deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

fix merge conflict

Browse Source
This commit is contained in:
Meghan Stewart 2024-12-09 11:18:50 -08:00
commit cdf0c39962
257 changed files with 4184 additions and 1990 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
.openpublishing.redirection.windows-security.json
View File

@ -9982,7 +9982,47 @@
},
{
"source_path": "windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md",
"redirect_url": "/windows/security/application-security/application-control/introduction-to-virtualization-based-security-and-appcontrol.md",
"redirect_url": "/windows/security/application-security/application-control/introduction-to-virtualization-based-security-and-appcontrol",
"redirect_document_id": false
},
{
"source_path": "windows/security/application-security/index.md",
"redirect_url": "/windows/security/book/application-security",
"redirect_document_id": false
},
{
"source_path": "windows/security/hardware-security/index.md",
"redirect_url": "/windows/security/book/hardware-security",
"redirect_document_id": false
},
{
"source_path": "windows/security/cloud-services/index.md",
"redirect_url": "/windows/security/book/cloud-services",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/index.md",
"redirect_url": "/windows/security/book/identity-protection",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/index.md",
"redirect_url": "/windows/security/book/operating-system-security",
"redirect_document_id": false
},
{
"source_path": "windows/security/security-foundations/index.md",
"redirect_url": "/windows/security/book/security-foundation",
"redirect_document_id": false
},
{
"source_path": "windows/security/introduction.md",
"redirect_url": "/windows/security/book",
"redirect_document_id": false
},
{
"source_path": "windows/security/security-foundations/zero-trust-windows-device-health.md",
"redirect_url": "/windows/security/book/security-foundation",
"redirect_document_id": false
}
]

2
education/index.yml
View File

@ -8,7 +8,7 @@ metadata:
title: Microsoft 365 Education Documentation
description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers.
ms.topic: hub-page
ms.date: 07/22/2024
ms.date: 12/05/2024
productDirectory:
title: For IT admins

10
education/windows/configure-aad-google-trust.md
View File

@ -1,7 +1,7 @@
---
title: Configure federation between Google Workspace and Microsoft Entra ID
title: Configure Federation Between Google Workspace And Microsoft Entra Id
description: Configuration of a federated trust between Google Workspace and Microsoft Entra ID, with Google Workspace acting as an identity provider (IdP) for Microsoft Entra ID.
ms.date: 04/10/2024
ms.date: 12/02/2024
ms.topic: how-to
appliesto:
---
@ -43,10 +43,10 @@ To test federation, the following prerequisites must be met:
1. In the search results page, hover over the *Microsoft Office 365 - Web (SAML)* app and select **Select**
:::image type="content" source="images/google/google-admin-search-app.png" alt-text="Screenshot showing Google Workspace and the search button for Microsoft Office 365 SAML app.":::
1. On the **Google Identity Provider details** page, select **Download Metadata** and take note of the location where the **IdP metadata** - *GoogleIDPMetadata.xml* - file is saved, as it's used to set up Microsoft Entra ID later
1. On the **Service provider detail's** page
1. On the **Service provider detail's** page:
- Select the option **Signed response**
- Verify that the Name ID format is set to **PERSISTENT**
- Depending on how the Microsoft Entra users have been provisioned in Microsoft Entra ID, you might need to adjust the **Name ID** mapping.\
- Depending on how the Microsoft Entra users have been provisioned in Microsoft Entra ID, you might need to adjust the **Name ID** mapping\
If using Google autoprovisioning, select **Basic Information > Primary email**
- Select **Continue**
1. On the **Attribute mapping** page, map the Google attributes to the Microsoft Entra attributes
@ -139,4 +139,4 @@ From a private browser session, navigate to https://portal.azure.com and sign in
1. The user is redirected to Google Workspace to sign in
1. After Google Workspace authentication, the user is redirected back to Microsoft Entra ID and signed in
:::image type="content" source="images/google/google-sso.gif" alt-text="A GIF that shows the user authenticating the Azure portal using a Google Workspace federated identity.":::
:::image type="content" source="images/google/google-sso.gif" alt-text="A GIF that shows the user authenticating the Azure portal using a Google Workspace federated identity.":::

4
education/windows/edu-stickers.md
View File

@ -1,7 +1,7 @@
---
title: Configure Stickers for Windows 11 SE
title: Configure Stickers For Windows 11 SE
description: Learn about the Stickers feature and how to configure it via Intune and provisioning package.
ms.date: 04/10/2024
ms.date: 12/02/2024
ms.topic: how-to
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>

4
education/windows/edu-themes.md
View File

@ -1,7 +1,7 @@
---
title: Configure education themes for Windows 11
title: Configure Education Themes For Windows 11
description: Learn about education themes for Windows 11 and how to configure them via Intune and provisioning package.
ms.date: 04/10/2024
ms.date: 12/02/2024
ms.topic: how-to
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>

54
education/windows/get-minecraft-for-education.md
View File

@ -1,8 +1,8 @@
---
title: Get and deploy Minecraft Education
title: Deploy Minecraft Education To Windows Devices
description: Learn how to obtain and distribute Minecraft Education to Windows devices.
ms.topic: how-to
ms.date: 04/10/2024
ms.date: 12/5/2024
ms.collection:
- education
- tier2
@ -48,7 +48,7 @@ To purchase direct licenses:
1. Select the quantity of licenses you'd like to purchase and select **Place Order**
1. After you've purchased licenses, you'll need to [assign Minecraft Education licenses to your users](#assign-minecraft-education-licenses)
If you need more licenses for Minecraft Education, see [Buy or remove subscription licenses](/microsoft-365/commerce/licenses/buy-licenses).
If you need more licenses for Minecraft Education, see [Buy or remove subscription licenses](/microsoft-365/commerce/licenses/buy-licenses)
### Volume licensing
@ -88,14 +88,14 @@ You must be a *Global*, *License*, or *User admin* to assign licenses. For more
1. Go to [https://admin.microsoft.com](https://admin.microsoft.com) and sign in with an account that can assign licenses in your organization
1. From the left-hand menu in Microsoft Admin Center, select *Users*
1. From the Users list, select the users you want to add or remove for Minecraft Education access
1. Add the relevant Minecraft Education, A1 for device or A3/A5 license if it not assigned already
1. Add the relevant Minecraft Education, A1 for device or A3/A5 license if it is not assigned already
> [!Note]
> If you add a faculty license, the user will be assigned a *teacher* role in the application and will have elevated permissions.
> If you add a faculty license, the user will be assigned a *teacher* role in the application and will have elevated permissions
1. If you've assigned a Microsoft 365 A3 or A5 license, after selecting the product license, ensure to toggle *Minecraft Education* on
> [!Note]
> If you turn off this setting after students have been using Minecraft Education, they will have up to 30 more days to use Minecraft Education before they don't have access
:::image type="content" source="images/minecraft/admin-center-minecraft-license.png" alt-text="Screenshot of the Microsoft 365 admin center - assignment of a Minecraft Education license to a user." lightbox="images/minecraft/admin-center-minecraft-license.png":::
:::image type="content" source="images/minecraft/admin-center-minecraft-license.png" alt-text="Screenshot of the Microsoft 365 admin center - assignment of a Minecraft Education license to a user." lightbox="images/minecraft/admin-center-minecraft-license.png":::
For more information about license assignment, see [Manage Licenses in the Admin Center][EDU-5].
@ -118,31 +118,31 @@ If you're using Microsoft Intune to manage your devices, follow these steps to d
1. Select **Next**
1. On the *Review + Create* screen, select **Create**
Intune will install Minecraft Education at the next device check-in, or will make it available in Company Portal for on-demand installs.
Intune will install Minecraft Education at the next device check-in, or will make it available in Company Portal for on-demand installs.
:::image type="content" source="images/minecraft/win11-minecraft-education.png" alt-text="Screenshot of Minecraft Education executing on a Windows 11 device.":::
:::image type="content" source="images/minecraft/win11-minecraft-education.png" alt-text="Screenshot of Minecraft Education executing on a Windows 11 device.":::
For more information how to deploy Minecraft Education, see:
For more information how to deploy Minecraft Education, see:
- [Windows installation guide][EDU-6]
- [Chromebook installation guide][EDU-7]
- [iOS installation guide][EDU-8]
- [macOS installation guide][EDU-9]
- [Windows installation guide][EDU-6]
- [Chromebook installation guide][EDU-7]
- [iOS installation guide][EDU-8]
- [macOS installation guide][EDU-9]
If you're having trouble installing the app, you can get more help on the [Minecraft Education support page][AKA-1].
If you're having trouble installing the app, you can get more help on the [Minecraft Education support page][AKA-1].
<!--links-->
[EDU-1]: https://educommunity.minecraft.net/hc/articles/360047116432
[EDU-2]: https://educommunity.minecraft.net/hc/articles/360061371532
[EDU-3]: https://www.microsoft.com/education/products/office
[EDU-4]: https://educommunity.minecraft.net/hc/articles/360061369812
[EDU-6]: https://educommunity.minecraft.net/hc/articles/13106858087956
[EDU-5]: https://educommunity.minecraft.net/hc/articles/360047118672
[EDU-7]: https://educommunity.minecraft.net/hc/articles/4404625978516
[EDU-8]: https://educommunity.minecraft.net/hc/articles/360047556351
[EDU-9]: https://educommunity.minecraft.net/hc/articles/360047118792
<!--links-->
[EDU-1]: https://educommunity.minecraft.net/hc/articles/360047116432
[EDU-2]: https://educommunity.minecraft.net/hc/articles/360061371532
[EDU-3]: https://www.microsoft.com/education/products/office
[EDU-4]: https://educommunity.minecraft.net/hc/articles/360061369812
[EDU-6]: https://educommunity.minecraft.net/hc/articles/13106858087956
[EDU-5]: https://educommunity.minecraft.net/hc/articles/360047118672
[EDU-7]: https://educommunity.minecraft.net/hc/articles/4404625978516
[EDU-8]: https://educommunity.minecraft.net/hc/articles/360047556351
[EDU-9]: https://educommunity.minecraft.net/hc/articles/360047118792
[M365-1]: /microsoft-365/commerce/billing-and-payments/pay-for-your-subscription
[M365-2]: /microsoft-365/admin/add-users/about-admin-roles
[M365-1]: /microsoft-365/commerce/billing-and-payments/pay-for-your-subscription
[M365-2]: /microsoft-365/admin/add-users/about-admin-roles
[AKA-1]: https://aka.ms/minecraftedusupport
[AKA-1]: https://aka.ms/minecraftedusupport

4
education/windows/suspcs/provisioning-package.md
View File

@ -1,7 +1,7 @@
---
title: What's in Set up School PCs provisioning package
title: What's In Set up School PCs Provisioning Package
description: Learn about the settings that are configured in the provisioning package created with the Set up School PCs app.
ms.date: 04/10/2024
ms.date: 12/02/2024
ms.topic: reference
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>

22
education/windows/take-tests-in-windows.md
View File

@ -1,7 +1,7 @@
---
title: Take tests and assessments in Windows
description: Learn about the built-in Take a Test app for Windows and how to use it.
ms.date: 02/29/2024
ms.date: 11/11/2024
ms.topic: how-to
---
@ -9,11 +9,11 @@ ms.topic: how-to
Many schools use online testing for formative and summation assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. To help schools with testing, Windows provides an application called **Take a Test**. The application is a secure browser that provides different features to help with testing, and can be configured to only allow access a specific URL or a list of URLs. When using Take a Test, students can't:
- print, use screen capture, or text suggestions (unless enabled by the teacher or administrator)
- access other applications
- change system settings, such as display extension, notifications, updates
- access Cortana
- access content copied to the clipboard
- Print, use screen capture, or text suggestions (unless enabled by the teacher or administrator)
- Access other applications
- Change system settings, such as display extension, notifications, updates
- Access Cortana
- Access content copied to the clipboard
## How to use Take a Test
@ -22,7 +22,7 @@ There are different ways to use Take a Test, depending on the use case:
- For lower stakes assessments, such a quick quiz in a class, a teacher can generate a *secure assessment URL* and share it with the students. Students can then open the URL to access the assessment through Take a Test. To learn more, see the next section: [Create a secure assessment link](#create-a-secure-assessment-link)
- For higher stakes assessments, you can configure Windows devices to use a dedicated account for testing and execute Take a Test in a locked-down mode, called **kiosk mode**. Once signed in with the dedicated account, Windows will execute Take a Test in a lock-down mode, preventing the execution of any applications other than Take a Test. For more information, see [Configure Take a Test in kiosk mode](edu-take-a-test-kiosk-mode.md)
:::image type="content" source="./images/takeatest/flow-chart.png" alt-text="Set up and user flow for the Take a Test app." border="false":::
:::image type="content" source="./images/takeatest/flow-chart.png" alt-text="Set up and user flow for the Take a Test app." border="false":::
## Create a secure assessment link
@ -37,9 +37,9 @@ To create a secure assessment link to the test, there are two options:
For this option, copy the assessment URL and open the web application <a href="https://aka.ms/create-a-take-a-test-link" target="_blank"><u>Customize your assessment URL</u></a>, where you can:
- Paste the link to the assessment URL
- Select the options you want to allow during the test
- Generate the link by selecting the button Create link
- Paste the link to the assessment URL.
- Select the options you want to allow during the test.
- Generate the link by selecting the button Create link.
This is an ideal option for teachers who want to create a link to a specific assessment and share it with students using OneNote, for example.
@ -67,7 +67,7 @@ To enable permissive mode, don't include `enforceLockdown` in the schema paramet
## Distribute the secure assessment link
Once the link is created, it can be distributed through the web, email, OneNote, or any other method of your choosing.
Once the link is created, it can be distributed through the web, email, OneNote, or any other method of your choice.
For example, you can create and copy the shortcut to the assessment URL to the students' desktop.

4
education/windows/tutorial-deploy-apps-winse/considerations.md
View File

@ -1,7 +1,7 @@
---
title: Important considerations before deploying apps with managed installer
title: Important Considerations Before Deploying Apps With Managed Installer For Windows 11 SE
description: Learn about important aspects to consider before deploying apps with managed installer.
ms.date: 04/10/2024
ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>

4
education/windows/tutorial-deploy-apps-winse/create-policies.md
View File

@ -1,7 +1,7 @@
---
title: Create policies to enable applications
title: Create Policies To Enable Applications In Windows 11 SE
description: Learn how to create policies to enable the installation and execution of apps on Windows SE.
ms.date: 04/10/2024
ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>

4
education/windows/tutorial-deploy-apps-winse/deploy-apps.md
View File

@ -1,7 +1,7 @@
---
title: Applications deployment considerations
title: Applications Deployment Considerations In Windows 11 SE
description: Learn how to deploy different types of applications to Windows 11 SE and some considerations before deploying them.
ms.date: 04/10/2024
ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>

4
education/windows/tutorial-deploy-apps-winse/deploy-policies.md
View File

@ -1,7 +1,7 @@
---
title: Deploy policies to enable applications
title: Deploy Policies To Enable Applications In Windows 11 SE
description: Learn how to deploy AppLocker policies to enable apps execution on Windows SE devices.
ms.date: 04/10/2024
ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>

4
education/windows/tutorial-deploy-apps-winse/index.md
View File

@ -1,7 +1,7 @@
---
title: Deploy applications to Windows 11 SE with Intune
title: Deploy Applications To Windows 11 SE With Intune
description: Learn how to deploy applications to Windows 11 SE with Intune and how to validate the apps.
ms.date: 04/10/2024
ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>

4
education/windows/tutorial-deploy-apps-winse/troubleshoot.md
View File

@ -1,7 +1,7 @@
---
title: Troubleshoot app deployment issues in Windows SE
title: Troubleshoot App Deployment Issues In Windows Se
description: Troubleshoot common issues when deploying apps to Windows SE devices.
ms.date: 04/10/2024
ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>

4
education/windows/tutorial-deploy-apps-winse/validate-apps.md
View File

@ -1,7 +1,7 @@
---
title: Validate the applications deployed to Windows SE devices
title: Validate The Applications Deployed To Windows Se Devices
description: Learn how to validate the applications deployed to Windows SE devices via Intune.
ms.date: 04/10/2024
ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>

11
includes/licensing/_edition-requirements.md
View File

@ -1,11 +1,11 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 09/18/2023
ms.date: 11/06/2024
ms.topic: include
---
| Feature name | Windows Pro | Windows Enterprise | Windows Pro Education/SE | Windows Education |
| Feature name | Windows Pro | Windows Enterprise/IoT Enterprise | Windows Pro Education | Windows Education |
|:---|:---:|:---:|:---:|:---:|
|**[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|
|**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes|
@ -13,7 +13,7 @@ ms.topic: include
|**[Always On VPN (device tunnel)](/Windows-server/remote/remote-access/overview-always-on-vpn)**|❌|Yes|❌|Yes|
|**[App containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|
|**[AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview)**|Yes|Yes|Yes|Yes|
|**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes|
|**[Assigned Access (kiosk mode)](/windows/configuration/assigned-access)**|Yes|Yes|Yes|Yes|
|**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|
|**[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)**|Yes|Yes|Yes|Yes|
|**[BitLocker enablement](/windows/security/operating-system-security/data-protection/bitlocker/)**|Yes|Yes|Yes|Yes|
@ -32,7 +32,7 @@ ms.topic: include
|**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/security-foundations/certification/fips-140-validation)**|Yes|Yes|Yes|Yes|
|**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|Yes|Yes|
|**[FIDO2 security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)**|Yes|Yes|Yes|Yes|
|**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes|
|**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/blog/windowsosplatform/understanding-hardware-enforced-stack-protection/1247815)**|Yes|Yes|Yes|Yes|
|**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|
|**[Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|
|**[Local Security Authority (LSA) Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)**|Yes|Yes|Yes|Yes|
@ -53,7 +53,7 @@ ms.topic: include
|**[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)**|Yes|Yes|Yes|Yes|
|**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|
|**[Passkeys](/windows/security/identity-protection/passkeys)**|Yes|Yes|Yes|Yes|
|**[Personal data encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|❌|Yes|
|**[Personal Data Encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|❌|Yes|
|**Privacy Resource Usage**|Yes|Yes|Yes|Yes|
|**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes|
|**[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|
@ -84,6 +84,7 @@ ms.topic: include
|**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall)**|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)**|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|
|**Windows Hotpatch**|❌|Yes|❌|❌|
|**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|
|**[Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)**|Yes|Yes|Yes|Yes|
|**[Windows presence sensing](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|

7
includes/licensing/_licensing-requirements.md
View File

@ -5,7 +5,7 @@ ms.date: 11/02/2023
ms.topic: include
---
|Feature name|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|Feature name|Windows Pro/Pro Education|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---|:---:|:---:|:---:|:---:|:---:|
|**[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|Yes|
|**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes|Yes|
@ -13,7 +13,7 @@ ms.topic: include
|**[Always On VPN (device tunnel)](/Windows-server/remote/remote-access/overview-always-on-vpn)**|❌|Yes|Yes|Yes|Yes|
|**[App containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|Yes|
|**[AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview)**|❌|Yes|Yes|Yes|Yes|
|**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes|Yes|
|**[Assigned Access (kiosk mode)](/windows/configuration/assigned-access)**|Yes|Yes|Yes|Yes|Yes|
|**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|Yes|
|**[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)**|Yes|Yes|Yes|Yes|Yes|
|**[BitLocker enablement](/windows/security/operating-system-security/data-protection/bitlocker/)**|Yes|Yes|Yes|Yes|Yes|
@ -53,7 +53,7 @@ ms.topic: include
|**[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)**|Yes|Yes|Yes|Yes|Yes|
|**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|Yes|
|**[Passkeys](/windows/security/identity-protection/passkeys)**|Yes|Yes|Yes|Yes|Yes|
|**[Personal data encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|Yes|Yes|Yes|
|**[Personal Data Encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|Yes|Yes|Yes|
|**Privacy Resource Usage**|Yes|Yes|Yes|Yes|Yes|
|**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes|Yes|
|**[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|Yes|
@ -84,6 +84,7 @@ ms.topic: include
|**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|Yes|
|**Windows Hotpatch**|❌|Yes|Yes|❌|❌|
|**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows presence sensing](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|Yes|

4
windows/client-management/declared-configuration.md
View File

@ -121,7 +121,7 @@ If the processing of declared configuration document fails, the errors are logge
- If the Document ID doesn't match between the `<LocURI>` and inside DeclaredConfiguration document, Admin event log shows an error message similar to:
`MDM Declared Configuration: End document parsing from CSP: Document Id: (DCA000B5-397D-40A1-AABF-40B25078A7F91), Scenario: (MSFTVPN), Version: (A0), Enrollment Id: (DAD70CC2-365B-450D-A8AB-2EB23F4300CC), Current User: (S-1-5-21-3436249567-4017981746-3373817415-1001), Schema: (1.0), Download URL: (), Scope: (0x1), Enroll Type: (0x1A), File size: (0xDE2), CSP Count: (0x1), URI Count: (0xF), Action Requested: (0x0), Model: (0x1), Result:(0x8000FFFF) Catastrophic failure.`
`MDM Declared Configuration: End document parsing from CSP: Document Id: (DCA000B5-397D-40A1-AABF-40B25078A7F91), Scenario: (MSFTVPN), Version: (A0), Enrollment Id: (DAD70CC2-365B-450D-A8AB-2EB23F4300CC), Current User: (S-1-5-21-1004336348-1177238915-682003330-1234), Schema: (1.0), Download URL: (), Scope: (0x1), Enroll Type: (0x1A), File size: (0xDE2), CSP Count: (0x1), URI Count: (0xF), Action Requested: (0x0), Model: (0x1), Result:(0x8000FFFF) Catastrophic failure.`
- Any typo in the OMA-URI results in a failure. In this example, `TrafficFilterList` is specified instead of `TrafficFilterLists`, and Admin event log shows an error message similar to:
@ -129,4 +129,4 @@ If the processing of declared configuration document fails, the errors are logge
There's also another warning message in operational channel:
`MDM Declared Configuration: Function (DeclaredConfigurationExtension_PolicyCSPConfigureGivenCurrentDoc) operation (ErrorAtDocLevel: one or more CSPs failed) failed with (Unknown Win32 Error code: 0x82d00007)`
`MDM Declared Configuration: Function (DeclaredConfigurationExtension_PolicyCSPConfigureGivenCurrentDoc) operation (ErrorAtDocLevel: one or more CSPs failed) failed with (Unknown Win32 Error code: 0x82d00007).`

BIN
windows/client-management/images/8908044-recall-search.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.5 MiB

BIN
windows/client-management/images/8908044-recall.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 1.6 MiB

181
windows/client-management/manage-recall.md
View File

@ -1,9 +1,9 @@
---
title: Manage Recall for Windows clients
description: Learn how to manage Recall for commercial environments using MDM and group policy. Learn about Recall features.
description: Learn how to manage Recall for commercial environments and about Recall features.
ms.topic: how-to
ms.subservice: windows-copilot
ms.date: 06/13/2024
ms.date: 11/22/2024
ms.author: mstewart
author: mestew
ms.collection:
@ -18,72 +18,161 @@ appliesto:
<!--8908044-->
>**Looking for consumer information?** See [Retrace your steps with Recall](https://support.microsoft.com/windows/retrace-your-steps-with-recall-aa03f8a0-a78b-4b3e-b0a1-2eb8ac48701c).
Recall allows you to search across time to find the content you need. Just describe how you remember it, and Recall retrieves the moment you saw it. Recall takes snapshots of your screen and stores them in a timeline. Snapshots are taken every five seconds while content on the screen is different from the previous snapshot. Snapshots are locally stored and locally analyzed on your PC. Recall's analysis allows you to search for content, including both images and text, using natural language.
Recall (preview) allows users to search locally saved and locally analyzed snapshots of their screen using natural language. By default, Recall is disabled and removed on managed devices. IT admins can choose if they want to allow Recall to be used in their organizations and users, on their own, won't be able to enable it on their managed device if the Allow Recall policy is disabled. IT admins, on their own, can't start saving snapshots for end users. Recall is an opt-in experience that requires end user consent to save snapshots. Users can choose to enable or disable saving snapshots for themselves anytime. IT admins can only set policies that give users the option to enable saving snapshots and configure certain policies for Recall.
This article provides information about Recall and how to manage it in a commercial environment.
> [!NOTE]
> Recall is coming soon through a post-launch Windows update. See [aka.ms/copilotpluspcs](https://aka.ms/copilotpluspcs).
> - Recall is now available in preview to Copilot+ PCs through the Windows Insider Program. For more information, see [Previewing Recall with Click to Do on Copilot+ PCs with Windows Insiders in the Dev Channel](https://blogs.windows.com/windows-insider/2024/11/22/previewing-recall-with-click-to-do-on-copilot-pcs-with-windows-insiders-in-the-dev-channel/).
> - In-market commercial devices are defined as devices with an Enterprise (ENT) or Education (EDU) SKU or any premium SKU device that is managed by an IT administrator (whether via Microsoft Endpoint Manager or other endpoint management solution), has a volume license key, or is joined to a domain. Commercial devices during Out of Box Experience (OOBE) are defined as those with ENT or EDU SKU or any premium SKU device that has a volume license key or is Microsoft Entra joined.
> - Recall is optimized for select languages English, Chinese (simplified), French, German, Japanese, and Spanish. Content-based and storage limitations apply. For more information, see [https://aka.ms/copilotpluspcs](https://aka.ms/copilotpluspcs).
When Recall opens the snapshot a user selected, it enables screenray, which runs on top of the saved snapshot. Screenray analyzes what's in the snapshot and allows users to interact with individual elements in the snapshot. For instance, users can copy text from the snapshot or send pictures from the snapshot to an app that supports `jpeg` files.
## What is Recall?
:::image type="content" source="images/8908044-recall.png" alt-text="Screenshot of Recall with search results displayed for a query about a restaurant that the user's friend sent them." lightbox="images/8908044-recall.png":::
Recall (preview) allows you to search across time to find the content you need. Just describe how you remember it, and Recall retrieves the moment you saw it. Snapshots are taken periodically while content on the screen is different from the previous snapshot. The snapshots of your screen are organized into a timeline. Snapshots are locally stored and locally analyzed on your PC. Recall's analysis allows you to search for content, including both images and text, using natural language.
When Recall opens a snapshot you selected, it enables Click to Do, which runs on top of the saved snapshot. Click to Do analyzes what's in the snapshot and allows you to interact with individual elements in the snapshot. For instance, you can copy text from the snapshot or send pictures from the snapshot to an app that supports `jpeg` files.
:::image type="content" border="true" source="images/8908044-recall-search.png" alt-text="Screenshot of Recall with search results displayed for a query for a presentation with a red barn." lightbox="images/8908044-recall-search.png":::
### Recall security and privacy architecture
Privacy and security are built into Recall's design. With Copilot+ PCs, you get powerful AI that runs locally on the device. No internet or cloud connections are required or used to save and analyze snapshots. Snapshots aren't sent to Microsoft. Recall AI processing occurs locally, and snapshots are securely stored on the local device only.
Recall doesn't share snapshots with other users that are signed into Windows on the same device and IT admins can't access or view the snapshots on end-user devices. Microsoft can't access or view the snapshots. Recall requires users to confirm their identity with [Windows Hello](https://support.microsoft.com/windows/configure-windows-hello-dae28983-8242-bb2a-d3d1-87c9d265a5f0) before it launches and before accessing snapshots. At least one biometric sign-in option must be enabled for Windows Hello, either facial recognition or a fingerprint, to launch and use Recall. Before snapshots start getting saved to the device, users need to open Recall and authenticate. Recall takes advantage of just in time decryption protected by [Hello Enhanced Sign-in Security (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security). Snapshots and any associated information in the vector database are always encrypted. Encryption keys are protected via Trusted Platform Module (TPM), which is tied to the user's Windows Hello ESS identity, and can be used by operations within a secure environment called a [Virtualization-based Security Enclave (VBS Enclave)](/windows/win32/trusted-execution/vbs-enclaves). This means that other users can't access these keys and thus can't decrypt this information. Device Encryption or BitLocker are enabled by default on Windows 11. For more information, see [Recall security and privacy architecture in the Windows Experience Blog](https://blogs.windows.com/windowsexperience/?p=179096).
When using Recall, the **Sensitive information filtering** setting is enabled by default to help ensure your data's confidentiality. This feature operates directly on your device, utilizing the NPU and the Microsoft Classification Engine (MCE) - the same technology leveraged by [Microsoft Purview](/purview/purview) for detecting and labeling sensitive information. When this setting is enabled, snapshots won't be saved when potentially sensitive information is detected. Most importantly, the sensitive information remains on the device at all times, regardless of whether the **Sensitive information filtering** setting is enabled or disabled. For more information about the types of potentially sensitive information, see [Reference for sensitive information filtering in Recall](recall-sensitive-information-filtering.md).
In keeping with Microsoft's commitment to data privacy and security, all saved images and processed data are kept on the device and processed locally. However, Click to Do allows users to choose if they want to perform additional actions on their content.
Click to Do allows users to choose to get more information about their selected content online. When users choose one of the following Click to Do actions, the selected content is sent to the online provider from the local device to complete the request:
- **Search the web**: Sends the selected content to the default search engine of the default browser
- **Open website**: Opens the selected website in the default browser
- **Visual search with Bing**: Sends the selected content to Bing visual search using the default browser.
When you choose to send info from Click to Do to an app, like Paint, Click to Do will temporarily save this info in order to complete the transfer. Click to Do creates a temporary file in the following location:
- `C:\Users\[username]\AppData\Local\Temp`
Temporary files may also be saved when you choose send feedback. These temporary files aren't saved long term. Click to Do doesn't keep any content from your screen after completing the requested action, but some basic telemetry is gathered to keep Click to Do secure, up to date, and working.
## System requirements
Recall has the following minimum system requirements:
- A [Copilot+ PC](https://www.microsoft.com/windows/business/devices/copilot-plus-pcs#copilot-plus-pcs)
Recall has the following minimum requirements:
- A [Copilot+ PC](https://www.microsoft.com/windows/business/devices/copilot-plus-pcs#copilot-plus-pcs) that meets the [Secured-core standard](/windows-hardware/design/device-experiences/oem-highly-secure-11)
- 40 TOPs NPU ([neural processing unit](https://support.microsoft.com/windows/all-about-neural-processing-units-npus-e77a5637-7705-4915-96c8-0c6a975f9db4))
- 16 GB RAM
- 8 logical processors
- 256 GB storage capacity
- To enable Recall, you need at least 50 GB of space free
- Snapshot capture automatically pauses once the device has less than 25 GB of disk space
- Saving snapshots automatically pauses once the device has less than 25 GB of storage space
- Users need to enable Device Encryption or BitLocker
- Users need to enroll into [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) with at least one biometric sign-in option enabled in order to authenticate.
## Supported browsers
Users need a supported browser for Recall to [filter websites](#user-controlled-settings-for-recall) and to automatically filter private browsing activity. Supported browsers, and their capabilities include:
Users need a supported browser for Recall to [filter websites](#app-and-website-filtering-policies) and to automatically filter private browsing activity. Supported browsers, and their capabilities include:
- **Microsoft Edge**: blocks websites and filters private browsing activity
- **Firefox**: blocks websites and filters private browsing activity
- **Opera**: blocks websites and filters private browsing activity
- **Google Chrome**: blocks websites and filters private browsing activity
- **Chromium based browsers** (124 or later): For Chromium-based browsers not listed above, filters private browsing activity only, doesn't block specific websites
- **Microsoft Edge**: filters specified websites and filters private browsing activity
- **Firefox**: filters specified websites and filters private browsing activity
- **Opera**: filtered specified websites and filters private browsing activity
- **Google Chrome**: filters specified websites and filters private browsing activity
- **Chromium based browsers** (124 or later): For Chromium-based browsers not listed, filters private browsing activity only, doesn't filter specific websites
## Configure policies for Recall
Organizations that aren't ready to use AI for historical analysis can disable it until they're ready with the **Turn off saving snapshots for Windows** policy. If snapshots were previously saved on a device, they'll be deleted when this policy is enabled. The following policy allows you to disable analysis of user content:
By default, Recall is removed on commercially managed devices. If you want to allow Recall to be available for users in your organization and allow them to choose to save snapshots, you need to configure both the **Allow Recall to be enabled** and **Turn off saving snapshots for Windows** policies. Policies for Recall fall into the following general areas:
- [Allow Recall and snapshots policies](#allow-recall-and-snapshots-policies)
- [Storage policies](#storage-policies)
- [App and website filtering policies](#app-and-website-filtering-policies)
### Allow Recall and snapshots policies
The **Allow Recall to be enabled** policy setting allows you to determine whether the Recall optional component is available for end users to enable on their device. By default, Recall is disabled and removed for managed devices. Recall isn't available on managed devices by default, and individual users can't enable Recall on their own. If you disable this policy, the Recall component will be in disabled state and the bits for Recall will be removed from the device. If snapshots were previously saved on the device, they'll be deleted when this policy is disabled. Removing Recall requires a device restart. If the policy is enabled, end users will have Recall available on their device. Depending on the state of the DisableAIDataAnalysis policy (Turn off saving snapshots for use with Recall), end users will be able to choose if they want to save snapshots of their screen and use Recall to find things they've seen on their device.
| &nbsp; | Setting |
|---|---|
| **CSP** | ./User/Vendor/MSFT/Policy/Config/WindowsAI/[DisableAIDataAnalysis](mdm/policy-csp-windowsai.md#disableaidataanalysis) |
| **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows AI > **Turn off saving snapshots for Windows** |
## Limitations
In two specific scenarios, Recall captures snapshots that include InPrivate windows, blocked apps, and blocked websites. If Recall gets launched, or the **Now** option is selected in Recall, then a snapshot is taken even when InPrivate windows, blocked apps, and blocked websites are displayed. However, Recall doesn't save these snapshots. If you choose to send the information from this snapshot to another app, a temp file is created in `C:\Users\[username]\AppData\Local\Temp` to share the content. The temporary file is deleted once the content is transferred over the app you selected to use.
## User controlled settings for Recall
The following options are user controlled in Recall from the **Settings** > **Privacy & Security** > **Recall & Snapshots** page:
- Website filtering
- App filtering
- Storage allocation
- When the storage limit is reached, the oldest snapshots are deleted first.
- Deleting snapshots
- Delete all snapshots
- Delete snapshots within a specific time frame
| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[AllowRecallEnablement](mdm/policy-csp-windowsai.md#allowrecallenablement) |
| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **Allow Recall to be enabled** |
### Storage allocation
The **Turn off saving snapshots for Windows** policy allows you to give the users the choice to save snapshots of their screen for use with Recall. Administrators can't enable saving snapshots on behalf of their users. The choice to enable saving snapshots requires individual user opt-in consent. By default, snapshots won't be saved for use with Recall. If snapshots were previously saved on a device, they'll be deleted when this policy is enabled. If you set this policy to disabled, end users will have a choice to save snapshots of their screen and use Recall to find things they've seen on their device.
The amount of disk space users can allocate to Recall varies depending on how much storage the device has. The following chart shows the storage space options for Recall:
| Device storage capacity | Storage allocation options for Recall |
| &nbsp; | Setting |
|---|---|
| 256 GB | 25 GB (default), 10 GB |
| 512 GB | 75 GB (default), 50 GB, 25 GB |
| 1 TB, or more | 150 GB (default), 100 GB, 75 GB, 50 GB, 25 GB |
| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[DisableAIDataAnalysis](mdm/policy-csp-windowsai.md#disableaidataanalysis) </br> </br> ./User/Vendor/MSFT/Policy/Config/WindowsAI/[DisableAIDataAnalysis](mdm/policy-csp-windowsai.md#disableaidataanalysis)|
| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **Turn off saving snapshots for Windows** </br></br>User Configuration > Administrative Templates > Windows Components > Windows AI > **Turn off saving snapshots for Windows** |
### Storage policies
You can define how much disk space Recall can use by using the **Set maximum storage for snapshots used by Recall** policy. You can set the maximum amount of disk space for snapshots to be 10, 25, 50, 75, 100, or 150 GB. When the storage limit is reached, the oldest snapshots are deleted first. When this setting isn't configured, the OS configures the storage allocation for snapshots based on the device storage capacity. 25 GB is allocated when the device storage capacity is 256 GB. 75 GB is allocated when the device storage capacity is 512 GB. 150 GB is allocated when the device storage capacity is 1 TB or higher.
| &nbsp; | Setting |
|---|---|
| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[SetMaximumStorageSpaceForRecallSnapshots](mdm/policy-csp-windowsai.md#setmaximumstoragespaceforrecallsnapshots) </br> </br> ./User/Vendor/MSFT/Policy/Config/WindowsAI/[SetMaximumStorageSpaceForRecallSnapshots](mdm/policy-csp-windowsai.md#setmaximumstoragespaceforrecallsnapshots)|
| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **Set maximum storage for snapshots used by Recall** </br></br> User Configuration > Administrative Templates > Windows Components > Windows AI > **Set maximum storage for snapshots used by Recall** |
You can define how long snapshots can be retained on the device by using the **Set maximum duration for storing snapshots used by Recall** policy. You can configure the maximum storage duration to be 30, 60, 90, or 180 days. If the policy isn't configured, snapshots aren't deleted until the maximum storage allocation is reached, and then the oldest snapshots are deleted first.
| &nbsp; | Setting |
|---|---|
| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[SetMaximumStorageDurationForRecallSnapshots](mdm/policy-csp-windowsai.md#setmaximumstoragedurationforrecallsnapshots) </br></br> ./User/Vendor/MSFT/Policy/Config/WindowsAI/[SetMaximumStorageDurationForRecallSnapshots](mdm/policy-csp-windowsai.md#setmaximumstoragedurationforrecallsnapshots)|
| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **Set maximum storage for snapshots used by Recall** </br></br>User Configuration > Administrative Templates > Windows Components > Windows AI > **Set maximum duration for storing snapshots used by Recall** |
### App and website filtering policies
You can filter both apps and websites from being saved in snapshots. Users are able to add to these filter lists from the **Recall & Snapshots** settings page. Some remote desktop connection clients are filtered by default from snapshots. For more information, see the [Remote desktop connection clients filtered from snapshots](#remote-desktop-connection-clients-filtered-from-snapshots) section.
To filter websites from being saved in snapshots, use the **Set a list of URIs to be filtered from snapshots for Recall** policy. Define the list using a semicolon to separate URIs. Make sure you include the URL scheme such as `http://`, `file://`, `https://www.`. Sites local to a supported browser like `edge://`, or `chrome://`, are filtered by default. For example: `https://www.Contoso.com;https://www.WoodgroveBank.com;https://www.Adatum.com`
> [!NOTE]
> - Private browsing activity is filtered by default when using [supported web browsers](#supported-browsers).
> - Be aware that websites are filtered when they are in the foreground or are in the currently opened tab of a supported browser. Parts of filtered websites can still appear in snapshots such as embedded content, the browser's history, or an opened tab that isn't in the foreground.
> - Filtering doesn't prevent browsers, internet service providers (ISPs), websites, organizations, or others from knowing that the website was accessed and building a history.
> - Changes to this policy take effect after device restart.
| &nbsp; | Setting |
|---|---|
| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[SetDenyUriListForRecall](mdm/policy-csp-windowsai.md#setdenyurilistforrecall) </br></br> ./User/Vendor/MSFT/Policy/Config/WindowsAI/[SetDenyUriListForRecall](mdm/policy-csp-windowsai.md#setdenyurilistforrecall)|
| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **>Set a list of URIs to be filtered from snapshots for Recall** </br></br>User Configuration > Administrative Templates > Windows Components > Windows AI > **>Set a list of URIs to be filtered from snapshots for Recall** |
**Set a list of apps to be filtered from snapshots for Recall** policy allows you to filter apps from being saved in snapshots. Define the list using a semicolon to separate apps. The list can include Application User Model IDs (AUMID) or the name of the executable file. For example: `code.exe;Microsoft. WindowsNotepad_8wekyb3d8bbwe!App;ms-teams.exe`
> [!Note]
> - Like other Windows apps, such as the Snipping Tool, Recall won't store digital rights management (DRM) content.
> - Changes to this policy take effect after device restart.
| &nbsp; | Setting |
|---|---|
| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[SetDenyAppListForRecall](mdm/policy-csp-windowsai.md#setdenyapplistforrecall) </br></br> ./User/Vendor/MSFT/Policy/Config/WindowsAI/[SetDenyAppListForRecall](mdm/policy-csp-windowsai.md#setdenyapplistforrecall)|
| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **Set a list of apps to be filtered from snapshots for Recall** </br></br>User Configuration > Administrative Templates > Windows Components > Windows AI > **Set a list of apps to be filtered from snapshots for Recall**|
#### Remote desktop connection clients filtered from snapshots
Snapshots won't be saved when remote desktop connection clients are used. The following remote desktop connection clients are filtered from snapshots:<!--9119193-->
- [Remote Desktop Connection (mstsc.exe)](/windows-server/administration/windows-commands/mstsc)
- [VMConnect.exe](/windows-server/virtualization/hyper-v/learn-more/hyper-v-virtual-machine-connect)
- [Microsoft Remote Desktop from the Microsoft Store](/windows-server/remote/remote-desktop-services/clients/windows) is saved in snapshots. To prevent the app from being saved in snapshots, add it to the app filtering list.
- [Azure Virtual Desktop (MSI)](/azure/virtual-desktop/users/connect-windows)
- [Azure Virtual Desktop apps from the Microsoft Store](/azure/virtual-desktop/users/connect-remote-desktop-client) are saved in snapshots. To prevent these apps from being saved in snapshots, add them to the app filtering list.
- [Remote applications integrated locally (RAIL)](/openspecs/windows_protocols/ms-rdperp/485e6f6d-2401-4a9c-9330-46454f0c5aba) windows
- [Windows App from the Microsoft Store](/windows-app/get-started-connect-devices-desktops-apps) is saved in snapshots. To prevent the app from being saved in snapshots, add it to the app filtering list.
## Information for developers
If you're a developer and want to launch Recall, you can call the `ms-recall` protocol URI. When you call this URI, Recall opens and takes a snapshot of the screen, which is the default behavior for when Recall is launched. For more information about using Recall in your Windows app, see [Recall overview](/windows/ai/apis/recall) in the Windows AI API documentation.
## Microsoft's commitment to responsible AI
@ -91,6 +180,10 @@ Microsoft has been on a responsible AI journey since 2017, when we defined our p
Recall uses optical character recognition (OCR), local to the PC, to analyze snapshots and facilitate search. For more information about OCR, see [Transparency note and use cases for OCR](/legal/cognitive-services/computer-vision/ocr-transparency-note). For more information about privacy and security, see [Privacy and control over your Recall experience](https://support.microsoft.com/windows/privacy-and-control-over-your-recall-experience-d404f672-7647-41e5-886c-a3c59680af15).
## Information for developers
If you're a developer and want to launch Recall, you can call the `ms-recall` protocol URI. When you call this, Recall opens and takes a snapshot of the screen, which is the default behavior for when Recall is launched. For more information about using Recall in your Windows app, see [Recall overview](/windows/ai/apis/recall) in the Windows AI API documentation.
## Related links
- [Policy CSP - WindowsAI](/windows/client-management/mdm/policy-csp-windowsai)
- [Update on Recall security and privacy architecture](https://blogs.windows.com/windowsexperience/2024/09/27/update-on-recall-security-and-privacy-architecture/)
- [Retrace your steps with Recall](https://support.microsoft.com/windows/aa03f8a0-a78b-4b3e-b0a1-2eb8ac48701c)
- [Privacy and control over your Recall experience](https://support.microsoft.com/windows/d404f672-7647-41e5-886c-a3c59680af15)
- [Click to Do in Recall](https://support.microsoft.com/topic/967304a8-32d1-4812-a904-fad59b5e6abf)
- [Previewing Recall with Click to Do on Copilot+ PCs with Windows Insiders in the Dev Channel](https://blogs.windows.com/windows-insider/2024/11/22/previewing-recall-with-click-to-do-on-copilot-pcs-with-windows-insiders-in-the-dev-channel/)

4
windows/client-management/mdm/assignedaccess-csp.md
View File

@ -1,7 +1,7 @@
---
title: AssignedAccess CSP
description: Learn more about the AssignedAccess CSP.
ms.date: 04/10/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -126,7 +126,7 @@ To learn how to configure xml file, see [Create an Assigned Access configuration
<!-- Description-Source-DDF -->
This node can accept and return json string which comprises of account name, and AUMID for Kiosk mode app.
Example: `{"User":"domain\\user", "AUMID":"Microsoft. WindowsCalculator_8wekyb3d8bbwe!App"}`.
Example: `{"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}`.
When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output.

8
windows/client-management/mdm/defender-csp.md
View File

@ -1,7 +1,7 @@
---
title: Defender CSP
description: Learn more about the Defender CSP.
ms.date: 09/27/2024
ms.date: 11/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -3775,9 +3775,9 @@ Enable this policy to specify when devices receive Microsoft Defender security i
| Value | Description |
|:--|:--|
| 0 (Default) | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. |
| 4 | Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%). |
| 5 | Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). |
| 0 (Default) | Not configured (Default). Microsoft will either assign the device to Current Channel (Broad) or a beta channel early in the gradual release cycle. The channel selected by Microsoft might be one that receives updates early during the gradual release cycle, which may not be suitable for devices in a production or critical environment. |
| 4 | Current Channel (Staged): Same as Current Channel (Broad). |
| 5 | Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in all populations, including production. |
<!-- Device-Configuration-SecurityIntelligenceUpdatesChannel-AllowedValues-End -->
<!-- Device-Configuration-SecurityIntelligenceUpdatesChannel-Examples-Begin -->

8
windows/client-management/mdm/defender-ddf.md
View File

@ -1,7 +1,7 @@
---
title: Defender DDF file
description: View the XML file containing the device description framework (DDF) for the Defender configuration service provider.
ms.date: 09/27/2024
ms.date: 11/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -1627,15 +1627,15 @@ The following XML file contains the device description framework (DDF) for the D
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices.</MSFT:ValueDescription>
<MSFT:ValueDescription>Not configured (Default). Microsoft will either assign the device to Current Channel (Broad) or a beta channel early in the gradual release cycle. The channel selected by Microsoft might be one that receives updates early during the gradual release cycle, which may not be suitable for devices in a production or critical environment</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>4</MSFT:Value>
<MSFT:ValueDescription>Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%).</MSFT:ValueDescription>
<MSFT:ValueDescription>Current Channel (Staged): Same as Current Channel (Broad).</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>5</MSFT:Value>
<MSFT:ValueDescription>Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).</MSFT:ValueDescription>
<MSFT:ValueDescription>Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in all populations, including production.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>

4
windows/client-management/mdm/devdetail-csp.md
View File

@ -1,7 +1,7 @@
---
title: DevDetail CSP
description: Learn more about the DevDetail CSP.
ms.date: 08/06/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -1259,7 +1259,7 @@ Returns the name of the Original Equipment Manufacturer (OEM) as a string, as de
<!-- Device-SwV-Description-Begin -->
<!-- Description-Source-DDF -->
Returns the Windows 10 OS software version in the format MajorVersion. MinorVersion. BuildNumber. QFEnumber. Currently the BuildNumber returns the build number on the desktop and mobile build number on the phone. In the future, the build numbers may converge.
Returns the Windows 10 OS software version in the format `MajorVersion.MinorVersion.BuildNumber.QFEnumber`. Currently the BuildNumber returns the build number on the desktop and mobile build number on the phone. In the future, the build numbers may converge.
<!-- Device-SwV-Description-End -->
<!-- Device-SwV-Editable-Begin -->

10
windows/client-management/mdm/dmclient-csp.md
View File

@ -1,7 +1,7 @@
---
title: DMClient CSP
description: Learn more about the DMClient CSP.
ms.date: 08/06/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -1654,7 +1654,7 @@ This node allows the MDM to set custom error text, detailing what the user needs
<!-- Device-Provider-{ProviderID}-FirstSyncStatus-ExpectedModernAppPackages-Description-Begin -->
<!-- Description-Source-DDF -->
This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. E. G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps.
This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2` Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps.
<!-- Device-Provider-{ProviderID}-FirstSyncStatus-ExpectedModernAppPackages-Description-End -->
<!-- Device-Provider-{ProviderID}-FirstSyncStatus-ExpectedModernAppPackages-Editable-Begin -->
@ -1694,7 +1694,7 @@ This node contains a list of LocURIs that refer to App Packages the ISV expects
<!-- Device-Provider-{ProviderID}-FirstSyncStatus-ExpectedMSIAppPackages-Description-Begin -->
<!-- Description-Source-DDF -->
This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. E. G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps.
This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps.
<!-- Device-Provider-{ProviderID}-FirstSyncStatus-ExpectedMSIAppPackages-Description-End -->
<!-- Device-Provider-{ProviderID}-FirstSyncStatus-ExpectedMSIAppPackages-Editable-Begin -->
@ -4311,7 +4311,7 @@ This node allows the MDM to set custom error text, detailing what the user needs
<!-- User-Provider-{ProviderID}-FirstSyncStatus-ExpectedModernAppPackages-Description-Begin -->
<!-- Description-Source-DDF -->
This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. E. G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. This is per user.
This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2` Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. This is per user.
<!-- User-Provider-{ProviderID}-FirstSyncStatus-ExpectedModernAppPackages-Description-End -->
<!-- User-Provider-{ProviderID}-FirstSyncStatus-ExpectedModernAppPackages-Editable-Begin -->
@ -4351,7 +4351,7 @@ This node contains a list of LocURIs that refer to App Packages the ISV expects
<!-- User-Provider-{ProviderID}-FirstSyncStatus-ExpectedMSIAppPackages-Description-Begin -->
<!-- Description-Source-DDF -->
This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. E. G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. This is per user.
This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. This is per user.
<!-- User-Provider-{ProviderID}-FirstSyncStatus-ExpectedMSIAppPackages-Description-End -->
<!-- User-Provider-{ProviderID}-FirstSyncStatus-ExpectedMSIAppPackages-Editable-Begin -->

8
windows/client-management/mdm/enterprisemodernappmanagement-csp.md
View File

@ -1,7 +1,7 @@
---
title: EnterpriseModernAppManagement CSP
description: Learn more about the EnterpriseModernAppManagement CSP.
ms.date: 09/11/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -6951,7 +6951,7 @@ Interior node for all managed app setting values.
<!-- User-AppManagement-AppStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Description-Begin -->
<!-- Description-Source-DDF -->
The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed. App. Settings container.
The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the `Managed.App.Settings` container.
<!-- User-AppManagement-AppStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Description-End -->
<!-- User-AppManagement-AppStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Editable-Begin -->
@ -8193,7 +8193,7 @@ This node is only supported in the user context.
<!-- User-AppManagement-nonStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Description-Begin -->
<!-- Description-Source-DDF -->
The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed. App. Settings container.
The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the `Managed.App.Settings` container.
<!-- User-AppManagement-nonStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Description-End -->
<!-- User-AppManagement-nonStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Editable-Begin -->
@ -9495,7 +9495,7 @@ This node is only supported in the user context.
<!-- User-AppManagement-System-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Description-Begin -->
<!-- Description-Source-DDF -->
The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed. App. Settings container.
The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the `Managed.App.Settings` container.
<!-- User-AppManagement-System-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Description-End -->
<!-- User-AppManagement-System-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Editable-Begin -->

300
windows/client-management/mdm/personaldataencryption-csp.md
View File

@ -1,25 +1,31 @@
---
title: PDE CSP
description: Learn more about the PDE CSP.
ms.date: 01/18/2024
title: Personal Data Encryption CSP
description: Learn more about the Personal Data Encryption CSP.
ms.date: 11/27/2024
---
<!-- Auto-Generated CSP Document -->
<!-- PDE-Begin -->
# PDE CSP
# Personal Data Encryption CSP
<!-- PDE-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The Personal Data Encryption (PDE) configuration service provider (CSP) is used by the enterprise to protect data confidentiality of PCs and devices. This CSP was added in Windows 11, version 22H2.
The Personal Data Encryption configuration service provider (CSP) is used by the enterprise to protect data confidentiality of PCs and devices. This CSP was added in Windows 11, version 22H2.
<!-- PDE-Editable-End -->
<!-- PDE-Tree-Begin -->
The following list shows the PDE configuration service provider nodes:
The following list shows the Personal Data Encryption configuration service provider nodes:
- ./User/Vendor/MSFT/PDE
- [EnablePersonalDataEncryption](#enablepersonaldataencryption)
- [ProtectFolders](#protectfolders)
- [ProtectDesktop](#protectfoldersprotectdesktop)
- [ProtectDocuments](#protectfoldersprotectdocuments)
- [ProtectPictures](#protectfoldersprotectpictures)
- [Status](#status)
- [FolderProtectionStatus](#statusfolderprotectionstatus)
- [FoldersProtected](#statusfoldersprotected)
- [PersonalDataEncryptionStatus](#statuspersonaldataencryptionstatus)
<!-- PDE-Tree-End -->
@ -45,7 +51,7 @@ Allows the Admin to enable Personal Data Encryption. Set to '1' to set this poli
<!-- User-EnablePersonalDataEncryption-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) public API allows the applications running as the user to encrypt data as soon as this policy is enabled. However, prerequisites must be met for PDE to be enabled.
The [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) public API allows the applications running as the user to encrypt data as soon as this policy is enabled. However, prerequisites must be met for Personal Data Encryption to be enabled.
<!-- User-EnablePersonalDataEncryption-Editable-End -->
<!-- User-EnablePersonalDataEncryption-DFProperties-Begin -->
@ -72,6 +78,191 @@ The [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.u
<!-- User-EnablePersonalDataEncryption-End -->
<!-- User-ProtectFolders-Begin -->
## ProtectFolders
<!-- User-ProtectFolders-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- User-ProtectFolders-Applicability-End -->
<!-- User-ProtectFolders-OmaUri-Begin -->
```User
./User/Vendor/MSFT/PDE/ProtectFolders
```
<!-- User-ProtectFolders-OmaUri-End -->
<!-- User-ProtectFolders-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- User-ProtectFolders-Description-End -->
<!-- User-ProtectFolders-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- User-ProtectFolders-Editable-End -->
<!-- User-ProtectFolders-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `node` |
| Access Type | Get |
<!-- User-ProtectFolders-DFProperties-End -->
<!-- User-ProtectFolders-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- User-ProtectFolders-Examples-End -->
<!-- User-ProtectFolders-End -->
<!-- User-ProtectFolders-ProtectDesktop-Begin -->
### ProtectFolders/ProtectDesktop
<!-- User-ProtectFolders-ProtectDesktop-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- User-ProtectFolders-ProtectDesktop-Applicability-End -->
<!-- User-ProtectFolders-ProtectDesktop-OmaUri-Begin -->
```User
./User/Vendor/MSFT/PDE/ProtectFolders/ProtectDesktop
```
<!-- User-ProtectFolders-ProtectDesktop-OmaUri-End -->
<!-- User-ProtectFolders-ProtectDesktop-Description-Begin -->
<!-- Description-Source-DDF -->
Allows the Admin to enable Personal Data Encryption on Desktop folder. Set to '1' to set this policy.
<!-- User-ProtectFolders-ProtectDesktop-Description-End -->
<!-- User-ProtectFolders-ProtectDesktop-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- User-ProtectFolders-ProtectDesktop-Editable-End -->
<!-- User-ProtectFolders-ProtectDesktop-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Dependency [EnablePersonalDataEncryptionDependency] | Dependency Type: `DependsOn` <br> Dependency URI: `User/Vendor/MSFT/PDE/EnablePersonalDataEncryption` <br> Dependency Allowed Value: `1` <br> Dependency Allowed Value Type: `ENUM` <br> |
<!-- User-ProtectFolders-ProtectDesktop-DFProperties-End -->
<!-- User-ProtectFolders-ProtectDesktop-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Disable Personal Data Encryption on the folder. If the folder is currently protected by Personal Data Encryption, this will result in unprotecting the folder. |
| 1 | Enable Personal Data Encryption on the folder. |
<!-- User-ProtectFolders-ProtectDesktop-AllowedValues-End -->
<!-- User-ProtectFolders-ProtectDesktop-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- User-ProtectFolders-ProtectDesktop-Examples-End -->
<!-- User-ProtectFolders-ProtectDesktop-End -->
<!-- User-ProtectFolders-ProtectDocuments-Begin -->
### ProtectFolders/ProtectDocuments
<!-- User-ProtectFolders-ProtectDocuments-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- User-ProtectFolders-ProtectDocuments-Applicability-End -->
<!-- User-ProtectFolders-ProtectDocuments-OmaUri-Begin -->
```User
./User/Vendor/MSFT/PDE/ProtectFolders/ProtectDocuments
```
<!-- User-ProtectFolders-ProtectDocuments-OmaUri-End -->
<!-- User-ProtectFolders-ProtectDocuments-Description-Begin -->
<!-- Description-Source-DDF -->
Allows the Admin to enable Personal Data Encryption on Documents folder. Set to '1' to set this policy.
<!-- User-ProtectFolders-ProtectDocuments-Description-End -->
<!-- User-ProtectFolders-ProtectDocuments-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- User-ProtectFolders-ProtectDocuments-Editable-End -->
<!-- User-ProtectFolders-ProtectDocuments-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Dependency [EnablePersonalDataEncryptionDependency] | Dependency Type: `DependsOn` <br> Dependency URI: `User/Vendor/MSFT/PDE/EnablePersonalDataEncryption` <br> Dependency Allowed Value: `1` <br> Dependency Allowed Value Type: `ENUM` <br> |
<!-- User-ProtectFolders-ProtectDocuments-DFProperties-End -->
<!-- User-ProtectFolders-ProtectDocuments-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Disable Personal Data Encryption on the folder. If the folder is currently protected by Personal Data Encryption, this will result in unprotecting the folder. |
| 1 | Enable Personal Data Encryption on the folder. |
<!-- User-ProtectFolders-ProtectDocuments-AllowedValues-End -->
<!-- User-ProtectFolders-ProtectDocuments-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- User-ProtectFolders-ProtectDocuments-Examples-End -->
<!-- User-ProtectFolders-ProtectDocuments-End -->
<!-- User-ProtectFolders-ProtectPictures-Begin -->
### ProtectFolders/ProtectPictures
<!-- User-ProtectFolders-ProtectPictures-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- User-ProtectFolders-ProtectPictures-Applicability-End -->
<!-- User-ProtectFolders-ProtectPictures-OmaUri-Begin -->
```User
./User/Vendor/MSFT/PDE/ProtectFolders/ProtectPictures
```
<!-- User-ProtectFolders-ProtectPictures-OmaUri-End -->
<!-- User-ProtectFolders-ProtectPictures-Description-Begin -->
<!-- Description-Source-DDF -->
Allows the Admin to enable Personal Data Encryption on Pictures folder. Set to '1' to set this policy.
<!-- User-ProtectFolders-ProtectPictures-Description-End -->
<!-- User-ProtectFolders-ProtectPictures-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- User-ProtectFolders-ProtectPictures-Editable-End -->
<!-- User-ProtectFolders-ProtectPictures-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Dependency [EnablePersonalDataEncryptionDependency] | Dependency Type: `DependsOn` <br> Dependency URI: `User/Vendor/MSFT/PDE/EnablePersonalDataEncryption` <br> Dependency Allowed Value: `1` <br> Dependency Allowed Value Type: `ENUM` <br> |
<!-- User-ProtectFolders-ProtectPictures-DFProperties-End -->
<!-- User-ProtectFolders-ProtectPictures-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Disable Personal Data Encryption on the folder. If the folder is currently protected by Personal Data Encryption, this will result in unprotecting the folder. |
| 1 | Enable Personal Data Encryption on the folder. |
<!-- User-ProtectFolders-ProtectPictures-AllowedValues-End -->
<!-- User-ProtectFolders-ProtectPictures-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- User-ProtectFolders-ProtectPictures-Examples-End -->
<!-- User-ProtectFolders-ProtectPictures-End -->
<!-- User-Status-Begin -->
## Status
@ -93,10 +284,10 @@ The [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.u
<!-- User-Status-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Reports the current status of Personal Data Encryption (PDE) for the user.
Reports the current status of Personal Data Encryption for the user.
- If prerequisites of PDE aren't met, then the status will be 0.
- If all prerequisites are met for PDE, then PDE will be enabled and status will be 1.
- If prerequisites of Personal Data Encryption aren't met, then the status will be 0.
- If all prerequisites are met for Personal Data Encryption, then Personal Data Encryption will be enabled and status will be 1.
<!-- User-Status-Editable-End -->
<!-- User-Status-DFProperties-Begin -->
@ -114,6 +305,95 @@ Reports the current status of Personal Data Encryption (PDE) for the user.
<!-- User-Status-End -->
<!-- User-Status-FolderProtectionStatus-Begin -->
### Status/FolderProtectionStatus
<!-- User-Status-FolderProtectionStatus-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- User-Status-FolderProtectionStatus-Applicability-End -->
<!-- User-Status-FolderProtectionStatus-OmaUri-Begin -->
```User
./User/Vendor/MSFT/PDE/Status/FolderProtectionStatus
```
<!-- User-Status-FolderProtectionStatus-OmaUri-End -->
<!-- User-Status-FolderProtectionStatus-Description-Begin -->
<!-- Description-Source-DDF -->
This node reports folder protection status for a user.
<!-- User-Status-FolderProtectionStatus-Description-End -->
<!-- User-Status-FolderProtectionStatus-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- User-Status-FolderProtectionStatus-Editable-End -->
<!-- User-Status-FolderProtectionStatus-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Get |
<!-- User-Status-FolderProtectionStatus-DFProperties-End -->
<!-- User-Status-FolderProtectionStatus-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Protection not started. |
| 1 | Protection is completed with no failures. |
| 2 | Protection in progress. |
| 3 | Protection failed. |
<!-- User-Status-FolderProtectionStatus-AllowedValues-End -->
<!-- User-Status-FolderProtectionStatus-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- User-Status-FolderProtectionStatus-Examples-End -->
<!-- User-Status-FolderProtectionStatus-End -->
<!-- User-Status-FoldersProtected-Begin -->
### Status/FoldersProtected
<!-- User-Status-FoldersProtected-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- User-Status-FoldersProtected-Applicability-End -->
<!-- User-Status-FoldersProtected-OmaUri-Begin -->
```User
./User/Vendor/MSFT/PDE/Status/FoldersProtected
```
<!-- User-Status-FoldersProtected-OmaUri-End -->
<!-- User-Status-FoldersProtected-Description-Begin -->
<!-- Description-Source-DDF -->
This node reports all folders (full path to each folder) that have been protected.
<!-- User-Status-FoldersProtected-Description-End -->
<!-- User-Status-FoldersProtected-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- User-Status-FoldersProtected-Editable-End -->
<!-- User-Status-FoldersProtected-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
<!-- User-Status-FoldersProtected-DFProperties-End -->
<!-- User-Status-FoldersProtected-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- User-Status-FoldersProtected-Examples-End -->
<!-- User-Status-FoldersProtected-End -->
<!-- User-Status-PersonalDataEncryptionStatus-Begin -->
### Status/PersonalDataEncryptionStatus

245
windows/client-management/mdm/personaldataencryption-ddf-file.md
View File

@ -1,14 +1,14 @@
---
title: PDE DDF file
description: View the XML file containing the device description framework (DDF) for the PDE configuration service provider.
ms.date: 06/28/2024
title: Personal Data Encryption DDF file
description: View the XML file containing the device description framework (DDF) for the Personal Data Encryption configuration service provider.
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
# PDE DDF file
# Personal Data Encryption DDF file
The following XML file contains the device description framework (DDF) for the PDE configuration service provider.
The following XML file contains the device description framework (DDF) for the Personal Data Encryption configuration service provider.
```xml
<?xml version="1.0" encoding="UTF-8"?>
@ -76,6 +76,171 @@ The following XML file contains the device description framework (DDF) for the P
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>ProtectFolders</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>
<Node>
<NodeName>ProtectDocuments</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Allows the Admin to enable PDE on Documents folder. Set to '1' to set this policy.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Enable PDE on the folder.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="EnablePersonalDataEncryptionDependency">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>User/Vendor/MSFT/PDE/EnablePersonalDataEncryption</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Requires EnablePersonalDataEncryption to be set to 1.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>ProtectDesktop</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Allows the Admin to enable PDE on Desktop folder. Set to '1' to set this policy.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Enable PDE on the folder.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="EnablePersonalDataEncryptionDependency">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>User/Vendor/MSFT/PDE/EnablePersonalDataEncryption</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Requires EnablePersonalDataEncryption to be set to 1.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>ProtectPictures</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Allows the Admin to enable PDE on Pictures folder. Set to '1' to set this policy.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Enable PDE on the folder.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="EnablePersonalDataEncryptionDependency">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>User/Vendor/MSFT/PDE/EnablePersonalDataEncryption</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Requires EnablePersonalDataEncryption to be set to 1.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Status</NodeName>
<DFProperties>
@ -116,6 +281,74 @@ The following XML file contains the device description framework (DDF) for the P
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FolderProtectionStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This node reports folder protection status for a user. </Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Protection not started.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Protection is completed with no failures.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>Protection in progress.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>3</MSFT:Value>
<MSFT:ValueDescription>Protection failed.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>FoldersProtected</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This node reports all folders (full path to each folder) that have been protected.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
@ -123,4 +356,4 @@ The following XML file contains the device description framework (DDF) for the P
## Related articles
[PDE configuration service provider reference](personaldataencryption-csp.md)
[Personal Data Encryption configuration service provider reference](personaldataencryption-csp.md)

4
windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
View File

@ -1,7 +1,7 @@
---
title: Policies supported by Windows 10 Team
description: Learn about the policies supported by Windows 10 Team.
ms.date: 11/05/2024
ms.date: 11/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -382,8 +382,10 @@ This article lists the policies that are applicable for the Surface Hub operatin
## Start
- [AlwaysShowNotificationIcon](policy-csp-start.md#alwaysshownotificationicon)
- [HideRecommendedPersonalizedSites](policy-csp-start.md#hiderecommendedpersonalizedsites)
- [StartLayout](policy-csp-start.md#startlayout)
- [TurnOffAbbreviatedDateTimeFormat](policy-csp-start.md#turnoffabbreviateddatetimeformat)
## System

19
windows/client-management/mdm/policies-in-preview.md
View File

@ -1,7 +1,7 @@
---
title: Configuration service provider preview policies
description: Learn more about configuration service provider (CSP) policies that are available for Windows Insider Preview.
ms.date: 11/05/2024
ms.date: 11/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -62,6 +62,7 @@ This article lists the policies that are applicable for Windows Insider Preview
## Display
- [ConfigureMultipleDisplayMode](policy-csp-display.md#configuremultipledisplaymode)
- [SetClonePreferredResolutionSource](policy-csp-display.md#setclonepreferredresolutionsource)
## DMClient CSP
@ -106,6 +107,10 @@ This article lists the policies that are applicable for Windows Insider Preview
- [ConfigureDeviceStandbyAction](policy-csp-mixedreality.md#configuredevicestandbyaction)
- [ConfigureDeviceStandbyActionTimeout](policy-csp-mixedreality.md#configuredevicestandbyactiontimeout)
## NewsAndInterests
- [DisableWidgetsOnLockScreen](policy-csp-newsandinterests.md#disablewidgetsonlockscreen)
## PassportForWork CSP
- [DisablePostLogonProvisioning](passportforwork-csp.md#devicetenantidpoliciesdisablepostlogonprovisioning)
@ -118,6 +123,11 @@ This article lists the policies that are applicable for Windows Insider Preview
- [TS_SERVER_REMOTEAPP_USE_SHELLAPPRUNTIME](policy-csp-remotedesktopservices.md#ts_server_remoteapp_use_shellappruntime)
## Start
- [AlwaysShowNotificationIcon](policy-csp-start.md#alwaysshownotificationicon)
- [TurnOffAbbreviatedDateTimeFormat](policy-csp-start.md#turnoffabbreviateddatetimeformat)
## SurfaceHub CSP
- [ExchangeModernAuthEnabled](surfacehub-csp.md#deviceaccountexchangemodernauthenabled)
@ -137,9 +147,14 @@ This article lists the policies that are applicable for Windows Insider Preview
## WindowsAI
- [SetCopilotHardwareKey](policy-csp-windowsai.md#setcopilothardwarekey)
- [SetDenyAppListForRecall](policy-csp-windowsai.md#setdenyapplistforrecall)
- [SetDenyUriListForRecall](policy-csp-windowsai.md#setdenyurilistforrecall)
- [SetMaximumStorageSpaceForRecallSnapshots](policy-csp-windowsai.md#setmaximumstoragespaceforrecallsnapshots)
- [SetMaximumStorageDurationForRecallSnapshots](policy-csp-windowsai.md#setmaximumstoragedurationforrecallsnapshots)
- [DisableImageCreator](policy-csp-windowsai.md#disableimagecreator)
- [DisableCocreator](policy-csp-windowsai.md#disablecocreator)
- [DisableGenerativeFill](policy-csp-windowsai.md#disablegenerativefill)
- [AllowRecallEnablement](policy-csp-windowsai.md#allowrecallenablement)
## WindowsLicensing CSP

6
windows/client-management/mdm/policy-csp-admx-bits.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_Bits Policy CSP
description: Learn more about the ADMX_Bits Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -348,7 +348,7 @@ This policy setting limits the network bandwidth that Background Intelligent Tra
- If you enable this policy setting, you can define a separate set of network bandwidth limits and set up a schedule for the maintenance period.
You can specify a limit to use for background jobs during a maintenance schedule. For example, if normal priority jobs are currently limited to 256 Kbps on a work schedule, you can further limit the network bandwidth of normal priority jobs to 0 Kbps from 8:00 A. M. to 10:00 A. M. on a maintenance schedule.
You can specify a limit to use for background jobs during a maintenance schedule. For example, if normal priority jobs are currently limited to 256 Kbps on a work schedule, you can further limit the network bandwidth of normal priority jobs to 0 Kbps from 8:00 A.M. to 10:00 A.M. on a maintenance schedule.
- If you disable or don't configure this policy setting, the limits defined for work or nonwork schedules will be used.
@ -412,7 +412,7 @@ This policy setting limits the network bandwidth that Background Intelligent Tra
- If you enable this policy setting, you can set up a schedule for limiting network bandwidth during both work and nonwork hours. After the work schedule is defined, you can set the bandwidth usage limits for each of the three BITS background priority levels: high, normal, and low.
You can specify a limit to use for background jobs during a work schedule. For example, you can limit the network bandwidth of low priority jobs to 128 Kbps from 8:00 A. M. to 5:00 P. M. on Monday through Friday, and then set the limit to 512 Kbps for nonwork hours.
You can specify a limit to use for background jobs during a work schedule. For example, you can limit the network bandwidth of low priority jobs to 128 Kbps from 8:00 A.M. to 5:00 P.M. on Monday through Friday, and then set the limit to 512 Kbps for nonwork hours.
- If you disable or don't configure this policy setting, BITS uses all available unused bandwidth for background job transfers.
<!-- BITS_MaxBandwidthV2_Work-Description-End -->

6
windows/client-management/mdm/policy-csp-admx-controlpanel.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_ControlPanel Policy CSP
description: Learn more about the ADMX_ControlPanel Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -36,7 +36,7 @@ This setting allows you to display or hide specified Control Panel items, such a
If you enable this setting, you can select specific items not to display on the Control Panel window and the Start screen.
To hide a Control Panel item, enable this policy setting and click Show to access the list of disallowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft. Mouse, Microsoft. System, or Microsoft. Personalization.
To hide a Control Panel item, enable this policy setting and click Show to access the list of disallowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter `Microsoft.Mouse`, `Microsoft.System`, or `Microsoft.Personalization`.
> [!NOTE]
> For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name should be entered, for example timedate.cpl or inetcpl.cpl. If a Control Panel item doesn't have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered, for example @systemcpl.dll,-1 for System, or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names can be found in MSDN by searching "Control Panel items".
@ -243,7 +243,7 @@ If users try to select a Control Panel item from the Properties item on a contex
<!-- Description-Source-ADMX -->
This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those you specify in this setting. This setting affects the Start screen and Control Panel, as well as other ways to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings.
To display a Control Panel item, enable this policy setting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft. Mouse, Microsoft. System, or Microsoft. Personalization.
To display a Control Panel item, enable this policy setting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter `Microsoft.Mouse`, `Microsoft.System`, or `Microsoft.Personalization`.
> [!NOTE]
> For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name, for example timedate.cpl or inetcpl.cpl, should be entered. If a Control Panel item doesn't have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered. For example, enter @systemcpl.dll,-1 for System or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names of Control Panel items can be found in MSDN by searching "Control Panel items".

4
windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_ControlPanelDisplay Policy CSP
description: Learn more about the ADMX_ControlPanelDisplay Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -519,7 +519,7 @@ Prevents users from changing the background image shown when the machine is lock
By default, users can change the background image shown when the machine is locked or displaying the logon screen.
If you enable this setting, the user won't be able to change their lock screen and logon image, and they will instead see the default image.
If you enable this setting, the user won't be able to change their lock screen and logon image, and they'll instead see the default image.
<!-- CPL_Personalization_NoChangingLockScreen-Description-End -->
<!-- CPL_Personalization_NoChangingLockScreen-Editable-Begin -->

14
windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_DiskDiagnostic Policy CSP
description: Learn more about the ADMX_DiskDiagnostic Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -32,7 +32,7 @@ ms.date: 08/06/2024
<!-- DfdAlertPolicy-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S. M. A. R. T. fault.
This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T. fault.
- If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters.
@ -97,15 +97,15 @@ This policy setting only takes effect if the Disk Diagnostic scenario policy set
<!-- WdiScenarioExecutionPolicy-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting determines the execution level for S. M. A. R. T.-based disk diagnostics.
This policy setting determines the execution level for S.M.A.R.T.-based disk diagnostics.
Self-Monitoring And Reporting Technology (S. M. A. R. T). is a standard mechanism for storage devices to report faults to Windows. A disk that reports a S. M. A. R. T. fault may need to be repaired or replaced. The Diagnostic Policy Service (DPS) detects and logs S. M. A. R. T. faults to the event log when they occur.
Self-Monitoring And Reporting Technology (S.M.A.R.T). is a standard mechanism for storage devices to report faults to Windows. A disk that reports a S.M.A.R.T. fault may need to be repaired or replaced. The Diagnostic Policy Service (DPS) detects and logs S.M.A.R.T. faults to the event log when they occur.
- If you enable this policy setting, the DPS also warns users of S. M. A. R. T. faults and guides them through backup and recovery to minimize potential data loss.
- If you enable this policy setting, the DPS also warns users of S.M.A.R.T. faults and guides them through backup and recovery to minimize potential data loss.
- If you disable this policy, S. M. A. R. T. faults are still detected and logged, but no corrective action is taken.
- If you disable this policy, S.M.A.R.T. faults are still detected and logged, but no corrective action is taken.
- If you don't configure this policy setting, the DPS enables S. M. A. R. T. fault resolution by default.
- If you don't configure this policy setting, the DPS enables S.M.A.R.T. fault resolution by default.
This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured.

6
windows/client-management/mdm/policy-csp-admx-dnsclient.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_DnsClient Policy CSP
description: Learn more about the ADMX_DnsClient Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -602,11 +602,11 @@ You can use this policy setting to prevent users, including local administrators
<!-- Description-Source-ADMX -->
Specifies if the DNS client performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix.
By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com.
By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: `mycomputer.microsoft.com`.
- If you enable this policy setting, the DNS client will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by the DNS client.
For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, the DNS client will register A and PTR resource records for mycomputer. VPNconnection and mycomputer.microsoft.com when this policy setting is enabled.
For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, the DNS client will register A and PTR resource records for `mycomputer.VPNconnection` and `mycomputer.microsoft.com` when this policy setting is enabled.
> [!IMPORTANT]
> This policy setting is ignored by the DNS client if dynamic DNS registration is disabled.

2
windows/client-management/mdm/policy-csp-admx-explorer.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_Explorer Policy CSP
description: Learn more about the ADMX_Explorer Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->

4
windows/client-management/mdm/policy-csp-admx-filerevocation.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_FileRevocation Policy CSP
description: Learn more about the ADMX_FileRevocation Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -36,7 +36,7 @@ Windows Runtime applications can protect content which has been associated with
Example value:
Contoso.com,ContosoIT. HumanResourcesApp_m5g0r7arhahqy.
`Contoso.com,ContosoIT.HumanResourcesApp_m5g0r7arhahqy`
- If you enable this policy setting, the application identified by the Package Family Name will be permitted to revoke access to all content protected using the specified EID on the device.

4
windows/client-management/mdm/policy-csp-admx-filesys.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_FileSys Policy CSP
description: Learn more about the ADMX_FileSys Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -317,7 +317,7 @@ Enabling Win32 long paths will allow manifested win32 applications and packaged
<!-- Description-Source-ADMX -->
These settings provide control over whether or not short names are generated during file creation. Some applications require short names for compatibility, but short names have a negative performance impact on the system.
If you enable short names on all volumes then short names will always be generated. If you disable them on all volumes then they will never be generated. If you set short name creation to be configurable on a per volume basis then an on-disk flag will determine whether or not short names are created on a given volume. If you disable short name creation on all data volumes then short names will only be generated for files created on the system volume.
If you enable short names on all volumes then short names will always be generated. If you disable them on all volumes then they'll never be generated. If you set short name creation to be configurable on a per volume basis then an on-disk flag will determine whether or not short names are created on a given volume. If you disable short name creation on all data volumes then short names will only be generated for files created on the system volume.
<!-- ShortNameCreationSettings-Description-End -->
<!-- ShortNameCreationSettings-Editable-Begin -->

8
windows/client-management/mdm/policy-csp-admx-globalization.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_Globalization Policy CSP
description: Learn more about the ADMX_Globalization Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -638,7 +638,7 @@ This policy setting is related to the "Turn off handwriting personalization" pol
<!-- LocaleSystemRestrict-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy setting doesn't change the existing system locale; however, the next time that an administrator attempts to change the computer's system locale, they will be restricted to the specified list.
This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy setting doesn't change the existing system locale; however, the next time that an administrator attempts to change the computer's system locale, they'll be restricted to the specified list.
The locale list is specified using language names, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-US;en-CA" would restrict the system locale to English (United States) and English (Canada).
@ -1097,7 +1097,7 @@ This policy setting prevents the user from customizing their locale by changing
Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy.
When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they will be unable to customize those choices. The user can't customize their user locale with user overrides.
When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they'll be unable to customize those choices. The user can't customize their user locale with user overrides.
- If this policy setting is disabled or not configured, then the user can customize their user locale overrides.
@ -1166,7 +1166,7 @@ This policy setting prevents the user from customizing their locale by changing
Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy.
When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they will be unable to customize those choices. The user can't customize their user locale with user overrides.
When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they'll be unable to customize those choices. The user can't customize their user locale with user overrides.
- If this policy setting is disabled or not configured, then the user can customize their user locale overrides.

8
windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_MicrosoftDefenderAntivirus Policy CSP
description: Learn more about the ADMX_MicrosoftDefenderAntivirus Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -2938,7 +2938,7 @@ This policy setting allows you to manage whether or not end users can pause a sc
<!-- Scan_ArchiveMaxDepth-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to configure the maximum directory depth level into which archive files such as . ZIP or . CAB are unpacked during scanning. The default directory depth level is 0.
This policy setting allows you to configure the maximum directory depth level into which archive files such as .ZIP or .CAB are unpacked during scanning. The default directory depth level is 0.
- If you enable this setting, archive files will be scanned to the directory depth level specified.
@ -2997,7 +2997,7 @@ This policy setting allows you to configure the maximum directory depth level in
<!-- Scan_ArchiveMaxSize-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to configure the maximum size of archive files such as . ZIP or . CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning.
This policy setting allows you to configure the maximum size of archive files such as .ZIP or .CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning.
- If you enable this setting, archive files less than or equal to the size specified will be scanned.
@ -3056,7 +3056,7 @@ This policy setting allows you to configure the maximum size of archive files su
<!-- Scan_DisableArchiveScanning-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as . ZIP or . CAB files.
This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files.
- If you enable or don't configure this setting, archive files will be scanned.

6
windows/client-management/mdm/policy-csp-admx-offlinefiles.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_OfflineFiles Policy CSP
description: Learn more about the ADMX_OfflineFiles Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -352,7 +352,7 @@ This setting replaces the Default Cache Size setting used by pre-Windows Vista s
<!-- Description-Source-ADMX -->
Determines how computers respond when they're disconnected from particular offline file servers. This setting overrides the default response, a user-specified response, and the response specified in the "Action on server disconnect" setting.
To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they're disconnected from this server, or type "1" if they cannot.
To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they're disconnected from this server, or type "1" if they can't.
This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured for a particular server, the setting in Computer Configuration takes precedence over the setting in User Configuration. Both Computer and User configuration take precedence over a user's setting. This setting doesn't prevent users from setting custom actions through the Offline Files tab. However, users are unable to change any custom actions established via this setting.
@ -413,7 +413,7 @@ This setting appears in the Computer Configuration and User Configuration folder
<!-- Description-Source-ADMX -->
Determines how computers respond when they're disconnected from particular offline file servers. This setting overrides the default response, a user-specified response, and the response specified in the "Action on server disconnect" setting.
To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they're disconnected from this server, or type "1" if they cannot.
To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they're disconnected from this server, or type "1" if they can't.
This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured for a particular server, the setting in Computer Configuration takes precedence over the setting in User Configuration. Both Computer and User configuration take precedence over a user's setting. This setting doesn't prevent users from setting custom actions through the Offline Files tab. However, users are unable to change any custom actions established via this setting.

4
windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_UserExperienceVirtualization Policy CSP
description: Learn more about the ADMX_UserExperienceVirtualization Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -7541,7 +7541,7 @@ This policy setting configures where custom settings location templates are stor
- If you enable this policy setting, the UE-V Agent checks the specified location once each day and updates its synchronization behavior based on the templates in this location. Settings location templates added or updated since the last check are registered by the UE-V Agent. The UE-V Agent deregisters templates that were removed from this location.
If you specify a UNC path and leave the option to replace the default Microsoft templates unchecked, the UE-V Agent will use the default Microsoft templates installed by the UE-V Agent and custom templates in the settings template catalog. If there are custom templates in the settings template catalog which use the same ID as the default Microsoft templates, they will be ignored.
If you specify a UNC path and leave the option to replace the default Microsoft templates unchecked, the UE-V Agent will use the default Microsoft templates installed by the UE-V Agent and custom templates in the settings template catalog. If there are custom templates in the settings template catalog which use the same ID as the default Microsoft templates, they'll be ignored.
If you specify a UNC path and check the option to replace the default Microsoft templates, all of the default Microsoft templates installed by the UE-V Agent will be deleted from the computer and only the templates located in the settings template catalog will be used.

4
windows/client-management/mdm/policy-csp-admx-userprofiles.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_UserProfiles Policy CSP
description: Learn more about the ADMX_UserProfiles Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -157,7 +157,7 @@ This policy setting controls whether Windows forcefully unloads the user's regis
<!-- Description-Source-ADMX -->
This policy setting determines whether the system retains a roaming user's Windows Installer and Group Policy based software installation data on their profile deletion.
By default Windows deletes all information related to a roaming user (which includes the user's settings, data, Windows Installer related data, and the like) when their profile is deleted. As a result, the next time a roaming user whose profile was previously deleted on that client logs on, they will need to reinstall all apps published via policy at logon increasing logon time. You can use this policy setting to change this behavior.
By default Windows deletes all information related to a roaming user (which includes the user's settings, data, Windows Installer related data, and the like) when their profile is deleted. As a result, the next time a roaming user whose profile was previously deleted on that client logs on, they'll need to reinstall all apps published via policy at logon increasing logon time. You can use this policy setting to change this behavior.
- If you enable this policy setting, Windows won't delete Windows Installer or Group Policy software installation data for roaming users when profiles are deleted from the machine. This will improve the performance of Group Policy based Software Installation during user logon when a user profile is deleted and that user subsequently logs on to the machine.

4
windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
View File

@ -1,7 +1,7 @@
---
title: ADMX_WindowsExplorer Policy CSP
description: Learn more about the ADMX_WindowsExplorer Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -4468,7 +4468,7 @@ Shows or hides sleep from the power options menu.
<!-- TryHarderPinnedLibrary-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows up to five Libraries or Search Connectors to be pinned to the "Search again" links and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. To add a Library or Search Connector link, specify the path of the . Library-ms or .searchConnector-ms file in the "Location" text box (for example, "C:\sampleLibrary. Library-ms" for the Documents library, or "C:\sampleSearchConnector.searchConnector-ms" for a Search Connector). The pinned link will only work if this path is valid and the location contains the specified . Library-ms or .searchConnector-ms file.
This policy setting allows up to five Libraries or Search Connectors to be pinned to the "Search again" links and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. To add a Library or Search Connector link, specify the path of the `.Library-ms or .searchConnector-ms` file in the "Location" text box (for example, "C:\sampleLibrary.Library-ms" for the Documents library, or "C:\sampleSearchConnector.searchConnector-ms" for a Search Connector). The pinned link will only work if this path is valid and the location contains the specified `.Library-ms or .searchConnector-ms` file.
You can add up to five additional links to the "Search again" links at the bottom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links.

6
windows/client-management/mdm/policy-csp-applicationmanagement.md
View File

@ -1,7 +1,7 @@
---
title: ApplicationManagement Policy CSP
description: Learn more about the ApplicationManagement Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -371,7 +371,7 @@ If the setting is enabled or not configured, then Recording and Broadcasting (st
<!-- Description-Source-ADMX -->
Manages a Windows app's ability to share data between users who have installed the app.
- If you enable this policy, a Windows app can share app data with other instances of that app. Data is shared through the SharedLocal folder. This folder is available through the Windows. Storage API.
- If you enable this policy, a Windows app can share app data with other instances of that app. Data is shared through the SharedLocal folder. This folder is available through the `Windows.Storage` API.
- If you disable this policy, a Windows app can't share app data with other instances of that app. If this policy was previously enabled, any previously shared app data will remain in the SharedLocal folder.
<!-- AllowSharedUserAppData-Description-End -->
@ -867,7 +867,7 @@ This policy setting directs Windows Installer to use elevated permissions when i
<!-- Description-Source-ADMX -->
Denies access to the retail catalog in the Microsoft Store, but displays the private store.
- If you enable this setting, users won't be able to view the retail catalog in the Microsoft Store, but they will be able to view apps in the private store.
- If you enable this setting, users won't be able to view the retail catalog in the Microsoft Store, but they'll be able to view apps in the private store.
- If you disable or don't configure this setting, users can access the retail catalog in the Microsoft Store.
<!-- RequirePrivateStoreOnly-Description-End -->

4
windows/client-management/mdm/policy-csp-attachmentmanager.md
View File

@ -1,7 +1,7 @@
---
title: AttachmentManager Policy CSP
description: Learn more about the AttachmentManager Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -154,7 +154,7 @@ This policy setting allows you to manage whether users can manually remove the z
<!-- NotifyAntivirusPrograms-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant.
This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they'll all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant.
- If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened.

8
windows/client-management/mdm/policy-csp-bits.md
View File

@ -1,7 +1,7 @@
---
title: BITS Policy CSP
description: Learn more about the BITS Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -32,7 +32,7 @@ ms.date: 01/18/2024
<!-- Description-Source-ADMX -->
This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting doesn't affect foreground transfers).
You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M., and use all available unused bandwidth the rest of the day's hours.
You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours.
- If you enable this policy setting, BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0.
@ -98,7 +98,7 @@ Consider using this setting to prevent BITS transfers from competing for network
<!-- Description-Source-ADMX -->
This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting doesn't affect foreground transfers).
You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M., and use all available unused bandwidth the rest of the day's hours.
You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours.
- If you enable this policy setting, BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0.
@ -164,7 +164,7 @@ Consider using this setting to prevent BITS transfers from competing for network
<!-- Description-Source-ADMX -->
This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting doesn't affect foreground transfers).
You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M., and use all available unused bandwidth the rest of the day's hours.
You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours.
- If you enable this policy setting, BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0.

2
windows/client-management/mdm/policy-csp-controlpolicyconflict.md
View File

@ -37,7 +37,7 @@ If set to 1 then any MDM policy that's set that has an equivalent GP policy will
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md).
> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md). As a result, it is recommended that the same settings should not be configured in both GPO and MDM policies unless the settings are under the control of MDMWinsOverGP. Otherwise, there will be a race condition and no guarantee which one wins.
This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.

4
windows/client-management/mdm/policy-csp-defender.md
View File

@ -1,7 +1,7 @@
---
title: Defender Policy CSP
description: Learn more about the Defender Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -30,7 +30,7 @@ ms.date: 09/27/2024
<!-- AllowArchiveScanning-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as . ZIP or . CAB files.
This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files.
- If you enable or don't configure this setting, archive files will be scanned.

66
windows/client-management/mdm/policy-csp-display.md
View File

@ -1,7 +1,7 @@
---
title: Display Policy CSP
description: Learn more about the Display Area in Policy CSP.
ms.date: 11/05/2024
ms.date: 11/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -32,7 +32,7 @@ ms.date: 11/05/2024
<!-- ConfigureMultipleDisplayMode-Description-Begin -->
<!-- Description-Source-DDF -->
This policy set the default display to set the arrangement between cloning or extending.
This policy sets the default display arrangement to pick between clone or extend.
<!-- ConfigureMultipleDisplayMode-Description-End -->
<!-- ConfigureMultipleDisplayMode-Editable-Begin -->
@ -66,7 +66,7 @@ This policy set the default display to set the arrangement between cloning or ex
|:--|:--|
| Name | ConfigureMultipleDisplayMode |
| Path | Display > AT > System > DisplayCat |
| Element Name | ConfigureMultipleDisplayModePrompt |
| Element Name | DisplayConfigureMultipleDisplayModeSettings |
<!-- ConfigureMultipleDisplayMode-GpMapping-End -->
<!-- ConfigureMultipleDisplayMode-Examples-Begin -->
@ -298,6 +298,66 @@ Enabling this setting lets you specify the system-wide default for desktop appli
<!-- EnablePerProcessDpiForApps-End -->
<!-- SetClonePreferredResolutionSource-Begin -->
## SetClonePreferredResolutionSource
<!-- SetClonePreferredResolutionSource-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- SetClonePreferredResolutionSource-Applicability-End -->
<!-- SetClonePreferredResolutionSource-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Display/SetClonePreferredResolutionSource
```
<!-- SetClonePreferredResolutionSource-OmaUri-End -->
<!-- SetClonePreferredResolutionSource-Description-Begin -->
<!-- Description-Source-DDF -->
This policy sets the cloned monitor preferred resolution source to an internal or external monitor by default.
<!-- SetClonePreferredResolutionSource-Description-End -->
<!-- SetClonePreferredResolutionSource-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SetClonePreferredResolutionSource-Editable-End -->
<!-- SetClonePreferredResolutionSource-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- SetClonePreferredResolutionSource-DFProperties-End -->
<!-- SetClonePreferredResolutionSource-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Default. |
| 1 (Default) | Internal. |
| 2 | External. |
<!-- SetClonePreferredResolutionSource-AllowedValues-End -->
<!-- SetClonePreferredResolutionSource-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | SetClonePreferredResolutionSource |
| Path | Display > AT > System > DisplayCat |
| Element Name | DisplaySetClonePreferredResolutionSourceSettings |
<!-- SetClonePreferredResolutionSource-GpMapping-End -->
<!-- SetClonePreferredResolutionSource-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- SetClonePreferredResolutionSource-Examples-End -->
<!-- SetClonePreferredResolutionSource-End -->
<!-- TurnOffGdiDPIScalingForApps-Begin -->
## TurnOffGdiDPIScalingForApps

34
windows/client-management/mdm/policy-csp-internetexplorer.md
View File

@ -1,7 +1,7 @@
---
title: InternetExplorer Policy CSP
description: Learn more about the InternetExplorer Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -2472,11 +2472,11 @@ This policy setting determines whether Internet Explorer requires that all file-
<!-- DisableActiveXVersionListAutoDownload-Description-Begin -->
<!-- Description-Source-ADMX -->
This setting determines whether IE automatically downloads updated versions of Microsoft's VersionList. XML. IE uses this file to determine whether an ActiveX control should be stopped from loading.
This setting determines whether IE automatically downloads updated versions of Microsoft's VersionList.XML. IE uses this file to determine whether an ActiveX control should be stopped from loading.
- If you enable this setting, IE stops downloading updated versions of VersionList. XML. Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer.
- If you enable this setting, IE stops downloading updated versions of VersionList.XML. Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer.
- If you disable or don't configure this setting, IE continues to download updated versions of VersionList. XML.
- If you disable or don't configure this setting, IE continues to download updated versions of VersionList.XML.
For more information, see "Out-of-date ActiveX control blocking" in the Internet Explorer TechNet library.
<!-- DisableActiveXVersionListAutoDownload-Description-End -->
@ -4429,7 +4429,7 @@ This policy setting allows you to manage a list of domains on which Internet Exp
- If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following:
1. "domain.name. TLD". For example, if you want to include *.contoso.com/*, use "contoso.com"
1. "domain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com"
2. "hostname". For example, if you want to include https://example, use "example".
3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm".
@ -5272,7 +5272,7 @@ This policy setting allows you to manage the loading of Extensible Application M
<!-- InternetZoneAllowNETFrameworkReliantComponents-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@ -6825,7 +6825,7 @@ This policy setting allows you to manage the opening of windows and frames and a
<!-- InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.
@ -7337,7 +7337,7 @@ This policy setting allows you to manage whether Web sites from less privileged
<!-- IntranetZoneAllowNETFrameworkReliantComponents-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@ -8410,7 +8410,7 @@ This policy setting allows you to manage whether Web sites from less privileged
<!-- LocalMachineZoneAllowNETFrameworkReliantComponents-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@ -9325,7 +9325,7 @@ This policy setting allows you to manage whether Web sites from less privileged
<!-- LockedDownInternetZoneAllowNETFrameworkReliantComponents-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@ -10174,7 +10174,7 @@ This policy setting allows you to manage whether Web sites from less privileged
<!-- LockedDownIntranetZoneAllowNETFrameworkReliantComponents-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@ -10883,7 +10883,7 @@ This policy setting allows you to manage whether Web sites from less privileged
<!-- LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@ -11662,7 +11662,7 @@ This policy setting allows you to manage whether Web sites from less privileged
<!-- LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@ -12441,7 +12441,7 @@ This policy setting allows you to manage whether Web sites from less privileged
<!-- LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@ -14307,7 +14307,7 @@ This policy setting allows you to manage whether a user's browser can be redirec
<!-- RestrictedSitesZoneAllowNETFrameworkReliantComponents-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@ -15862,7 +15862,7 @@ If you selected Prompt in the drop-down box, users are asked to choose whether t
<!-- RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.
@ -16981,7 +16981,7 @@ This policy setting allows you to manage whether Web sites from less privileged
<!-- TrustedSitesZoneAllowNETFrameworkReliantComponents-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

4
windows/client-management/mdm/policy-csp-mixedreality.md
View File

@ -1,7 +1,7 @@
---
title: MixedReality Policy CSP
description: Learn more about the MixedReality Area in Policy CSP.
ms.date: 09/11/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -139,7 +139,7 @@ This opt-in policy can help with the setup of new devices in new areas or new us
<!-- AllowLaunchUriInSingleAppKiosk-Description-Begin -->
<!-- Description-Source-DDF -->
By default, launching applications via Launcher API (Launcher Class (Windows. System) - Windows UWP applications | Microsoft Docs) is disabled in single app kiosk mode. To enable applications to launch in single app kiosk mode on HoloLens devices, set the policy value to true.
By default, launching applications via Launcher API is disabled in single app kiosk mode. To enable applications to launch in single app kiosk mode on HoloLens devices, set the policy value to true.
<!-- AllowLaunchUriInSingleAppKiosk-Description-End -->
<!-- AllowLaunchUriInSingleAppKiosk-Editable-Begin -->

62
windows/client-management/mdm/policy-csp-newsandinterests.md
View File

@ -1,7 +1,7 @@
---
title: NewsAndInterests Policy CSP
description: Learn more about the NewsAndInterests Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 11/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,6 +9,8 @@ ms.date: 01/18/2024
<!-- NewsAndInterests-Begin -->
# Policy CSP - NewsAndInterests
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- NewsAndInterests-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- NewsAndInterests-Editable-End -->
@ -82,6 +84,64 @@ This policy applies to the entire widgets experience, including content on the t
<!-- AllowNewsAndInterests-End -->
<!-- DisableWidgetsOnLockScreen-Begin -->
## DisableWidgetsOnLockScreen
<!-- DisableWidgetsOnLockScreen-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- DisableWidgetsOnLockScreen-Applicability-End -->
<!-- DisableWidgetsOnLockScreen-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/NewsAndInterests/DisableWidgetsOnLockScreen
```
<!-- DisableWidgetsOnLockScreen-OmaUri-End -->
<!-- DisableWidgetsOnLockScreen-Description-Begin -->
<!-- Description-Source-DDF -->
Disable widgets on lock screen.
<!-- DisableWidgetsOnLockScreen-Description-End -->
<!-- DisableWidgetsOnLockScreen-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DisableWidgetsOnLockScreen-Editable-End -->
<!-- DisableWidgetsOnLockScreen-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- DisableWidgetsOnLockScreen-DFProperties-End -->
<!-- DisableWidgetsOnLockScreen-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Enabled. |
| 1 | Disabled. |
<!-- DisableWidgetsOnLockScreen-AllowedValues-End -->
<!-- DisableWidgetsOnLockScreen-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | DisableWidgetsOnLockScreen |
| Path | NewsAndInterests > AT > WindowsComponents > NewsAndInterests |
<!-- DisableWidgetsOnLockScreen-GpMapping-End -->
<!-- DisableWidgetsOnLockScreen-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- DisableWidgetsOnLockScreen-Examples-End -->
<!-- DisableWidgetsOnLockScreen-End -->
<!-- NewsAndInterests-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- NewsAndInterests-CspMoreInfo-End -->

2
windows/client-management/mdm/policy-csp-remotedesktopservices.md
View File

@ -1,7 +1,7 @@
---
title: RemoteDesktopServices Policy CSP
description: Learn more about the RemoteDesktopServices Area in Policy CSP.
ms.date: 11/05/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->

6
windows/client-management/mdm/policy-csp-remoteprocedurecall.md
View File

@ -1,7 +1,7 @@
---
title: RemoteProcedureCall Policy CSP
description: Learn more about the RemoteProcedureCall Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -105,11 +105,11 @@ This policy setting impacts all RPC applications. In a domain environment this p
<!-- Description-Source-ADMX -->
This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they're making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) can't process authentication information supplied in this manner.
- If you disable this policy setting, RPC clients won't authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server.
- If you disable this policy setting, RPC clients won't authenticate to the Endpoint Mapper Service, but they'll be able to communicate with the Endpoint Mapper Service on Windows NT4 Server.
- If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls won't be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
- If you don't configure this policy setting, it remains disabled. RPC clients won't authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
- If you don't configure this policy setting, it remains disabled. RPC clients won't authenticate to the Endpoint Mapper Service, but they'll be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
> [!NOTE]
> This policy won't be applied until the system is rebooted.

118
windows/client-management/mdm/policy-csp-start.md
View File

@ -1,7 +1,7 @@
---
title: Start Policy CSP
description: Learn more about the Start Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 11/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,6 +9,8 @@ ms.date: 08/06/2024
<!-- Start-Begin -->
# Policy CSP - Start
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Start-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Start-Editable-End -->
@ -513,6 +515,63 @@ This policy controls the visibility of the Videos shortcut on the Start menu. Th
<!-- AllowPinnedFolderVideos-End -->
<!-- AlwaysShowNotificationIcon-Begin -->
## AlwaysShowNotificationIcon
<!-- AlwaysShowNotificationIcon-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AlwaysShowNotificationIcon-Applicability-End -->
<!-- AlwaysShowNotificationIcon-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/Start/AlwaysShowNotificationIcon
```
<!-- AlwaysShowNotificationIcon-OmaUri-End -->
<!-- AlwaysShowNotificationIcon-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- AlwaysShowNotificationIcon-Description-End -->
<!-- AlwaysShowNotificationIcon-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AlwaysShowNotificationIcon-Editable-End -->
<!-- AlwaysShowNotificationIcon-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- AlwaysShowNotificationIcon-DFProperties-End -->
<!-- AlwaysShowNotificationIcon-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Auto-hide notification bell icon. |
| 1 | Show notification bell icon. |
<!-- AlwaysShowNotificationIcon-AllowedValues-End -->
<!-- AlwaysShowNotificationIcon-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | AlwaysShowNotificationIcon |
| Path | Taskbar > AT > StartMenu |
<!-- AlwaysShowNotificationIcon-GpMapping-End -->
<!-- AlwaysShowNotificationIcon-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AlwaysShowNotificationIcon-Examples-End -->
<!-- AlwaysShowNotificationIcon-End -->
<!-- ConfigureStartPins-Begin -->
## ConfigureStartPins
@ -2247,6 +2306,63 @@ For more information on how to customize the Start layout, see [Customize the St
<!-- StartLayout-End -->
<!-- TurnOffAbbreviatedDateTimeFormat-Begin -->
## TurnOffAbbreviatedDateTimeFormat
<!-- TurnOffAbbreviatedDateTimeFormat-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- TurnOffAbbreviatedDateTimeFormat-Applicability-End -->
<!-- TurnOffAbbreviatedDateTimeFormat-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/Start/TurnOffAbbreviatedDateTimeFormat
```
<!-- TurnOffAbbreviatedDateTimeFormat-OmaUri-End -->
<!-- TurnOffAbbreviatedDateTimeFormat-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- TurnOffAbbreviatedDateTimeFormat-Description-End -->
<!-- TurnOffAbbreviatedDateTimeFormat-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- TurnOffAbbreviatedDateTimeFormat-Editable-End -->
<!-- TurnOffAbbreviatedDateTimeFormat-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- TurnOffAbbreviatedDateTimeFormat-DFProperties-End -->
<!-- TurnOffAbbreviatedDateTimeFormat-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Show abbreviated time and date format. |
| 1 | Show classic time and date format. |
<!-- TurnOffAbbreviatedDateTimeFormat-AllowedValues-End -->
<!-- TurnOffAbbreviatedDateTimeFormat-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | TurnOffAbbreviatedDateTimeFormat |
| Path | Taskbar > AT > StartMenu |
<!-- TurnOffAbbreviatedDateTimeFormat-GpMapping-End -->
<!-- TurnOffAbbreviatedDateTimeFormat-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- TurnOffAbbreviatedDateTimeFormat-Examples-End -->
<!-- TurnOffAbbreviatedDateTimeFormat-End -->
<!-- Start-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- Start-CspMoreInfo-End -->

4
windows/client-management/mdm/policy-csp-sudo.md
View File

@ -1,7 +1,7 @@
---
title: Sudo Policy CSP
description: Learn more about the Sudo Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 11/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -19,7 +19,7 @@ ms.date: 09/27/2024
<!-- EnableSudo-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- EnableSudo-Applicability-End -->
<!-- EnableSudo-OmaUri-Begin -->

8
windows/client-management/mdm/policy-csp-update.md
View File

@ -1,7 +1,7 @@
---
title: Update Policy CSP
description: Learn more about the Update Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 11/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -2522,7 +2522,7 @@ Minimum number of days from update installation until restarts occur automatical
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Applicability-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-OmaUri-Begin -->
@ -2601,7 +2601,7 @@ This policy will override the following policies:
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Applicability-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-OmaUri-Begin -->
@ -3237,7 +3237,7 @@ These policies are not exclusive and can be used in any combination. Together wi
<!-- ScheduledInstallTime-Description-Begin -->
<!-- Description-Source-DDF -->
the IT admin to schedule the time of the update installation. The data type is a integer. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3.
Enables the IT admin to schedule the time of the update installation. The data type is a integer. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3.
<!-- ScheduledInstallTime-Description-End -->
<!-- ScheduledInstallTime-Editable-Begin -->

4
windows/client-management/mdm/policy-csp-webthreatdefense.md
View File

@ -1,7 +1,7 @@
---
title: WebThreatDefense Policy CSP
description: Learn more about the WebThreatDefense Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->
@ -308,7 +308,7 @@ This policy setting determines whether Enhanced Phishing Protection in Microsoft
- If you disable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen is off and it won't capture events, send telemetry, or notify users. Additionally, your users are unable to turn it on.
- If you don't configure this setting, users can decide whether or not they will enable Enhanced Phishing Protection in Microsoft Defender SmartScreen.
- If you don't configure this setting, users can decide whether or not they'll enable Enhanced Phishing Protection in Microsoft Defender SmartScreen.
<!-- ServiceEnabled-Description-End -->
<!-- ServiceEnabled-Editable-Begin -->

449
windows/client-management/mdm/policy-csp-windowsai.md
View File

@ -1,7 +1,7 @@
---
title: WindowsAI Policy CSP
description: Learn more about the WindowsAI Area in Policy CSP.
ms.date: 11/05/2024
ms.date: 11/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -15,28 +15,103 @@ ms.date: 11/05/2024
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- WindowsAI-Editable-End -->
<!-- AllowRecallEnablement-Begin -->
## AllowRecallEnablement
<!-- AllowRecallEnablement-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AllowRecallEnablement-Applicability-End -->
<!-- AllowRecallEnablement-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsAI/AllowRecallEnablement
```
<!-- AllowRecallEnablement-OmaUri-End -->
<!-- AllowRecallEnablement-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to determine whether the Recall optional component is available for end users to enable on their device. By default, Recall is disabled for managed commercial devices. Recall isn't available on managed devices by default, and individual users can't enable Recall on their own.
- If this policy isn't configured, end users will have the Recall component in a disabled state.
- If this policy is disabled, the Recall component will be in disabled state and the bits for Recall will be removed from the device. If snapshots were previously saved on the device, they'll be deleted when this policy is disabled. Removing Recall requires a device restart.
- If the policy is enabled, end users will have Recall available on their device. Depending on the state of the DisableAIDataAnalysis policy (Turn off saving snapshots for use with Recall), end users will be able to choose if they want to save snapshots of their screen and use Recall to find things they've seen on their device.
<!-- AllowRecallEnablement-Description-End -->
<!-- AllowRecallEnablement-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AllowRecallEnablement-Editable-End -->
<!-- AllowRecallEnablement-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- AllowRecallEnablement-DFProperties-End -->
<!-- AllowRecallEnablement-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Recall isn't available. |
| 1 (Default) | Recall is available. |
<!-- AllowRecallEnablement-AllowedValues-End -->
<!-- AllowRecallEnablement-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | AllowRecallEnablement |
| Friendly Name | Allow Recall to be enabled |
| Location | Computer Configuration |
| Path | Windows Components > Windows AI |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
| Registry Value Name | AllowRecallEnablement |
| ADMX File Name | WindowsCopilot.admx |
<!-- AllowRecallEnablement-GpMapping-End -->
<!-- AllowRecallEnablement-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowRecallEnablement-Examples-End -->
<!-- AllowRecallEnablement-End -->
<!-- DisableAIDataAnalysis-Begin -->
## DisableAIDataAnalysis
<!-- DisableAIDataAnalysis-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
| Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DisableAIDataAnalysis-Applicability-End -->
<!-- DisableAIDataAnalysis-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/WindowsAI/DisableAIDataAnalysis
```
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsAI/DisableAIDataAnalysis
```
<!-- DisableAIDataAnalysis-OmaUri-End -->
<!-- DisableAIDataAnalysis-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to control whether Windows saves snapshots of the screen and analyzes the user's activity on their device.
This policy setting allows you to determine whether snapshots of the screen can be saved for use with Recall. By default, snapshots for Recall aren't enabled. IT administrators can't, on their own, enable saving snapshots on behalf of their users. The choice to enable saving snapshots requires individual user opt-in consent.
- If you enable this policy setting, Windows won't be able to save snapshots and users won't be able to search for or browse through their historical device activity using Recall.
- If the policy isn't configured, snapshots won't be saved for use with Recall.
- If you disable or don't configure this policy setting, Windows will save snapshots of the screen and users will be able to search for or browse through a timeline of their past activities using Recall.
- If you enable this policy, snapshots won't be saved for use with Recall. If snapshots were previously saved on the device, they'll be deleted when this policy is enabled.
If you set this policy to disabled, end users will have a choice to save snapshots of their screen and use Recall to find things they've seen on their device.
<!-- DisableAIDataAnalysis-Description-End -->
<!-- DisableAIDataAnalysis-Editable-Begin -->
@ -68,8 +143,8 @@ This policy setting allows you to control whether Windows saves snapshots of the
| Name | Value |
|:--|:--|
| Name | DisableAIDataAnalysis |
| Friendly Name | Turn off Saving Snapshots for Windows |
| Location | User Configuration |
| Friendly Name | Turn off saving snapshots for use with Recall |
| Location | Computer and User Configuration |
| Path | Windows Components > Windows AI |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
| Registry Value Name | DisableAIDataAnalysis |
@ -144,6 +219,68 @@ This policy setting allows you to control whether Cocreator functionality is dis
<!-- DisableCocreator-End -->
<!-- DisableGenerativeFill-Begin -->
## DisableGenerativeFill
<!-- DisableGenerativeFill-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- DisableGenerativeFill-Applicability-End -->
<!-- DisableGenerativeFill-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsAI/DisableGenerativeFill
```
<!-- DisableGenerativeFill-OmaUri-End -->
<!-- DisableGenerativeFill-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to control whether generative fill functionality is disabled in the Windows Paint app.
- If this policy is enabled, generative fill functionality won't be accessible in the Paint app.
- If this policy is disabled or not configured, users will be able to access generative fill functionality.
<!-- DisableGenerativeFill-Description-End -->
<!-- DisableGenerativeFill-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DisableGenerativeFill-Editable-End -->
<!-- DisableGenerativeFill-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- DisableGenerativeFill-DFProperties-End -->
<!-- DisableGenerativeFill-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Generative fill is enabled. |
| 1 | Generative fill is disabled. |
<!-- DisableGenerativeFill-AllowedValues-End -->
<!-- DisableGenerativeFill-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | DisableGenerativeFill |
| Path | WindowsAI > AT > WindowsComponents > Paint |
<!-- DisableGenerativeFill-GpMapping-End -->
<!-- DisableGenerativeFill-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- DisableGenerativeFill-Examples-End -->
<!-- DisableGenerativeFill-End -->
<!-- DisableImageCreator-Begin -->
## DisableImageCreator
@ -212,7 +349,7 @@ This policy setting allows you to control whether Image Creator functionality is
<!-- SetCopilotHardwareKey-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 with [KB5044380](https://support.microsoft.com/help/5044380) [10.0.22621.4391] and later |
<!-- SetCopilotHardwareKey-Applicability-End -->
<!-- SetCopilotHardwareKey-OmaUri-Begin -->
@ -222,7 +359,7 @@ This policy setting allows you to control whether Image Creator functionality is
<!-- SetCopilotHardwareKey-OmaUri-End -->
<!-- SetCopilotHardwareKey-Description-Begin -->
<!-- Description-Source-DDF -->
<!-- Description-Source-ADMX -->
This policy setting determines which app opens when the user presses the Copilot key on their keyboard.
- If the policy is enabled, the specified app will open when the user presses the Copilot key. Users can change the key assignment in Settings.
@ -249,7 +386,11 @@ This policy setting determines which app opens when the user presses the Copilot
| Name | Value |
|:--|:--|
| Name | SetCopilotHardwareKey |
| Path | WindowsCopilot > AT > WindowsComponents > WindowsCopilot |
| Friendly Name | Set Copilot Hardware Key |
| Location | User Configuration |
| Path | Windows Components > Windows Copilot |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CopilotKey |
| ADMX File Name | WindowsCopilot.admx |
<!-- SetCopilotHardwareKey-GpMapping-End -->
<!-- SetCopilotHardwareKey-Examples-Begin -->
@ -258,6 +399,294 @@ This policy setting determines which app opens when the user presses the Copilot
<!-- SetCopilotHardwareKey-End -->
<!-- SetDenyAppListForRecall-Begin -->
## SetDenyAppListForRecall
<!-- SetDenyAppListForRecall-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- SetDenyAppListForRecall-Applicability-End -->
<!-- SetDenyAppListForRecall-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/WindowsAI/SetDenyAppListForRecall
```
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsAI/SetDenyAppListForRecall
```
<!-- SetDenyAppListForRecall-OmaUri-End -->
<!-- SetDenyAppListForRecall-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy allows you to define a list of apps that won't be included in snapshots for Recall.
Users will be able to add additional applications to exclude from snapshots using Recall settings.
The list can include Application User Model IDs (AUMID) or name of the executable file.
Use a semicolon-separated list of apps to define the deny app list for Recall.
For example: `code.exe;Microsoft.WindowsNotepad_8wekyb3d8bbwe!App;ms-teams.exe`
> [!IMPORTANT]
> When configuring this policy setting, changes won't take effect until the device restarts.
<!-- SetDenyAppListForRecall-Description-End -->
<!-- SetDenyAppListForRecall-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SetDenyAppListForRecall-Editable-End -->
<!-- SetDenyAppListForRecall-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `;`) |
<!-- SetDenyAppListForRecall-DFProperties-End -->
<!-- SetDenyAppListForRecall-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | SetDenyAppListForRecall |
| Friendly Name | Set a list of apps to be filtered from snapshots for Recall |
| Location | Computer and User Configuration |
| Path | Windows Components > Windows AI |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
| Registry Value Name | SetDenyAppListForRecall |
| ADMX File Name | WindowsCopilot.admx |
<!-- SetDenyAppListForRecall-GpMapping-End -->
<!-- SetDenyAppListForRecall-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- SetDenyAppListForRecall-Examples-End -->
<!-- SetDenyAppListForRecall-End -->
<!-- SetDenyUriListForRecall-Begin -->
## SetDenyUriListForRecall
<!-- SetDenyUriListForRecall-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- SetDenyUriListForRecall-Applicability-End -->
<!-- SetDenyUriListForRecall-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/WindowsAI/SetDenyUriListForRecall
```
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsAI/SetDenyUriListForRecall
```
<!-- SetDenyUriListForRecall-OmaUri-End -->
<!-- SetDenyUriListForRecall-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting lets you define a list of URIs that won't be included in snapshots for Recall when a supported browser is used. People within your organization can use Recall settings to add more websites to the list. Define the list using a semicolon to separate URIs.
For example: `https://www.Contoso.com;https://www.WoodgroveBank.com;https://www.Adatum.com`
Adding `https://www.WoodgroveBank.com` to the list would also filter `https://Account.WoodgroveBank.com` and `https://www.WoodgroveBank.com/Account`.
> [!IMPORTANT]
> Changes to this policy take effect after device restart.
<!-- SetDenyUriListForRecall-Description-End -->
<!-- SetDenyUriListForRecall-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SetDenyUriListForRecall-Editable-End -->
<!-- SetDenyUriListForRecall-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `;`) |
<!-- SetDenyUriListForRecall-DFProperties-End -->
<!-- SetDenyUriListForRecall-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | SetDenyUriListForRecall |
| Friendly Name | Set a list of URIs to be filtered from snapshots for Recall |
| Location | Computer and User Configuration |
| Path | Windows Components > Windows AI |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
| Registry Value Name | SetDenyUriListForRecall |
| ADMX File Name | WindowsCopilot.admx |
<!-- SetDenyUriListForRecall-GpMapping-End -->
<!-- SetDenyUriListForRecall-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- SetDenyUriListForRecall-Examples-End -->
<!-- SetDenyUriListForRecall-End -->
<!-- SetMaximumStorageDurationForRecallSnapshots-Begin -->
## SetMaximumStorageDurationForRecallSnapshots
<!-- SetMaximumStorageDurationForRecallSnapshots-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- SetMaximumStorageDurationForRecallSnapshots-Applicability-End -->
<!-- SetMaximumStorageDurationForRecallSnapshots-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/WindowsAI/SetMaximumStorageDurationForRecallSnapshots
```
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsAI/SetMaximumStorageDurationForRecallSnapshots
```
<!-- SetMaximumStorageDurationForRecallSnapshots-OmaUri-End -->
<!-- SetMaximumStorageDurationForRecallSnapshots-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to control the maximum amount of time (in days) that Windows saves snapshots for Recall.
When the policy is enabled, you can configure the maximum storage duration to be 30, 60, 90, or 180 days.
When this policy isn't configured, a time frame isn't set for deleting snapshots.
Snapshots aren't deleted until the maximum storage allocation for Recall is reached, and then the oldest snapshots are deleted first.
<!-- SetMaximumStorageDurationForRecallSnapshots-Description-End -->
<!-- SetMaximumStorageDurationForRecallSnapshots-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SetMaximumStorageDurationForRecallSnapshots-Editable-End -->
<!-- SetMaximumStorageDurationForRecallSnapshots-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- SetMaximumStorageDurationForRecallSnapshots-DFProperties-End -->
<!-- SetMaximumStorageDurationForRecallSnapshots-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Let the OS define the maximum amount of time the snapshots will be saved. |
| 30 | 30 days. |
| 60 | 60 days. |
| 90 | 90 days. |
| 180 | 180 days. |
<!-- SetMaximumStorageDurationForRecallSnapshots-AllowedValues-End -->
<!-- SetMaximumStorageDurationForRecallSnapshots-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | SetMaximumStorageDurationForRecallSnapshots |
| Friendly Name | Set maximum duration for storing snapshots used by Recall |
| Location | Computer and User Configuration |
| Path | Windows Components > Windows AI |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
| Registry Value Name | SetMaximumStorageDurationForRecallSnapshots |
| ADMX File Name | WindowsCopilot.admx |
<!-- SetMaximumStorageDurationForRecallSnapshots-GpMapping-End -->
<!-- SetMaximumStorageDurationForRecallSnapshots-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- SetMaximumStorageDurationForRecallSnapshots-Examples-End -->
<!-- SetMaximumStorageDurationForRecallSnapshots-End -->
<!-- SetMaximumStorageSpaceForRecallSnapshots-Begin -->
## SetMaximumStorageSpaceForRecallSnapshots
<!-- SetMaximumStorageSpaceForRecallSnapshots-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- SetMaximumStorageSpaceForRecallSnapshots-Applicability-End -->
<!-- SetMaximumStorageSpaceForRecallSnapshots-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/WindowsAI/SetMaximumStorageSpaceForRecallSnapshots
```
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsAI/SetMaximumStorageSpaceForRecallSnapshots
```
<!-- SetMaximumStorageSpaceForRecallSnapshots-OmaUri-End -->
<!-- SetMaximumStorageSpaceForRecallSnapshots-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to control the maximum amount of disk space that can be used by Windows to save snapshots for Recall.
You can set the maximum amount of disk space for snapshots to be 10, 25, 50, 75, 100, or 150 GB.
When this setting isn't configured, the OS configures the storage allocation for snapshots based on the device storage capacity.
25 GB is allocated when the device storage capacity is 256 GB. 75 GB is allocated when the device storage capacity is 512 GB. 150 GB is allocated when the device storage capacity is 1 TB or higher.
<!-- SetMaximumStorageSpaceForRecallSnapshots-Description-End -->
<!-- SetMaximumStorageSpaceForRecallSnapshots-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SetMaximumStorageSpaceForRecallSnapshots-Editable-End -->
<!-- SetMaximumStorageSpaceForRecallSnapshots-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- SetMaximumStorageSpaceForRecallSnapshots-DFProperties-End -->
<!-- SetMaximumStorageSpaceForRecallSnapshots-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Let the OS define the maximum storage amount based on hard drive storage size. |
| 10000 | 10GB. |
| 25000 | 25GB. |
| 50000 | 50GB. |
| 75000 | 75GB. |
| 100000 | 100GB. |
| 150000 | 150GB. |
<!-- SetMaximumStorageSpaceForRecallSnapshots-AllowedValues-End -->
<!-- SetMaximumStorageSpaceForRecallSnapshots-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | SetMaximumStorageSpaceForRecallSnapshots |
| Friendly Name | Set maximum storage for snapshots used by Recall |
| Location | Computer and User Configuration |
| Path | Windows Components > Windows AI |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
| Registry Value Name | SetMaximumStorageSpaceForRecallSnapshots |
| ADMX File Name | WindowsCopilot.admx |
<!-- SetMaximumStorageSpaceForRecallSnapshots-GpMapping-End -->
<!-- SetMaximumStorageSpaceForRecallSnapshots-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- SetMaximumStorageSpaceForRecallSnapshots-Examples-End -->
<!-- SetMaximumStorageSpaceForRecallSnapshots-End -->
<!-- TurnOffWindowsCopilot-Begin -->
## TurnOffWindowsCopilot

2
windows/client-management/mdm/policy-csp-windowslogon.md
View File

@ -1,7 +1,7 @@
---
title: WindowsLogon Policy CSP
description: Learn more about the WindowsLogon Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 11/26/2024
---
<!-- Auto-Generated CSP Document -->

94
windows/client-management/mdm/policy-csp-windowssandbox.md
View File

@ -1,7 +1,7 @@
---
title: WindowsSandbox Policy CSP
description: Learn more about the WindowsSandbox Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 11/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -19,7 +19,7 @@ ms.date: 09/27/2024
<!-- AllowAudioInput-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later <br> ✅ Windows 10, version 20H2 [10.0.19042.4950] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.4950] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- AllowAudioInput-Applicability-End -->
<!-- AllowAudioInput-OmaUri-Begin -->
@ -54,10 +54,18 @@ Note that there may be security implications of exposing host audio input to the
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
<!-- AllowAudioInput-DFProperties-End -->
<!-- AllowAudioInput-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Not allowed. |
| 1 (Default) | Allowed. |
<!-- AllowAudioInput-AllowedValues-End -->
<!-- AllowAudioInput-GpMapping-Begin -->
**Group policy mapping**:
@ -84,7 +92,7 @@ Note that there may be security implications of exposing host audio input to the
<!-- AllowClipboardRedirection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later <br> ✅ Windows 10, version 20H2 [10.0.19042.4950] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.4950] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- AllowClipboardRedirection-Applicability-End -->
<!-- AllowClipboardRedirection-OmaUri-Begin -->
@ -117,10 +125,18 @@ This policy setting enables or disables clipboard sharing with the sandbox.
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
<!-- AllowClipboardRedirection-DFProperties-End -->
<!-- AllowClipboardRedirection-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Not allowed. |
| 1 (Default) | Allowed. |
<!-- AllowClipboardRedirection-AllowedValues-End -->
<!-- AllowClipboardRedirection-GpMapping-Begin -->
**Group policy mapping**:
@ -182,10 +198,18 @@ Note that there may be security implications of exposing folders from the host i
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
<!-- AllowMappedFolders-DFProperties-End -->
<!-- AllowMappedFolders-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Not allowed. |
| 1 (Default) | Allowed. |
<!-- AllowMappedFolders-AllowedValues-End -->
<!-- AllowMappedFolders-GpMapping-Begin -->
**Group policy mapping**:
@ -212,7 +236,7 @@ Note that there may be security implications of exposing folders from the host i
<!-- AllowNetworking-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later <br> ✅ Windows 10, version 20H2 [10.0.19042.4950] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.4950] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- AllowNetworking-Applicability-End -->
<!-- AllowNetworking-OmaUri-Begin -->
@ -247,10 +271,18 @@ Note that enabling networking can expose untrusted applications to the internal
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
<!-- AllowNetworking-DFProperties-End -->
<!-- AllowNetworking-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Not allowed. |
| 1 (Default) | Allowed. |
<!-- AllowNetworking-AllowedValues-End -->
<!-- AllowNetworking-GpMapping-Begin -->
**Group policy mapping**:
@ -277,7 +309,7 @@ Note that enabling networking can expose untrusted applications to the internal
<!-- AllowPrinterRedirection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later <br> ✅ Windows 10, version 20H2 [10.0.19042.4950] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.4950] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- AllowPrinterRedirection-Applicability-End -->
<!-- AllowPrinterRedirection-OmaUri-Begin -->
@ -310,10 +342,18 @@ This policy setting enables or disables printer sharing from the host into the S
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
<!-- AllowPrinterRedirection-DFProperties-End -->
<!-- AllowPrinterRedirection-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Not allowed. |
| 1 (Default) | Allowed. |
<!-- AllowPrinterRedirection-AllowedValues-End -->
<!-- AllowPrinterRedirection-GpMapping-Begin -->
**Group policy mapping**:
@ -340,7 +380,7 @@ This policy setting enables or disables printer sharing from the host into the S
<!-- AllowVGPU-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later <br> ✅ Windows 10, version 20H2 [10.0.19042.4950] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.4950] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- AllowVGPU-Applicability-End -->
<!-- AllowVGPU-OmaUri-Begin -->
@ -375,10 +415,18 @@ Note that enabling virtualized GPU can potentially increase the attack surface o
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
<!-- AllowVGPU-DFProperties-End -->
<!-- AllowVGPU-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Not allowed. |
| 1 (Default) | Allowed. |
<!-- AllowVGPU-AllowedValues-End -->
<!-- AllowVGPU-GpMapping-Begin -->
**Group policy mapping**:
@ -405,7 +453,7 @@ Note that enabling virtualized GPU can potentially increase the attack surface o
<!-- AllowVideoInput-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later <br> ✅ Windows 10, version 20H2 [10.0.19042.4950] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.4950] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- AllowVideoInput-Applicability-End -->
<!-- AllowVideoInput-OmaUri-Begin -->
@ -440,10 +488,18 @@ Note that there may be security implications of exposing host video input to the
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
<!-- AllowVideoInput-DFProperties-End -->
<!-- AllowVideoInput-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Not allowed. |
| 1 (Default) | Allowed. |
<!-- AllowVideoInput-AllowedValues-End -->
<!-- AllowVideoInput-GpMapping-Begin -->
**Group policy mapping**:
@ -505,11 +561,19 @@ Note that there may be security implications of exposing folders from the host i
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
| Dependency [WindowsSandbox_AllowWriteToMappedFolders_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowMappedFolders` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- AllowWriteToMappedFolders-DFProperties-End -->
<!-- AllowWriteToMappedFolders-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Not allowed. |
| 1 (Default) | Allowed. |
<!-- AllowWriteToMappedFolders-AllowedValues-End -->
<!-- AllowWriteToMappedFolders-GpMapping-Begin -->
**Group policy mapping**:

4
windows/client-management/mdm/supl-csp.md
View File

@ -1,7 +1,7 @@
---
title: SUPL CSP
description: Learn more about the SUPL CSP.
ms.date: 01/18/2024
ms.date: 11/27/2024
---
<!-- Auto-Generated CSP Document -->
@ -289,7 +289,7 @@ Required. The AppID for SUPL is automatically set to "ap0004". This is a read-on
<!-- Device-SUPL1-Ext-Microsoft-FullVersion-Description-Begin -->
<!-- Description-Source-DDF -->
Optional. Determines the full version (X. Y. Z where X, Y and Z are major version, minor version, service indicator, respectively) of the SUPL protocol to use. The default is 1.0.0. If FullVersion is defined, Version field is ignored.
Optional. Determines the full version (`X.Y.Z` where X, Y and Z are major version, minor version, service indicator, respectively) of the SUPL protocol to use. The default is 1.0.0. If FullVersion is defined, Version field is ignored.
<!-- Device-SUPL1-Ext-Microsoft-FullVersion-Description-End -->
<!-- Device-SUPL1-Ext-Microsoft-FullVersion-Editable-Begin -->

4
windows/client-management/mdm/toc.yml
View File

@ -837,10 +837,10 @@ items:
items:
- name: PassportForWork DDF file
href: passportforwork-ddf.md
- name: PDE
- name: Personal Data Encryption
href: personaldataencryption-csp.md
items:
- name: PDE DDF file
- name: Personal Data Encryption DDF file
href: personaldataencryption-ddf-file.md
- name: Personalization
href: personalization-csp.md

190
windows/client-management/recall-sensitive-information-filtering.md Normal file
View File

@ -0,0 +1,190 @@
---
title: Sensitive information filtering in Recall
description: Learn about the types of potentially sensitive information Recall detects.
ms.topic: reference
ms.subservice: windows-copilot
ms.date: 11/22/2024
ms.author: mstewart
author: mestew
ms.collection:
- windows-copilot
- magic-ai-copilot
appliesto:
- ✅ <a href="https://www.microsoft.com/windows/business/devices/copilot-plus-pcs#copilot-plus-pcs" target="_blank">Copilot+ PCs</a>
---
# Reference for sensitive information filtering in Recall
This article provides information about the types of potentially sensitive information that [Recall](manage-recall.md) detects when the **Sensitive Information Filtering** setting is enabled.
## Types of potentially sensitive information
Types of potentially sensitive information that Recall detects and filters include:
ABA Routing Number </br>
Argentina National Identity (DNI) Number </br>
Argentina Unique Tax Identification Key (CUIT/CUIL) </br>
Australia Bank Account Number </br>
Australia Drivers License Number </br>
Australia Tax File Number </br>
Austria Driver's License Number </br>
Austria Identity Card </br>
Austria Social Security Number </br>
Austria Tax Identification Number </br>
Austria Value Added Tax </br>
Azure Document DB Auth Key </br>
Azure IAAS Database Connection String and Azure SQL Connection String </br>
Azure IoT Connection String </br>
Azure Redis Cache Connection String </br>
Azure SAS </br>
Azure Secrets (Generic) </br>
Azure Service Bus Connection String </br>
Azure Storage Account Key </br>
Belgium Driver's License Number </br>
Belgium National Number </br>
Belgium Value Added Tax Number </br>
Brazil CPF Number </br>
Brazil Legal Entity Number (CNPJ) </br>
Brazil National ID Card (RG) </br>
Bulgaria Driver's License Number </br>
Bulgaria Uniform Civil Number </br>
Canada Bank Account Number </br>
Canada Driver's License Number </br>
Canada Social Insurance Number </br>
Chile Identity Card Number </br>
China Resident Identity Card (PRC) Number </br>
Colombia National ID </br>
Credit Card Number </br>
Croatia Driver's License Number </br>
Croatia Identity Card Number </br>
Croatia Personal Identification (OIB) Number </br>
Cyprus Driver's License Number </br>
Cyprus Identity Card </br>
Cyprus Tax Identification Number </br>
Czech Driver's License Number </br>
Czech Personal Identity Number </br>
DEA Number </br>
Denmark Driver's License Number </br>
Denmark Personal Identification Number </br>
Ecuador Unique Identification Number </br>
Estonia Driver's License Number </br>
Estonia Personal Identification Code </br>
EU Debit Card Number </br>
EU Driver's License Number </br>
EU National Id Card </br>
EU SSN or Equivalent Number </br>
EU Tax File Number </br>
Finland Driver's License Number </br>
Finnish National ID </br>
France CNI </br>
France Driver's License Number </br>
France INSEE </br>
France Tax Identification Number (numéro SPI.) </br>
France Value Added Tax Number </br>
General Password </br>
German Driver's License Number </br>
Germany Identity Card Number </br>
Germany Tax Identification Number </br>
Germany Value Added Tax Number </br>
Greece Driver's License Number </br>
Greece National ID Card </br>
Greece Social Security Number (AMKA) </br>
Greek Tax Identification Number </br>
Hong Kong Identity Card (HKID) number </br>
Hungarian Social Security Number (TAJ) </br>
Hungarian Value Added Tax Number </br>
Hungary Driver's License Number </br>
Hungary Personal Identification Number </br>
Hungary Tax Identification Number </br>
IBAN </br>
India Driver's License Number </br>
India GST number </br>
India Permanent Account Number </br>
India Unique Identification (Aadhaar) number </br>
India Voter Id Card </br>
Indonesia Drivers License Number </br>
Indonesia Identity Card (KTP) Number </br>
Ireland Driver's License Number </br>
Ireland Personal Public Service (PPS) Number </br>
Israel Bank Account Number </br>
Israel National ID Number </br>
Italy Driver's license Number </br>
Italy Fiscal Code </br>
Italy Value Added Tax </br>
Japan Bank Account Number </br>
Japan Driver's License Number </br>
Japan Residence Card Number </br>
Japan Resident Registration Number </br>
Japan Social Insurance Number </br>
Japanese My Number Corporate </br>
Japanese My Number Personal </br>
Latvia Driver's License Number </br>
Latvia Personal Code </br>
Lithuania Driver's License Number </br>
Lithuania Personal Code </br>
Luxembourg Driver's License Number </br>
Luxembourg National Identification Number (Natural persons) </br>
Luxembourg National Identification Number (Non-natural persons) </br>
Malaysia ID Card Number </br>
Malta Driver's License Number </br>
Malta Identity Card Number </br>
Malta Tax ID Number </br>
Mexico Unique Population Registry Code (CURP) </br>
Netherlands Citizen's Service (BSN) Number </br>
Netherlands Driver's License Number </br>
Netherlands Tax Identification Number </br>
Netherlands Value Added Tax Number </br>
New Zealand Bank Account Number </br>
New Zealand Driver License Number </br>
New Zealand Inland Revenue Number </br>
Newzealand Social Welfare Number </br>
Norway Identification Number </br>
Philippines National ID </br>
Philippines Passport Number </br>
Philippines Unified Multi-Purpose ID number </br>
Poland Driver's License Number </br>
Poland Identity Card </br>
Poland National ID (PESEL) </br>
Poland Tax Identification Number </br>
Polish REGON Number </br>
Portugal Citizen Card Number </br>
Portugal Driver's License Number </br>
Portugal Tax Identification Number </br>
Qatari ID Card Number </br>
Romania Driver's License Number </br>
Romania Personal Numerical Code (CNP) </br>
Saudi Arabia National ID </br>
Singapore Driving License Number </br>
Singapore National Registration Identity Card (NRIC) Number </br>
Slovakia Driver's License Number </br>
Slovakia Personal Number </br>
Slovenia Driver's License Number </br>
Slovenia Tax Identification Number </br>
Slovenia Unique Master Citizen Number </br>
South Africa Identification Number </br>
South Korea Driver's License Number </br>
South Korea Resident Registration Number </br>
Spain DNI </br>
Spain Driver's License Number </br>
Spain SSN </br>
Spain Tax Identification Number </br>
Sweden Driver's License Number </br>
Sweden National ID </br>
Sweden Tax Identification Number </br>
SWIFT Code </br>
Swiss SSN AHV Number </br>
Taiwan Resident Certificate (ARC/TARC) </br>
Taiwanese National ID </br>
Thai Citizen ID </br>
Turkish National Identity </br>
U.K. Driver's License Number </br>
U.K. Electoral Number </br>
U.K. NHS Number </br>
U.K. NINO </br>
U.K. Unique Taxpayer Reference Number </br>
U.S. Bank Account Number </br>
U.S. Driver's License Number </br>
U.S. Individual Taxpayer Identification Number (ITIN) </br>
U.S. Social Security Number </br>
UAE Identity Card Number </br>

2
windows/client-management/toc.yml
View File

@ -52,6 +52,8 @@ items:
href: manage-windows-copilot.md
- name: Manage Recall
href: manage-recall.md
- name: Reference for sensitive information filtering in Recall
href: recall-sensitive-information-filtering.md
- name: Secured-Core PC Configuration Lock
href: config-lock.md
- name: Certificate renewal

2
windows/configuration/cellular/provisioning-apn.md
View File

@ -2,7 +2,7 @@
title: Configure cellular settings
description: Learn how to provision cellular settings for devices with built-in modems or plug-in USB modem dongles.
ms.topic: concept-article
ms.date: 04/23/2024
ms.date: 12/05/2024
---
# Configure cellular settings

2
windows/configuration/index.yml
View File

@ -11,7 +11,7 @@ metadata:
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.date: 04/25/2024
ms.date: 12/05/2024
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new

4
windows/configuration/start/index.md
View File

@ -1,8 +1,8 @@
---
title: Configure the Start menu
title: Configure The Windows Start Menu With Policy Settings
description: Learn how to configure the Windows Start menu to provide quick access to the tools and applications that users need most.
ms.topic: overview
ms.date: 04/10/2024
ms.date: 12/02/2024
zone_pivot_groups: windows-versions-11-10
ms.collection:
- essentials-manage

4
windows/configuration/start/layout.md
View File

@ -1,8 +1,8 @@
---
title: Customize the Start layout
title: Customize The Start Layout For Managed Windows Devices
description: Learn how to customize the Windows Start layout, export its configuration, and deploy the customization to other devices.
ms.topic: how-to
ms.date: 04/10/2024
ms.date: 12/02/2024
zone_pivot_groups: windows-versions-11-10
appliesto:
---

2
windows/configuration/start/xsd.md
View File

@ -2,7 +2,7 @@
title: Start XML Schema Definition (XSD)
description: Start XSD reference article.
ms.topic: reference
ms.date: 04/10/2024
ms.date: 12/02/2024
appliesto:
- ✅ <a href=/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
---

4
windows/configuration/store/index.md
View File

@ -1,8 +1,8 @@
---
title: Configure access to the Microsoft Store app
title: Configure Access To The Microsoft Store App For Windows Devices
description: Learn how to configure access to the Microsoft Store app.
ms.topic: how-to
ms.date: 03/13/2024
ms.date: 12/02/2024
---
# Configure access to the Microsoft Store app

2
windows/configuration/taskbar/xsd.md
View File

@ -2,7 +2,7 @@
title: Windows Taskbar XML Schema Definition (XSD)
description: Reference article about the Taskbar XML schema definition (XSD).
ms.topic: reference
ms.date: 11/07/2024
ms.date: 11/11/2024
---
# Taskbar XML Schema Definition (XSD)

2
windows/configuration/windows-spotlight/index.md
View File

@ -2,7 +2,7 @@
title: Configure Windows spotlight
description: Learn how to configure Windows spotlight using Group Policy and mobile device management (MDM) settings.
ms.topic: how-to
ms.date: 04/23/2024
ms.date: 12/05/2024
ms.author: paoloma
author: paolomatarazzo
appliesto:

8
windows/deployment/do/mcc-ent-deploy-to-linux.md
View File

@ -26,6 +26,10 @@ Before deploying Connected Cache to a Linux host machine, ensure that the host m
1. Within the Azure portal, navigate to the **Provisioning** tab of your cache node and copy the provisioning command.
1. Download the provisioning package using the option at the top of the Cache Node Configuration page and extract the package onto the host machine.
1. Open a command line window *as administrator* on the host machine, then change directory to the extracted provisioning package.
>[!Note]
>* If you are deploying your cache node to a Linux host machine that uses a TLS-inspecting proxy (e.g. ZScaler), ensure that you've [configured the proxy settings](mcc-ent-create-resource-and-cache.md#proxy-settings) for your cache node, then place the proxy certificate file (.pem) in the extracted provisioning package directory and add `proxyTlsCertificatePath="/path/to/pem/file"` to the provisioning command.
1. Set access permissions to allow the `provisionmcc.sh` script within the provisioning package directory to execute.
1. Run the provisioning command on the host machine.
@ -42,6 +46,10 @@ To deploy a cache node programmatically, you'll need to use Azure CLI to get the
1. Save the resulting output. These values will be passed as parameters within the provisioning command.
1. Download and extract the [Connected Cache provisioning package for Linux](https://aka.ms/MCC-Ent-InstallScript-Linux) to your host machine.
1. Open a command line window *as administrator* on the host machine, then change directory to the extracted provisioning package.
>[!Note]
>* If you are deploying your cache node to a host machine that uses a TLS-inspecting proxy (e.g. ZScaler), ensure that you've [configured the proxy settings](mcc-ent-create-resource-and-cache.md#proxy-settings) for your cache node, then place the proxy certificate file (.pem) in the extracted provisioning package directory and add `proxyTlsCertificatePath="/path/to/pem/file"` to the provisioning command.
1. Set access permissions to allow the `provisionmcc.sh` script within the provisioning package directory to execute.
1. Replace the values in the following provisioning command before running it on the host machine.

42
windows/deployment/do/mcc-ent-deploy-to-windows.md
View File

@ -17,7 +17,7 @@ appliesto:
This article describes how to deploy Microsoft Connected Cache for Enterprise and Education caching software to a Windows host machine.
Deploying Connected Cache to a Windows host machine requires designating a [Group Managed Service Account (gMSA)](/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts) or a [Local User Account](https://support.microsoft.com/windows/create-a-local-user-or-administrator-account-in-windows-20de74e0-ac7f-3502-a866-32915af2a34d) as the Connected Cache runtime account. This prevents tampering with the Connected Cache container and the cached content on the host machine.
Deploying Connected Cache to a Windows host machine requires designating a [Group Managed Service Account (gMSA)](/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts) or a [local user account](https://support.microsoft.com/topic/20de74e0-ac7f-3502-a866-32915af2a34d) as the Connected Cache runtime account. This prevents tampering with the Connected Cache container and the cached content on the host machine.
Before deploying Connected Cache to a Windows host machine, ensure that the host machine meets all [requirements](mcc-ent-prerequisites.md), and that you have [created and configured your Connected Cache Azure resource](mcc-ent-create-resource-and-cache.md).
@ -26,14 +26,25 @@ Before deploying Connected Cache to a Windows host machine, ensure that the host
# [Azure portal](#tab/portal)
1. Within the Azure portal, navigate to the **Provisioning** tab of your cache node and copy the provisioning command.
1. Download the provisioning package using the option at the top of the Cache Node Configuration page and extract the package onto the host machine. **Note**: The installer should be in a folder that isn't synced to OneDrive, as this will interfere with the installation process.
1. Download the provisioning package using the option at the top of the Cache Node Configuration page and extract the archive onto the host machine.
>[!Note]
>* The provisioning package should be extracted to a directory that isn't synced to OneDrive, as the sychronization process will interfere with the installation. It is recommended to extract the provisioning package to the root directory of the host machine (e.g. C:\mccInstaller)
1. Open a PowerShell window *as administrator* on the host machine, then change directory to the extracted provisioning package.
>[!Note]
>* If you are deploying your cache node to a Windows host machine that uses a TLS-inspecting proxy (e.g. ZScaler), ensure that you've [configured the proxy settings](mcc-ent-create-resource-and-cache.md#proxy-settings) for your cache node, then place the proxy certificate file (.pem) in the extracted provisioning package directory and add `-proxyTlsCertificatePemFileName "mycert.pem"` to the provisioning command.
1. Set the Execution Policy to *Unrestricted* to allow the provisioning scripts to run.
1. Create a `$User` environment variable containing the username of the account you intend to designate as the Connected Cache runtime account.
1. Create a `$User` PowerShell variable containing the username of the account you intend to designate as the Connected Cache runtime account.
For gMSAs, the value should be formatted as `"Domain\Username$"`. For Local User accounts, `$User` should be formatted as `"LocalMachineName\Username"`.
For gMSAs, the `$User` PowerShell variable should be formatted as `"Domain\Username$"`. For local user accounts, `$User` PowerShell variable should be formatted as `"LocalMachineName\Username"`.
If you're using a Local User account as the Connected Cache runtime account, you'll also need to create a [PSCredential Object](/dotnet/api/system.management.automation.pscredential) named `$myLocalAccountCredential`. **Note**: You'll need to apply a local security policy to permit the Local User account to `Log on as a batch job`.
If you're using a local user account as the Connected Cache runtime account, you'll also need to create a [PSCredential Object](/dotnet/api/system.management.automation.pscredential) named `$myLocalAccountCredential`.
>[!Note]
>* You'll need to apply a local security policy to permit the local user account to `Log on as a batch job`.
1. Run the provisioning command on the host machine.
@ -48,16 +59,27 @@ To deploy a cache node programmatically, you'll need to use Azure CLI to get the
```
1. Save the resulting output. These values will be passed as parameters within the provisioning command.
1. Download and extract the [Connected Cache provisioning package for Windows](https://aka.ms/MCC-Ent-InstallScript-WSL) to your host machine. **Note**: The installer should be in a folder that isn't synced to OneDrive, as this will interfere with the installation process.
1. Download and extract the [Connected Cache provisioning package for Windows](https://aka.ms/MCC-Ent-InstallScript-WSL) to your host machine.
>[!Note]
>* The provisioning package should be extracted to a directory that isn't synced to OneDrive, as the sychronization process will interfere with the installation. It is recommended to extract the provisioning package to the root directory of the host machine (e.g. C:\mccInstaller)
1. Open a PowerShell window *as administrator* on the host machine, then change directory to the extracted provisioning package.
>[!Note]
>* If you are deploying your cache node to a host machine that uses a TLS-inspecting proxy (e.g. ZScaler), ensure that you've [configured the proxy settings](mcc-ent-create-resource-and-cache.md#proxy-settings) for your cache node, then place the proxy certificate file (.pem) in the extracted provisioning package directory and add `-proxyTlsCertificatePath "path/to/pem/file"` to the provisioning command.
1. Set the Execution Policy to *Unrestricted* to allow the provisioning scripts to run.
1. Create a `$User` environment variable containing the username of the account you intend to designate as the Connected Cache runtime account.
1. Create a `$User` PowerShell variable containing the username of the account you intend to designate as the Connected Cache runtime account.
For gMSAs, the value should be formatted as `"Domain\Username$"`. For Local User accounts, `$User` should be formatted as `"LocalMachineName\Username"`.
For gMSAs, the `$User` PowerShell variable should be formatted as `"Domain\Username$"`. For local user accounts, the `$User` PowerShell variable should be formatted as `"LocalMachineName\Username"`.
If you're using a Local User account as the Connected Cache runtime account, you'll also need to create a [PSCredential Object](/dotnet/api/system.management.automation.pscredential) named `$myLocalAccountCredential`. **Note**: You'll need to apply a local security policy to permit the Local User account to `Log on as a batch job`.
If you're using a local user account as the Connected Cache runtime account, you'll also need to create a [PSCredential Object](/dotnet/api/system.management.automation.pscredential) named `$myLocalAccountCredential`.
1. Replace the values in the following provisioning command before running it on the host machine. **Note**: `-mccLocalAccountCredential $myLocalAccountCredential` is only needed if you're using a Local User account as the Connected Cache runtime account.
>[!Note]
>* You'll need to apply a local security policy to permit the local user account to `Log on as a batch job`.
1. Replace the values in the following provisioning command before running it on the host machine.
```powershell-interactive
./provisionmcconwsl.ps1 -installationFolder c:\mccwsl01 -customerid [enter mccResourceId here] -cachenodeid [enter cacheNodeId here] -customerkey [enter customerKey here] -registrationkey [enter registration key] -cacheDrives "/var/mcc,enter drive size" -shouldUseProxy [enter true if present, enter false if not] -proxyurl "http://[enter proxy host name]:[enter port]" -mccRunTimeAccount $User -mccLocalAccountCredential $myLocalAccountCredential

32
windows/deployment/do/mcc-ent-monitoring.md
View File

@ -18,25 +18,25 @@ ms.date: 10/30/2024
Tracking the status and performance of your Connected Cache node is essential to making sure you're getting the most out of the service.
For basic monitoring, navigate to the **Overview** tab. Here you'll be able to view a collection of predefined metrics and charts. All the monitoring in this section will function right after your Connected Cache node has been deployed.
For basic monitoring, navigate to the **Overview** tab. Here you can view a collection of predefined metrics and charts. All the monitoring in this section will function right after your Connected Cache node has been deployed. You can view more details about each cache node by navigating to the **Cache Nodes** section under the **Cache Node Management** tab. This page displays cache node information such as Status, Host machine OS, Software Version, and Cache Node ID.
For advanced monitoring, navigate to the **Metrics** section under the **Monitoring** tab. Here you'll be able to access more sampled metrics (hits, misses, inbound traffic) and specify different aggregations (count, avg, min, max, sum). You can then use this data to create customized charts and configure alerts.
For advanced monitoring, navigate to the **Metrics** section under the **Monitoring** tab. Here you can access more sampled metrics (hits, misses, inbound traffic) and specify different aggregations (count, avg, min, max, sum). You can then use this data to create customized charts and configure alerts.
Between the two monitoring sections, you'll be able to gather essential insights into the health, performance, and efficiency of your Connected Cache nodes.
Using the two monitoring sections, you can gather essential insights into the health, performance, and efficiency of your Connected Cache nodes.
## Basic Monitoring
### Cache node summary
Below are the metrics you'll find in the **Cache Node Summary** dashboard, along with their descriptions. This dashboard only reflects data received from cache nodes in the last 24 hours.
Below are the metrics found in the **Cache Node Summary** dashboard, along with their descriptions. This dashboard only reflects data received from cache nodes in the last 24 hours.
![Screenshot of cache node summary in the Azure portal interface.](../images/mcc-ent-cache-node-summary.png)
| Metric | Description |
| --- | --- |
| Healthy nodes | Your Connected Cache node will periodically send heartbeat messages to the Connected Cache service. If the Connected Cache service has received a heartbeat message from your Connected Cache node in the last 24 hours, the node will be labeled as healthy. |
| Unhealthy nodes | If the Connected Cache service hasn't received a heartbeat message from your Connected Cache node in the last 24 hours, the node will be labeled as unhealthy. |
| Max in | The maximum ingress in Megabits per second (Mbps) that your node has pulled from CDN endpoints in the last 24 hours. |
| Healthy nodes | Your Connected Cache node will periodically send heartbeat messages to the Connected Cache service. If the Connected Cache service has received a heartbeat message from your Connected Cache node in the last 24 hours, the node is labeled as healthy. |
| Unhealthy nodes | If the Connected Cache service hasn't received a heartbeat message from your Connected Cache node in the last 24 hours, the node is labeled as unhealthy. |
| Max in | The maximum ingress in Megabits per second (Mbps) that your node has pulled from Content Delivery Network (CDN) endpoints in the last 24 hours. |
| Max out | The minimum egress in Mbps that your node has sent to Windows devices in its network over the last 24 hours. |
| Average in | The average ingress in Mbps that your node has pulled from CDN endpoints in the last 24 hours. |
| Average out | The average egress in Mbps that your node has sent to Windows devices in its network over the last 24 hours. |
@ -65,6 +65,20 @@ This chart displays the volume of each supported content type in bytes (B) that
The content types displayed in the chart each have a distinct color and are sorted in descending order of volume. The bar chart is stacked such that you can visually compare total volume being delivered at different points in time.
### Cache node details
The **Cache Nodes** section under the **Cache Node Management** tab displays cache node information such as Status, Host machine OS, Software Version, and Cache Node ID.
![Screenshot of cache node details in the Azure portal interface.](../images/mcc-ent-cache-node-details.png)
| Metric | Description |
| --- | --- |
| Cache node name | The user-defined name of the cache node. |
| Status | The heartbeat status of the cache node. |
| OS | The host machine OS that this cache node is compatible with. |
| Software version | The version number of the cache node's Connected Cache container. |
| Cache node ID | The unique identifier of the cache node. |
## Advanced Monitoring
To expand upon the metrics shown in the Overview tab, navigate to the **Metrics** tab in the left side toolbar of Azure portal.
@ -79,13 +93,13 @@ Listed below are the metrics you can access in this section:
### Customizable Dashboards
Once you select the charts you would like to track, you can save them to a personalized dashboard. You can configure the chart title, filters, range, legend, and more. You can also use this personalized dashboard to set up alerts that will notify you if your Connected Cache node dips in performance.
Once you select the charts you would like to track, you can save them to a personalized dashboard. You can configure the chart title, filters, range, legend, and more. You can also use this personalized dashboard to set up alerts that notify you if your Connected Cache node dips in performance.
Some example scenarios where you would want to set up a custom alert:
- My Connected Cache node is being shown as unhealthy and I want to know exactly when it stopped egressing last
- A new Microsoft Word update was released last night and I want to know if my Connected Cache node is helping deliver this content to my Windows devices
## Additional Metrics
## Client-Side Metrics
Your Connected Cache node can keep track of how much content has been sent to requesting Windows devices, but the node can't track whether the content was successfully received by the device. For more information on accessing client-side data from your Windows devices, see [Monitor Delivery Optimization](waas-delivery-optimization-monitor.md).

71
windows/deployment/do/mcc-ent-troubleshooting.md
View File

@ -19,6 +19,18 @@ ms.date: 10/30/2024
This article contains instructions on how to troubleshoot different issues you may encounter while using Connected Cache. These issues are categorized by the task in which they may be encountered.
## Known issues
This section describes known issues with the latest release of Microsoft Connected Cache for Enterprise and Education. See the [Release Notes page](mcc-ent-release-notes.md) for more details on the fixes included in the latest release.
### Cache node monitoring chart in the Azure portal user interface displays incorrect information
### Script provisionmcconwsl.ps1 fails when executed on a Windows 11 host machine configured to use Japanese language
In the Connected Cache installation script (provisionmcconwsl.ps1), the check processing is executed until the value of the last execution code (Last Result) of the installation task becomes 0 in the following processing. However, in Japanese OS, the return value is null because "Last Result" is displayed, and an exception occurs.
As a temporary workaround, the above error doesn't occur by changing the language setting of the local administrator user from Japanese to English and then executing the script.
## Steps to obtain an Azure subscription ID
<!--Using include file, get-azure-subscription.md, do/mcc-isp.md for shared content-->
@ -38,7 +50,7 @@ If you're encountering a validation error, check that you have filled out all re
If your configuration doesn't appear to be taking effect, check that you have selected the **Save** option at the top of the configuration page in the Azure portal user interface.
If you have changed the proxy configuration, you will need to re-provision the Connected Cache software on the host machine for the proxy configuration to take effect.
If you have changed the proxy configuration, you'll need to re-provision the Connected Cache software on the host machine for the proxy configuration to take effect.
## Troubleshooting cache nodes created during early preview
@ -50,7 +62,7 @@ As such, we strongly recommend you [recreate your existing resources in Azure](m
### Collecting Windows-hosted installation logs
[Deploying a Connected Cache node to a Windows host machine](mcc-ent-deploy-to-windows.md) involves running a series of PowerShell scripts contained within the Windows provisioning package. These scripts will attempt to write log files to the installation directory specified in the provisioning command (`C:\mccwsl01\InstallLogs` by default).
[Deploying a Connected Cache node to a Windows host machine](mcc-ent-deploy-to-windows.md) involves running a series of PowerShell scripts contained within the Windows provisioning package. These scripts attempt to write log files to the installation directory specified in the provisioning command (`C:\mccwsl01\InstallLogs` by default).
There are three types of installation log files:
@ -60,9 +72,19 @@ There are three types of installation log files:
The Registered Task Transcript is usually the most useful for diagnosing the installation issue.
### WSL2 fails to install with message "A specified logon session does not exist"
### Collecting other Windows-hosted logs
If you are encountering this failure message when attempting to run the PowerShell command `wsl.exe --install --no-distribution` on your Windows host machine, verify that you are logged on as a local administrator and running the command from an elevated PowerShell window.
Once the cache node has been successfully installed on the Windows host machine, it will periodically write log files to the installation directory (`C:\mccwsl01\` by default).
You can expect to see the following types of log files:
1. **WSL_Mcc_Monitor_FromRegisteredTask_Transcript**: This log file records the output of the "MCC_Monitor_Task" scheduled task that is responsible for ensuring that the Connected Cache continues running.
1. **WSL_Mcc_UserUninstall_Transcript**: This log file records the output of the "uninstallmcconwsl.ps1" script that the user can run to uninstall MCC software from the host machine.
1. **WSL_Mcc_Uninstall_FromRegisteredTask_Transcript**: This log file records the output of the "MCC_Uninstall_Task" scheduled task that is responsible for uninstalling the MCC software from the host machine when called by the "uninstallmcconwsl.ps1" script.
### WSL2 fails to install with message "A specified logon session doesn't exist"
If you're encountering this failure message when attempting to run the PowerShell command `wsl.exe --install --no-distribution` on your Windows host machine, verify that you're logged on as a local administrator and running the command from an elevated PowerShell window.
### Updating the WSL2 kernel
@ -94,6 +116,20 @@ You can use Task Scheduler on the host machine to check the status of this sched
> [!Note]
> If the password of the runtime account changes, you'll need to update the user in all of the Connected Cache scheduled tasks in order for the Connected Cache node to continue functioning properly.
### Cache node successfully deployed but not serving requests
If your cache node isn't responding to requests outside of localhost, it may be because the host machine's port forwarding rules weren't correctly set during Connected Cache installation.
To check your host machine's port forwarding rules, use the following PowerShell command.
`netsh interface portproxy show v4tov4`
If you don't see any port forwarding rules for port 80 to 0.0.0.0, you can run the following command from an elevated PowerShell instance to set the proper forwarding to WSL.
`netsh interface portproxy add v4tov4 listenport=80 listenaddress=0.0.0.0 connectport=80 connectaddress=<WSL IP Address>`
You can retrieve the WSL IP Address from the `wslip.txt` file that should be present in the installation directory you specified in the Connected Cache provisioning command ("c:\mccwsl01" by default).
## Troubleshooting cache node deployment to Linux host machine
[Deploying a Connected Cache node to a Linux host machine](mcc-ent-deploy-to-linux.md) involves running a series of Bash scripts contained within the Linux provisioning package.
@ -106,6 +142,31 @@ If it shows the **edgeAgent** and **edgeHub** containers but doesn't show **MCC*
You can also reboot the IoT Edge runtime using `sudo systemctl restart iotedge`.
## Generating cache node diagnostic support bundle
You can generate a support bundle with detailed diagnostic information by running the `collectMccDiagnostics.sh` script included in the installation package.
For Windows host machines, you'll need to do the following:
1. Launch a PowerShell process as the account specified as the runtime account during the Connected Cache install
1. Change directory to the "MccScripts" directory within the extracted Connected Cache provisioning package and verify the presence of `collectmccdiagnostics.sh`
1. Run `wsl bash collectmccdiagnostics.sh` to generate the diagnostic support bundle
1. Once the script has completed, note the console output describing the location of the diagnostic support bundle
For example, "Successfully zipped package, please send file created at /etc/mccdiagnostics/support_bundle_2024_12_03__11_05_39__AM.tar.gz"
1. Run the `wsl cp` command to copy the support bundle from the location within the Ubuntu distribution to the Windows host OS
For example, `wsl cp /etc/mccdiagnostics/support_bundle_2024_12_03__11_05_39__AM.tar.gz /mnt/c/mccwsl01/SupportBundles`
For Linux host machines, you'll need to do the following:
1. Change directory to the "MccScripts" directory within the extracted Connected Cache provisioning package and verify the presence of `collectmccdiagnostics.sh`
1. Run `collectmccdiagnostics.sh` to generate the diagnostic support bundle
1. Once the script has completed, note the console output describing the location of the diagnostic support bundle
For example, "Successfully zipped package, please send file created at /etc/mccdiagnostics/support_bundle_2024_12_03__11_05_39__AM.tar.gz"
## Troubleshooting cache node monitoring
Connected Cache node status and performance can be [monitored using the Azure portal user interface](mcc-ent-monitoring.md).
@ -116,4 +177,4 @@ If the issue persists, check that you have configured the Timespan and Cache nod
## Diagnose and Solve
You can also use the **Diagnose and solve problems** functionality provided by the Azure portal interface. This tab within the Microsoft Connected Cache Azure resource will walk you through a few prompts to help narrow down the solution to your issue.
You can also use the **Diagnose and solve problems** functionality provided by the Azure portal interface. This tab within the Microsoft Connected Cache Azure resource walks you through a few prompts to help narrow down the solution to your issue.

BIN
windows/deployment/images/mcc-ent-cache-node-details.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

24
windows/deployment/mbr-to-gpt.md
View File

@ -4,7 +4,7 @@ description: Use MBR2GPT.EXE to convert a disk from the Master Boot Record (MBR)
ms.service: windows-client
author: frankroj
ms.author: frankroj
ms.date: 11/16/2023
ms.date: 11/26/2024
manager: aaroncz
ms.localizationpriority: high
ms.topic: how-to
@ -29,10 +29,10 @@ See the following video for a detailed description and demonstration of MBR2GPT.
> [!VIDEO https://www.youtube-nocookie.com/embed/hfJep4hmg9o]
You can use MBR2GPT to:
MBR2GPT can be used to:
- Convert any attached MBR-formatted system disk to the GPT partition format. You can't use the tool to convert non-system disks from MBR to GPT.
- Convert an MBR disk with BitLocker-encrypted volumes as long as protection is suspended. To resume BitLocker after conversion, you'll need to delete the existing protectors and recreate them.
- Convert any attached MBR-formatted system disk to the GPT partition format. The tool can't be used to convert non-system disks from MBR to GPT.
- Convert an MBR disk with BitLocker-encrypted volumes as long as protection is suspended. To resume BitLocker after conversion, the existing protectors need to be deleted and then recreated.
- Convert an operating system disk from MBR to GPT using Microsoft Configuration Manager or Microsoft Deployment Toolkit (MDT).
Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 aren't officially supported. The recommended method to convert these disks is to upgrade the operating system to a currently supported version of Windows, then perform the MBR to GPT conversion.
@ -41,7 +41,7 @@ Offline conversion of system disks with earlier versions of Windows installed, s
>
> After the disk has been converted to GPT partition style, the firmware must be reconfigured to boot in UEFI mode.
>
> Make sure that your device supports UEFI before attempting to convert the disk.
> Make sure the device supports UEFI before attempting to convert the disk.
## Disk Prerequisites
@ -93,7 +93,7 @@ MBR2GPT: Validation completed successfully
In the following example:
1. The current disk partition layout is displayed prior to conversion using DiskPart - three partitions are present on the MBR disk (disk 0):
1. Using DiskPart the current disk partition layout is displayed before the conversion. Three partitions are present on the MBR disk (disk 0):
- A system reserved partition.
- A Windows partition.
@ -110,7 +110,7 @@ In the following example:
1. The OS volume is selected again. The detail displays that the OS volume is converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type.
As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition boots properly.
As noted in the output from the MBR2GPT tool, changes to the computer firmware need to be made so that the new EFI system partition boots properly.
<br>
<details>
@ -267,7 +267,7 @@ If the existing MBR system partition isn't reused for the EFI system partition,
> [!IMPORTANT]
>
> If the existing MBR system partition is not reused for the EFI system partition, it might be assigned a drive letter. If you do not wish to use this small partition, you must manually hide the drive letter.
> If the existing MBR system partition isn't reused for the EFI system partition, it might be assigned a drive letter. If this small partition isn't going to be used, its drive letter must be manually hidden.
### Partition type mapping and partition attributes
@ -290,11 +290,11 @@ For more information about partition types, see:
### Persisting drive letter assignments
The conversion tool attempts to remap all drive letter assignment information contained in the registry that corresponds to the volumes of the converted disk. If a drive letter assignment can't be restored, an error is displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter.
The conversion tool attempts to remap all drive letter assignment information contained in the registry that corresponds to the volumes of the converted disk. If a drive letter assignment can't be restored, an error is displayed at the console and in the log, so that correct assignment of the drive letter can be manually performed.
> [!IMPORTANT]
>
> This code runs after the layout conversion has taken place, so the operation cannot be undone at this stage.
> This code runs after the layout conversion takes place, so the operation can't be undone at this stage.
The conversion tool will obtain volume unique ID data before and after the layout conversion, organizing this information into a lookup table. It then iterates through all the entries in **HKLM\SYSTEM\MountedDevices**, and for each entry it does the following:
@ -398,7 +398,7 @@ The partition type can be determined in one of three ways:
#### Windows PowerShell
You can enter the following command at a Windows PowerShell prompt to display the disk number and partition type:
The following command can be entered at a Windows PowerShell prompt to display the disk number and partition type:
```powershell
Get-Disk | ft -Auto
@ -417,7 +417,7 @@ Number Friendly Name Serial Number HealthStatus OperationalStatus To
#### Disk Management tool
You can view the partition type of a disk by using the Disk Management tool:
The partition type of a disk can be viewed by using the Disk Management tool:
1. Right-click on the Start Menu and select **Disk Management**. Alternatively, right-click on the Start Menu and select **Run**. In the **Run** dialog box that appears, enter `diskmgmt.msc` and then select **OK**.

10
windows/deployment/update/optional-content.md
View File

@ -70,9 +70,9 @@ Most commercial organizations understand the pain points outlined above, and dis
Windows Update for Business solves the optional content problem. Optional content is published and available for acquisition by Windows Setup from a nearby Microsoft content delivery network and acquired using the Unified Update Platform. Optional content migration and acquisition scenarios just work when the device is connected to an update service that uses the Unified Update Platform, such as Windows Update or Windows Update for Business. If for some reason a language pack fails to install during the update, the update will automatically roll back.
The [Unified Update Platform](https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup/) is an improvement in the underlying Windows update technology that results in smaller download sizes and a more efficient protocol for checking for updates, acquiring and installing the packages needed, and getting current in one update step. The technology is *unified* because it brings together the update stack for Windows client, Windows Server, and other products, such as HoloLens.
The [Unified Update Platform](https://blogs.windows.com/windows-insider/2016/11/03/introducing-unified-update-platform-uup/) is an improvement in the underlying Windows update technology that results in smaller download sizes and a more efficient protocol for checking for updates, acquiring and installing the packages needed, and getting current in one update step. The technology is *unified* because it brings together the update stack for Windows client, Windows Server, and other products, such as HoloLens.
Consider moving to Windows Update for Business. Not only will the optional content scenario work seamlessly (as it does for consumer devices today), but you also get the full benefits of smaller download sizes. Further, devices are immune to the challenge of upgrading Windows when the operating system installation language is inadvertently changed to a new language. Otherwise, any future media-based feature updates can fail when the installation media has a different installation language. For more information about this issue, see [Upgrading Windows 10 devices with installation media different than the original OS install language](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/upgrading-windows-10-devices-with-installation-media-different/ba-p/746126) and the [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002).
Consider moving to Windows Update for Business. Not only will the optional content scenario work seamlessly (as it does for consumer devices today), but you also get the full benefits of smaller download sizes. Further, devices are immune to the challenge of upgrading Windows when the operating system installation language is inadvertently changed to a new language. Otherwise, any future media-based feature updates can fail when the installation media has a different installation language. For more information about this issue, see [Upgrading Windows 10 devices with installation media different than the original OS install language](https://techcommunity.microsoft.com/blog/windows-itpro-blog/upgrading-windows-10-devices-with-installation-media-different-than-the-original/746126).
### Option 2: Use WSUS with UUP Integration
@ -115,7 +115,7 @@ You can customize the Windows image in these ways:
- Adding or removing languages
- Adding or removing Features on Demand
The benefit of this option is that the Windows image can include those additional languages, language experience features, and other Features on Demand through one-time updates to the image. Then you can use them in an existing task sequence or custom deployment where `Setup.exe` is involved. The downside of this approach is that it requires some preparation of the image in advance, including scripting with DISM to install the additional packages. It also means the image is the same for all devices that consume it and might contain more features than some users need. For more information on customizing your media, see [Updating Windows 10 media with Dynamic Update packages](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/updating-windows-10-media-with-dynamic-update-packages/ba-p/982477) and the [Ignite 2019 theater session THR3073](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR3073). Also like Dynamic Update, you still have a solution for migration of optional content, but not supporting user-initiated optional content acquisition. Also, there's a variation of this option in which media is updated *on the device* just before installation. This option allows for device-specific image customization based on what's currently installed.
The benefit of this option is that the Windows image can include those additional languages, language experience features, and other Features on Demand through one-time updates to the image. Then you can use them in an existing task sequence or custom deployment where `Setup.exe` is involved. The downside of this approach is that it requires some preparation of the image in advance, including scripting with DISM to install the additional packages. It also means the image is the same for all devices that consume it and might contain more features than some users need. For more information on customizing your media, see [Updating Windows 10 media with Dynamic Update packages](https://techcommunity.microsoft.com/blog/windows-itpro-blog/updating-windows-10-media-with-dynamic-update-packages/982477). Also like Dynamic Update, you still have a solution for migration of optional content, but not supporting user-initiated optional content acquisition. Also, there's a variation of this option in which media is updated *on the device* just before installation. This option allows for device-specific image customization based on what's currently installed.
### Option 5: Install language features during deployment
@ -151,11 +151,9 @@ For more information about the Unified Update Platform and the approaches outlin
- [/DynamicUpdate](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate)
- [Configure a Windows Repair Source](/windows-hardware/manufacture/desktop/configure-a-windows-repair-source)
- [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions)
- [Unified Update Platform](https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup/)
- [Unified Update Platform](https://blogs.windows.com/windows-insider/2016/11/03/introducing-unified-update-platform-uup/)
- [Updating Windows installation media with Dynamic Update packages](media-dynamic-update.md)
- [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview)
- [Ignite 2019 theater session THR3073](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR3073)
- [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002)
## Sample scripts

4
windows/deployment/windows-autopatch/TOC.yml
View File

@ -68,6 +68,8 @@
href: manage/windows-autopatch-windows-update-policies.md
- name: Programmatic controls for expedited Windows quality updates
href: manage/windows-autopatch-windows-quality-update-programmatic-controls.md
- name: Hotpatch updates
href: manage/windows-autopatch-hotpatch-updates.md
- name: Driver and firmware updates
href: manage/windows-autopatch-manage-driver-and-firmware-updates.md
items:
@ -116,6 +118,8 @@
href: monitor/windows-autopatch-windows-quality-update-trending-report.md
- name: Reliability report
href: monitor/windows-autopatch-reliability-report.md
- name: Hotpatch quality update report
href: monitor/windows-autopatch-hotpatch-quality-update-report.md
- name: Windows feature and quality update device alerts
href: monitor/windows-autopatch-device-alerts.md
- name: Policy health and remediation

10
windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
View File

@ -36,7 +36,7 @@ Device readiness in Windows Autopatch is divided into two different scenarios:
### Device readiness checks available for each scenario
| Required device readiness (prerequisite checks) before device registration (powered by Intune Graph API) | Required post-device registration readiness checks (powered by Microsoft Cloud Managed Desktop Extension) |
| Required device readiness (prerequisite checks) before device registration (powered by Intune Graph API) | Required post-device registration readiness checks (powered by Microsoft Cloud Managed Desktop Extension and Windows Autopatch Client Broker) |
| ----- | ----- |
| <ul><li>Windows OS (build, architecture, and edition)</li></li><li>Managed by either Intune or ConfigMgr co-management</li><li>ConfigMgr co-management workloads</li><li>Last communication with Intune</li><li>Personal or non-Windows devices</li></ul> | <ul><li>Windows OS (build, architecture, and edition)</li><li>Windows updates & Office Group Policy Object (GPO) versus Intune mobile device management (MDM) policy conflict</li><li>Bind network endpoints (Microsoft Defender, Microsoft Teams, Microsoft Edge, Microsoft Office)</li><li>Internet connectivity</li></ul> |
@ -66,7 +66,7 @@ A healthy or active device in Windows Autopatch is:
- Actively sending data
- Passes all post-device registration readiness checks
The post-device registration readiness checks are powered by the **Microsoft Cloud Managed Desktop Extension**. It's installed right after devices are successfully registered with Windows Autopatch. The **Microsoft Cloud Managed Desktop Extension** has the Device Readiness Check Plugin. The Device Readiness Check Plugin is responsible for performing the readiness checks and reporting the results back to the service. The **Microsoft Cloud Managed Desktop Extension** is a subcomponent of the overall Windows Autopatch service.
The post-device registration readiness checks are powered by the **Microsoft Cloud Managed Desktop Extension**. It's installed right after devices are successfully registered with Windows Autopatch. The **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** has the Device Readiness Check Plugin. The Device Readiness Check Plugin is responsible for performing the readiness checks and reporting the results back to the service. The **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** are subcomponents of the overall Windows Autopatch service.
The following list of post-device registration readiness checks is performed in Windows Autopatch:
@ -90,8 +90,8 @@ See the following diagram for the post-device registration readiness checks work
| Step | Description |
| ----- | ----- |
| **Steps 1-7** | For more information, see the [Device registration overview diagram](windows-autopatch-device-registration-overview.md).|
| **Step 8: Perform readiness checks** |<ol><li>Once devices are successfully registered with Windows Autopatch, the devices are added to the **Ready** tab.</li><li>The Microsoft Cloud Managed Desktop Extension agent performs readiness checks against devices in the **Ready** tab every 24 hours.</li></ol> |
| **Step 9: Check readiness status** |<ol><li>The Microsoft Cloud Managed Desktop Extension service evaluates the readiness results gathered by its agent.</li><li>The readiness results are sent from the Microsoft Cloud Managed Desktop Extension service component to the Device Readiness component within the Windows Autopatch's service.</li></ol>|
| **Step 8: Perform readiness checks** |<ol><li>Once devices are successfully registered with Windows Autopatch, the devices are added to the **Ready** tab.</li><li>The Microsoft Cloud Managed Desktop Extension and Windows Autopatch Client Broker agents perform readiness checks against devices in the **Ready** tab every 24 hours.</li></ol> |
| **Step 9: Check readiness status** |<ol><li>The Microsoft Cloud Managed Desktop Extension and Windows Autopatch Client Broker service evaluates the readiness results gathered by its agent.</li><li>The readiness results are sent from the Microsoft Cloud Managed Desktop Extension and Windows Autopatch Client Broker service component to the Device Readiness component within the Windows Autopatch's service.</li></ol>|
| **Step 10: Add devices to the Not ready** | When devices don't pass one or more readiness checks, even if they're registered with Windows Autopatch, they're added to the **Not ready** tab so IT admins can remediate devices based on Windows Autopatch recommendations. |
| **Step 11: IT admin understands what the issue is and remediates** | The IT admin checks and remediates issues in the Devices blade (**Not ready** tab). It can take up to 24 hours for devices to show in the **Ready** tab. |
@ -99,7 +99,7 @@ See the following diagram for the post-device registration readiness checks work
| Question | Answer |
| ----- | ----- |
| **How frequent are the post-device registration readiness checks performed?** |<ul><li>The **Microsoft Cloud Managed Desktop Extension** agent collects device readiness statuses when it runs (once a day).</li><li>Once the agent collects results for the post-device registration readiness checks, it generates readiness results in the device in the `%programdata%\Microsoft\CMDExtension\Plugins\DeviceReadinessPlugin\Logs\DRCResults.json.log`.</li><li>The readiness results are sent over to the **Microsoft Cloud Managed Desktop Extension service**.</li><li>The **Microsoft Cloud Managed Desktop Extension** service component sends the readiness results to the Device Readiness component. The results appear in the Windows Autopatch Devices blade (**Not ready** tab).</li></ul>|
| **How frequent are the post-device registration readiness checks performed?** |<ul><li>The **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** agents collect device readiness statuses when it runs (once a day).</li><li>Once the agent collects results for the post-device registration readiness checks, it generates readiness results in the device in the `%programdata%\Microsoft\CMDExtension\Plugins\DeviceReadinessPlugin\Logs\DRCResults.json.log`.</li><li>The readiness results are sent over to **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** service.</li><li>The **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** service component sends the readiness results to the Device Readiness component. The results appear in the Windows Autopatch Devices blade (**Not ready** tab).</li></ul>|
| **What to expect when one or more checks fail?** | Devices are automatically sent to the **Ready** tab once they're successfully registered with Windows Autopatch. When devices don't meet one or more post-device registration readiness checks, the devices are moved to the **Not ready** tab. IT admins can learn about these devices and take appropriate actions to remediate them. Windows Autopatch provides information about the failure and how to potentially remediate devices.<p>Once devices are remediated, it can take up to **24 hours** to appear in the **Ready** tab.</p>|
## Additional resources

78
windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md Normal file
View File

@ -0,0 +1,78 @@
---
title: Hotpatch updates
description: Use Hotpatch updates to receive security updates without restarting your device
ms.date: 11/19/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
manager: aaroncz
ms.reviewer: adnich
ms.collection:
- highpri
- tier1
---
# Hotpatch updates (public preview)
[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)]
> [!IMPORTANT]
> This feature is in public preview. It is being actively developed and might not be complete. They're made available on a "Preview" basis. You can test and use these features in production environments and scenarios and provide feedback.
Hotpatch updates are [Monthly B release security updates](/windows/deployment/update/release-cycle#monthly-security-update-release) that can be installed without requiring you to restart the device. Hotpatch updates are designed to reduce downtime and disruptions. By minimizing the need to restart, these updates help ensure faster compliance, making it easier for organizations to maintain security while keeping workflows uninterrupted.
## Key benefits
- Hotpatch updates streamline the installation process and enhance compliance efficiency.
- No changes are required to your existing update ring configurations. Your existing ring configurations are honored alongside Hotpatch policies.
- The [Hotpatch quality update report](../monitor/windows-autopatch-hotpatch-quality-update-report.md) provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates.
## Eligible devices
To benefit from Hotpatch updates, devices must meet the following prerequisites:
- Operating System: Devices must be running Windows 11 24H2 or later.
- VBS (Virtualization-based security): VBS must be enabled to ensure secure installation of Hotpatch updates.
- Latest Baseline Release: Devices must be on the latest baseline release version to qualify for Hotpatch updates. Microsoft releases Baseline updates quarterly as standard cumulative updates. For more information on the latest schedule for these releases, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-in-azure-automanage-for-windows-server-2022-4e234525-5bd5-4171-9886-b475dabe0ce8?preview=true).
## Ineligible devices
Devices that don't meet one or more prerequisites automatically receive the Latest Cumulative Update (LCU) instead. Latest Cumulative Update (LCU) contains monthly updates that supersede the previous month's updates containing both security and nonsecurity releases.
LCUs requires you to restart the device, but the LCU ensures that the device remains fully secure and compliant.
> [!NOTE]
> If devices aren't eligible for Hotpatch updates, these devices are offered the LCU. The LCU keeps your configured Update ring settings, it doesn't change the settings.
## Release cycles
For more information about the release calendar for Hotpatch updates, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-in-azure-automanage-for-windows-server-2022-4e234525-5bd5-4171-9886-b475dabe0ce8?preview=true).
- Baseline Release Months: January, April, July, October
- Hotpatch Release Months: February, March, May, June, August, September, November, December
## Enroll devices to receive Hotpatch updates
> [!NOTE]
> If you're using Autopatch groups and want your devices to receive Hotpatch updates, you must create a Hotpatch policy and assign devices to it. Turning on Hotpatch updates doesn't change the deferral setting applied to devices within an Autopatch group.
**To enroll devices to receive Hotpatch updates:**
1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Devices** from the left navigation menu.
1. Under the **Manage updates** section, select **Windows updates**.
1. Go to the **Quality updates** tab.
1. Select **Create**, and select **Windows quality update policy (preview)**.
1. Under the **Basics** section, enter a name for your new policy and select Next.
1. Under the **Settings** section, set **"When available, apply without restarting the device ("hotpatch")** to **Allow**. Then, select **Next**.
1. Select the appropriate Scope tags or leave as Default and select **Next**.
1. Assign the devices to the policy and select **Next**.
1. Review the policy and select **Create**.
These steps ensure that targeted devices, which are [eligible](#eligible-devices) to receive Hotpatch updates, are configured properly. [Ineligible devices](#ineligible-devices) are offered the latest cumulative updates (LCU).
> [!NOTE]
> Turning on Hotpatch updates doesn't change the existing deadline-driven or scheduled install configurations on your managed devices. Deferral and active hour settings will still apply.

5
windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md
View File

@ -1,7 +1,7 @@
---
title: Windows feature updates overview
description: This article explains how Windows feature updates are managed
ms.date: 10/30/2024
ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: overview
@ -120,6 +120,9 @@ For more information about Windows feature update policies that are created for
## Pause and resume a release
> [!IMPORTANT]
> **Due to a recent change, we have identified an issue that prevents the Paused and Pause status columns from being displayed** in reporting. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
> [!IMPORTANT]
> **Pausing or resuming an update can take up to eight hours to be applied to devices**. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates. For more information, see[how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

5
windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md
View File

@ -1,7 +1,7 @@
---
title: Windows quality updates overview
description: This article explains how Windows quality updates are managed
ms.date: 10/30/2024
ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: conceptual
@ -66,6 +66,9 @@ For the deployment rings that pass quality updates deferral date, the OOB releas
## Pause and resume a release
> [!IMPORTANT]
> **Due to a recent change, we have identified an issue that prevents the Paused and Pause status columns from being displayed** in reporting. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
The service-level pause is driven by the various software update deployment-related signals. Windows Autopatch receives from Windows Update for Business, and several other product groups within Microsoft.
If Windows Autopatch detects a significant issue with a release, we might decide to pause that release.

67
windows/deployment/windows-autopatch/monitor/windows-autopatch-hotpatch-quality-update-report.md Normal file
View File

@ -0,0 +1,67 @@
---
title: Hotpatch quality update report
description: Use the Hotpatch quality update report to view the current update statuses for all devices that receive Hotpatch updates
ms.date: 11/19/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
manager: aaroncz
ms.reviewer: adnich
ms.collection:
- highpri
- tier1
---
# Hotpatch quality update report (public preview)
[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)]
> [!IMPORTANT]
> This feature is in public preview. It is being actively developed and might not be complete. They're made available on a "Preview" basis. You can test and use these features in production environments and scenarios and provide feedback.
The Hotpatch quality update report provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates. For more information about Hotpatching, see [Hotpatch updates](../manage/windows-autopatch-hotpatch-updates.md).
**To view the Hotpatch quality update status report:**
1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Navigate to **Reports** > **Windows Autopatch** > **Windows quality updates**.
1. Select the **Reports** tab.
1. Select **Hotpatch quality updates (preview)**.
> [!NOTE]
> The data in this report is refreshed every four hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
## Report information
The Hotpatch quality update report provides a visual representation of the update status trend for all devices over the last 90 days.
### Default columns
> [!IMPORTANT]
> **Due to a recent change, we have identified an issue that prevents the Paused column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
The following information is available as default columns in the Hotpatch quality update report:
| Column name | Description |
| ----- | ----- |
| Quality update policy | The name of the policy. |
| Device name | Total number of devices in the policy. |
| Up to date | Total device count reporting a status of Up to date. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
| Hotpatched | Total devices that successfully received a Hotpatch update. |
| Not up to Date | Total device count reporting a status of Not Up to date. For more information, see [Not Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
| In progress | Total device counts reporting the In progress status. For more information, see [In progress](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-sub-statuses). |
| % with the latest quality update | Percent of [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) devices on the most current Windows release and its build number |
| Not ready | Total device count reporting the Not ready status. For more information, see [Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
| Paused | Total device count reporting the status of the pause whether it's Service or Customer initiated. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
## Report options
The following options are available:
| Option | Description |
| ----- | ----- |
| By percentage | Select **By percentage** to show your trending graphs and indicators by percentage. |
| By device count | Select **By device count** to show your trending graphs and indicators by numeric value. |

9
windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md
View File

@ -1,7 +1,7 @@
---
title: Feature update status report
description: Provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
ms.date: 09/16/2024
description: Provides a per device view of the current Windows OS upgrade status for all Intune devices.
ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@ -19,7 +19,7 @@ ms.collection:
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
The Feature update status report provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
The Feature update status report provides a per device view of the current Windows OS upgrade status for all Intune devices.
**To view the Feature update status report:**
@ -32,6 +32,9 @@ The Feature update status report provides a per device view of the current Windo
### Default columns
> [!IMPORTANT]
> **Due to a recent change, we have identified an issue that prevents the Pause status column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
The following information is available as default columns in the Feature update status report:
| Column name | Description |

9
windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md
View File

@ -1,7 +1,7 @@
---
title: Windows feature update summary dashboard
description: Provides a broader view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
ms.date: 09/16/2024
description: Provides a broader view of the current Windows OS upgrade status for all Intune devices.
ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@ -19,7 +19,7 @@ ms.collection:
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
The Summary dashboard provides a broader view of the current Windows OS update status for all devices registered with Windows Autopatch.
The Summary dashboard provides a broader view of the current Windows OS update status for all Intune devices.
The first part of the Summary dashboard provides you with an all-devices trend report where you can follow the deployment trends within your organization. You can view if updates were successfully installed, failing, in progress, not ready or have their Windows feature update paused.
@ -31,6 +31,9 @@ The first part of the Summary dashboard provides you with an all-devices trend r
## Report information
> [!IMPORTANT]
> **Due to a recent change, we have identified an issue that prevents the Paused column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
The following information is available in the Summary dashboard:
| Column name | Description |

6
windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md
View File

@ -1,7 +1,7 @@
---
title: Windows quality and feature update reports overview
description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch.
ms.date: 09/16/2024
ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: overview
@ -27,7 +27,7 @@ The Windows quality reports provide you with information about:
- Device update health
- Device update alerts
Together, these reports provide insight into the quality update state and compliance of Windows devices that are enrolled into Windows Autopatch.
Together, these reports provide insight into the quality update state and compliance of Intune devices.
The Windows quality report types are organized into the following focus areas:
@ -61,7 +61,7 @@ Users with the following permissions can access the reports:
## About data latency
The data source for these reports is Windows [diagnostic data](../overview/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data). The data typically uploads from enrolled devices once per day. Then, the data is processed in batches before being made available in Windows Autopatch. The maximum end-to-end latency is approximately 48 hours.
The data source for these reports is Windows [diagnostic data](../overview/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data). The data typically uploads from enrolled devices once per day. Then, the data is processed in batches before being made available in Windows Autopatch. The maximum end-to-end latency is approximately four hours.
## Windows quality and feature update statuses

11
windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md
View File

@ -1,7 +1,7 @@
---
title: Quality update status report
description: Provides a per device view of the current update status for all Windows Autopatch managed devices.
ms.date: 09/16/2024
description: Provides a per device view of the current update status for all Intune devices.
ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@ -19,7 +19,7 @@ ms.collection:
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
The Quality update status report provides a per device view of the current update status for all Windows Autopatch managed devices.
The Quality update status report provides a per device view of the current update status for all Intune devices.
**To view the Quality update status report:**
@ -29,12 +29,15 @@ The Quality update status report provides a per device view of the current updat
1. Select**Quality update status**.
> [!NOTE]
> The data in this report is refreshed every 24 hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
> The data in this report is refreshed every four hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
## Report information
### Default columns
> [!IMPORTANT]
> **Due to a recent change, we have identified an issue that prevents the Pause status column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
The following information is available as default columns in the Quality update status report:
| Column name | Description |

11
windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md
View File

@ -1,7 +1,7 @@
---
title: Windows quality update summary dashboard
description: Provides a summary view of the current update status for all Windows Autopatch managed devices.
ms.date: 09/16/2024
description: Provides a summary view of the current update status for all Intune devices.
ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@ -19,7 +19,7 @@ ms.collection:
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
The Summary dashboard provides a summary view of the current update status for all Windows Autopatch managed devices.
The Summary dashboard provides a summary view of the current update status for all Intune devices.
**To view the current update status for all your enrolled devices:**
@ -27,10 +27,13 @@ The Summary dashboard provides a summary view of the current update status for a
1. Navigate to**Reports**>**Windows Autopatch**>**Windows quality updates**.
> [!NOTE]
> The data in this report is refreshed every 24 hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
> The data in this report is refreshed every four hours with data received by your managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
## Report information
> [!IMPORTANT]
> **Due to a recent change, we have identified an issue that prevents the Paused column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
The following information is available in the Summary dashboard:
| Column name | Description |

6
windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
View File

@ -1,7 +1,7 @@
---
title: What is Windows Autopatch?
description: Details what the service is and shortcuts to articles.
ms.date: 09/27/2024
ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: overview
@ -49,7 +49,9 @@ The goal of Windows Autopatch is to deliver software updates to registered devic
| [Windows quality updates](../manage/windows-autopatch-windows-quality-update-overview.md) | With Windows Autopatch, you can manage Windows quality update profiles for Windows 10 and later devices. You can expedite a specific Windows quality update using targeted policies. |
| [Windows feature updates](../manage/windows-autopatch-windows-feature-update-overview.md) | Windows Autopatch provides tools to assist with the controlled roll out of annual Windows feature updates. |
| [Driver and firmware updates](../manage/windows-autopatch-manage-driver-and-firmware-updates.md) | You can manage and control your driver and firmware updates with Windows Autopatch.|
| [Hotpatch updates](../manage/windows-autopatch-hotpatch-updates.md) | Install [Monthly B release security updates](/windows/deployment/update/release-cycle#monthly-security-update-release) without requiring you to restart the device. |
| [Intune reports](/mem/intune/fundamentals/reports) | Use Intune reports to monitor the health and activity of endpoints in your organization.|
| [Hotpatch quality update report](../monitor/windows-autopatch-hotpatch-quality-update-report.md) | Hotpatch quality update report provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates. |
> [!IMPORTANT]
> Microsoft 365 Business Premium and Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5) do **not** have access to all Windows Autopatch features. For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities).
@ -70,7 +72,7 @@ In addition to the features included in [Business Premium and A3+ licenses](#bus
| [Microsoft Edge updates](../manage/windows-autopatch-edge.md) | Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel. |
| [Microsoft Teams updates](../manage/windows-autopatch-teams.md) | Windows Autopatch allows eligible devices to benefit from the standard automatic update channel. |
| [Policy health and remediation](../monitor/windows-autopatch-policy-health-and-remediation.md) | When Windows Autopatch detects policies in the tenant are either missing or modified that affects the service, Windows Autopatch raises alerts and detailed recommended actions to ensure healthy operation of the service. |
| Enhanced [Windows quality and feature update reports](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md) and [device alerts](../monitor/windows-autopatch-device-alerts.md) | Using Windows quality and feature update reports, you can monitor and remediate Windows Autopatch managed devices that are Not up to Date and resolve any device alerts to bring Windows Autopatch managed devices back into compliance. |
| Enhanced [Windows quality and feature update reports](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md) and [device alerts](../monitor/windows-autopatch-device-alerts.md) | Using Windows quality and feature update reports, you can monitor and remediate managed devices that are Not up to Date and resolve any device alerts to bring managed devices back into compliance. |
| [Submit support requests](../manage/windows-autopatch-support-request.md) with the Windows Autopatch Service Engineering Team | When you activate additional Autopatch features, you can submit, manage, and edit support requests. |
## Communications

4
windows/deployment/windows-autopatch/references/windows-autopatch-changes-made-at-feature-activation.md
View File

@ -87,7 +87,7 @@ The following groups target Windows Autopatch configurations to devices and mana
## Microsoft Edge update policies
> [!IMPORTANT]
> By default, these policies are not deployed. You can opt-in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).<p>To update Microsoft Office, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle the must be set to [**Allow**](../manage/windows-autopatch-edge.md#allow-or-block-microsoft-edge-updates).</p>
> By default, these policies are not deployed. You can opt-in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).<p>To update Microsoft Edge, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle the must be set to [**Allow**](../manage/windows-autopatch-edge.md#allow-or-block-microsoft-edge-updates).</p>
- Windows Autopatch - Edge Update Channel Stable
- Windows Autopatch - Edge Update Channel Beta
@ -100,7 +100,7 @@ The following groups target Windows Autopatch configurations to devices and mana
## Driver updates for Windows 10 and later
> [!IMPORTANT]
> By default, these policies are not deployed. You can opt-in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).<p>To update Microsoft Office, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle the must be set to [**Allow**](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group).</p>
> By default, these policies are not deployed. You can opt-in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).<p>To update drivers and firmware, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle the must be set to [**Allow**](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group).</p>
- Windows Autopatch - Driver Update Policy [Test]
- Windows Autopatch - Driver Update Policy [First]

10
windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md
View File

@ -1,7 +1,7 @@
---
title: What's new 2024
description: This article lists the 2024 feature releases and any corresponding Message center post numbers.
ms.date: 09/27/2024
ms.date: 11/19/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: whats-new
@ -21,6 +21,14 @@ This article lists new and updated feature releases, and service releases, with
Minor corrections such as typos, style, or formatting issues aren't listed.
## November 2024
### November feature releases or updates
| Article | Description |
| ----- | ----- |
| Hotpatch | <ul><li>[Hotpatch updates](../manage/windows-autopatch-hotpatch-updates.md)</li><li>[Hotpatch quality update report](../monitor/windows-autopatch-hotpatch-quality-update-report.md)</li></ul> |
## September 2024
### September feature releases or updates

28
windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md
View File

@ -139,22 +139,22 @@ The Microsoft Root certificates can be allowed and denied in policy using 'WellK
| 0| None | N/A |
| 1| Unknown | N/A |
| 2 | Self-Signed | N/A |
| 3 | Microsoft Authenticode(tm) Root Authority | `30820122300D06092A864886F70D01010105000382010F003082010A0282010100DF08BAE33F6E649BF589AF28964A078F1B2E8B3E1DFCB88069A3A1CEDBDFB08E6C8976294FCA603539AD7232E00BAE293D4C16D94B3C9DDAC5D3D109C92C6FA6C2605345DD4BD155CD031CD2595624F3E578D807CCD8B31F903FC01A71501D2DA712086D7CB0866CC7BA853207E1616FAF03C56DE5D6A18F36F6C10BD13E69974872C97FA4C8C24A4C7EA1D194A6D7DCEB05462EB818B4571D8649DB694A2C21F55E0F542D5A43A97A7E6A8E504D2557A1BF1B1505437B2C058DBD3D038C93227D63EA0A5705060ADB6198652D4749A8E7E656755CB8640863A9304066B2F9B6E334E86730E1430B87FFC9BE72105E23F09BA74865BF09887BCD72BC2E799B7B0203010001` |
| 4 | Microsoft Product Root 1997 | `30820122300D06092A864886F70D01010105000382010F003082010A0282010100A902BDC170E63BF24E1B289F97785E30EAA2A98D255FF8FE954CA3B7FE9DA2203E7C51A29BA28F60326BD1426479EEAC76C954DAF2EB9C861C8F9F8466B3C56B7A6223D61D3CDE0F0192E896C4BF2D669A9A682699D03A2CBF0CB55826C146E70A3E38962CA92839A8EC498342E3840FBB9A6C5561AC827CA1602D774CE999B4643B9A501C310824149FA9E7912B18E63D986314605805659F1D375287F7A7EF9402C61BD3BF5545B38980BF3AEC54944EAEFDA77A6D744EAF18CC96092821005790606937BB4B12073C56FF5BFBA4660A08A6D2815657EFB63B5E16817704DAF6BEAE8095FEB0CD7FD6A71A725C3CCABCF008A32230B30685C9B320771385DF0203010001` |
| 5 | Microsoft Product Root 2001 | `30820222300D06092A864886F70D01010105000382020F003082020A0282020100F35DFA8067D45AA7A90C2C9020D035083C7584CDB707899C89DADECEC360FA91685A9E94712918767CC2E0C82576940E58FA043436E6DFAFF780BAE9580B2B93E59D05E3772291F734643C22911D5EE10990BC14FEFC755819E179B70792A3AE885908D89F07CA0358FC68296D32D7D2A8CB4BFCE10B48324FE6EBB8AD4FE45C6F139499DB95D575DBA81AB79491B4775BF5480C8F6A797D1470047D6DAF90F5DA70D847B7BF9B2F6CE705B7E11160AC7991147CC5D6A6E4E17ED5C37EE592D23C00B53682DE79E16DF3B56EF89F33C9CB527D739836DB8BA16BA295979BA3DEC24D26FF0696672506C8E7ACE4EE1233953199C835084E34CA7953D5B5BE6332594036C0A54E044D3DDB5B0733E458BFEF3F5364D842593557FD0F457C24044D9ED6387411972290CE684474926FD54B6FB086E3C73642A0D0FCC1C05AF9A361B9304771960A16B091C04295EF107F286AE32A1FB1E4CD033F777104C720FC490F1D4588A4D7CB7E88AD8E2DEC45DBC45104C92AFCEC869E9A11975BDECE5388E6E2B7FDAC95C22840DBEF0490DF813339D9B245A5238706A5558931BB062D600E41187D1F2EB597CB11EB15D524A594EF151489FD4B73FA325BFCD13300F95962700732EA2EAB402D7BCADD21671B30998F16AA23A841D1B06E119B36C4DE40749CE15865C1601E7A5B38C88FBB04267CD41640E5B66B6CAA86FD00BFCEC1350203010001`|
| 6 | Microsoft Product Root 2010 | `30820222300D06092A864886F70D01010105000382020F003082020A028202010095E3A8C1B99C2654B099EF261FAC1EC73080BBF53FF2E4BBF8FE066A0AA688BCB48C45E070551988B405CBB5C1A1FAD47CC24253079C5456A897E09469BE1324EFE58A299CA6D02B2F8AA6E879442E8BEAC9BEB8548653BE07243454152220017B8A46FBD291079509B05611CC76B2D01F4479523428EC4F49C2CB61D386DCE4A37E559E9FEE106FCFE13DF8B78479A23B8D1CB0817CE44407E4CE46B098838D878FE5F5AE407AF1ED3D9B9A7C4AD1B9C394057BDCDAB8CEDC1E6CCFD99E37EFC35A367B908645DCF62ECADDEEDE27D9749A69F5D95D092D4541CCB7C282D42A8C162592973D944E89337E5B0354CDB083A08E41B7878DD9056352F6EEE64E139D54CD49FEE38B3B509B48BBB2E592D4ABA0C510AF3EB145213490DCADB9F7FE21AEEE50587A3AE5AAD8E382D6CF6D4DC915AC9C3117A516A742F6DA1278A76690ECFCCD0163FFF00EBAE1CDF0DB6B9A0FF60F040109BC9FCEB76C517057081BFF799A525DBAAC14E53B67CF2C52DE279A34036E2548B01974FC4D98C24B8C92E188AE482AABABCD144DB6610EA1098F2CDB45AF7D3B815608C93B41B7649F5D2E127FB969291F52454A23C6AFB6B238729D0833FFD0CF89B6EA6E8544943E9159EBEF9EBD9B9C1A47034EA21796FA620BE853B64EE3E82A7359E213B8F85A7EC6E20ADD4A43CCC3773B7A31040AC184963A636E1A3E0A0C25B87EB5520CB9AB0203010001`|
| 7 | Microsoft Standard Root 2011 | `30820222300D06092A864886F70D01010105000382020F003082020A0282020100B28041AA35384D13723268224DB8B2F1FFD552BC6CC7F5D24A8C36EED1C25C7E8C8AAEAF13286FC073E33ACED025A85A3A6DEFA8B859AB132368CD0C2987D16F805C8F447F5D90015258AC51C55F2A87DCDCD80A1DC103B97BB056E8A3DE6461C29EF8F37CB9EC0DB554FE4CB6654F88F09C48990C420B097C315917790678288D893A4C0325BE716A5C0BE78460A49922E3D2AF84A4A7FBD198ED0CA9DE9489E10EA0DCC0CE993DEA0852BB5679E41F84BA1EB8B4C4495C4F314B87DDDD0567269980E07111A3B8A541E2A453B9F73229830C13BF365E04B34B43472F6BE2911ED3984FDD4207C8E81D12FC99A96B3E927EC8D6693AFC64BDB6099DCAFD0C0BA29B77604B0394A4306912D6422DC1414CCADCAAFD8F5B83469AD9FCB1D1E3B3C97F487ACD24F0418F5C74D0ACB010200649B7C72D21C857E3D086F30368FBD0CE71C189994A64016CFDEC3091CF413C92C7E5BA861D6184C75F833962AEB4922F47F30BF855EBA01F59D0BB749B1ED076E6F2E906D710E8FA64DE69C635968802F046B83F27996FCB71892935F7481602358FD5797C4D02CF5FEB8A834F457188F9A90D4E72E9C29C07CF491B4E040E63518C5ED800C1552CB6C6E0C2654EC93439F59CB3C47EE8616E135F15C45FD97EED1DCEEE44ECCB2E86B1EC38F670EDAB5C13C1D90F0DC780B255ED34F7AC9BE4C3DAE7473CA6B58F31DFC54BAFEBF10203010001`|
| 8 | Microsoft Code Verification Root 2006 | `30820222300D06092A864886F70D01010105000382020F003082020A0282020100BD77C91C7F157838C50743215AFBE4CC3BC65531FC2189B1BCE7019CFB90BE20115576A74D02E7B2F42E8DEFB2874656CA47CEC8C363E308034B9606B9702244E64B7B443F75B7B8A62B910841EF4B0759D6A4199DF6CBA4BB8E02654DCADE0FB49022F1B56B5C22F6CAF938AA280B062D3C198DB7355F83EDDD65738446929F44E2894A8CD598A76D3DE819CB44AD180BEA5C5F7C0BC39A936844F3B6BF979930723F2859D070C8055778F54A82340A24C17AB064A53A6E12D5036138BB0E2DFD859CD648756A1CB2A2E891FAB7E4F53C5FFDC940ACC7A042F574D8B9DBD7FE73771AE0C4B709B1059A6DE35E8038757852B612D379AE43F765A7D1166469858F783AB894BF4512625A4D8748D6F819BC590106F51ADB60299F013F6E73F9FD8045CE95D78AF6920CC173402C6DAA32A6F17F30F890F1AE4527B9B40E3002BDC60EEC3C8C5BB63485CF140B0C500DA9E259912EA80139F42C15630480B840DF62F7FEB74C13A82CA966133862FC4070627B7577D52B8E1BA599E5B9B7C7ADEA01A0257B5846525654A2C9922B581D4851C01FFE3700D1E2AB10C2A959E942996E8FB51E4766741E98765757045EBD2F8593D50E0B9F2E7B2664A78612095063E7D1C78E7E0E3B07E7BBE4CD1A40D47ABA05594AD6D0EEDC965E224A271C45E3DEDAB2E9D343FDE96FC0C97D1FFD9F909C862008CC74DC40A729B3AB58656BB10203010001`|
| 3 | Microsoft Authenticode(tm) Root Authority | `3082010A0282010100DF08BAE33F6E649BF589AF28964A078F1B2E8B3E1DFCB88069A3A1CEDBDFB08E6C8976294FCA603539AD7232E00BAE293D4C16D94B3C9DDAC5D3D109C92C6FA6C2605345DD4BD155CD031CD2595624F3E578D807CCD8B31F903FC01A71501D2DA712086D7CB0866CC7BA853207E1616FAF03C56DE5D6A18F36F6C10BD13E69974872C97FA4C8C24A4C7EA1D194A6D7DCEB05462EB818B4571D8649DB694A2C21F55E0F542D5A43A97A7E6A8E504D2557A1BF1B1505437B2C058DBD3D038C93227D63EA0A5705060ADB6198652D4749A8E7E656755CB8640863A9304066B2F9B6E334E86730E1430B87FFC9BE72105E23F09BA74865BF09887BCD72BC2E799B7B0203010001` |
| 4 | Microsoft Product Root 1997 | `3082010A0282010100A902BDC170E63BF24E1B289F97785E30EAA2A98D255FF8FE954CA3B7FE9DA2203E7C51A29BA28F60326BD1426479EEAC76C954DAF2EB9C861C8F9F8466B3C56B7A6223D61D3CDE0F0192E896C4BF2D669A9A682699D03A2CBF0CB55826C146E70A3E38962CA92839A8EC498342E3840FBB9A6C5561AC827CA1602D774CE999B4643B9A501C310824149FA9E7912B18E63D986314605805659F1D375287F7A7EF9402C61BD3BF5545B38980BF3AEC54944EAEFDA77A6D744EAF18CC96092821005790606937BB4B12073C56FF5BFBA4660A08A6D2815657EFB63B5E16817704DAF6BEAE8095FEB0CD7FD6A71A725C3CCABCF008A32230B30685C9B320771385DF0203010001` |
| 5 | Microsoft Product Root 2001 | `3082020A0282020100F35DFA8067D45AA7A90C2C9020D035083C7584CDB707899C89DADECEC360FA91685A9E94712918767CC2E0C82576940E58FA043436E6DFAFF780BAE9580B2B93E59D05E3772291F734643C22911D5EE10990BC14FEFC755819E179B70792A3AE885908D89F07CA0358FC68296D32D7D2A8CB4BFCE10B48324FE6EBB8AD4FE45C6F139499DB95D575DBA81AB79491B4775BF5480C8F6A797D1470047D6DAF90F5DA70D847B7BF9B2F6CE705B7E11160AC7991147CC5D6A6E4E17ED5C37EE592D23C00B53682DE79E16DF3B56EF89F33C9CB527D739836DB8BA16BA295979BA3DEC24D26FF0696672506C8E7ACE4EE1233953199C835084E34CA7953D5B5BE6332594036C0A54E044D3DDB5B0733E458BFEF3F5364D842593557FD0F457C24044D9ED6387411972290CE684474926FD54B6FB086E3C73642A0D0FCC1C05AF9A361B9304771960A16B091C04295EF107F286AE32A1FB1E4CD033F777104C720FC490F1D4588A4D7CB7E88AD8E2DEC45DBC45104C92AFCEC869E9A11975BDECE5388E6E2B7FDAC95C22840DBEF0490DF813339D9B245A5238706A5558931BB062D600E41187D1F2EB597CB11EB15D524A594EF151489FD4B73FA325BFCD13300F95962700732EA2EAB402D7BCADD21671B30998F16AA23A841D1B06E119B36C4DE40749CE15865C1601E7A5B38C88FBB04267CD41640E5B66B6CAA86FD00BFCEC1350203010001`|
| 6 | Microsoft Product Root 2010 | `3082020A028202010095E3A8C1B99C2654B099EF261FAC1EC73080BBF53FF2E4BBF8FE066A0AA688BCB48C45E070551988B405CBB5C1A1FAD47CC24253079C5456A897E09469BE1324EFE58A299CA6D02B2F8AA6E879442E8BEAC9BEB8548653BE07243454152220017B8A46FBD291079509B05611CC76B2D01F4479523428EC4F49C2CB61D386DCE4A37E559E9FEE106FCFE13DF8B78479A23B8D1CB0817CE44407E4CE46B098838D878FE5F5AE407AF1ED3D9B9A7C4AD1B9C394057BDCDAB8CEDC1E6CCFD99E37EFC35A367B908645DCF62ECADDEEDE27D9749A69F5D95D092D4541CCB7C282D42A8C162592973D944E89337E5B0354CDB083A08E41B7878DD9056352F6EEE64E139D54CD49FEE38B3B509B48BBB2E592D4ABA0C510AF3EB145213490DCADB9F7FE21AEEE50587A3AE5AAD8E382D6CF6D4DC915AC9C3117A516A742F6DA1278A76690ECFCCD0163FFF00EBAE1CDF0DB6B9A0FF60F040109BC9FCEB76C517057081BFF799A525DBAAC14E53B67CF2C52DE279A34036E2548B01974FC4D98C24B8C92E188AE482AABABCD144DB6610EA1098F2CDB45AF7D3B815608C93B41B7649F5D2E127FB969291F52454A23C6AFB6B238729D0833FFD0CF89B6EA6E8544943E9159EBEF9EBD9B9C1A47034EA21796FA620BE853B64EE3E82A7359E213B8F85A7EC6E20ADD4A43CCC3773B7A31040AC184963A636E1A3E0A0C25B87EB5520CB9AB0203010001`|
| 7 | Microsoft Standard Root 2011 | `3082020A0282020100B28041AA35384D13723268224DB8B2F1FFD552BC6CC7F5D24A8C36EED1C25C7E8C8AAEAF13286FC073E33ACED025A85A3A6DEFA8B859AB132368CD0C2987D16F805C8F447F5D90015258AC51C55F2A87DCDCD80A1DC103B97BB056E8A3DE6461C29EF8F37CB9EC0DB554FE4CB6654F88F09C48990C420B097C315917790678288D893A4C0325BE716A5C0BE78460A49922E3D2AF84A4A7FBD198ED0CA9DE9489E10EA0DCC0CE993DEA0852BB5679E41F84BA1EB8B4C4495C4F314B87DDDD0567269980E07111A3B8A541E2A453B9F73229830C13BF365E04B34B43472F6BE2911ED3984FDD4207C8E81D12FC99A96B3E927EC8D6693AFC64BDB6099DCAFD0C0BA29B77604B0394A4306912D6422DC1414CCADCAAFD8F5B83469AD9FCB1D1E3B3C97F487ACD24F0418F5C74D0ACB010200649B7C72D21C857E3D086F30368FBD0CE71C189994A64016CFDEC3091CF413C92C7E5BA861D6184C75F833962AEB4922F47F30BF855EBA01F59D0BB749B1ED076E6F2E906D710E8FA64DE69C635968802F046B83F27996FCB71892935F7481602358FD5797C4D02CF5FEB8A834F457188F9A90D4E72E9C29C07CF491B4E040E63518C5ED800C1552CB6C6E0C2654EC93439F59CB3C47EE8616E135F15C45FD97EED1DCEEE44ECCB2E86B1EC38F670EDAB5C13C1D90F0DC780B255ED34F7AC9BE4C3DAE7473CA6B58F31DFC54BAFEBF10203010001`|
| 8 | Microsoft Code Verification Root 2006 | `3082020A0282020100BD77C91C7F157838C50743215AFBE4CC3BC65531FC2189B1BCE7019CFB90BE20115576A74D02E7B2F42E8DEFB2874656CA47CEC8C363E308034B9606B9702244E64B7B443F75B7B8A62B910841EF4B0759D6A4199DF6CBA4BB8E02654DCADE0FB49022F1B56B5C22F6CAF938AA280B062D3C198DB7355F83EDDD65738446929F44E2894A8CD598A76D3DE819CB44AD180BEA5C5F7C0BC39A936844F3B6BF979930723F2859D070C8055778F54A82340A24C17AB064A53A6E12D5036138BB0E2DFD859CD648756A1CB2A2E891FAB7E4F53C5FFDC940ACC7A042F574D8B9DBD7FE73771AE0C4B709B1059A6DE35E8038757852B612D379AE43F765A7D1166469858F783AB894BF4512625A4D8748D6F819BC590106F51ADB60299F013F6E73F9FD8045CE95D78AF6920CC173402C6DAA32A6F17F30F890F1AE4527B9B40E3002BDC60EEC3C8C5BB63485CF140B0C500DA9E259912EA80139F42C15630480B840DF62F7FEB74C13A82CA966133862FC4070627B7577D52B8E1BA599E5B9B7C7ADEA01A0257B5846525654A2C9922B581D4851C01FFE3700D1E2AB10C2A959E942996E8FB51E4766741E98765757045EBD2F8593D50E0B9F2E7B2664A78612095063E7D1C78E7E0E3B07E7BBE4CD1A40D47ABA05594AD6D0EEDC965E224A271C45E3DEDAB2E9D343FDE96FC0C97D1FFD9F909C862008CC74DC40A729B3AB58656BB10203010001`|
| 9 | Microsoft Test Root 1999 | `3081DF300D06092A864886F70D01010105000381CD003081C90281C100A9AA83586DB5D30C4B5B8090E5C30F280C7E3D3C24C52956638CEEC7834AD88C25D30ED312B7E1867274A78BFB0F05E965C19BD856C293F0FBE95A48857D95AADF0186B733334656CB5B7AC4AFA096533AE9FB3B78C1430CC76E1C2FD155F119B23FF8D6A0C724953BC845256F453A464FD2278BC75075C6805E0D9978617739C1B30F9D129CC4BB327BB24B26AA4EC032B02A1321BEED24F47D0DEAAA8A7AD28B4D97B54D64BAFB46DD696F9A0ECC5377AA6EAE20D6219869D946B96432D4170203010001`|
| 0A | Microsoft Test Root 2010 | `30820222300D06092A864886F70D01010105000382020F003082020A028202010095E3A8C1B99C2654B099EF261FAC1EC73080BBF53FF2E4BBF8FE066A0AA688BCB48C45E070551988B405CBB5C1A1FAD47CC24253079C5456A897E09469BE1324EFE58A299CA6D02B2F8AA6E879442E8BEAC9BEB8548653BE07243454152220017B8A46FBD291079509B05611CC76B2D01F4479523428EC4F49C2CB61D386DCE4A37E559E9FEE106FCFE13DF8B78479A23B8D1CB0817CE44407E4CE46B098838D878FE5F5AE407AF1ED3D9B9A7C4AD1B9C394057BDCDAB8CEDC1E6CCFD99E37EFC35A367B908645DCF62ECADDEEDE27D9749A69F5D95D092D4541CCB7C282D42A8C162592973D944E89337E5B0354CDB083A08E41B7878DD9056352F6EEE64E139D54CD49FEE38B3B509B48BBB2E592D4ABA0C510AF3EB145213490DCADB9F7FE21AEEE50587A3AE5AAD8E382D6CF6D4DC915AC9C3117A516A742F6DA1278A76690ECFCCD0163FFF00EBAE1CDF0DB6B9A0FF60F040109BC9FCEB76C517057081BFF799A525DBAAC14E53B67CF2C52DE279A34036E2548B01974FC4D98C24B8C92E188AE482AABABCD144DB6610EA1098F2CDB45AF7D3B815608C93B41B7649F5D2E127FB969291F52454A23C6AFB6B238729D0833FFD0CF89B6EA6E8544943E9159EBEF9EBD9B9C1A47034EA21796FA620BE853B64EE3E82A7359E213B8F85A7EC6E20ADD4A43CCC3773B7A31040AC184963A636E1A3E0A0C25B87EB5520CB9AB0203010001`|
| 0B | Microsoft DMD Test Root 2005 | `30820122300D06092A864886F70D01010105000382010F003082010A0282010100BCACAFF12BE9877F310994630F483012C16BEA7E0EFC58B8C890F3C7719F41B5BB29E3834735BF42DE7A9CC16D125094061E721B6FF8C0207FDF6DAD840F08BB9A3F93589D931F05B640AB878C7FAA4F033D7DFA6B3BBCFBE0C426B0173EB67ECC9D089875667A34AF189B3D2CCEFCD943599197F3933255B7DA328ADADE6826C30C6F7EAB434CF5C00A22FD5B47A7A9964617529FBB3B1D850A90CD818105342BCA43C29075574D6151C0D6D2648C412107BE5C824A4F9451087522B9AEB94828F7C78606040B7011F0CDCDA079D3CE9CC5367C579BB6DF5B83BE616BE258D2D9858D7EE1A446574661F9DF4F82B9AC8FD2DFEF6082EC1272BF14D20ACCAF3F0203010001`|
| 0C | Microsoft DMDRoot 2005 | `30820222300D06092A864886F70D01010105000382020F003082020A0282020100BCFD36D32F1C7CBAC60458F2AB30A3F17DD4B983EF72DB009CCFE65F0CF144BE62225D2F77507CD68539FE7AAE991EC8B3F9C73CC0228DC7A7F9ED87E841ACE42DF2804E148BB4F5250B948D6FB42982CFE69EFDF79FE5B828B7366B2F6D00A449BF78814FA8069433D0D55720A8728BFED7F5632C8D44E960FE2FF539B625069E04C34D952ED52205304A4122610D5A24F0DF636C7FD8D2F69EF35E76E7B4BDBB9589F20AD44E73BD917E46103D2749427489C4E8AAA3A7407785A27F4626CCC6C0CBC3F2B88121A3BB68F3E2E57EF47C7107EBC10AF5DC038C510BE9C71373C1349EABD28E665811A57441CBD2D9E47480F089CB459896D7DB0815A598446CE223785693BC122A854CC29FD15917A1161025FAE7BD141A56F44E396FF563A256C50B7C9FD6F0B068151C6B367171F83983762354F755BC16E30CBC218BDE6DE9EB943D5440C3D320B0AF96BBE7C3B89DFBEEDC9B7153830D9A9FA6B3D216ACEAC8801D8D24243C8291463C497290BA698FBA7A30DDF6A6F13D68E537ED1A43528F19D71A52528CD80FB26428A5ABA70E04A267AA650B666FF696B2905FA5ECAE9BB3B984536DBC5FBE647036E6EE1DD17EB58AE4A137E8DB3E8FC2FDEAE9E35F74B494FCA0206E8FD396146BFBF56AD8122636955F1C7516AD18E50C9AC53774EC0CC367044FD6DAA68096D1263713BD7A0F21892B33B3189B3B37FDE451170203010001`|
| 0D | Microsoft DMD Preview Root 2005 | `30820222300D06092A864886F70D01010105000382020F003082020A0282020100C3FF519F7576E65C5B6C6EBBB50760626E065740611131724066A5CE94519D702061FCE3C43A49BB6690D5BF94AFEB506B90F3AE5432F01A8AB0EFB064A7CC5EDCEDA6F8DA0FF0430A84B65AC746A1B4D8108CB74924F5FC6F7A4CD1232433E2554EC9778248C08FFDA9F89C189C5A23C608E68CD5C917954E424FA35F3F3649012BA2A1EC4C84FFC182E9B1F2E83773BAA7795AF85A421FDC904665DCE74FC8B3B9501C267F2B7E96790F170EC951E88BEC1E9D425C2DE4907722E6E8411265380A79D128255E67B79B393F76372FB388204E365FF7E952218B5D694CF0146BFFEAD4E8A5E82364E7AACE73E8F5DF25753A0446802321AFC923C322B2631D7B6364FA95FEE16191EBCD2F8755C61DF17B44DABD736FFEE5846569785AE835D35A893968487BB49890DA9FC166E87D5672EA9F73647A2BD0B4F340F0037226F6A0C500B721CC4B9B5E1756A1DA9B45B3B61E300DFFC85F13590147A57AB51950628FFD18ABA29A7CC5EF83CD5A1F00FDC8E854A5B9AEC755B5C572196A370D15A5736C1B9C772DA34B88C338E69044581C54F2EE23048ABAB7D5FEEF22C037163DCFE6D4E35CB088C5AFCA850ADF675CDB5E063412B262A912D0A1E25984BC5FEBFF0194F49A8B388DFD3C5EC02C31062B35D56F04BD1B3F29CE55113785FFAA000778EF5D080E911FF3432187AF0AD7786141429523F274EA749383187A47CF0203010001`|
| 0E | Microsoft Flight Root 2014 | `30820222300D06092A864886F70D01010105000382020F003082020A0282020100C20F7F6D49BB39F04D943FE8FB4DC5EB3BE1285AB9892A467EA5C333271D82893FEB33A1876AEAE882B9DAC39D77D135C0CB833672A6571912BC15E2C83C7B83623414D5ABB6DE368BA15A71A65196A70633B3221D146253C2A5AF9A40CABE2C485499E72A9368A769190B99693BC1B2ACAE94DC5FAB7E02CADE3CA774A68C10A0E5AEB69C35EF838B10E5972ABA916B9A6A4595D9D054718E653FC48A53CA1E38470AE9D04184A5DA1E66016504E6505B7735F5B42E29320CC6BF5F61EE3220B77C39F911FAFF605EFEC669F46F1E1DED1D06E7651E9A112E6344065F31431733E9A32682D44B83124FD2A126032548E13ABD84F58AD5B46E1AE871200E45530167ADE31E6BE8B2E4ABFDF53B8EBA67AF5984CC5C75D09DAA5C72C42636A2AC324C6AB1F8331744D2A77D70EEEB70949ABCEABA1C104B635B38DDD2254504B2F0B35A7C0B0A8E21406437114D96694533E493839EF9B3B51C2B0571EA6DCCE748B6B6DE805010CA4938B35905704EBD9E880222586489EB40DAB12D2D6A40885D23C33ED0F5D5B7908A28543962A2C5C6B1BF74CD8695F9456BCCF207EAAC5CD336F7A27AB5B472532A063EC337945858B14A71BB5CCD9CB2AF109AD943363E528519E7422891118C8CE7BBDFE6C855087375F3960D86B7D2E506B2C08A54A86177207D6CD1FEBA68F3454AAF1184EB867D2F04F354EA20FFD5DB3D250270870203010001`|
| 0F | Microsoft Third Party Marketplace Root | `30820222300D06092A864886F70D01010105000382020F003082020A0282020100F0AD5E8240052D682459CBDE0AE884CC48B93B1DB08B52250E1214C410153A84BE81E075E6BA0EF861E36B1DCE9D1EDF9F283336DA8332C8A1A1ED594AE28C600C6A82B19A09A25C222E39ED92F681017AFF91689085A39C8A97837112946E32D71527E6670B7FE57A02FB90FFF049001ACF300C7BFFE94EA806FD2231166DDE496D96AA91261603419B1614EE98B85B4BD3F12FDB7E30FC79A668124A86773CECE533C3DFEA815519AD085E65D3DEAFBD5E741326839CCE585648E08AA76992ED72DB6782C2E6384ECF5F2BA03BD3C38B9A9A17125554A6647394F85356F21DE1BBD9CE92E2275B7DC4569CEB57FC0D9EE4A27A5999BD23C4656C906D08B25E871A6EA7D1F0EA0532857806504996988928566B0D29793567B8629FA3CFEF8563F8BE16DCED94047C6D610F9B78341E824CDD2A1C8F6D80B6DD7A051F84EDD855D711EB8793179F9A4D0E2874AAAC094F0E08BFFE59BF66EEE2F3511C178E3E3E5B7F2478A31CF4CAC2D619FDE8EBED4F94A55F34C49CE254BA48838B6444D3423B156AC60A6810242A227F4BB079D6DEE5E317199098063AEB5981A64EF496233FA28DCC76C8194EBD68553CD8FD8F844439894D1061951AE89CCCAFF14D38AE821C631CBF68EA45A236B6886A042C6BCB66D4C741090DADF3B0B498127369278E60E606ECEE8A6F30E55DDB56F0F02B523CA73B2A1A7EC0FF03C5ECE029DF0203010001`|
| 0A | Microsoft Test Root 2010 | `3082020A028202010095E3A8C1B99C2654B099EF261FAC1EC73080BBF53FF2E4BBF8FE066A0AA688BCB48C45E070551988B405CBB5C1A1FAD47CC24253079C5456A897E09469BE1324EFE58A299CA6D02B2F8AA6E879442E8BEAC9BEB8548653BE07243454152220017B8A46FBD291079509B05611CC76B2D01F4479523428EC4F49C2CB61D386DCE4A37E559E9FEE106FCFE13DF8B78479A23B8D1CB0817CE44407E4CE46B098838D878FE5F5AE407AF1ED3D9B9A7C4AD1B9C394057BDCDAB8CEDC1E6CCFD99E37EFC35A367B908645DCF62ECADDEEDE27D9749A69F5D95D092D4541CCB7C282D42A8C162592973D944E89337E5B0354CDB083A08E41B7878DD9056352F6EEE64E139D54CD49FEE38B3B509B48BBB2E592D4ABA0C510AF3EB145213490DCADB9F7FE21AEEE50587A3AE5AAD8E382D6CF6D4DC915AC9C3117A516A742F6DA1278A76690ECFCCD0163FFF00EBAE1CDF0DB6B9A0FF60F040109BC9FCEB76C517057081BFF799A525DBAAC14E53B67CF2C52DE279A34036E2548B01974FC4D98C24B8C92E188AE482AABABCD144DB6610EA1098F2CDB45AF7D3B815608C93B41B7649F5D2E127FB969291F52454A23C6AFB6B238729D0833FFD0CF89B6EA6E8544943E9159EBEF9EBD9B9C1A47034EA21796FA620BE853B64EE3E82A7359E213B8F85A7EC6E20ADD4A43CCC3773B7A31040AC184963A636E1A3E0A0C25B87EB5520CB9AB0203010001`|
| 0B | Microsoft DMD Test Root 2005 | `3082010A0282010100BCACAFF12BE9877F310994630F483012C16BEA7E0EFC58B8C890F3C7719F41B5BB29E3834735BF42DE7A9CC16D125094061E721B6FF8C0207FDF6DAD840F08BB9A3F93589D931F05B640AB878C7FAA4F033D7DFA6B3BBCFBE0C426B0173EB67ECC9D089875667A34AF189B3D2CCEFCD943599197F3933255B7DA328ADADE6826C30C6F7EAB434CF5C00A22FD5B47A7A9964617529FBB3B1D850A90CD818105342BCA43C29075574D6151C0D6D2648C412107BE5C824A4F9451087522B9AEB94828F7C78606040B7011F0CDCDA079D3CE9CC5367C579BB6DF5B83BE616BE258D2D9858D7EE1A446574661F9DF4F82B9AC8FD2DFEF6082EC1272BF14D20ACCAF3F0203010001`|
| 0C | Microsoft DMDRoot 2005 | `3082020A0282020100BCFD36D32F1C7CBAC60458F2AB30A3F17DD4B983EF72DB009CCFE65F0CF144BE62225D2F77507CD68539FE7AAE991EC8B3F9C73CC0228DC7A7F9ED87E841ACE42DF2804E148BB4F5250B948D6FB42982CFE69EFDF79FE5B828B7366B2F6D00A449BF78814FA8069433D0D55720A8728BFED7F5632C8D44E960FE2FF539B625069E04C34D952ED52205304A4122610D5A24F0DF636C7FD8D2F69EF35E76E7B4BDBB9589F20AD44E73BD917E46103D2749427489C4E8AAA3A7407785A27F4626CCC6C0CBC3F2B88121A3BB68F3E2E57EF47C7107EBC10AF5DC038C510BE9C71373C1349EABD28E665811A57441CBD2D9E47480F089CB459896D7DB0815A598446CE223785693BC122A854CC29FD15917A1161025FAE7BD141A56F44E396FF563A256C50B7C9FD6F0B068151C6B367171F83983762354F755BC16E30CBC218BDE6DE9EB943D5440C3D320B0AF96BBE7C3B89DFBEEDC9B7153830D9A9FA6B3D216ACEAC8801D8D24243C8291463C497290BA698FBA7A30DDF6A6F13D68E537ED1A43528F19D71A52528CD80FB26428A5ABA70E04A267AA650B666FF696B2905FA5ECAE9BB3B984536DBC5FBE647036E6EE1DD17EB58AE4A137E8DB3E8FC2FDEAE9E35F74B494FCA0206E8FD396146BFBF56AD8122636955F1C7516AD18E50C9AC53774EC0CC367044FD6DAA68096D1263713BD7A0F21892B33B3189B3B37FDE451170203010001`|
| 0D | Microsoft DMD Preview Root 2005 | `3082020A0282020100C3FF519F7576E65C5B6C6EBBB50760626E065740611131724066A5CE94519D702061FCE3C43A49BB6690D5BF94AFEB506B90F3AE5432F01A8AB0EFB064A7CC5EDCEDA6F8DA0FF0430A84B65AC746A1B4D8108CB74924F5FC6F7A4CD1232433E2554EC9778248C08FFDA9F89C189C5A23C608E68CD5C917954E424FA35F3F3649012BA2A1EC4C84FFC182E9B1F2E83773BAA7795AF85A421FDC904665DCE74FC8B3B9501C267F2B7E96790F170EC951E88BEC1E9D425C2DE4907722E6E8411265380A79D128255E67B79B393F76372FB388204E365FF7E952218B5D694CF0146BFFEAD4E8A5E82364E7AACE73E8F5DF25753A0446802321AFC923C322B2631D7B6364FA95FEE16191EBCD2F8755C61DF17B44DABD736FFEE5846569785AE835D35A893968487BB49890DA9FC166E87D5672EA9F73647A2BD0B4F340F0037226F6A0C500B721CC4B9B5E1756A1DA9B45B3B61E300DFFC85F13590147A57AB51950628FFD18ABA29A7CC5EF83CD5A1F00FDC8E854A5B9AEC755B5C572196A370D15A5736C1B9C772DA34B88C338E69044581C54F2EE23048ABAB7D5FEEF22C037163DCFE6D4E35CB088C5AFCA850ADF675CDB5E063412B262A912D0A1E25984BC5FEBFF0194F49A8B388DFD3C5EC02C31062B35D56F04BD1B3F29CE55113785FFAA000778EF5D080E911FF3432187AF0AD7786141429523F274EA749383187A47CF0203010001`|
| 0E | Microsoft Flight Root 2014 | `3082020A0282020100C20F7F6D49BB39F04D943FE8FB4DC5EB3BE1285AB9892A467EA5C333271D82893FEB33A1876AEAE882B9DAC39D77D135C0CB833672A6571912BC15E2C83C7B83623414D5ABB6DE368BA15A71A65196A70633B3221D146253C2A5AF9A40CABE2C485499E72A9368A769190B99693BC1B2ACAE94DC5FAB7E02CADE3CA774A68C10A0E5AEB69C35EF838B10E5972ABA916B9A6A4595D9D054718E653FC48A53CA1E38470AE9D04184A5DA1E66016504E6505B7735F5B42E29320CC6BF5F61EE3220B77C39F911FAFF605EFEC669F46F1E1DED1D06E7651E9A112E6344065F31431733E9A32682D44B83124FD2A126032548E13ABD84F58AD5B46E1AE871200E45530167ADE31E6BE8B2E4ABFDF53B8EBA67AF5984CC5C75D09DAA5C72C42636A2AC324C6AB1F8331744D2A77D70EEEB70949ABCEABA1C104B635B38DDD2254504B2F0B35A7C0B0A8E21406437114D96694533E493839EF9B3B51C2B0571EA6DCCE748B6B6DE805010CA4938B35905704EBD9E880222586489EB40DAB12D2D6A40885D23C33ED0F5D5B7908A28543962A2C5C6B1BF74CD8695F9456BCCF207EAAC5CD336F7A27AB5B472532A063EC337945858B14A71BB5CCD9CB2AF109AD943363E528519E7422891118C8CE7BBDFE6C855087375F3960D86B7D2E506B2C08A54A86177207D6CD1FEBA68F3454AAF1184EB867D2F04F354EA20FFD5DB3D250270870203010001`|
| 0F | Microsoft Third Party Marketplace Root | `3082020A0282020100F0AD5E8240052D682459CBDE0AE884CC48B93B1DB08B52250E1214C410153A84BE81E075E6BA0EF861E36B1DCE9D1EDF9F283336DA8332C8A1A1ED594AE28C600C6A82B19A09A25C222E39ED92F681017AFF91689085A39C8A97837112946E32D71527E6670B7FE57A02FB90FFF049001ACF300C7BFFE94EA806FD2231166DDE496D96AA91261603419B1614EE98B85B4BD3F12FDB7E30FC79A668124A86773CECE533C3DFEA815519AD085E65D3DEAFBD5E741326839CCE585648E08AA76992ED72DB6782C2E6384ECF5F2BA03BD3C38B9A9A17125554A6647394F85356F21DE1BBD9CE92E2275B7DC4569CEB57FC0D9EE4A27A5999BD23C4656C906D08B25E871A6EA7D1F0EA0532857806504996988928566B0D29793567B8629FA3CFEF8563F8BE16DCED94047C6D610F9B78341E824CDD2A1C8F6D80B6DD7A051F84EDD855D711EB8793179F9A4D0E2874AAAC094F0E08BFFE59BF66EEE2F3511C178E3E3E5B7F2478A31CF4CAC2D619FDE8EBED4F94A55F34C49CE254BA48838B6444D3423B156AC60A6810242A227F4BB079D6DEE5E317199098063AEB5981A64EF496233FA28DCC76C8194EBD68553CD8FD8F844439894D1061951AE89CCCAFF14D38AE821C631CBF68EA45A236B6886A042C6BCB66D4C741090DADF3B0B498127369278E60E606ECEE8A6F30E55DDB56F0F02B523CA73B2A1A7EC0FF03C5ECE029DF0203010001`|
| 14 | Microsoft Trusted Root Store | N/A |
| 15 | Microsoft OEM Root Certificate Authority 2017 | `30820222300D06092A864886F70D01010105000382020F003082020A0282020100F8DB3BE3FCDCEBA78508F59D89CEF3CE3B0FDA78135D682B2FA6977DA8111D685C2CAE4B190FC07E19EC30DA6079E1B9F728EAC5ACFAB79E824700F7015B1BD58112F57A43DCAF44179E179A9D40A8C05BD52F4155144E35C65A40C7D2D6216D4636B678E8311DF6812BC64A05354A5035A1A3783779702E7FB3D48E44B51A71E50F9F0DB4C261A91A664C6F88DC62DCEF19631FB43549D953AC564FAD2C9500C9EDCD351ABB2EFD1DDEFAC282E4CCAE8936D80AA4F28739F1A2E1D5735EA68723962540EAC1850E0619C2867A89584F4FFD372A05B4510BF6122F55A721FFB5B44C609D6160A8453A014F28F1545F78510D322020B06E6FEF9E248173B7D6DA3721C40E674ED45A000B390210BEF3D2C4B5E210144830E3E3049B70429F71A1C8128A333EBA664AF1B216C690D598CFFC160A18D609A2CAAF28BC0DDFE57C81BF0D93A320DAE44FF8E3AB00101D52C4A0049811ECFA872EC5765267A17911AA6D857060F821768C1120CE6FB778C1ED0DA2A3DC3C24B1F371630C174EF80A7EDA331B35A19A87CAA9DCC0DC1889BAF5A1B117899E8C4D70FFDC333ACF78A2BA37BC04A7D376660718B16DD69FE58D0F515680EB16A72E4D4F0233D132C561CFCB2FC0ADE8708AD0A2B50184DB995F8218CF49830367BD7E3A10A72919810D77101BAB42E54A021D45FC048F2C2C3A59A442E3F0E99EA3369537A1AA9D9DA7B90203010001`|
| 16 | Microsoft Identity Verification Root Certificate Authority 2020 | `30820222300D06092A864886F70D01010105000382020F003082020A0282020100B3912A07830667FD9E9DE0C7C0B7A4E642047F0FA6DB5FFBD55AD745A0FB770BF080F3A66D5A4D7953D8A08684574520C7A254FBC7A2BF8AC76E35F3A215C42F4EE34A8596490DFFBE99D814F6BC2707EE429B2BF50B9206E4FD691365A89172F29884EB833D0EE4D771124821CB0DEDF64749B79BF9C9C717B6844FFFB8AC9AD773674985E386BD3740D02586D4DEB5C26D626AD5A978BC2D6F49F9E56C1414FD14C7D3651637DECB6EBC5E298DFD629B152CD605E6B9893233A362C7D7D6526708C42EF4562B9E0B87CCECA7B4A6AAEB05CD1957A53A0B04271C91679E2D622D2F1EBEDAC020CB0419CA33FB89BE98E272A07235BE79E19C836FE46D176F90F33D008675388ED0E0499ABBDBD3F830CAD55788684D72D3BF6D7F71D8FDBD0DAE926448B75B6F7926B5CD9B952184D1EF0F323D7B578CF345074C7CE05E180E35768B6D9ECB3674AB05F8E0735D3256946797250AC6353D9497E7C1448B80FDC1F8F47419E530F606FB21573E061C8B6B158627497B8293CA59E87547E83F38F4C75379A0B6B4E25C51EFBD5F38C113E6780C955A2EC5405928CC0F24C0ECBA0977239938A6B61CDAC7BA20B6D737D87F37AF08E33B71DB6E731B7D9972B0E486335974B516007B506DC68613DAFDC439823D24009A60DABA94C005512C34AC50991387BBB30580B24D30025CB826835DB46373EFAE23954F6028BE37D55BA50203010001`|
| 15 | Microsoft OEM Root Certificate Authority 2017 | `3082020A0282020100F8DB3BE3FCDCEBA78508F59D89CEF3CE3B0FDA78135D682B2FA6977DA8111D685C2CAE4B190FC07E19EC30DA6079E1B9F728EAC5ACFAB79E824700F7015B1BD58112F57A43DCAF44179E179A9D40A8C05BD52F4155144E35C65A40C7D2D6216D4636B678E8311DF6812BC64A05354A5035A1A3783779702E7FB3D48E44B51A71E50F9F0DB4C261A91A664C6F88DC62DCEF19631FB43549D953AC564FAD2C9500C9EDCD351ABB2EFD1DDEFAC282E4CCAE8936D80AA4F28739F1A2E1D5735EA68723962540EAC1850E0619C2867A89584F4FFD372A05B4510BF6122F55A721FFB5B44C609D6160A8453A014F28F1545F78510D322020B06E6FEF9E248173B7D6DA3721C40E674ED45A000B390210BEF3D2C4B5E210144830E3E3049B70429F71A1C8128A333EBA664AF1B216C690D598CFFC160A18D609A2CAAF28BC0DDFE57C81BF0D93A320DAE44FF8E3AB00101D52C4A0049811ECFA872EC5765267A17911AA6D857060F821768C1120CE6FB778C1ED0DA2A3DC3C24B1F371630C174EF80A7EDA331B35A19A87CAA9DCC0DC1889BAF5A1B117899E8C4D70FFDC333ACF78A2BA37BC04A7D376660718B16DD69FE58D0F515680EB16A72E4D4F0233D132C561CFCB2FC0ADE8708AD0A2B50184DB995F8218CF49830367BD7E3A10A72919810D77101BAB42E54A021D45FC048F2C2C3A59A442E3F0E99EA3369537A1AA9D9DA7B90203010001`|
| 16 | Microsoft Identity Verification Root Certificate Authority 2020 | `3082020A0282020100B3912A07830667FD9E9DE0C7C0B7A4E642047F0FA6DB5FFBD55AD745A0FB770BF080F3A66D5A4D7953D8A08684574520C7A254FBC7A2BF8AC76E35F3A215C42F4EE34A8596490DFFBE99D814F6BC2707EE429B2BF50B9206E4FD691365A89172F29884EB833D0EE4D771124821CB0DEDF64749B79BF9C9C717B6844FFFB8AC9AD773674985E386BD3740D02586D4DEB5C26D626AD5A978BC2D6F49F9E56C1414FD14C7D3651637DECB6EBC5E298DFD629B152CD605E6B9893233A362C7D7D6526708C42EF4562B9E0B87CCECA7B4A6AAEB05CD1957A53A0B04271C91679E2D622D2F1EBEDAC020CB0419CA33FB89BE98E272A07235BE79E19C836FE46D176F90F33D008675388ED0E0499ABBDBD3F830CAD55788684D72D3BF6D7F71D8FDBD0DAE926448B75B6F7926B5CD9B952184D1EF0F323D7B578CF345074C7CE05E180E35768B6D9ECB3674AB05F8E0735D3256946797250AC6353D9497E7C1448B80FDC1F8F47419E530F606FB21573E061C8B6B158627497B8293CA59E87547E83F38F4C75379A0B6B4E25C51EFBD5F38C113E6780C955A2EC5405928CC0F24C0ECBA0977239938A6B61CDAC7BA20B6D737D87F37AF08E33B71DB6E731B7D9972B0E486335974B516007B506DC68613DAFDC439823D24009A60DABA94C005512C34AC50991387BBB30580B24D30025CB826835DB46373EFAE23954F6028BE37D55BA50203010001`|
For well-known roots, the TBS hashes for the certificates are baked into the code for App Control for Business. For example, they don't need to be listed as TBS hashes in the policy file.

14
windows/security/application-security/index.md
View File

@ -1,14 +0,0 @@
---
title: Windows application security
description: Get an overview of application security in Windows
ms.date: 08/02/2023
ms.topic: conceptual
---
# Windows application security
Cybercriminals can take advantage of poorly secured applications to access valuable resources. With Windows, IT admins can combat common application attacks from the moment a device is provisioned. For example, IT can remove local admin rights from user accounts, so that PCs run with least privilege to prevent malicious applications from accessing sensitive resources.
Learn more about application security features in Windows.
[!INCLUDE [application](../includes/sections/application.md)]

2
windows/security/application-security/toc.yml
View File

@ -1,6 +1,4 @@
items:
- name: Overview
href: index.md
- name: Application and driver control
href: application-control/toc.yml
- name: Application isolation

79
windows/security/book/application-security-application-and-driver-control.md
View File

@ -1,68 +1,77 @@
---
title: Application and driver control
description: Windows 11 security book - Application and driver control.
title: Windows 11 security book - Application and driver control
description: Application and driver control.
ms.topic: overview
ms.date: 04/09/2024
ms.date: 11/18/2024
---
# Application and driver control
:::image type="content" source="images/application-security.png" alt-text="Diagram of containing a list of application security features." lightbox="images/application-security.png" border="false":::
:::image type="content" source="images/application-security.png" alt-text="Diagram containing a list of application security features." lightbox="images/application-security.png" border="false":::
Windows 11 offers a rich application platform with layers of security like isolation and code integrity that help protect your valuable data. Developers can also take advantage of these
capabilities to build in security from the ground up to protect against breaches and malware.
## Smart App Control
Smart App Control prevents users from running malicious applications on Windows devices by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, our new Smart App Control only allows processes to run if they are predicted to be safe based on existing and new intelligence updated daily.
Smart App Control prevents users from running malicious applications by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, Smart App Control only allows processes to run if they're predicted to be safe based on existing and new intelligence updated daily.
Smart App Control builds on top of the same cloud-based AI used in App Control for Business to predict the safety of an application so that users can be confident that their applications are safe and reliable on their new Windows devices. Additionally, Smart App Control blocks unknown script files and macros from the web are blocked, greatly improving security for everyday users.
Smart App Control will ship with new devices with Windows 11, version 22H2 installed.
Smart App Control builds on top of the same cloud-based AI used in *App Control for Business* to predict the safety of an application, so that users can be confident that their applications are safe and reliable. Additionally, Smart App Control blocks unknown script files and macros from the web, greatly improving security for everyday users.
Devices running previous versions of Windows 11 will have to be reset with a clean installation of Windows 11, version 22H2 to take advantage of this feature. Smart App Control will be disabled on devices enrolled in enterprise management. We suggest enterprises running line-of-business applications continue to leverage App Control for Business.
We've been making significant improvements to Smart App Control to increase the security, usability, and cloud intelligence response for apps in the Windows ecosystem. Users can get the latest and best experience with Smart App Control by keeping their devices up to date via Windows Update every month.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
To ensure that users have a seamless experience with Smart App Control enabled, we ask developers to sign their applications with a code signing certificate from the Microsoft Trusted Root Program. Developers should include all binaries, such as exe, dll, temp installer files, and uninstallers. Trusted Signing makes the process of obtaining, maintaining, and signing with a trusted certificate simple and secure.
- [Smart App Control](/windows/apps/develop/smart-app-control/overview)
Smart App Control is disabled on devices enrolled in enterprise management. We suggest enterprises running line-of-business applications continue to use *App Control for Business*.
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Smart App Control][LINK-1]
## App Control for Business
Your organization is only as secure as the applications that run on your devices. With application control, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means of defending against executable file-based malware.
Your organization is only as secure as the applications that run on your devices. With *application control*, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means of defending against executable file-based malware.
Windows 10 and above include App Control for Business (previously called Windows Defender Application Control) as well as AppLocker. App Control for Business is the next-generation app control solution for Windows and provides powerful control over what runs in your environment. Customers who were using AppLocker on previous versions of Windows can continue to use the feature as they consider whether to switch to App Control for Business for stronger protection.
App Control for Business (previously called *Windows Defender Application Control*) and AppLocker are both included in Windows. App Control for Business is the next-generation app control solution for Windows and provides powerful control over what runs in your environment. Organizations that were using AppLocker on previous versions of Windows, can continue to use the feature as they consider whether to switch to App Control for Business for stronger protection.
Customers using Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup> to manage their devices are now able to configure App Control for Business in the admin console, including setting up Intune as a managed installer.
Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup> can configure App Control for Business in the admin console, including setting up Intune as a managed installer. Intune includes built-in options for App Control for Business and the possibility to upload policies as an XML file for Intune to package and deploy.
Customers can use some built-in options for App Control for Business or upload their own policy as an XML file for Intune to package and deploy.
[!INCLUDE [learn-more](includes/learn-more.md)]
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Application Control for Windows][LINK-2]
- [Automatically allow apps deployed by a managed installer with App Control for Business][LINK-3]
- [Application Control for Windows](/windows/security/application-security/application-control/windows-defender-application-control/wdac)
## :::image type="icon" source="images/soon-button-title.svg" border="false"::: Administrator protection
## User Account Control
When users sign in with administrative rights to Windows, they have the power to make significant changes to the system, which can impact its overall security. These rights can be a target for malicious software.
User Account Control (UAC) helps prevent malware from damaging a PC and enables organizations to deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.
Administrator protection is a new security feature in Windows 11 designed to safeguard these administrative rights. It allows administrators to perform all necessary functions with **just-in-time administrative rights**, while running most tasks without administrative privileges. The goal of administrator protection is to provide a secure and seamless experience, ensuring users operate with the least required privileges.
Organizations can use a modern device management (MDM) solution like Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup> to remotely configure UAC settings. Organizations without MDM can change settings directly
on the device.
When administrator protection is enabled, if an app needs special permissions like administrative rights, the user is asked for approval. When an approval is needed, Windows Hello provides a secure and easy way to approve or deny these requests.
Enabling UAC helps prevent malware from altering PC settings and potentially gaining access to networks and sensitive data. UAC can also block the automatic installation of unauthorized
apps and prevent inadvertent changes to system settings.
Users with standard accounts, or those using administrative accounts with UAC enabled, run most programs with limited access rights. This includes the Windows shell and any apps started from the shell, such as Windows Explorer, a web browser, productivity suite, graphics programs, or games.
Some apps require additional permissions and will not work properly (or at all) when running with limited permissions. When an app needs to run with more than standard user rights, UAC allows users to run apps with a "full" administrator token (with administrative groups and privileges) instead of their default user access token. Users continue to operate in the standard user security context while enabling certain executables to run with elevated privileges if needed.
:::image type="content" source="images/uac-settings.png" alt-text="Screenshot of the UAC settings." border="false":::
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [How User Account Control works](/windows/security/identity-protection/user-account-control/how-user-account-control-works)
> [!NOTE]
> Administrator protection is currently in preview. For devices running previous versions of Windows, refer to [User Account Control (UAC)][LINK-5].
## Microsoft vulnerable driver blocklist
The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers. Prior to the Windows 11 2022 Update, Windows enforced a block policy when hypervisor-protected code integrity (HVCI) was enabled to prevent vulnerable versions of drivers from running. Beginning with the Windows 11 2022 Update, the block policy is now on by default for all new Windows PCs, and users can opt in to enforce the policy from the Windows Security app.
The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers. To prevent vulnerable versions of drivers from running, Windows has a *block policy* turned on by default. Users can configure the policy from the Windows Security app.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Microsoft recommended driver block rules](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)
- [Microsoft recommended driver block rules][LINK-4]
## :::image type="icon" source="images/new-button-title.svg" border="false"::: Trusted Signing
Trusted Signing is a Microsoft fully managed, end-to-end signing solution that simplifies the signing process and empowers third-party developers to easily build and distribute applications.
[!INCLUDE [learn-more](includes/learn-more.md)]
- [What is Trusted Signing](/azure/trusted-signing/overview)
<!--links-->
[LINK-1]: /windows/apps/develop/smart-app-control/overview
[LINK-2]: /windows/security/application-security/application-control/windows-defender-application-control/wdac
[LINK-3]: /windows/security/application-security/application-control/app-control-for-business/design/configure-authorized-apps-deployed-with-a-managed-installer
[LINK-4]: /windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
[LINK-5]: /windows/security/identity-protection/user-account-control/how-user-account-control-works

Some files were not shown because too many files have changed in this diff Show More