no new events can be logged. Events can always be read from the log, regardless of this policy setting.
<!-- Channel_LogEnabled-Description-End -->
<!-- Channel_LogEnabled-Editable-Begin -->


@ -4,7 +4,7 @@ description: Learn more about the ADMX_MicrosoftDefenderAntivirus Area in Policy
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/30/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -838,7 +838,7 @@ Microsoft Defender Antivirus automatically determines which applications should
Enabled:
Specify additional allowed applications in the Options section..
Specify additional allowed applications in the Options section.
Disabled:
@ -1283,12 +1283,12 @@ This policy, if defined, will prevent antimalware from using the configured prox
This policy setting defines the URL of a proxy .pac file that should be used when the client attempts to connect the network for security intelligence updates and MAPS reporting. If the proxy auto-config fails or if there is no proxy auto-config specified, the client will fall back to the alternative options (in order):
1. Proxy server (if specified)
2. Proxy .pac URL (if specified)
1. Proxy .pac URL (if specified)
3. None
4. Internet Explorer proxy settings.
1. None
1. Internet Explorer proxy settings.
5. Autodetect.
1. Autodetect.
- If you enable this setting, the proxy setting will be set to use the specified proxy .pac according to the order specified above.
@ -1349,12 +1349,12 @@ This policy setting defines the URL of a proxy .pac file that should be used whe
This policy setting allows you to configure the named proxy that should be used when the client attempts to connect to the network for security intelligence updates and MAPS reporting. If the named proxy fails or if there is no proxy specified, the client will fall back to the alternative options (in order):
1. Proxy server (if specified)
2. Proxy .pac URL (if specified)
1. Proxy .pac URL (if specified)
3. None
4. Internet Explorer proxy settings.
1. None
1. Internet Explorer proxy settings.
5. Autodetect.
1. Autodetect.
- If you enable this setting, the proxy will be set to the specified URL according to the order specified above. The URL should be proceeded with either https:// or https://.
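Review bot: The last context line of the second proxy hunk still reads `The URL should be proceeded with either https:// or https://.`, which names the same scheme twice and uses "proceeded" for "preceded", so an admin cannot tell whether a cleartext `http://` proxy URL is accepted. The commit is already tidying the surrounding list; if both schemes are intended, the line should read `The URL should be preceded with either http:// or https://.`, and if only TLS is accepted it should say so explicitly. This text is likely generated from the ADMX source, so the correction may need to be made upstream to survive regeneration. The policy description continues past the end of the hunk.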


@ -4,7 +4,7 @@ description: Learn more about the ADMX_MSI Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -668,11 +668,13 @@ Also, see the "Enable user to patch elevated products" policy setting.
<!-- Description-Source-ADMX -->
This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation.
If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer can't restore the computer to its original state if the installation doesn't complete.
- If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer can't restore the computer to its original state if the installation doesn't complete.
This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, don't use this policy setting unless it's essential.
This policy setting appears in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder, it's considered be enabled, even if it's explicitly disabled in the other folder.
This policy setting appears in the Computer Configuration and User Configuration folders.
- If the policy setting is enabled in either folder, it's considered be enabled, even if it's explicitly disabled in the other folder.
<!-- DisableRollback_1-Description-End -->
<!-- DisableRollback_1-Editable-Begin -->
@ -729,11 +731,13 @@ This policy setting appears in the Computer Configuration and User Configuration
<!-- Description-Source-ADMX -->
This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation.
If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer can't restore the computer to its original state if the installation doesn't complete.
- If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer can't restore the computer to its original state if the installation doesn't complete.
This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, don't use this policy setting unless it's essential.
This policy setting appears in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder, it's considered be enabled, even if it's explicitly disabled in the other folder.
This policy setting appears in the Computer Configuration and User Configuration folders.
- If the policy setting is enabled in either folder, it's considered be enabled, even if it's explicitly disabled in the other folder.
<!-- DisableRollback_2-Description-End -->
<!-- DisableRollback_2-Editable-Begin -->


@ -4,7 +4,7 @@ description: Learn more about the ADMX_nca Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -53,9 +53,9 @@ Important.
At least one of the entries must be a PING: resource.
- A Uniform Resource Locator (URL) that NCA queries with a Hypertext Transfer Protocol (HTTP) request. The contents of the web page don't matter. The syntax is "HTTP:" followed by a URL. The host portion of the URL must resolve to an IPv6 address of a Web server or contain an IPv6 address. Examples: HTTP:https://myserver.corp.contoso.com/ or HTTP:https://2002:836b:1::1/.
- A Uniform Resource Locator (URL) that NCA queries with a Hypertext Transfer Protocol (HTTP) request. The contents of the web page don't matter. The syntax is "HTTP:" followed by a URL. The host portion of the URL must resolve to an IPv6 address of a Web server or contain an IPv6 address. Examples: HTTP:https://myserver.corp.contoso.com/ or HTTP:https://2002:836b:1::1/.
- A Universal Naming Convention (UNC) path to a file that NCA checks for existence. The contents of the file don't matter. The syntax is "FILE:" followed by a UNC path. The ComputerName portion of the UNC path must resolve to an IPv6 address or contain an IPv6 address. Examples: FILE:\\myserver\myshare\test.txt or FILE:\\2002:836b:1::1\myshare\test.txt.
- A Universal Naming Convention (UNC) path to a file that NCA checks for existence. The contents of the file don't matter. The syntax is "FILE:" followed by a UNC path. The ComputerName portion of the UNC path must resolve to an IPv6 address or contain an IPv6 address. Examples: FILE:\\myserver\myshare\test.txt or FILE:\\2002:836b:1::1\myshare\test.txt.
You must configure this setting to have complete NCA functionality.
<!-- CorporateResources-Description-End -->


@ -4,7 +4,7 @@ description: Learn more about the ADMX_OfflineFiles Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 10/23/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -1939,7 +1939,7 @@ Reminder balloons appear when the user's connection to a network file is lost or
This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.
> [!TIP]
> To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every ... minutes" option.
> To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every .. minutes" option.
<!-- Pol_ReminderFreq_1-Description-End -->
<!-- Pol_ReminderFreq_1-Editable-Begin -->
@ -2002,7 +2002,7 @@ Reminder balloons appear when the user's connection to a network file is lost or
This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.
> [!TIP]
> To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every ... minutes" option.
> To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every .. minutes" option.
<!-- Pol_ReminderFreq_2-Description-End -->
<!-- Pol_ReminderFreq_2-Editable-Begin -->


@ -4,7 +4,7 @@ description: Learn more about the ADMX_Securitycenter Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -48,14 +48,6 @@ Note that Security Center can only be turned off for computers that are joined t
- If you enable this policy setting, Security Center is turned on for all users.
- If you disable this policy setting, Security Center is turned off for domain members.
Windows XP SP2
----------------------
In Windows XP SP2, the essential security settings that are monitored by Security Center include firewall, antivirus, and Automatic Updates. Note that Security Center might not be available following a change to this policy setting until after the computer is restarted for Windows XP SP2 computers.
Windows Vista
---------------------
In Windows Vista, this policy setting monitors essential security settings to include firewall, antivirus, antispyware, Internet security settings, User Account Control, and Automatic Updates. Windows Vista computers don't require a reboot for this policy setting to take effect.
<!-- SecurityCenter_SecurityCenterInDomain-Description-End -->
<!-- SecurityCenter_SecurityCenterInDomain-Editable-Begin -->


@ -4,7 +4,7 @@ description: Learn more about the ADMX_TerminalServer Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 10/24/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -1362,13 +1362,13 @@ You can use this policy setting to set a limit on the color depth of any connect
Note:
1. Setting the color depth to 24 bits is only supported on Windows Server 2003 and Windows XP Professional.
1. Setting the color depth to 24 bits is only supported on Windows Server 2003 and Windows XP Professional.
2. The value specified in this policy setting isn't applied to connections from client computers that are using at least Remote Desktop Protocol 8.0 (computers running at least Windows 8 or Windows Server 2012). The 32-bit color depth format is always used for these connections.
1. The value specified in this policy setting isn't applied to connections from client computers that are using at least Remote Desktop Protocol 8.0 (computers running at least Windows 8 or Windows Server 2012). The 32-bit color depth format is always used for these connections.
3. For connections from client computers that are using Remote Desktop Protocol 7.1 or earlier versions that are connecting to computers running at least Windows 8 or Windows Server 2012, the minimum of the following values is used as the color depth format:
1. For connections from client computers that are using Remote Desktop Protocol 7.1 or earlier versions that are connecting to computers running at least Windows 8 or Windows Server 2012, the minimum of the following values is used as the color depth format:
a. Value specified by this policy setting b. Maximum color depth supported by the client c. Value requested by the client.
a. Value specified by this policy setting b. Maximum color depth supported by the client c. Value requested by the client.
If the client doesn't support at least 16 bits, the connection is terminated.
<!-- TS_COLORDEPTH-Description-End -->
@ -2130,19 +2130,19 @@ To allow users to overwrite the "Set RD Gateway server address" policy setting a
<!-- Description-Source-ADMX -->
This policy setting allows you to specify whether the RD Session Host server should join a farm in RD Connection Broker. RD Connection Broker tracks user sessions and allows a user to reconnect to their existing session in a load-balanced RD Session Host server farm. To participate in RD Connection Broker, the Remote Desktop Session Host role service must be installed on the server.
If the policy setting is enabled, the RD Session Host server joins the farm that's specified in the RD Connection Broker farm name policy setting. The farm exists on the RD Connection Broker server that's specified in the Configure RD Connection Broker server name policy setting.
- If the policy setting is enabled, the RD Session Host server joins the farm that's specified in the RD Connection Broker farm name policy setting. The farm exists on the RD Connection Broker server that's specified in the Configure RD Connection Broker server name policy setting.
- If you disable this policy setting, the server doesn't join a farm in RD Connection Broker, and user session tracking isn't performed. If the policy setting is disabled, you can't use either the Remote Desktop Session Host Configuration tool or the Remote Desktop Services WMI Provider to join the server to RD Connection Broker.
- If you disable this policy setting, the server doesn't join a farm in RD Connection Broker, and user session tracking isn't performed.
- If the policy setting is disabled, you can't use either the Remote Desktop Session Host Configuration tool or the Remote Desktop Services WMI Provider to join the server to RD Connection Broker.
If the policy setting isn't configured, the policy setting isn't specified at the Group Policy level.
Note:
1.
1. - If you enable this policy setting, you must also enable the Configure RD Connection Broker farm name and Configure RD Connection Broker server name policy settings.
- If you enable this policy setting, you must also enable the Configure RD Connection Broker farm name and Configure RD Connection Broker server name policy settings.
2. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard.
1. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard.
<!-- TS_JOIN_SESSION_DIRECTORY-Description-End -->
<!-- TS_JOIN_SESSION_DIRECTORY-Editable-Begin -->
@ -2330,7 +2330,7 @@ This policy setting allows you to specify the order in which an RD Session Host
1. Remote Desktop license servers that are published in Active Directory Domain Services.
2. Remote Desktop license servers that are installed on domain controllers in the same domain as the RD Session Host server.
1. Remote Desktop license servers that are installed on domain controllers in the same domain as the RD Session Host server.
- If you disable or don't configure this policy setting, the RD Session Host server doesn't specify a license server at the Group Policy level.
<!-- TS_LICENSE_SERVERS-Description-End -->
@ -3074,13 +3074,13 @@ By default, when a new user signs in to a computer, the Start screen is shown an
1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session.
2. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent.
1. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent.
3. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent.
1. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent.
4. View Session with user's permission: Allows the administrator to watch the session of a remote user with the user's consent.
1. View Session with user's permission: Allows the administrator to watch the session of a remote user with the user's consent.
5. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent.
1. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent.
- If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent.
<!-- TS_RemoteControl_1-Description-End -->
@ -3141,13 +3141,13 @@ By default, when a new user signs in to a computer, the Start screen is shown an
1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session.
2. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent.
1. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent.
3. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent.
1. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent.
4. View Session with user's permission: Allows the administrator to watch the session of a remote user with the user's consent.
1. View Session with user's permission: Allows the administrator to watch the session of a remote user with the user's consent.
5. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent.
1. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent.
- If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent.
<!-- TS_RemoteControl_2-Description-End -->
@ -3275,7 +3275,7 @@ Note:
1. This policy setting isn't effective unless both the Join RD Connection Broker and the Configure RD Connection Broker server name policy settings are enabled and configured by using Group Policy.
2. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard.
1. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard.
<!-- TS_SD_ClustName-Description-End -->
<!-- TS_SD_ClustName-Editable-Begin -->
@ -3404,9 +3404,9 @@ Note:
1. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard.
2. This policy setting isn't effective unless the Join RD Connection Broker policy setting is enabled.
1. This policy setting isn't effective unless the Join RD Connection Broker policy setting is enabled.
3. To be an active member of an RD Session Host server farm, the computer account for each RD Session Host server in the farm must be a member of one of the following local groups on the RD Connection Broker server: Session Directory Computers, Session Broker Computers, or RDS Endpoint Servers.
1. To be an active member of an RD Session Host server farm, the computer account for each RD Session Host server in the farm must be a member of one of the following local groups on the RD Connection Broker server: Session Directory Computers, Session Broker Computers, or RDS Endpoint Servers.
<!-- TS_SD_Loc-Description-End -->
<!-- TS_SD_Loc-Editable-Begin -->
@ -4075,9 +4075,9 @@ This policy setting allows the administrator to configure the RemoteFX experienc
- If you enable this policy setting, the RemoteFX experience could be set to one of the following options:
1. Let the system choose the experience for the network condition
2. Optimize for server scalability.
1. Optimize for server scalability.
3. Optimize for minimum bandwidth usage.
1. Optimize for minimum bandwidth usage.
- If you disable or don't configure this policy setting, the RemoteFX experience will change dynamically based on the network condition".
<!-- TS_SERVER_PROFILE-Description-End -->
@ -5677,7 +5677,7 @@ Note:
1. The roaming user profiles enabled by the policy setting apply only to Remote Desktop Services connections. A user might also have a Windows roaming user profile configured. The Remote Desktop Services roaming user profile always takes precedence in a Remote Desktop Services session.
2. To configure a mandatory Remote Desktop Services roaming user profile for all users connecting remotely to the RD Session Host server, use this policy setting together with the "Use mandatory profiles on the RD Session Host server" policy setting located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Profiles. The path set in the "Set path for Remote Desktop Services Roaming User Profile" policy setting should contain the mandatory profile.
1. To configure a mandatory Remote Desktop Services roaming user profile for all users connecting remotely to the RD Session Host server, use this policy setting together with the "Use mandatory profiles on the RD Session Host server" policy setting located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Profiles. The path set in the "Set path for Remote Desktop Services Roaming User Profile" policy setting should contain the mandatory profile.
<!-- TS_USER_PROFILES-Description-End -->
<!-- TS_USER_PROFILES-Editable-Begin -->


@ -4,7 +4,7 @@ description: Learn more about the ApplicationDefaults Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 10/03/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -158,7 +158,7 @@ To create the SyncML, follow these steps:
<!-- Description-Source-ADMX -->
This policy setting determines whether Windows supports web-to-app linking with app URI handlers.
Enabling this policy setting enables web-to-app linking so that apps can be launched with a http(s) URI.
Enabling this policy setting enables web-to-app linking so that apps can be launched with an http(s) URI.
Disabling this policy disables web-to-app linking and http(s) URIs will be opened in the default browser instead of launching the associated app.


@ -469,10 +469,7 @@ Specifies whether web-based sign-in is allowed for signing in to Windows.
<!-- EnableWebSignIn-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!WARNING]
> The Web sign-in feature is intended for recovery purposes in the event a password isn't available as an authentication method. Web sign-in only supports *temporary access pass* as an authentication method for Microsoft Entra ID, unless it's used in a limited federated scope.
**Web sign-in** is a modern way of signing into a Windows PC. It enables Windows sign-in support for new Microsoft Entra credentials, like temporary access pass.
Web sign-in is a credential provider that enables a web-based sign-in experience on Windows devices. Initially introduced in Windows 10 with support for Temporary Access Pass (TAP) only, Web sign-in expanded its capabilities starting in Windows 11, version 22H2 with KB5030310. For more information, see [Web sign-in for Windows](/windows/security/identity-protection/web-sign-in).
> [!NOTE]
> Web sign-in is only supported on Microsoft Entra joined PCs.


@ -4,7 +4,7 @@ description: Learn more about the Browser Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -1044,7 +1044,7 @@ To verify AllowPasswordManager is set to 0 (not allowed):
<!-- AllowPopups-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is turned on..
This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is turned on.
- If you enable this setting, Pop-up Blocker is turned on, stopping pop-up windows from appearing.
@ -3530,7 +3530,7 @@ Don't enable both this setting and the Keep favorites in sync between Internet E
|:--|:--|
| Name | ConfiguredFavorites |
| Friendly Name | Provision Favorites |
| Element Name | Specify the URL which points to the file that has all the data for provisioning favorites (in html format). You can export a set of favorites from Microsoft Edge and use that html file for provisioning user machines.<br> <br> URL can be specified as.<br> <br> 1. HTTP location: https://localhost:8080/URLs.html<br> 2. Local network: \\network\shares\URLs.html.<br> <br> 3. Local file: file:///c:\\Users\\`<user>`\\Documents\\URLs.html or C:\\Users\\`<user>`\\Documents\\URLs.html. |
| Element Name | ConfiguredFavoritesPrompt |
| Location | Computer and User Configuration |
| Path | Windows Components > Microsoft Edge |
| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Favorites |


@ -4,7 +4,7 @@ description: Learn more about the Defender Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 10/23/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -1350,7 +1350,7 @@ Microsoft Defender Antivirus automatically determines which applications should
Enabled:
Specify additional allowed applications in the Options section..
Specify additional allowed applications in the Options section.
Disabled:


@ -4,7 +4,7 @@ description: Learn more about the DeliveryOptimization Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -1697,8 +1697,8 @@ This policy allows an IT Admin to define the following details:
<!-- DOVpnKeywords-OmaUri-End -->
<!-- DOVpnKeywords-Description-Begin -->
<!-- Description-Source-DDF -->
This policy allows you to set one or more keywords used to recognize VPN connections.
<!-- Description-Source-ADMX -->
This policy allows you to set one or more keywords used to recognize VPN connections. To add multiple keywords, separate them with commas.
<!-- DOVpnKeywords-Description-End -->
<!-- DOVpnKeywords-Editable-Begin -->
@ -1721,8 +1721,12 @@ This policy allows you to set one or more keywords used to recognize VPN connect
| Name | Value |
|:--|:--|
| Name | VpnKeywords |
| Path | DeliveryOptimization > AT > WindowsComponents > DeliveryOptimizationCat |
| Element Name | VpnKeywords |
| Friendly Name | VPN Keywords |
| Element Name | VPN Keywords. |
| Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
| ADMX File Name | DeliveryOptimization.admx |
<!-- DOVpnKeywords-GpMapping-End -->
<!-- DOVpnKeywords-Examples-Begin -->


@ -4,7 +4,7 @@ description: Learn more about the DesktopAppInstaller Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 10/03/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -775,6 +775,56 @@ The settings are stored inside of a .json file on the users system. It may be
<!-- EnableWindowsPackageManagerCommandLineInterfaces-End -->
<!-- EnableWindowsPackageManagerConfiguration-Begin -->
## EnableWindowsPackageManagerConfiguration
<!-- EnableWindowsPackageManagerConfiguration-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- EnableWindowsPackageManagerConfiguration-Applicability-End -->
<!-- EnableWindowsPackageManagerConfiguration-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableWindowsPackageManagerConfiguration
```
<!-- EnableWindowsPackageManagerConfiguration-OmaUri-End -->
<!-- EnableWindowsPackageManagerConfiguration-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- EnableWindowsPackageManagerConfiguration-Description-End -->
<!-- EnableWindowsPackageManagerConfiguration-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableWindowsPackageManagerConfiguration-Editable-End -->
<!-- EnableWindowsPackageManagerConfiguration-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- EnableWindowsPackageManagerConfiguration-DFProperties-End -->
<!-- EnableWindowsPackageManagerConfiguration-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | EnableWindowsPackageManagerConfiguration |
| ADMX File Name | DesktopAppInstaller.admx |
<!-- EnableWindowsPackageManagerConfiguration-AdmxBacked-End -->
<!-- EnableWindowsPackageManagerConfiguration-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableWindowsPackageManagerConfiguration-Examples-End -->
<!-- EnableWindowsPackageManagerConfiguration-End -->
<!-- SourceAutoUpdateInterval-Begin -->
## SourceAutoUpdateInterval


@ -4,7 +4,7 @@ description: Learn more about the DeviceInstallation Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -365,26 +365,26 @@ Device instance IDs > Device IDs > Device setup class > Removable devices.
Device instance IDs.
1. Prevent installation of devices using drivers that match these device instance IDs
2. Allow installation of devices using drivers that match these device instance IDs.
1. Allow installation of devices using drivers that match these device instance IDs.
Device IDs.
3. Prevent installation of devices using drivers that match these device IDs
4. Allow installation of devices using drivers that match these device IDs.
1. Prevent installation of devices using drivers that match these device IDs
1. Allow installation of devices using drivers that match these device IDs.
Device setup class.
5. Prevent installation of devices using drivers that match these device setup classes
6. Allow installation of devices using drivers that match these device setup classes.
1. Prevent installation of devices using drivers that match these device setup classes
1. Allow installation of devices using drivers that match these device setup classes.
Removable devices.
7. Prevent installation of removable devices.
1. Prevent installation of removable devices.
> [!NOTE]
> This policy setting provides more granular control than the "Prevent installation of devices not described by other policy settings" policy setting. If these conflicting policy settings are enabled at the same time, the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy setting will be ignored.
If you disable or don't configure this policy setting, the default evaluation is used. By default, all "Prevent installation..". policy settings have precedence over any other policy setting that allows Windows to install a device.
If you disable or don't configure this policy setting, the default evaluation is used. By default, all "Prevent installation.". policy settings have precedence over any other policy setting that allows Windows to install a device.
<!-- EnableInstallationPolicyLayering-Description-End -->
<!-- EnableInstallationPolicyLayering-Editable-Begin -->


@ -4,7 +4,7 @@ description: Learn more about the LocalPoliciesSecurityOptions Area in Policy CS
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 10/03/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -4132,7 +4132,7 @@ User Account Control: Only elevate executable files that are signed and validate
<!-- UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations-Description-Begin -->
<!-- Description-Source-DDF -->
User Account Control: Only elevate UIAccess applications that are installed in secure locations This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - ...\Program Files\, including subfolders - ...\Windows\system32\ - ...\Program Files (x86)\, including subfolders for 64-bit versions of Windows Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The options are: - Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. - Disabled: An application runs with UIAccess integrity even if it doesn't reside in a secure location in the file system.
User Account Control: Only elevate UIAccess applications that are installed in secure locations This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - ..\Program Files\, including subfolders - ..\Windows\system32\ - ..\Program Files (x86)\, including subfolders for 64-bit versions of Windows Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The options are: - Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. - Disabled: An application runs with UIAccess integrity even if it doesn't reside in a secure location in the file system.
<!-- UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations-Description-End -->
<!-- UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations-Editable-Begin -->


@ -4,7 +4,7 @@ description: Learn more about the MSSecurityGuide Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -222,6 +222,56 @@ ms.topic: reference
<!-- EnableStructuredExceptionHandlingOverwriteProtection-End -->
<!-- NetBTNodeTypeConfiguration-Begin -->
## NetBTNodeTypeConfiguration
<!-- NetBTNodeTypeConfiguration-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- NetBTNodeTypeConfiguration-Applicability-End -->
<!-- NetBTNodeTypeConfiguration-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/MSSecurityGuide/NetBTNodeTypeConfiguration
```
<!-- NetBTNodeTypeConfiguration-OmaUri-End -->
<!-- NetBTNodeTypeConfiguration-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- NetBTNodeTypeConfiguration-Description-End -->
<!-- NetBTNodeTypeConfiguration-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- NetBTNodeTypeConfiguration-Editable-End -->
<!-- NetBTNodeTypeConfiguration-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- NetBTNodeTypeConfiguration-DFProperties-End -->
<!-- NetBTNodeTypeConfiguration-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | Pol_SecGuide_0050_NetbtNodeTypeConfig |
| ADMX File Name | SecGuide.admx |
<!-- NetBTNodeTypeConfiguration-AdmxBacked-End -->
<!-- NetBTNodeTypeConfiguration-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- NetBTNodeTypeConfiguration-Examples-End -->
<!-- NetBTNodeTypeConfiguration-End -->
<!-- TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications-Begin -->
## TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications


@ -4,7 +4,7 @@ description: Learn more about the RemoteDesktopServices Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -18,6 +18,8 @@ ms.topic: reference
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- RemoteDesktopServices-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- RemoteDesktopServices-Editable-End -->
@ -338,6 +340,114 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
<!-- DoNotAllowWebAuthnRedirection-End -->
<!-- LimitClientToServerClipboardRedirection-Begin -->
## LimitClientToServerClipboardRedirection
<!-- LimitClientToServerClipboardRedirection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- LimitClientToServerClipboardRedirection-Applicability-End -->
<!-- LimitClientToServerClipboardRedirection-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/RemoteDesktopServices/LimitClientToServerClipboardRedirection
```
```Device
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/LimitClientToServerClipboardRedirection
```
<!-- LimitClientToServerClipboardRedirection-OmaUri-End -->
<!-- LimitClientToServerClipboardRedirection-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- LimitClientToServerClipboardRedirection-Description-End -->
<!-- LimitClientToServerClipboardRedirection-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- LimitClientToServerClipboardRedirection-Editable-End -->
<!-- LimitClientToServerClipboardRedirection-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- LimitClientToServerClipboardRedirection-DFProperties-End -->
<!-- LimitClientToServerClipboardRedirection-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | TS_CLIENT_CLIPBOARDRESTRICTION_CS |
| ADMX File Name | terminalserver.admx |
<!-- LimitClientToServerClipboardRedirection-AdmxBacked-End -->
<!-- LimitClientToServerClipboardRedirection-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- LimitClientToServerClipboardRedirection-Examples-End -->
<!-- LimitClientToServerClipboardRedirection-End -->
<!-- LimitServerToClientClipboardRedirection-Begin -->
## LimitServerToClientClipboardRedirection
<!-- LimitServerToClientClipboardRedirection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- LimitServerToClientClipboardRedirection-Applicability-End -->
<!-- LimitServerToClientClipboardRedirection-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/RemoteDesktopServices/LimitServerToClientClipboardRedirection
```
```Device
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/LimitServerToClientClipboardRedirection
```
<!-- LimitServerToClientClipboardRedirection-OmaUri-End -->
<!-- LimitServerToClientClipboardRedirection-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- LimitServerToClientClipboardRedirection-Description-End -->
<!-- LimitServerToClientClipboardRedirection-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- LimitServerToClientClipboardRedirection-Editable-End -->
<!-- LimitServerToClientClipboardRedirection-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- LimitServerToClientClipboardRedirection-DFProperties-End -->
<!-- LimitServerToClientClipboardRedirection-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | TS_CLIENT_CLIPBOARDRESTRICTION_SC |
| ADMX File Name | terminalserver.admx |
<!-- LimitServerToClientClipboardRedirection-AdmxBacked-End -->
<!-- LimitServerToClientClipboardRedirection-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- LimitServerToClientClipboardRedirection-Examples-End -->
<!-- LimitServerToClientClipboardRedirection-End -->
<!-- PromptForPasswordUponConnection-Begin -->
## PromptForPasswordUponConnection


@ -4,7 +4,7 @@ description: Learn more about the System Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/30/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -118,7 +118,7 @@ AllowCommercialDataPipeline configures a Microsoft Entra joined device so that M
To enable this behavior:
1. Enable this policy setting
2. Join a Microsoft Entra account to the device.
1. Join a Microsoft Entra account to the device.
Windows diagnostic data is collected when the Allow Telemetry policy setting is set to value 1 - Required or above. Configuring this setting doesn't change the Windows diagnostic data collection level set for the device.
@ -198,10 +198,10 @@ This policy setting, in combination with the Allow Telemetry and Configure the C
To enable this behavior:
1. Enable this policy setting
2. Join a Microsoft Entra account to the device.
1. Join a Microsoft Entra account to the device.
3. Set Allow Telemetry to value 1 - Required, or higher
4. Set the Configure the Commercial ID setting for your Desktop Analytics workspace.
1. Set Allow Telemetry to value 1 - Required, or higher
1. Set the Configure the Commercial ID setting for your Desktop Analytics workspace.
When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
@ -762,10 +762,10 @@ This policy setting, in combination with the Allow Telemetry and Configure the C
To enable this behavior:
1. Enable this policy setting
2. Join a Microsoft Entra account to the device.
1. Join a Microsoft Entra account to the device.
3. Set Allow Telemetry to value 1 - Required, or higher
4. Set the Configure the Commercial ID setting for your Update Compliance workspace.
1. Set Allow Telemetry to value 1 - Required, or higher
1. Set the Configure the Commercial ID setting for your Update Compliance workspace.
When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
@ -889,9 +889,9 @@ This policy setting configures a Microsoft Entra joined device so that Microsoft
To enable this behavior:
1. Enable this policy setting
2. Join a Microsoft Entra account to the device.
1. Join a Microsoft Entra account to the device.
3. Set Allow Telemetry to value 1 - Required, or higher.
1. Set Allow Telemetry to value 1 - Required, or higher.
When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
@ -1999,10 +1999,10 @@ This policy setting, in combination with the "Allow Diagnostic Data" policy sett
To enable the behavior described above, complete the following steps:
1. Enable this policy setting
2. Set the "Allow Diagnostic Data" policy to "Send optional diagnostic data".
1. Set the "Allow Diagnostic Data" policy to "Send optional diagnostic data".
3. Enable the "Limit Dump Collection" policy
4. Enable the "Limit Diagnostic Log Collection" policy.
1. Enable the "Limit Dump Collection" policy
1. Enable the "Limit Diagnostic Log Collection" policy.
When these policies are configured, Microsoft will collect only required diagnostic data and the events required by Desktop Analytics, which can be viewed at< https://go.microsoft.com/fwlink/?linkid=2116020>.


@ -4,7 +4,7 @@ description: Learn more about the SystemServices Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -20,6 +20,56 @@ ms.topic: reference
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SystemServices-Editable-End -->
<!-- ConfigureComputerBrowserServiceStartupMode-Begin -->
## ConfigureComputerBrowserServiceStartupMode
<!-- ConfigureComputerBrowserServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- ConfigureComputerBrowserServiceStartupMode-Applicability-End -->
<!-- ConfigureComputerBrowserServiceStartupMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureComputerBrowserServiceStartupMode
```
<!-- ConfigureComputerBrowserServiceStartupMode-OmaUri-End -->
<!-- ConfigureComputerBrowserServiceStartupMode-Description-Begin -->
<!-- Description-Source-DDF -->
This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
<!-- ConfigureComputerBrowserServiceStartupMode-Description-End -->
<!-- ConfigureComputerBrowserServiceStartupMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureComputerBrowserServiceStartupMode-Editable-End -->
<!-- ConfigureComputerBrowserServiceStartupMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[2-4]` |
| Default Value | 3 |
<!-- ConfigureComputerBrowserServiceStartupMode-DFProperties-End -->
<!-- ConfigureComputerBrowserServiceStartupMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Computer Browser |
| Path | Windows Settings > Security Settings > System Services |
<!-- ConfigureComputerBrowserServiceStartupMode-GpMapping-End -->
<!-- ConfigureComputerBrowserServiceStartupMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureComputerBrowserServiceStartupMode-Examples-End -->
<!-- ConfigureComputerBrowserServiceStartupMode-End -->
<!-- ConfigureHomeGroupListenerServiceStartupMode-Begin -->
## ConfigureHomeGroupListenerServiceStartupMode
@ -120,6 +170,756 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureHomeGroupProviderServiceStartupMode-End -->
<!-- ConfigureIISAdminServiceStartupMode-Begin -->
## ConfigureIISAdminServiceStartupMode
<!-- ConfigureIISAdminServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- ConfigureIISAdminServiceStartupMode-Applicability-End -->
<!-- ConfigureIISAdminServiceStartupMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureIISAdminServiceStartupMode
```
<!-- ConfigureIISAdminServiceStartupMode-OmaUri-End -->
<!-- ConfigureIISAdminServiceStartupMode-Description-Begin -->
<!-- Description-Source-DDF -->
This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
<!-- ConfigureIISAdminServiceStartupMode-Description-End -->
<!-- ConfigureIISAdminServiceStartupMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureIISAdminServiceStartupMode-Editable-End -->
<!-- ConfigureIISAdminServiceStartupMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[2-4]` |
| Default Value | 3 |
<!-- ConfigureIISAdminServiceStartupMode-DFProperties-End -->
<!-- ConfigureIISAdminServiceStartupMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | IIS Admin Service |
| Path | Windows Settings > Security Settings > System Services |
<!-- ConfigureIISAdminServiceStartupMode-GpMapping-End -->
<!-- ConfigureIISAdminServiceStartupMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureIISAdminServiceStartupMode-Examples-End -->
<!-- ConfigureIISAdminServiceStartupMode-End -->
<!-- ConfigureInfraredMonitorServiceStartupMode-Begin -->
## ConfigureInfraredMonitorServiceStartupMode
<!-- ConfigureInfraredMonitorServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- ConfigureInfraredMonitorServiceStartupMode-Applicability-End -->
<!-- ConfigureInfraredMonitorServiceStartupMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureInfraredMonitorServiceStartupMode
```
<!-- ConfigureInfraredMonitorServiceStartupMode-OmaUri-End -->
<!-- ConfigureInfraredMonitorServiceStartupMode-Description-Begin -->
<!-- Description-Source-DDF -->
This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
<!-- ConfigureInfraredMonitorServiceStartupMode-Description-End -->
<!-- ConfigureInfraredMonitorServiceStartupMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureInfraredMonitorServiceStartupMode-Editable-End -->
<!-- ConfigureInfraredMonitorServiceStartupMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[2-4]` |
| Default Value | 3 |
<!-- ConfigureInfraredMonitorServiceStartupMode-DFProperties-End -->
<!-- ConfigureInfraredMonitorServiceStartupMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Infrared Monitor Service |
| Path | Windows Settings > Security Settings > System Services |
<!-- ConfigureInfraredMonitorServiceStartupMode-GpMapping-End -->
<!-- ConfigureInfraredMonitorServiceStartupMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureInfraredMonitorServiceStartupMode-Examples-End -->
<!-- ConfigureInfraredMonitorServiceStartupMode-End -->
<!-- ConfigureInternetConnectionSharingServiceStartupMode-Begin -->
## ConfigureInternetConnectionSharingServiceStartupMode
<!-- ConfigureInternetConnectionSharingServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- ConfigureInternetConnectionSharingServiceStartupMode-Applicability-End -->
<!-- ConfigureInternetConnectionSharingServiceStartupMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureInternetConnectionSharingServiceStartupMode
```
<!-- ConfigureInternetConnectionSharingServiceStartupMode-OmaUri-End -->
<!-- ConfigureInternetConnectionSharingServiceStartupMode-Description-Begin -->
<!-- Description-Source-DDF -->
This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
<!-- ConfigureInternetConnectionSharingServiceStartupMode-Description-End -->
<!-- ConfigureInternetConnectionSharingServiceStartupMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureInternetConnectionSharingServiceStartupMode-Editable-End -->
<!-- ConfigureInternetConnectionSharingServiceStartupMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[2-4]` |
| Default Value | 3 |
<!-- ConfigureInternetConnectionSharingServiceStartupMode-DFProperties-End -->
<!-- ConfigureInternetConnectionSharingServiceStartupMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Internet Connection Sharing (ICS) |
| Path | Windows Settings > Security Settings > System Services |
<!-- ConfigureInternetConnectionSharingServiceStartupMode-GpMapping-End -->
<!-- ConfigureInternetConnectionSharingServiceStartupMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureInternetConnectionSharingServiceStartupMode-Examples-End -->
<!-- ConfigureInternetConnectionSharingServiceStartupMode-End -->
<!-- ConfigureLxssManagerServiceStartupMode-Begin -->
## ConfigureLxssManagerServiceStartupMode
<!-- ConfigureLxssManagerServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- ConfigureLxssManagerServiceStartupMode-Applicability-End -->
<!-- ConfigureLxssManagerServiceStartupMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureLxssManagerServiceStartupMode
```
<!-- ConfigureLxssManagerServiceStartupMode-OmaUri-End -->
<!-- ConfigureLxssManagerServiceStartupMode-Description-Begin -->
<!-- Description-Source-DDF -->
This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
<!-- ConfigureLxssManagerServiceStartupMode-Description-End -->
<!-- ConfigureLxssManagerServiceStartupMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureLxssManagerServiceStartupMode-Editable-End -->
<!-- ConfigureLxssManagerServiceStartupMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[2-4]` |
| Default Value | 3 |
<!-- ConfigureLxssManagerServiceStartupMode-DFProperties-End -->
<!-- ConfigureLxssManagerServiceStartupMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | LxssManager |
| Path | Windows Settings > Security Settings > System Services |
<!-- ConfigureLxssManagerServiceStartupMode-GpMapping-End -->
<!-- ConfigureLxssManagerServiceStartupMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureLxssManagerServiceStartupMode-Examples-End -->
<!-- ConfigureLxssManagerServiceStartupMode-End -->
<!-- ConfigureMicrosoftFTPServiceStartupMode-Begin -->
## ConfigureMicrosoftFTPServiceStartupMode
<!-- ConfigureMicrosoftFTPServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- ConfigureMicrosoftFTPServiceStartupMode-Applicability-End -->
<!-- ConfigureMicrosoftFTPServiceStartupMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureMicrosoftFTPServiceStartupMode
```
<!-- ConfigureMicrosoftFTPServiceStartupMode-OmaUri-End -->
<!-- ConfigureMicrosoftFTPServiceStartupMode-Description-Begin -->
<!-- Description-Source-DDF -->
This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
<!-- ConfigureMicrosoftFTPServiceStartupMode-Description-End -->
<!-- ConfigureMicrosoftFTPServiceStartupMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureMicrosoftFTPServiceStartupMode-Editable-End -->
<!-- ConfigureMicrosoftFTPServiceStartupMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[2-4]` |
| Default Value | 3 |
<!-- ConfigureMicrosoftFTPServiceStartupMode-DFProperties-End -->
<!-- ConfigureMicrosoftFTPServiceStartupMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Microsoft FTP Service |
| Path | Windows Settings > Security Settings > System Services |
<!-- ConfigureMicrosoftFTPServiceStartupMode-GpMapping-End -->
<!-- ConfigureMicrosoftFTPServiceStartupMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureMicrosoftFTPServiceStartupMode-Examples-End -->
<!-- ConfigureMicrosoftFTPServiceStartupMode-End -->
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-Begin -->
## ConfigureRemoteProcedureCallLocatorServiceStartupMode
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-Applicability-End -->
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureRemoteProcedureCallLocatorServiceStartupMode
```
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-OmaUri-End -->
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-Description-Begin -->
<!-- Description-Source-DDF -->
This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-Description-End -->
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-Editable-End -->
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[2-4]` |
| Default Value | 3 |
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-DFProperties-End -->
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Remote Procedure Call (RPC) Locator |
| Path | Windows Settings > Security Settings > System Services |
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-GpMapping-End -->
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-Examples-End -->
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-End -->
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-Begin -->
## ConfigureRoutingAndRemoteAccessServiceStartupMode
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-Applicability-End -->
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureRoutingAndRemoteAccessServiceStartupMode
```
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-OmaUri-End -->
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-Description-Begin -->
<!-- Description-Source-DDF -->
This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-Description-End -->
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-Editable-End -->
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[2-4]` |
| Default Value | 3 |
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-DFProperties-End -->
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Routing and Remote Access |
| Path | Windows Settings > Security Settings > System Services |
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-GpMapping-End -->
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-Examples-End -->
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-End -->
<!-- ConfigureSimpleTCPIPServicesStartupMode-Begin -->
## ConfigureSimpleTCPIPServicesStartupMode
<!-- ConfigureSimpleTCPIPServicesStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- ConfigureSimpleTCPIPServicesStartupMode-Applicability-End -->
<!-- ConfigureSimpleTCPIPServicesStartupMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureSimpleTCPIPServicesStartupMode
```
<!-- ConfigureSimpleTCPIPServicesStartupMode-OmaUri-End -->
<!-- ConfigureSimpleTCPIPServicesStartupMode-Description-Begin -->
<!-- Description-Source-DDF -->
This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
<!-- ConfigureSimpleTCPIPServicesStartupMode-Description-End -->
<!-- ConfigureSimpleTCPIPServicesStartupMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureSimpleTCPIPServicesStartupMode-Editable-End -->
<!-- ConfigureSimpleTCPIPServicesStartupMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[2-4]` |
| Default Value | 3 |
<!-- ConfigureSimpleTCPIPServicesStartupMode-DFProperties-End -->
<!-- ConfigureSimpleTCPIPServicesStartupMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Simple TCP/IP Services |
| Path | Windows Settings > Security Settings > System Services |
<!-- ConfigureSimpleTCPIPServicesStartupMode-GpMapping-End -->
<!-- ConfigureSimpleTCPIPServicesStartupMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureSimpleTCPIPServicesStartupMode-Examples-End -->
<!-- ConfigureSimpleTCPIPServicesStartupMode-End -->
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-Begin -->
## ConfigureSpecialAdministrationConsoleHelperServiceStartupMode
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-Applicability-End -->
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureSpecialAdministrationConsoleHelperServiceStartupMode
```
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-OmaUri-End -->
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-Description-Begin -->
<!-- Description-Source-DDF -->
This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-Description-End -->
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-Editable-End -->
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[2-4]` |
| Default Value | 3 |
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-DFProperties-End -->
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Special Administration Console Helper |
| Path | Windows Settings > Security Settings > System Services |
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-GpMapping-End -->
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-Examples-End -->
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-End -->
<!-- ConfigureSSDPDiscoveryServiceStartupMode-Begin -->
## ConfigureSSDPDiscoveryServiceStartupMode
<!-- ConfigureSSDPDiscoveryServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- ConfigureSSDPDiscoveryServiceStartupMode-Applicability-End -->
<!-- ConfigureSSDPDiscoveryServiceStartupMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureSSDPDiscoveryServiceStartupMode
```
<!-- ConfigureSSDPDiscoveryServiceStartupMode-OmaUri-End -->
<!-- ConfigureSSDPDiscoveryServiceStartupMode-Description-Begin -->
<!-- Description-Source-DDF -->
This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
<!-- ConfigureSSDPDiscoveryServiceStartupMode-Description-End -->
<!-- ConfigureSSDPDiscoveryServiceStartupMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureSSDPDiscoveryServiceStartupMode-Editable-End -->
<!-- ConfigureSSDPDiscoveryServiceStartupMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[2-4]` |
| Default Value | 3 |
<!-- ConfigureSSDPDiscoveryServiceStartupMode-DFProperties-End -->
<!-- ConfigureSSDPDiscoveryServiceStartupMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | SSDP Discovery |
| Path | Windows Settings > Security Settings > System Services |
<!-- ConfigureSSDPDiscoveryServiceStartupMode-GpMapping-End -->
<!-- ConfigureSSDPDiscoveryServiceStartupMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureSSDPDiscoveryServiceStartupMode-Examples-End -->
<!-- ConfigureSSDPDiscoveryServiceStartupMode-End -->
<!-- ConfigureUPnPDeviceHostServiceStartupMode-Begin -->
## ConfigureUPnPDeviceHostServiceStartupMode
<!-- ConfigureUPnPDeviceHostServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- ConfigureUPnPDeviceHostServiceStartupMode-Applicability-End -->
<!-- ConfigureUPnPDeviceHostServiceStartupMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureUPnPDeviceHostServiceStartupMode
```
<!-- ConfigureUPnPDeviceHostServiceStartupMode-OmaUri-End -->
<!-- ConfigureUPnPDeviceHostServiceStartupMode-Description-Begin -->
<!-- Description-Source-DDF -->
This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
<!-- ConfigureUPnPDeviceHostServiceStartupMode-Description-End -->
<!-- ConfigureUPnPDeviceHostServiceStartupMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureUPnPDeviceHostServiceStartupMode-Editable-End -->
<!-- ConfigureUPnPDeviceHostServiceStartupMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[2-4]` |
| Default Value | 3 |
<!-- ConfigureUPnPDeviceHostServiceStartupMode-DFProperties-End -->
<!-- ConfigureUPnPDeviceHostServiceStartupMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | UPnP Device Host |
| Path | Windows Settings > Security Settings > System Services |
<!-- ConfigureUPnPDeviceHostServiceStartupMode-GpMapping-End -->
<!-- ConfigureUPnPDeviceHostServiceStartupMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureUPnPDeviceHostServiceStartupMode-Examples-End -->
<!-- ConfigureUPnPDeviceHostServiceStartupMode-End -->
<!-- ConfigureWebManagementServiceStartupMode-Begin -->
## ConfigureWebManagementServiceStartupMode
<!-- ConfigureWebManagementServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- ConfigureWebManagementServiceStartupMode-Applicability-End -->
<!-- ConfigureWebManagementServiceStartupMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWebManagementServiceStartupMode
```
<!-- ConfigureWebManagementServiceStartupMode-OmaUri-End -->
<!-- ConfigureWebManagementServiceStartupMode-Description-Begin -->
<!-- Description-Source-DDF -->
This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
<!-- ConfigureWebManagementServiceStartupMode-Description-End -->
<!-- ConfigureWebManagementServiceStartupMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureWebManagementServiceStartupMode-Editable-End -->
<!-- ConfigureWebManagementServiceStartupMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[2-4]` |
| Default Value | 3 |
<!-- ConfigureWebManagementServiceStartupMode-DFProperties-End -->
<!-- ConfigureWebManagementServiceStartupMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Web Management Service |
| Path | Windows Settings > Security Settings > System Services |
<!-- ConfigureWebManagementServiceStartupMode-GpMapping-End -->
<!-- ConfigureWebManagementServiceStartupMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureWebManagementServiceStartupMode-Examples-End -->
<!-- ConfigureWebManagementServiceStartupMode-End -->
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-Begin -->
## ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-Applicability-End -->
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode
```
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-OmaUri-End -->
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-Description-Begin -->
<!-- Description-Source-DDF -->
This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-Description-End -->
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-Editable-End -->
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[2-4]` |
| Default Value | 3 |
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-DFProperties-End -->
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Windows Media Player Network Sharing Service |
| Path | Windows Settings > Security Settings > System Services |
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-GpMapping-End -->
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-Examples-End -->
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-End -->
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-Begin -->
## ConfigureWindowsMobileHotspotServiceStartupMode
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-Applicability-End -->
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWindowsMobileHotspotServiceStartupMode
```
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-OmaUri-End -->
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-Description-Begin -->
<!-- Description-Source-DDF -->
This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-Description-End -->
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-Editable-End -->
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[2-4]` |
| Default Value | 3 |
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-DFProperties-End -->
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Windows Mobile Hotspot Service |
| Path | Windows Settings > Security Settings > System Services |
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-GpMapping-End -->
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-Examples-End -->
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-End -->
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-Begin -->
## ConfigureWorldWideWebPublishingServiceStartupMode
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-Applicability-End -->
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWorldWideWebPublishingServiceStartupMode
```
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-OmaUri-End -->
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-Description-Begin -->
<!-- Description-Source-DDF -->
This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-Description-End -->
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-Editable-End -->
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[2-4]` |
| Default Value | 3 |
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-DFProperties-End -->
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | World Wide Web Publishing Service |
| Path | Windows Settings > Security Settings > System Services |
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-GpMapping-End -->
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-Examples-End -->
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-End -->
<!-- ConfigureXboxAccessoryManagementServiceStartupMode-Begin -->
## ConfigureXboxAccessoryManagementServiceStartupMode


@ -4,7 +4,7 @@ description: Learn more about the Troubleshooting Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -61,15 +61,15 @@ After setting this policy, you can use the following instructions to check devic
rem The following batch script triggers Recommended Troubleshooting schtasks /run /TN "\Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner".
2. To create a new immediate task, navigate to the Group Policy Management Editor > Computer Configuration > Preferences and select Control Panel Settings.
1. To create a new immediate task, navigate to the Group Policy Management Editor > Computer Configuration > Preferences and select Control Panel Settings.
3. Under Control Panel settings, right-click on Scheduled Tasks and select New. Select Immediate Task (At least Windows 7).
1. Under Control Panel settings, right-click on Scheduled Tasks and select New. Select Immediate Task (At least Windows 7).
4. Provide name and description as appropriate, then under Security Options set the user account to System and select the Run with highest privileges checkbox.
1. Provide name and description as appropriate, then under Security Options set the user account to System and select the Run with highest privileges checkbox.
5. In the Actions tab, create a new action, select Start a Program as its type, then enter the file created in step 1.
1. In the Actions tab, create a new action, select Start a Program as its type, then enter the file created in step 1.
6. Configure the task to deploy to your domain.
1. Configure the task to deploy to your domain.
<!-- AllowRecommendations-Description-End -->
<!-- AllowRecommendations-Editable-Begin -->


@ -4,7 +4,7 @@ description: Learn more about the Update Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 10/03/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -292,8 +292,16 @@ Allows the IT admin to manage whether Automatic Updates accepts updates signed b
<!-- AllowOptionalContent-OmaUri-End -->
<!-- AllowOptionalContent-Description-Begin -->
<!-- Description-Source-DDF -->
<!-- Description-Source-ADMX -->
This policy enables devices to get optional updates (including gradual feature rollouts (CFRs) - learn more by visiting aka.ms/AllowOptionalContent)
When the policy is configured.
- If "Automatically receive optional updates (including CFRs)" is selected, the device will get the latest optional updates automatically in line with the configured quality update deferrals. This includes optional cumulative updates and gradual feature rollouts (CFRs).
- If "Automatically receive optional updates" is selected, the device will only get optional cumulative updates automatically, in line with the quality update deferrals.
- If "Users can select which optional updates to receive" is selected, users can select which optional updates to get by visiting Settings > Windows Update > Advanced options > Optional updates. Users can also enable the toggle "Get the latest updates as soon as they're available" to automatically receive optional updates and gradual feature rollouts.
<!-- AllowOptionalContent-Description-End -->
<!-- AllowOptionalContent-Editable-Begin -->
@ -327,7 +335,12 @@ This policy enables devices to get optional updates (including gradual feature r
| Name | Value |
|:--|:--|
| Name | AllowOptionalContent |
| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat |
| Friendly Name | Enable optional updates |
| Location | Computer Configuration |
| Path | Windows Components > Windows Update > Manage updates offered from Windows Update |
| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate |
| Registry Value Name | SetAllowOptionalContent |
| ADMX File Name | WindowsUpdate.admx |
<!-- AllowOptionalContent-GpMapping-End -->
<!-- AllowOptionalContent-Examples-Begin -->
@ -1958,7 +1971,7 @@ If any of the following two policies are enabled, this policy has no effect:
1. No auto-restart with logged-on users for scheduled automatic updates installations.
2. Always automatically restart at scheduled time.
1. Always automatically restart at scheduled time.
Note that the default max active hours range is 18 hours from the active hours start time unless otherwise configured via the Specify active hours range for auto-restarts policy.
<!-- ActiveHoursEnd-Description-End -->
@ -2085,7 +2098,7 @@ If any of the following two policies are enabled, this policy has no effect:
1. No auto-restart with logged-on users for scheduled automatic updates installations.
2. Always automatically restart at scheduled time.
1. Always automatically restart at scheduled time.
Note that the default max active hours range is 18 hours from the active hours start time unless otherwise configured via the Specify active hours range for auto-restarts policy.
<!-- ActiveHoursStart-Description-End -->
@ -3599,7 +3612,7 @@ Enabling either of the following two policies will override the above policy:
1. No auto-restart with logged-on users for scheduled automatic updates installations.
2. Always automatically restart at scheduled time.
1. Always automatically restart at scheduled time.
<!-- AutoRestartDeadlinePeriodInDays-Description-End -->
<!-- AutoRestartDeadlinePeriodInDays-Editable-Begin -->
@ -3664,7 +3677,7 @@ Enabling either of the following two policies will override the above policy:
1. No auto-restart with logged-on users for scheduled automatic updates installations.
2. Always automatically restart at scheduled time.
1. Always automatically restart at scheduled time.
<!-- AutoRestartDeadlinePeriodInDaysForFeatureUpdates-Description-End -->
<!-- AutoRestartDeadlinePeriodInDaysForFeatureUpdates-Editable-Begin -->
@ -4083,9 +4096,9 @@ If you disable or don't configure this policy, the PC will restart following the
Enabling any of the following policies will override the above policy:
1. No auto-restart with logged-on users for scheduled automatic updates installations
2. Always automatically restart at scheduled time.
1. Always automatically restart at scheduled time.
3. Specify deadline before auto-restart for update installation.
1. Specify deadline before auto-restart for update installation.
<!-- EngagedRestartDeadline-Description-End -->
<!-- EngagedRestartDeadline-Editable-Begin -->
@ -4153,9 +4166,9 @@ If you disable or don't configure this policy, the PC will restart following the
Enabling any of the following policies will override the above policy:
1. No auto-restart with logged-on users for scheduled automatic updates installations
2. Always automatically restart at scheduled time.
1. Always automatically restart at scheduled time.
3. Specify deadline before auto-restart for update installation.
1. Specify deadline before auto-restart for update installation.
<!-- EngagedRestartDeadlineForFeatureUpdates-Description-End -->
<!-- EngagedRestartDeadlineForFeatureUpdates-Editable-Begin -->
@ -4223,9 +4236,9 @@ If you disable or don't configure this policy, the PC will restart following the
Enabling any of the following policies will override the above policy:
1. No auto-restart with logged-on users for scheduled automatic updates installations
2. Always automatically restart at scheduled time.
1. Always automatically restart at scheduled time.
3. Specify deadline before auto-restart for update installation.
1. Specify deadline before auto-restart for update installation.
<!-- EngagedRestartSnoozeSchedule-Description-End -->
<!-- EngagedRestartSnoozeSchedule-Editable-Begin -->
@ -4293,9 +4306,9 @@ If you disable or don't configure this policy, the PC will restart following the
Enabling any of the following policies will override the above policy:
1. No auto-restart with logged-on users for scheduled automatic updates installations
2. Always automatically restart at scheduled time.
1. Always automatically restart at scheduled time.
3. Specify deadline before auto-restart for update installation.
1. Specify deadline before auto-restart for update installation.
<!-- EngagedRestartSnoozeScheduleForFeatureUpdates-Description-End -->
<!-- EngagedRestartSnoozeScheduleForFeatureUpdates-Editable-Begin -->
@ -4363,9 +4376,9 @@ If you disable or don't configure this policy, the PC will restart following the
Enabling any of the following policies will override the above policy:
1. No auto-restart with logged-on users for scheduled automatic updates installations
2. Always automatically restart at scheduled time.
1. Always automatically restart at scheduled time.
3. Specify deadline before auto-restart for update installation.
1. Specify deadline before auto-restart for update installation.
<!-- EngagedRestartTransitionSchedule-Description-End -->
<!-- EngagedRestartTransitionSchedule-Editable-Begin -->
@ -4433,9 +4446,9 @@ If you disable or don't configure this policy, the PC will restart following the
Enabling any of the following policies will override the above policy:
1. No auto-restart with logged-on users for scheduled automatic updates installations
2. Always automatically restart at scheduled time.
1. Always automatically restart at scheduled time.
3. Specify deadline before auto-restart for update installation.
1. Specify deadline before auto-restart for update installation.
<!-- EngagedRestartTransitionScheduleForFeatureUpdates-Description-End -->
<!-- EngagedRestartTransitionScheduleForFeatureUpdates-Editable-Begin -->


@ -4,7 +4,7 @@ description: Learn more about the UserRights Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -259,6 +259,55 @@ This user right allows a process to impersonate any user without authentication.
<!-- ActAsPartOfTheOperatingSystem-End -->
<!-- AdjustMemoryQuotasForProcess-Begin -->
## AdjustMemoryQuotasForProcess
<!-- AdjustMemoryQuotasForProcess-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AdjustMemoryQuotasForProcess-Applicability-End -->
<!-- AdjustMemoryQuotasForProcess-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/UserRights/AdjustMemoryQuotasForProcess
```
<!-- AdjustMemoryQuotasForProcess-OmaUri-End -->
<!-- AdjustMemoryQuotasForProcess-Description-Begin -->
<!-- Description-Source-DDF -->
Adjust memory quotas for a process - This privilege determines who can change the maximum memory that can be consumed by a process. This privilege is useful for system tuning on a group or user basis.
<!-- AdjustMemoryQuotasForProcess-Description-End -->
<!-- AdjustMemoryQuotasForProcess-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AdjustMemoryQuotasForProcess-Editable-End -->
<!-- AdjustMemoryQuotasForProcess-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `0xF000`) |
<!-- AdjustMemoryQuotasForProcess-DFProperties-End -->
<!-- AdjustMemoryQuotasForProcess-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Adjust memory quotas for a process |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
<!-- AdjustMemoryQuotasForProcess-GpMapping-End -->
<!-- AdjustMemoryQuotasForProcess-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AdjustMemoryQuotasForProcess-Examples-End -->
<!-- AdjustMemoryQuotasForProcess-End -->
<!-- AllowLocalLogOn-Begin -->
## AllowLocalLogOn
@ -311,6 +360,55 @@ This user right determines which users can log on to the computer.
<!-- AllowLocalLogOn-End -->
<!-- AllowLogOnThroughRemoteDesktop-Begin -->
## AllowLogOnThroughRemoteDesktop
<!-- AllowLogOnThroughRemoteDesktop-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AllowLogOnThroughRemoteDesktop-Applicability-End -->
<!-- AllowLogOnThroughRemoteDesktop-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLogOnThroughRemoteDesktop
```
<!-- AllowLogOnThroughRemoteDesktop-OmaUri-End -->
<!-- AllowLogOnThroughRemoteDesktop-Description-Begin -->
<!-- Description-Source-DDF -->
Allow log on through Remote Desktop Services - This policy setting determines which users or groups can access the sign-in screen of a remote device through a Remote Desktop Services connection.
<!-- AllowLogOnThroughRemoteDesktop-Description-End -->
<!-- AllowLogOnThroughRemoteDesktop-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AllowLogOnThroughRemoteDesktop-Editable-End -->
<!-- AllowLogOnThroughRemoteDesktop-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `0xF000`) |
<!-- AllowLogOnThroughRemoteDesktop-DFProperties-End -->
<!-- AllowLogOnThroughRemoteDesktop-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Allow log on through Remote Desktop Services |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
<!-- AllowLogOnThroughRemoteDesktop-GpMapping-End -->
<!-- AllowLogOnThroughRemoteDesktop-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowLogOnThroughRemoteDesktop-Examples-End -->
<!-- AllowLogOnThroughRemoteDesktop-End -->
<!-- BackupFilesAndDirectories-Begin -->
## BackupFilesAndDirectories


@ -4,7 +4,7 @@ description: Learn more about the WebThreatDefense Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/30/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -16,8 +16,6 @@ ms.topic: reference
<!-- WebThreatDefense-Begin -->
# Policy CSP - WebThreatDefense
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- WebThreatDefense-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
@ -30,7 +28,7 @@ ms.topic: reference
<!-- AutomaticDataCollection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 23H2 [10.0.22631] and later |
<!-- AutomaticDataCollection-Applicability-End -->
<!-- AutomaticDataCollection-OmaUri-Begin -->


@ -4,7 +4,7 @@ description: Learn more about the WindowsAI Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/30/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -16,8 +16,6 @@ ms.topic: reference
<!-- WindowsAI-Begin -->
# Policy CSP - WindowsAI
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- WindowsAI-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- WindowsAI-Editable-End -->
@ -28,7 +26,7 @@ ms.topic: reference
<!-- TurnOffWindowsCopilot-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25929.1000] |
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2360] and later <br> ✅ Windows 11, version 23H2 [10.0.22631] and later |
<!-- TurnOffWindowsCopilot-Applicability-End -->
<!-- TurnOffWindowsCopilot-OmaUri-Begin -->


@ -4,7 +4,7 @@ description: Learn more about the WindowsSandbox Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 08/10/2023
ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -16,6 +16,8 @@ ms.topic: reference
<!-- WindowsSandbox-Begin -->
# Policy CSP - WindowsSandbox
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- WindowsSandbox-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- WindowsSandbox-Editable-End -->
@ -148,6 +150,56 @@ This policy setting enables or disables clipboard sharing with the sandbox.
<!-- AllowClipboardRedirection-End -->
<!-- AllowMappedFolders-Begin -->
## AllowMappedFolders
<!-- AllowMappedFolders-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AllowMappedFolders-Applicability-End -->
<!-- AllowMappedFolders-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowMappedFolders
```
<!-- AllowMappedFolders-OmaUri-End -->
<!-- AllowMappedFolders-Description-Begin -->
<!-- Description-Source-DDF -->
Allow mapping folders into Windows Sandbox.
<!-- AllowMappedFolders-Description-End -->
<!-- AllowMappedFolders-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AllowMappedFolders-Editable-End -->
<!-- AllowMappedFolders-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
<!-- AllowMappedFolders-DFProperties-End -->
<!-- AllowMappedFolders-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | AllowMappedFolders |
| Path | WindowsSandbox > AT > WindowsComponents > WindowsSandboxCat |
<!-- AllowMappedFolders-GpMapping-End -->
<!-- AllowMappedFolders-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowMappedFolders-Examples-End -->
<!-- AllowMappedFolders-End -->
<!-- AllowNetworking-Begin -->
## AllowNetworking
@ -406,6 +458,57 @@ Note that there may be security implications of exposing host video input to the
<!-- AllowVideoInput-End -->
<!-- AllowWriteToMappedFolders-Begin -->
## AllowWriteToMappedFolders
<!-- AllowWriteToMappedFolders-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AllowWriteToMappedFolders-Applicability-End -->
<!-- AllowWriteToMappedFolders-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowWriteToMappedFolders
```
<!-- AllowWriteToMappedFolders-OmaUri-End -->
<!-- AllowWriteToMappedFolders-Description-Begin -->
<!-- Description-Source-DDF -->
Allow Sandbox to write to mapped folders.
<!-- AllowWriteToMappedFolders-Description-End -->
<!-- AllowWriteToMappedFolders-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AllowWriteToMappedFolders-Editable-End -->
<!-- AllowWriteToMappedFolders-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
| Dependency [WindowsSandbox_AllowWriteToMappedFolders_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowMappedFolders` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- AllowWriteToMappedFolders-DFProperties-End -->
<!-- AllowWriteToMappedFolders-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | AllowWriteToMappedFolders |
| Path | WindowsSandbox > AT > WindowsComponents > WindowsSandboxCat |
<!-- AllowWriteToMappedFolders-GpMapping-End -->
<!-- AllowWriteToMappedFolders-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowWriteToMappedFolders-Examples-End -->
<!-- AllowWriteToMappedFolders-End -->
<!-- WindowsSandbox-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- WindowsSandbox-CspMoreInfo-End -->


@ -8,7 +8,7 @@ ms.topic: reference
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 02/23/2018
ms.date: 11/16/2023
---
# Update CSP
@ -40,7 +40,7 @@ The following example shows the Update configuration service provider in tree fo
----FailedUpdates
--------Failed Update Guid
------------HResult
------------Status
------------State
------------RevisionNumber
----InstalledUpdates
--------Installed Update Guid
@ -63,136 +63,152 @@ The following example shows the Update configuration service provider in tree fo
```
<a href="" id="update"></a>**./Vendor/MSFT/Update**
<p>The root node.
The root node.
<p>Supported operation is Get.
Supported operation is Get.
<a href="" id="approvedupdates"></a>**ApprovedUpdates**
<p>Node for update approvals and EULA acceptance on behalf of the end-user.
Node for update approvals and EULA acceptance on behalf of the end-user.
> [!NOTE]
> When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list.
<p>The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update.
The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update.
<p>The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID.
The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID.
> [!NOTE]
> For the Windows 10 build, the client may need to reboot after additional updates are added.
<p>Supported operations are Get and Add.
Supported operations are Get and Add.
<a href="" id="approvedupdates-approved-update-guid"></a>**ApprovedUpdates/_Approved Update Guid_**
<p>Specifies the update GUID.
Specifies the update GUID.
<p>To auto-approve a class of updates, you can specify the <a href="/previous-versions/windows/desktop/ff357803(v=vs.85)" data-raw-source="[Update Classifications](/previous-versions/windows/desktop/ff357803(v=vs.85))">Update Classifications</a> GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. These GUIDs are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly.
To auto-approve a class of updates, you can specify the <a href="/previous-versions/windows/desktop/ff357803(v=vs.85)" data-raw-source="[Update Classifications](/previous-versions/windows/desktop/ff357803(v=vs.85))">Update Classifications</a> GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. These GUIDs are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly.
<p>Supported operations are Get and Add.
Supported operations are Get and Add.
<p>Sample syncml:
Sample syncml:
```
<LocURI>./Vendor/MSFT/Update/ApprovedUpdates/%7ba317dafe-baf4-453f-b232-a7075efae36e%7d</LocURI>
```
<a href="" id="approvedupdates-approved-update-guid-approvedtime"></a>**ApprovedUpdates/*Approved Update Guid*/ApprovedTime**
<p>Specifies the time the update gets approved.
Specifies the time the update gets approved.
<p>Supported operations are Get and Add.
Supported operations are Get and Add.
<a href="" id="failedupdates"></a>**FailedUpdates**
<p>Specifies the approved updates that failed to install on a device.
Specifies the approved updates that failed to install on a device.
<p>Supported operation is Get.
Supported operation is Get.
<a href="" id="failedupdates-failed-update-guid"></a>**FailedUpdates/_Failed Update Guid_**
<p>Update identifier field of the UpdateIdentity GUID that represents an update that failed to download or install.
Update identifier field of the UpdateIdentity GUID that represents an update that failed to download or install.
<p>Supported operation is Get.
Supported operation is Get.
<a href="" id="failedupdates-failed-update-guid-hresult"></a>**FailedUpdates/*Failed Update Guid*/HResult**
<p>The update failure error code.
The update failure error code.
<p>Supported operation is Get.
Supported operation is Get.
<a href="" id="failedupdates-failed-update-guid-status"></a>**FailedUpdates/*Failed Update Guid*/Status**
<p>Specifies the failed update status (for example, download, install).
<a href="" id="failedupdates-failed-update-guid-state"></a>**FailedUpdates/*Failed Update Guid*/State**
Specifies the failed update state.
<p>Supported operation is Get.
| Update Status | Integer Value |
| -------------------------- | ------------- |
| UpdateStatusNewUpdate | 1 |
| UpdateStatusReadyToDownload| 2 |
| UpdateStatusDownloading | 4 |
| UpdateStatusDownloadBlocked| 8 |
| UpdateStatusDownloadFailed | 16 |
| UpdateStatusReadyToInstall | 32 |
| UpdateStatusInstalling | 64 |
| UpdateStatusInstallBlocked | 128 |
| UpdateStatusInstallFailed | 256 |
| UpdateStatusRebootRequired | 512 |
| UpdateStatusUpdateCompleted| 1024 |
| UpdateStatusCommitFailed | 2048 |
| UpdateStatusPostReboot | 4096 |
Supported operation is Get.
<a href="" id="failedupdates-failed-update-guid-revisionnumber"></a>**FailedUpdates/*Failed Update Guid*/RevisionNumber**
<p>Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update.
Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update.
<p>Supported operation is Get.
Supported operation is Get.
<a href="" id="installedupdates"></a>**InstalledUpdates**
<p>The updates that are installed on the device.
The updates that are installed on the device.
<p>Supported operation is Get.
Supported operation is Get.
<a href="" id="installedupdates-installed-update-guid"></a>**InstalledUpdates/_Installed Update Guid_**
<p>UpdateIDs that represent the updates installed on a device.
UpdateIDs that represent the updates installed on a device.
<p>Supported operation is Get.
Supported operation is Get.
<a href="" id="installedupdates-installed-update-guid-revisionnumber"></a>**InstalledUpdates/*Installed Update Guid*/RevisionNumber**
<p>Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update.
Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update.
<p>Supported operation is Get.
Supported operation is Get.
<a href="" id="installableupdates"></a>**InstallableUpdates**
<p>The updates that are applicable and not yet installed on the device. These updates include updates that aren't yet approved.
The updates that are applicable and not yet installed on the device. These updates include updates that aren't yet approved.
<p>Supported operation is Get.
Supported operation is Get.
<a href="" id="installableupdates-installable-update-guid"></a>**InstallableUpdates/_Installable Update Guid_**
<p>Update identifiers that represent the updates applicable and not installed on a device.
Update identifiers that represent the updates applicable and not installed on a device.
<p>Supported operation is Get.
Supported operation is Get.
<a href="" id="installableupdates-installable-update-guid-type"></a>**InstallableUpdates/*Installable Update Guid*/Type**
<p>The UpdateClassification value of the update. Valid values are:
The UpdateClassification value of the update. Valid values are:
- 0 - None
- 1 - Security
- 2 - Critical
<p>Supported operation is Get.
Supported operation is Get.
<a href="" id="installableupdates-installable-update-guid-revisionnumber"></a>**InstallableUpdates/*Installable Update Guid*/RevisionNumber**
<p>The revision number for the update that must be passed in server to server sync to get the metadata for the update.
The revision number for the update that must be passed in server to server sync to get the metadata for the update.
<p>Supported operation is Get.
Supported operation is Get.
<a href="" id="pendingrebootupdates"></a>**PendingRebootUpdates**
<p>The updates that require a reboot to complete the update session.
The updates that require a reboot to complete the update session.
<p>Supported operation is Get.
Supported operation is Get.
<a href="" id="pendingrebootupdates-pending-reboot-update-guid"></a>**PendingRebootUpdates/_Pending Reboot Update Guid_**
<p>Update identifiers for the pending reboot state.
Update identifiers for the pending reboot state.
<p>Supported operation is Get.
Supported operation is Get.
<a href="" id="pendingrebootupdates-pending-reboot-update-guid-installedtime"></a>**PendingRebootUpdates/*Pending Reboot Update Guid*/InstalledTime**
<p>The time the update is installed.
The time the update is installed.
<p>Supported operation is Get.
Supported operation is Get.
<a href="" id="pendingrebootupdates-pending-reboot-update-guid-revisionnumber"></a>**PendingRebootUpdates/*Pending Reboot Update Guid*/RevisionNumber**
<p>Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update.
Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update.
<p>Supported operation is Get.
Supported operation is Get.
<a href="" id="lastsuccessfulscantime"></a>**LastSuccessfulScanTime**
<p>The last successful scan time.
The last successful scan time.
<p>Supported operation is Get.
Supported operation is Get.
<a href="" id="deferupgrade"></a>**DeferUpgrade**
<p>Upgrades deferred until the next period.
Upgrades deferred until the next period.
<p>Supported operation is Get.
Supported operation is Get.
<a href="" id="rollback"></a>**Rollback**
Added in Windows 10, version 1803. Node for the rollback operations.


@ -1,18 +1,10 @@
---
title: Configure Windows 10 taskbar
description: Administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file.
ms.prod: windows-client
author: lizgt2000
ms.author: lizlong
ms.topic: how-to
ms.localizationpriority: medium
ms.date: 08/18/2023
ms.reviewer:
manager: aaroncz
ms.collection:
- highpri
- tier2
ms.technology: itpro-configure
---
# Configure Windows 10 taskbar


@ -10,7 +10,6 @@ ms.topic: how-to
ms.localizationpriority: medium
ms.date: 08/18/2023
ms.collection:
- highpri
- tier1
ms.technology: itpro-configure
---


@ -1,16 +1,9 @@
---
title: Add or remove pinned apps on the Start menu in Windows 11
description: Export Start layout to LayoutModification.json with pinned apps, and add or remove pinned apps. Use the JSON text in an MDM policy to deploy a custom Start menu layout to Windows 11 devices.
manager: aaroncz
author: lizgt2000
ms.author: lizlong
ms.reviewer: ericpapa
ms.prod: windows-client
ms.localizationpriority: medium
ms.collection:
- highpri
- tier1
ms.technology: itpro-configure
ms.date: 01/10/2023
ms.topic: article
---
