diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index b34bc4709f..16889b4db0 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -4,7 +4,7 @@ description: Learn more about the BitLocker CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -21,6 +21,9 @@ ms.topic: reference > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> [!IMPORTANT] +> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview. + The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it's also supported in Windows 10 Pro. @@ -40,6 +43,7 @@ The following list shows the BitLocker configuration service provider nodes: - ./Device/Vendor/MSFT/BitLocker - [AllowStandardUserEncryption](#allowstandarduserencryption) + - [AllowSuspensionOfBitLockerProtection](#allowsuspensionofbitlockerprotection) - [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption) - [ConfigureRecoveryPasswordRotation](#configurerecoverypasswordrotation) - [EncryptionMethodByDriveType](#encryptionmethodbydrivetype) @@ -149,6 +153,63 @@ To disable this policy, use the following SyncML: + +## AllowSuspensionOfBitLockerProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/BitLocker/AllowSuspensionOfBitLockerProtection +``` + + + + +This policy setting allows suspending protection for BitLocker Drive Encryption when enabled and prevents suspending protection when disabled. + +> [!WARNING] +> When policy is disabled, some scenarios will be blocked and prevent those scenarios from behaving normally. + +The expected values for this policy are: + +0 = Prevent BitLocker Drive Encryption protection from being suspended. +1 = This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Prevent BitLocker Drive Encryption protection from being suspended. | +| 1 (Default) | This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection. | + + + + + + + + ## AllowWarningForOtherDiskEncryption diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md index 206cf3acd1..a5b1dd75f5 100644 --- a/windows/client-management/mdm/bitlocker-ddf-file.md +++ b/windows/client-management/mdm/bitlocker-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -772,6 +772,52 @@ Supported Values: String form of request ID. Example format of request ID is GUI + + AllowSuspensionOfBitLockerProtection + + + + + + + + 1 + This policy setting allows suspending protection for BitLocker Drive Encryption when enabled and prevents suspending protection when disabled. + Warning: When policy is disabled, some scenarios will be blocked and prevent those scenarios from behaving normally. + The format is integer. + The expected values for this policy are: + + 0 = Prevent BitLocker Drive Encryption protection from being suspended. + 1 = This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection. + + + + + + + + + + + + + + + 99.9.99999 + 9.9 + + + + 0 + Prevent BitLocker Drive Encryption protection from being suspended. + + + 1 + This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection. + + + + Status diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 7550924275..9ec146c353 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -4,7 +4,7 @@ description: Learn more about the Defender CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -63,6 +63,7 @@ The following list shows the Defender configuration service provider nodes: - [HideExclusionsFromLocalUsers](#configurationhideexclusionsfromlocalusers) - [IntelTDTEnabled](#configurationinteltdtenabled) - [MeteredConnectionUpdates](#configurationmeteredconnectionupdates) + - [OobeEnableRtpAndSigUpdate](#configurationoobeenablertpandsigupdate) - [PassiveRemediation](#configurationpassiveremediation) - [PlatformUpdatesChannel](#configurationplatformupdateschannel) - [RandomizeScheduleTaskTimes](#configurationrandomizescheduletasktimes) @@ -1808,6 +1809,55 @@ Allow managed devices to update through metered connections. Default is 0 - not + +### Configuration/OobeEnableRtpAndSigUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/OobeEnableRtpAndSigUpdate +``` + + + + +This setting allows you to configure whether real-time protection and Security Intelligence Updates are enabled during OOBE (Out of Box experience). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | If you enable this setting, real-time protection and Security Intelligence Updates are enabled during OOBE. | +| 0 (Default) | If you either disable or do not configure this setting, real-time protection and Security Intelligence Updates during OOBE is not enabled. | + + + + + + + + ### Configuration/PassiveRemediation @@ -2481,7 +2531,7 @@ Information about the current status of the threat. The following list shows the | 7 | Removed | | 8 | Cleaned | | 9 | Allowed | -| 10 | No Status (Cleared) | +| 10 | No Status ( Cleared) | @@ -3676,7 +3726,7 @@ OfflineScan action starts a Microsoft Defender Offline scan on the computer wher -RollbackEngine action rolls back Microsoft Defender engine to its last known good saved version on the computer where you run the command. +RollbackEngine action rolls back Microsoft Defender engine to it's last known good saved version on the computer where you run the command. diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index 4a653a572d..09e0cb692e 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -1920,6 +1920,45 @@ The following XML file contains the device description framework (DDF) for the D + + OobeEnableRtpAndSigUpdate + + + + + + + + 0 + This setting allows you to configure whether real-time protection and Security Intelligence Updates are enabled during OOBE (Out of Box experience). + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + If you enable this setting, real-time protection and Security Intelligence Updates are enabled during OOBE. + + + 0 + If you either disable or do not configure this setting, real-time protection and Security Intelligence Updates during OOBE is not enabled. + + + + ThrottleForScheduledScanOnly diff --git a/windows/client-management/mdm/devicepreparation-csp.md b/windows/client-management/mdm/devicepreparation-csp.md index e32d2c6c9a..a6be4ec54b 100644 --- a/windows/client-management/mdm/devicepreparation-csp.md +++ b/windows/client-management/mdm/devicepreparation-csp.md @@ -4,7 +4,7 @@ description: Learn more about the DevicePreparation CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -31,6 +31,7 @@ The following list shows the DevicePreparation configuration service provider no - [ClassID](#bootstrapperagentclassid) - [ExecutionContext](#bootstrapperagentexecutioncontext) - [InstallationStatusUri](#bootstrapperagentinstallationstatusuri) + - [MdmAgentInstalled](#mdmagentinstalled) - [MDMProvider](#mdmprovider) - [Progress](#mdmproviderprogress) - [PageEnabled](#pageenabled) @@ -194,6 +195,46 @@ This node holds a URI that can be queried for the status of the Bootstrapper Age + +## MdmAgentInstalled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DevicePreparation/MdmAgentInstalled +``` + + + + +This node indicates whether the MDM agent was installed or not. When set to true sets the AUTOPILOT_MDM_AGENT_REGISTERED WNF event. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | + + + + + + + + ## MDMProvider diff --git a/windows/client-management/mdm/devicepreparation-ddf-file.md b/windows/client-management/mdm/devicepreparation-ddf-file.md index c2a8a4aa4e..9d1713e298 100644 --- a/windows/client-management/mdm/devicepreparation-ddf-file.md +++ b/windows/client-management/mdm/devicepreparation-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -286,6 +286,29 @@ The following XML file contains the device description framework (DDF) for the D + + MdmAgentInstalled + + + + + + false + This node indicates whether the MDM agent was installed or not. When set to true sets the AUTOPILOT_MDM_AGENT_REGISTERED WNF event. + + + + + + + + + + + + + + ``` diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index bdae4f4a67..ff2a647808 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md @@ -4,7 +4,7 @@ description: Learn more about the DMClient CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/28/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -16,6 +16,9 @@ ms.topic: reference # DMClient CSP +> [!IMPORTANT] +> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview. + The DMClient configuration service provider (CSP) has more enterprise-specific mobile device management (MDM) configuration settings. These settings identify the device in the enterprise domain, include security mitigation for certificate renewal, and are used for server-triggered enterprise unenrollment. @@ -37,6 +40,10 @@ The following list shows the DMClient configuration service provider nodes: - [Lock](#deviceproviderprovideridconfiglocklock) - [SecureCore](#deviceproviderprovideridconfiglocksecurecore) - [UnlockDuration](#deviceproviderprovideridconfiglockunlockduration) + - [ConfigRefresh](#deviceproviderprovideridconfigrefresh) + - [Cadence](#deviceproviderprovideridconfigrefreshcadence) + - [Enabled](#deviceproviderprovideridconfigrefreshenabled) + - [PausePeriod](#deviceproviderprovideridconfigrefreshpauseperiod) - [CustomEnrollmentCompletePage](#deviceproviderprovideridcustomenrollmentcompletepage) - [BodyText](#deviceproviderprovideridcustomenrollmentcompletepagebodytext) - [HyperlinkHref](#deviceproviderprovideridcustomenrollmentcompletepagehyperlinkhref) @@ -624,6 +631,176 @@ This node, when it is set, tells the client to set how many minutes the device s + +#### Device/Provider/{ProviderID}/ConfigRefresh + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh +``` + + + + +Parent node for ConfigRefresh nodes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +##### Device/Provider/{ProviderID}/ConfigRefresh/Cadence + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh/Cadence +``` + + + + +This node determines the number of minutes between refreshes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[30-1440]` | +| Default Value | 90 | + + + + + + + + + +##### Device/Provider/{ProviderID}/ConfigRefresh/Enabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh/Enabled +``` + + + + +This node determines whether or not a periodic settings refresh for MDM policies will occur. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| true | ConfigRefresh is enabled. | +| false (Default) | ConfigRefresh is disabled. | + + + + + + + + + +##### Device/Provider/{ProviderID}/ConfigRefresh/PausePeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh/PausePeriod +``` + + + + +This node determines the number of minutes ConfigRefresh should be paused for. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1440]` | +| Default Value | 0 | + + + + + + + + #### Device/Provider/{ProviderID}/CustomEnrollmentCompletePage diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md index b5ef6feff0..4de7f3bf11 100644 --- a/windows/client-management/mdm/dmclient-ddf-file.md +++ b/windows/client-management/mdm/dmclient-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/24/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -2947,6 +2947,125 @@ The following XML file contains the device description framework (DDF) for the D + + ConfigRefresh + + + + + + + Parent node for ConfigRefresh nodes + + + + + + + + + + + + + + 99.9.99999 + 1.6 + + + + Enabled + + + + + + + + false + This node determines whether or not a periodic settings refresh for MDM policies will occur. + + + + + + + + + + + + + + + true + ConfigRefresh is enabled. + + + false + ConfigRefresh is disabled. + + + LastWrite + + + + Cadence + + + + + + + + 90 + This node determines the number of minutes between refreshes. + + + + + + + + + + + + + + [30-1440] + + + + + PausePeriod + + + + + + + + 0 + This node determines the number of minutes ConfigRefresh should be paused for. + + + + + + + + + + + + + + [0-1440] + + + + diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index 726ff88fb1..9d5ec3342a 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -4,7 +4,7 @@ description: Learn more about the EnterpriseModernAppManagement CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/28/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,6 +17,7 @@ ms.topic: reference # EnterpriseModernAppManagement CSP + The EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. For details about how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](../enterprise-app-management.md). > [!NOTE] @@ -273,6 +274,7 @@ Used to perform app installation. + This is a required node. @@ -312,6 +314,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + This is an optional node. > [!NOTE] @@ -329,6 +332,7 @@ This is an optional node. + **Example**: Here's an example for uninstalling an app: @@ -374,6 +378,7 @@ Command to perform an install of an app package from a hosted location (this can + This is a required node. The following list shows the supported deployment options: - ForceApplicationShutdown @@ -424,6 +429,7 @@ Last error relating to the app installation. + > [!NOTE] > This element isn't present after the app is installed. @@ -464,6 +470,7 @@ Description of last error relating to the app installation. + > [!NOTE] > This element isn't present after the app is installed. @@ -504,6 +511,7 @@ An integer the indicates the progress of the app installation. For https locatio + > [!NOTE] > This element isn't present after the app is installed. @@ -544,6 +552,7 @@ Status of app installation. The following values are returned: NOT_INSTALLED (0) + > [!NOTE] > This element isn't present after the app is installed. @@ -662,6 +671,7 @@ Used to manage licenses for store apps. + This is a required node. @@ -701,6 +711,7 @@ License ID for a store installed app. The license ID is generally the PFN of the + This is an optional node. @@ -741,6 +752,7 @@ Command to add license. + This is a required node. @@ -780,6 +792,7 @@ Command to get license from the store. + This is a required node. @@ -936,6 +949,7 @@ Used for inventory and app management (post-install). + This is a required node. @@ -975,6 +989,7 @@ Specifies the query for app inventory. + This is a required node. Query parameters: - Output - Specifies the parameters for the information returned in AppInventoryResults operation. Multiple value must be separate by |. Valid values are: @@ -1016,6 +1031,7 @@ This is a required node. Query parameters: + **Example**: The following example sets the inventory query for the package names and checks the status for reinstallation for all main packages that are nonStore apps. @@ -1057,6 +1073,7 @@ Returns the results for app inventory that was created after the AppInventoryQue + This is a required node. @@ -1070,6 +1087,7 @@ This is a required node. + **Example**: Here's an example of AppInventoryResults operation. @@ -1108,6 +1126,7 @@ Here's an example of AppInventoryResults operation. + This is a required node. Used for managing apps from the Microsoft Store. @@ -1147,6 +1166,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + > [!NOTE] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. @@ -1162,6 +1182,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + **Example**: Here's an example for uninstalling an app: @@ -1247,6 +1268,7 @@ Architecture of installed package. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -1287,6 +1309,7 @@ Date the app was installed. Value type is string. + This is a required node. @@ -1326,6 +1349,7 @@ Install location of the app on the device. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -1405,6 +1429,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1 + > [!NOTE] > Not applicable to XAP files. @@ -1484,6 +1509,7 @@ This node is used to identify whether the package is a stub package. A stub pack + The value is 1 if the package is a stub package and 0 (zero) for all other cases. @@ -1562,6 +1588,7 @@ Provides information about the status of the package. Value type is int. Valid v + > [!NOTE] > Not applicable to XAP files. @@ -1641,6 +1668,7 @@ Specifies whether the package state has changed and requires a reinstallation of + This is a required node. > [!NOTE] @@ -1683,6 +1711,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta + > [!NOTE] > Not applicable to XAP files. @@ -1723,6 +1752,7 @@ Registered users of the app and the package install state. If the query is at th + This is a required node. Possible values: - 0 = Not Installed @@ -1806,6 +1836,7 @@ Specifies whether you want to block a specific app from being updated via auto-u + This is a required node. @@ -1854,6 +1885,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the + Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). | Applicability Setting | CSP state | Result | @@ -1909,6 +1941,7 @@ This setting allows the IT admin to set an app to be nonremovable, or unable to + NonRemovable requires admin permission. This setting can only be defined per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults. @@ -1931,6 +1964,7 @@ NonRemovable requires admin permission. This setting can only be defined per dev + **Examples**: - Add an app to the nonremovable app policy list @@ -2019,6 +2053,7 @@ Interior node for the managing updates through the Microsoft Store. These settin + > [!NOTE] > ReleaseManagement settings only apply to updates through the Microsoft Store. @@ -2294,6 +2329,7 @@ Reports the last error code returned by the update scan. + This is a required node. @@ -2332,6 +2368,7 @@ This is a required node. + Used to manage enterprise apps or developer apps that weren't acquired from the Microsoft Store. @@ -2371,6 +2408,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + > [!NOTE] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. @@ -2386,6 +2424,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + **Example**: Here's an example for uninstalling an app: @@ -2471,6 +2510,7 @@ Architecture of installed package. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -2511,6 +2551,7 @@ Date the app was installed. Value type is string. + This is a required node. @@ -2550,6 +2591,7 @@ Install location of the app on the device. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -2629,6 +2671,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1 + > [!NOTE] > Not applicable to XAP files. @@ -2708,6 +2751,7 @@ This node is used to identify whether the package is a stub package. A stub pack + The value is 1 if the package is a stub package and 0 (zero) for all other cases. @@ -2786,6 +2830,7 @@ Provides information about the status of the package. Value type is int. Valid v + > [!NOTE] > Not applicable to XAP files. @@ -2865,6 +2910,7 @@ Specifies whether the package state has changed and requires a reinstallation of + This is a required node. > [!NOTE] @@ -2907,6 +2953,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta + > [!NOTE] > Not applicable to XAP files. @@ -2947,6 +2994,7 @@ Registered users of the app and the package install state. If the query is at th + This is a required node. Possible values: - 0 = Not Installed @@ -3030,6 +3078,7 @@ Specifies whether you want to block a specific app from being updated via auto-u + This is a required node. @@ -3078,6 +3127,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the + Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). | Applicability Setting | CSP state | Result | @@ -3133,6 +3183,7 @@ This setting allows the IT admin to set an app to be nonremovable, or unable to + NonRemovable requires admin permission. This setting can only be defined per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults. @@ -3155,6 +3206,7 @@ NonRemovable requires admin permission. This setting can only be defined per dev + **Examples**: - Add an app to the nonremovable app policy list @@ -3555,6 +3607,7 @@ Used to restore the Windows app to its initial configuration. + Reports apps installed as part of the operating system. @@ -3594,6 +3647,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + > [!NOTE] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. @@ -3675,6 +3729,7 @@ Architecture of installed package. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -3715,6 +3770,7 @@ Date the app was installed. Value type is string. + This is a required node. @@ -3754,6 +3810,7 @@ Install location of the app on the device. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -3833,6 +3890,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1 + > [!NOTE] > Not applicable to XAP files. @@ -3912,6 +3970,7 @@ This node is used to identify whether the package is a stub package. A stub pack + The value is 1 if the package is a stub package and 0 (zero) for all other cases. @@ -3990,6 +4049,7 @@ Provides information about the status of the package. Value type is int. Valid v + > [!NOTE] > Not applicable to XAP files. @@ -4069,6 +4129,7 @@ Specifies whether the package state has changed and requires a reinstallation of + This is a required node. > [!NOTE] @@ -4111,6 +4172,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta + > [!NOTE] > Not applicable to XAP files. @@ -4151,6 +4213,7 @@ Registered users of the app and the package install state. If the query is at th + This is a required node. - 0 = Not Installed @@ -4766,6 +4829,7 @@ Specifies whether you want to block a specific app from being updated via auto-u + This is a required node. @@ -4814,6 +4878,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the + Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). | Applicability Setting | CSP state | Result | @@ -4869,6 +4934,7 @@ This setting allows the IT admin to set an app to be nonremovable, or unable to + NonRemovable requires admin permission. This setting can only be defined per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults. @@ -4891,6 +4957,7 @@ NonRemovable requires admin permission. This setting can only be defined per dev + **Examples**: - Add an app to the nonremovable app policy list @@ -5253,6 +5320,7 @@ Used to start the Windows Update scan. + This is a required node. @@ -5331,6 +5399,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + > [!NOTE] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. @@ -5346,6 +5415,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + **Example**: Here's an example for uninstalling an app: @@ -5391,6 +5461,7 @@ Command to perform an install of an app package from a hosted location (this can + This is a required node. The following list shows the supported deployment options: - ForceApplicationShutdown @@ -5441,6 +5512,7 @@ Last error relating to the app installation. + > [!NOTE] > This element isn't present after the app is installed. @@ -5481,6 +5553,7 @@ Description of last error relating to the app installation. + > [!NOTE] > This element isn't present after the app is installed. @@ -5521,6 +5594,7 @@ An integer the indicates the progress of the app installation. For https locatio + > [!NOTE] > This element isn't present after the app is installed. @@ -5561,6 +5635,7 @@ Status of app installation. The following values are returned: NOT_INSTALLED (0) + > [!NOTE] > This element isn't present after the app is installed. @@ -5718,6 +5793,7 @@ License ID for a store installed app. The license ID is generally the PFN of the + This is an optional node. @@ -5758,6 +5834,7 @@ Command to add license. + This is a required node. @@ -5797,6 +5874,7 @@ Command to get license from the store. + This is a required node. @@ -5992,6 +6070,7 @@ Specifies the query for app inventory. + This is a required node. Query parameters: - Output - Specifies the parameters for the information returned in AppInventoryResults operation. Multiple value must be separate by |. Valid values are: @@ -6031,6 +6110,7 @@ This is a required node. Query parameters: + **Example**: The following example sets the inventory query for the package names and checks the status for reinstallation for all main packages that are nonStore apps. @@ -6072,6 +6152,7 @@ Returns the results for app inventory that was created after the AppInventoryQue + This is a required node. @@ -6085,6 +6166,7 @@ This is a required node. + **Example**: Here's an example of AppInventoryResults operation. @@ -6123,6 +6205,7 @@ Here's an example of AppInventoryResults operation. + This is a required node. Used for managing apps from the Microsoft Store. @@ -6162,6 +6245,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + > [!NOTE] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. @@ -6177,6 +6261,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + **Example**: Here's an example for uninstalling an app: @@ -6262,6 +6347,7 @@ Architecture of installed package. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -6302,6 +6388,7 @@ Date the app was installed. Value type is string. + This is a required node. @@ -6341,6 +6428,7 @@ Install location of the app on the device. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -6420,6 +6508,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1 + > [!NOTE] > Not applicable to XAP files. @@ -6499,6 +6588,7 @@ This node is used to identify whether the package is a stub package. A stub pack + The value is 1 if the package is a stub package and 0 (zero) for all other cases. @@ -6577,6 +6667,7 @@ Provides information about the status of the package. Value type is int. Valid v + > [!NOTE] > Not applicable to XAP files. @@ -6656,6 +6747,7 @@ Specifies whether the package state has changed and requires a reinstallation of + This is a required node. > [!NOTE] @@ -6698,6 +6790,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta + > [!NOTE] > Not applicable to XAP files. @@ -6738,6 +6831,7 @@ Registered users of the app and the package install state. If the query is at th + This is a required node. Possible values: - 0 = Not Installed @@ -6821,6 +6915,7 @@ Interior node for all managed app setting values. + > [!NOTE] > This node is only supported in the user context. @@ -6861,6 +6956,7 @@ The SettingValue and data represent a key value pair to be configured for the ap + This setting only works for apps that support the feature and it's only supported in the user context. @@ -6875,6 +6971,7 @@ This setting only works for apps that support the feature and it's only supporte + **Examples**: - The following example sets the value for the 'Server' @@ -6933,6 +7030,7 @@ Specifies whether you want to block a specific app from being updated via auto-u + This is a required node. @@ -6981,6 +7079,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the + Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). |Applicability Setting |CSP state |Result | @@ -7036,6 +7135,7 @@ Interior node for the managing updates through the Microsoft Store. These settin + > [!NOTE] > ReleaseManagement settings only apply to updates through the Microsoft Store. @@ -7311,6 +7411,7 @@ Reports the last error code returned by the update scan. + This is a required node. @@ -7349,6 +7450,7 @@ This is a required node. + Used to manage enterprise apps or developer apps that weren't acquired from the Microsoft Store. @@ -7388,6 +7490,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + > [!NOTE] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. @@ -7403,6 +7506,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + ```xml @@ -7484,6 +7588,7 @@ Architecture of installed package. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -7524,6 +7629,7 @@ Date the app was installed. Value type is string. + This is a required node. @@ -7563,6 +7669,7 @@ Install location of the app on the device. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -7642,6 +7749,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1 + > [!NOTE] > Not applicable to XAP files. @@ -7721,6 +7829,7 @@ This node is used to identify whether the package is a stub package. A stub pack + The value is 1 if the package is a stub package and 0 (zero) for all other cases. Value type is int. @@ -7801,6 +7910,7 @@ Provides information about the status of the package. Value type is int. Valid v + > [!NOTE] > Not applicable to XAP files. @@ -7880,6 +7990,7 @@ Specifies whether the package state has changed and requires a reinstallation of + This is a required node. > [!NOTE] @@ -7922,6 +8033,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta + > [!NOTE] > Not applicable to XAP files. @@ -7962,6 +8074,7 @@ Registered users of the app and the package install state. If the query is at th + Requried. - Not Installed = 0 @@ -8045,6 +8158,7 @@ Interior node for all managed app setting values. + This node is only supported in the user context. @@ -8084,6 +8198,7 @@ The SettingValue and data represent a key value pair to be configured for the ap + This setting only works for apps that support the feature and it's only supported in the user context. @@ -8098,6 +8213,7 @@ This setting only works for apps that support the feature and it's only supporte + The following example sets the value for the 'Server' ```xml @@ -8154,6 +8270,7 @@ Specifies whether you want to block a specific app from being updated via auto-u + This is a required node. @@ -8202,6 +8319,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the + Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). | Applicability Setting | CSP state | Result | @@ -8531,6 +8649,7 @@ Used to remove packages. + Parameters: - Package @@ -8551,6 +8670,7 @@ Parameters: + **Example**: The following example removes a package for all users: @@ -8632,6 +8752,7 @@ Used to restore the Windows app to its initial configuration. + Reports apps installed as part of the operating system. @@ -8671,6 +8792,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + > [!NOTE] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. @@ -8686,6 +8808,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + **Example**: ```xml @@ -8769,6 +8892,7 @@ Architecture of installed package. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -8809,6 +8933,7 @@ Date the app was installed. Value type is string. + This is a required node. @@ -8848,6 +8973,7 @@ Install location of the app on the device. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -8927,6 +9053,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1 + > [!NOTE] > Not applicable to XAP files. @@ -9006,6 +9133,7 @@ This node is used to identify whether the package is a stub package. A stub pack + The value is 1 if the package is a stub package and 0 (zero) for all other cases. @@ -9084,6 +9212,7 @@ Provides information about the status of the package. Value type is int. Valid v + > [!NOTE] > Not applicable to XAP files. @@ -9163,6 +9292,7 @@ Specifies whether the package state has changed and requires a reinstallation of + This is a required node. > [!NOTE] @@ -9205,6 +9335,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta + > [!NOTE] > Not applicable to XAP files. @@ -9245,6 +9376,7 @@ Registered users of the app and the package install state. If the query is at th + This is a required node. - 0 = Not Installed @@ -9328,6 +9460,7 @@ Interior node for all managed app setting values. + This node is only supported in the user context. @@ -9367,6 +9500,7 @@ The SettingValue and data represent a key value pair to be configured for the ap + This setting only works for apps that support the feature and it's only supported in the user context. @@ -9381,6 +9515,7 @@ This setting only works for apps that support the feature and it's only supporte + **Examples**: - The following example sets the value for the 'Server' @@ -9439,6 +9574,7 @@ Specifies whether you want to block a specific app from being updated via auto-u + This is a required node. @@ -9487,6 +9623,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the + Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). | Applicability Setting | CSP state | Result | @@ -9816,6 +9953,7 @@ Used to start the Windows Update scan. + This is a required node. diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index c5b31e1372..dd6206ae17 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -4,7 +4,7 @@ description: Learn more about the Firewall CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -16,9 +16,6 @@ ms.topic: reference # Firewall CSP -> [!IMPORTANT] -> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview. - The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. @@ -99,11 +96,11 @@ The following list shows the Firewall configuration service provider nodes: - [HyperVFirewallRules](#mdmstorehypervfirewallrules) - [{FirewallRuleName}](#mdmstorehypervfirewallrulesfirewallrulename) - [Action](#mdmstorehypervfirewallrulesfirewallrulenameaction) - - [Type](#mdmstorehypervfirewallrulesfirewallrulenameactiontype) - [Direction](#mdmstorehypervfirewallrulesfirewallrulenamedirection) - [Enabled](#mdmstorehypervfirewallrulesfirewallrulenameenabled) - [LocalAddressRanges](#mdmstorehypervfirewallrulesfirewallrulenamelocaladdressranges) - [LocalPortRanges](#mdmstorehypervfirewallrulesfirewallrulenamelocalportranges) + - [Name](#mdmstorehypervfirewallrulesfirewallrulenamename) - [Priority](#mdmstorehypervfirewallrulesfirewallrulenamepriority) - [Profiles](#mdmstorehypervfirewallrulesfirewallrulenameprofiles) - [Protocol](#mdmstorehypervfirewallrulesfirewallrulenameprotocol) @@ -111,12 +108,6 @@ The following list shows the Firewall configuration service provider nodes: - [RemotePortRanges](#mdmstorehypervfirewallrulesfirewallrulenameremoteportranges) - [Status](#mdmstorehypervfirewallrulesfirewallrulenamestatus) - [VMCreatorId](#mdmstorehypervfirewallrulesfirewallrulenamevmcreatorid) - - [HyperVLoopbackRules](#mdmstorehypervloopbackrules) - - [{RuleName}](#mdmstorehypervloopbackrulesrulename) - - [DestinationVMCreatorId](#mdmstorehypervloopbackrulesrulenamedestinationvmcreatorid) - - [Enabled](#mdmstorehypervloopbackrulesrulenameenabled) - - [PortRanges](#mdmstorehypervloopbackrulesrulenameportranges) - - [SourceVMCreatorId](#mdmstorehypervloopbackrulesrulenamesourcevmcreatorid) - [HyperVVMSettings](#mdmstorehypervvmsettings) - [{VMCreatorId}](#mdmstorehypervvmsettingsvmcreatorid) - [AllowHostPolicyMerge](#mdmstorehypervvmsettingsvmcreatoridallowhostpolicymerge) @@ -1791,7 +1782,7 @@ Specifies the description of the rule. -Comma separated list. The rule is enabled based on the traffic direction as following. +The rule is enabled based on the traffic direction as following. IN - the rule applies to inbound traffic. OUT - the rule applies to outbound traffic. @@ -1935,7 +1926,7 @@ If not specified - a new rule is disabled by default. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 21H1 [10.0.19043] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -2087,6 +2078,7 @@ An IPv6 address range in the format of "start address - end address" with no spa Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. +When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP). @@ -2166,7 +2158,8 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. - + +Specifies the friendly name of the firewall rule. @@ -2194,7 +2187,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 22H2 [10.0.19045.2913] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1880] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621.1635] and later | @@ -2205,7 +2198,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. -Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_". +Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_". A PolicyAppId and ServiceName cannot be specified in the same rule. @@ -2431,6 +2424,7 @@ An IPv6 address range in the format of "start address - end address" with no spa Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. +When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP). @@ -3122,7 +3116,9 @@ Unique alpha numeric identifier for the rule. The rule name must not include a f -Specifies the action for the rule. +Specifies the action the rule enforces: +0 - Block +1 - Allow. @@ -3132,68 +3128,27 @@ Specifies the action for the rule. **Description framework properties**: -| Property name | Property value | -|:--|:--| -| Format | node | -| Access Type | Get | - - - - - - - - - -###### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Action/Type - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Action/Type -``` - - - - -Specifies the action the rule enforces: -0 - Block -1 - Allow. - - - - - - - -**Description framework properties**: - | Property name | Property value | |:--|:--| | Format | int | | Access Type | Get, Replace | | Default Value | 1 | - + - + **Allowed values**: | Value | Description | |:--|:--| | 0 | Block. | | 1 (Default) | Allow. | - + - + - + - + ##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Direction @@ -3212,7 +3167,7 @@ Specifies the action the rule enforces: -Comma separated list. The rule is enabled based on the traffic direction as following. +The rule is enabled based on the traffic direction as following. IN - the rule applies to inbound traffic. OUT - the rule applies to outbound traffic. @@ -3385,6 +3340,45 @@ Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the + +##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Name +``` + + + + +Specifies the friendly name of the Hyper-V Firewall rule. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + ##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Priority @@ -3402,7 +3396,7 @@ Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the -0-255 number representing the IANA Internet Protocol (TCP = 6, UDP = 17). If not specified the default is All. +This value represents the order of rule enforcement. A lower priority rule is evaluated first. If not specified, block rules are evaluated before allow rules. If priority is configured, it is highly recommended to configure the value for ALL rules to ensure expected evaluation of rules. @@ -3416,7 +3410,7 @@ Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the |:--|:--| | Format | int | | Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-255]` | +| Allowed Values | Range: `[0-65535]` | @@ -3679,255 +3673,6 @@ This field specifies the VM Creator ID that this rule is applicable to. A NULL G - -### MdmStore/HyperVLoopbackRules - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules -``` - - - - -A list of rules controlling loopback traffic through the Windows Firewall. This enforcement is only for traffic from one container to another or to the host device. These rules are all allow rules. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | node | -| Access Type | Get | - - - - - - - - - -#### MdmStore/HyperVLoopbackRules/{RuleName} - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName} -``` - - - - -Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/). - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | node | -| Access Type | Add, Delete, Get, Replace | -| Atomic Required | True | -| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | -| Allowed Values | Regular Expression: `^[^|/]*$` | - - - - - - - - - -##### MdmStore/HyperVLoopbackRules/{RuleName}/DestinationVMCreatorId - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName}/DestinationVMCreatorId -``` - - - - -This field specifies the VM Creator ID of the destination of traffic that this rule applies to. If not specified, this applies to All. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Regular Expression: `\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}` | - - - - - - - - - -##### MdmStore/HyperVLoopbackRules/{RuleName}/Enabled - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName}/Enabled -``` - - - - -Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. If not specified - a new rule is disabled by default. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | bool | -| Access Type | Get, Replace | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 | Disabled. | -| 1 | Enabled. | - - - - - - - - - -##### MdmStore/HyperVLoopbackRules/{RuleName}/PortRanges - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName}/PortRanges -``` - - - - -Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Regular Expression: `^[0-9,-]+$` | - - - - - - - - - -##### MdmStore/HyperVLoopbackRules/{RuleName}/SourceVMCreatorId - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName}/SourceVMCreatorId -``` - - - - -This field specifies the VM Creator ID of the source of the traffic that this rule applies to. If not specified, this applies to All. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Regular Expression: `\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}` | - - - - - - - - ### MdmStore/HyperVVMSettings @@ -4026,7 +3771,7 @@ VM Creator ID that these settings apply to. Valid format is a GUID. -This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings will be applied to Hyper-V firewall. +This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings will be applied to Hyper-V Firewall. @@ -4075,7 +3820,7 @@ This value is used as an on/off switch. If this value is true, applicable host f -This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. @@ -4125,7 +3870,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. @@ -4213,7 +3958,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. +This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. @@ -4263,7 +4008,7 @@ This value is used as an on/off switch. If this value is false, firewall rules f -This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. @@ -4313,7 +4058,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. @@ -4363,7 +4108,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is an on/off switch for the firewall and advanced security enforcement. +This value is an on/off switch for the Hyper-V Firewall enforcement. @@ -4412,7 +4157,7 @@ This value is an on/off switch for the firewall and advanced security enforcemen -This value is an on/off switch for the firewall and advanced security enforcement. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. +This value is an on/off switch for the Hyper-V Firewall. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. @@ -4434,8 +4179,8 @@ This value is an on/off switch for the firewall and advanced security enforcemen | Value | Description | |:--|:--| -| false | Disable Firewall. | -| true (Default) | Enable Firewall. | +| false | Disable Hyper-V Firewall. | +| true (Default) | Enable Hyper-V Firewall. | @@ -4548,7 +4293,7 @@ This value is an on/off switch for loopback traffic. This determines if this VM -This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. +This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. @@ -4598,7 +4343,7 @@ This value is used as an on/off switch. If this value is false, firewall rules f -This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. @@ -4648,7 +4393,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. @@ -4698,7 +4443,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is an on/off switch for the firewall and advanced security enforcement. +This value is an on/off switch for the Hyper-V Firewall enforcement. @@ -4785,7 +4530,7 @@ This value is an on/off switch for the firewall and advanced security enforcemen -This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. +This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. @@ -4835,7 +4580,7 @@ This value is used as an on/off switch. If this value is false, firewall rules f -This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. @@ -4885,7 +4630,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. @@ -4935,7 +4680,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is an on/off switch for the firewall and advanced security enforcement. +This value is an on/off switch for the Hyper-V Firewall enforcement. @@ -4957,8 +4702,8 @@ This value is an on/off switch for the firewall and advanced security enforcemen | Value | Description | |:--|:--| -| false | Disable Firewall. | -| true (Default) | Enable Firewall. | +| false | Disable Hyper-V Firewall. | +| true (Default) | Enable Hyper-V Firewall. | diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md index 4eb6ee5f96..6fd0b6982d 100644 --- a/windows/client-management/mdm/firewall-ddf-file.md +++ b/windows/client-management/mdm/firewall-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -2855,7 +2855,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is an on/off switch for the firewall and advanced security enforcement. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. + This value is an on/off switch for the Hyper-V Firewall. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. @@ -2871,11 +2871,11 @@ The following XML file contains the device description framework (DDF) for the F false - Disable Firewall + Disable Hyper-V Firewall true - Enable Firewall + Enable Hyper-V Firewall @@ -2888,7 +2888,7 @@ The following XML file contains the device description framework (DDF) for the F 0 - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. @@ -2918,7 +2918,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -2934,7 +2934,7 @@ The following XML file contains the device description framework (DDF) for the F 1 - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. @@ -2964,7 +2964,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3012,7 +3012,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings will be applied to Hyper-V firewall. + This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings will be applied to Hyper-V Firewall. @@ -3063,7 +3063,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is an on/off switch for the firewall and advanced security enforcement. + This value is an on/off switch for the Hyper-V Firewall enforcement. @@ -3096,7 +3096,7 @@ The following XML file contains the device description framework (DDF) for the F 0 - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. @@ -3126,7 +3126,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3142,7 +3142,7 @@ The following XML file contains the device description framework (DDF) for the F 1 - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. @@ -3172,7 +3172,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3187,7 +3187,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. @@ -3217,7 +3217,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3252,7 +3252,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is an on/off switch for the firewall and advanced security enforcement. + This value is an on/off switch for the Hyper-V Firewall enforcement. @@ -3285,7 +3285,7 @@ The following XML file contains the device description framework (DDF) for the F 0 - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. @@ -3315,7 +3315,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3331,7 +3331,7 @@ The following XML file contains the device description framework (DDF) for the F 1 - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. @@ -3361,7 +3361,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3376,7 +3376,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. @@ -3406,7 +3406,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3441,7 +3441,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is an on/off switch for the firewall and advanced security enforcement. + This value is an on/off switch for the Hyper-V Firewall enforcement. @@ -3457,11 +3457,11 @@ The following XML file contains the device description framework (DDF) for the F false - Disable Firewall + Disable Hyper-V Firewall true - Enable Firewall + Enable Hyper-V Firewall @@ -3474,7 +3474,7 @@ The following XML file contains the device description framework (DDF) for the F 0 - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. @@ -3504,7 +3504,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3520,7 +3520,7 @@ The following XML file contains the device description framework (DDF) for the F 1 - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. @@ -3550,7 +3550,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3565,7 +3565,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. @@ -3595,7 +3595,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3818,7 +3818,10 @@ ServiceName - Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + + Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP). + @@ -3846,7 +3849,10 @@ ServiceName - Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + + Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP). + @@ -3878,6 +3884,8 @@ ServiceName String value. Multiple ICMP type+code pairs can be included in the string by separating each value with a ",". If more than one ICMP type+code pair is specified, the strings must be separated by a comma. To specify all ICMP types and codes, use the "*" character. For specific ICMP types and codes, use the ":" to separate the type and code. The following are valid examples: 3:4 or 1:*. The "*" character can be used to represent any code. The "*" character can't be used to specify any type, examples such as "*:4" or "*:*" are invalid. + + When setting this field in a firewall rule, the protocol field must also be set, to either 1 (ICMP) or 58 (IPv6-ICMP). @@ -3892,7 +3900,7 @@ ServiceName - 10.0.19043 + 10.0.20348 1.0 @@ -3909,7 +3917,7 @@ ServiceName - Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. + Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. Valid tokens include: "*" indicates any local address. If present, this must be the only token included. @@ -4172,7 +4180,7 @@ If not specified - a new rule is disabled by default. OUT - Comma separated list. The rule is enabled based on the traffic direction as following. + The rule is enabled based on the traffic direction as following. IN - the rule applies to inbound traffic. OUT - the rule applies to outbound traffic. @@ -4328,7 +4336,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. - Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_". + Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_". A PolicyAppId and ServiceName cannot be specified in the same rule. @@ -4342,7 +4350,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. - 99.9.99999 + 10.0.19045.2913, 10.0.22621.1635, 10.0.22000.1880 1.1 @@ -4380,6 +4388,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. + Specifies the friendly name of the firewall rule. @@ -4457,7 +4466,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. - 0-255 number representing the IANA Internet Protocol (TCP = 6, UDP = 17). If not specified the default is All. + This value represents the order of rule enforcement. A lower priority rule is evaluated first. If not specified, block rules are evaluated before allow rules. If priority is configured, it is highly recommended to configure the value for ALL rules to ensure expected evaluation of rules. @@ -4471,7 +4480,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. - [0-255] + [0-65535] @@ -4483,7 +4492,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. OUT - Comma separated list. The rule is enabled based on the traffic direction as following. + The rule is enabled based on the traffic direction as following. IN - the rule applies to inbound traffic. OUT - the rule applies to outbound traffic. @@ -4577,7 +4586,7 @@ If not specified the detault is OUT. - Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. + Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. Valid tokens include: "*" indicates any local address. If present, this must be the only token included. @@ -4695,10 +4704,14 @@ An IPv6 address range in the format of "start address - end address" with no spa + - Specifies the action for the rule. + 1 + Specifies the action the rule enforces: +0 - Block +1 - Allow - + @@ -4707,44 +4720,19 @@ An IPv6 address range in the format of "start address - end address" with no spa - + + + + 0 + Block + + + 1 + Allow + + - - Type - - - - - - 1 - Specifies the action the rule enforces: -0 - Block -1 - Allow - - - - - - - - - - - - - - - 0 - Block - - - 1 - Allow - - - - Enabled @@ -4785,7 +4773,7 @@ If not specified - a new rule is disabled by default. - Provides information about the specific verrsion of the rule in deployment for monitoring purposes. + Provides information about the specific version of the rule in deployment for monitoring purposes. @@ -4840,62 +4828,8 @@ If not specified - a new rule is disabled by default. - - - - HyperVLoopbackRules - - - - - A list of rules controlling loopback traffic through the Windows Firewall. This enforcement is only for traffic from one container to another or to the host device. These rules are all allow rules. - - - - - - - - - - - - - - - - - - - - - - - - Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/). - - - - - - - - - - RuleName - - - - - - - - ^[^|/]*$ - - - - SourceVMCreatorId + Name @@ -4903,12 +4837,12 @@ If not specified - a new rule is disabled by default. - This field specifies the VM Creator ID of the source of the traffic that this rule applies to. If not specified, this applies to All. + Specifies the friendly name of the Hyper-V Firewall rule. - + @@ -4916,96 +4850,6 @@ If not specified - a new rule is disabled by default. - - \{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\} - - - - - DestinationVMCreatorId - - - - - - - - This field specifies the VM Creator ID of the destination of traffic that this rule applies to. If not specified, this applies to All. - - - - - - - - - - - - - - \{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\} - - - - - PortRanges - - - - - - - - Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. - - - - - - - - - - - - - - ^[0-9,-]+$ - - - - - - Enabled - - - - - - Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. If not specified - a new rule is disabled by default. - - - - - - - - - - - - - - - 0 - Disabled - - - 1 - Enabled - - diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index 79728405bf..e172fe94a5 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md @@ -4,7 +4,7 @@ description: Learn more about the PassportForWork CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -445,7 +445,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to | Value | Description | |:--|:--| | 0 (Default) | Allows the use of digits in PIN. | -| 1 | Requires the use of at least one digit in PIN. | +| 1 | Requires the use of at least one digits in PIN. | | 2 | Does not allow the use of digits in PIN. | @@ -583,7 +583,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to | Value | Description | |:--|:--| | 0 (Default) | Allows the use of lowercase letters in PIN. | -| 1 | Requires the use of at least one lowercase letter in PIN. | +| 1 | Requires the use of at least one lowercase letters in PIN. | | 2 | Does not allow the use of lowercase letters in PIN. | @@ -706,7 +706,7 @@ Minimum PIN length configures the minimum number of characters required for the -Use this policy setting to configure the use of special character in the Windows Hello for Business PIN gesture. Valid special characters for Windows Hello for Business PIN gestures include: ! " # $ % & ' ( ) * + , - . / : ; `< = >` ? @ [ \ ] ^ _ ` { | } ~ . +Use this policy setting to configure the use of special characters in the Windows Hello for Business PIN gesture. Valid special characters for Windows Hello for Business PIN gestures include: ! " # $ % & ' ( ) * + , - . / : ; `< = >` ? @ [ \ ] ^ _ ` { | } ~ . A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one special character in their PIN. @@ -791,7 +791,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to | Value | Description | |:--|:--| | 0 (Default) | Allows the use of uppercase letters in PIN. | -| 1 | Requires the use of at least one uppercase letter in PIN. | +| 1 | Requires the use of at least one uppercase letters in PIN. | | 2 | Does not allow the use of uppercase letters in PIN. | @@ -2027,7 +2027,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to | Value | Description | |:--|:--| | 0 (Default) | Allows the use of digits in PIN. | -| 1 | Requires the use of at least one digit in PIN. | +| 1 | Requires the use of at least one digits in PIN. | | 2 | Does not allow the use of digits in PIN. | @@ -2165,7 +2165,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to | Value | Description | |:--|:--| | 0 (Default) | Allows the use of lowercase letters in PIN. | -| 1 | Requires the use of at least one lowercase letter in PIN. | +| 1 | Requires the use of at least one lowercase letters in PIN. | | 2 | Does not allow the use of lowercase letters in PIN. | @@ -2317,7 +2317,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to | Value | Description | |:--|:--| | 0 (Default) | Allows the use of special characters in PIN. | -| 1 | Requires the use of at least one special character in PIN. | +| 1 | Requires the use of at least one special characters in PIN. | | 2 | Does not allow the use of special characters in PIN. | @@ -2373,7 +2373,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to | Value | Description | |:--|:--| | 0 (Default) | Allows the use of uppercase letters in PIN. | -| 1 | Requires the use of at least one uppercase letter in PIN. | +| 1 | Requires the use of at least one uppercase letters in PIN. | | 2 | Does not allow the use of uppercase letters in PIN. | diff --git a/windows/client-management/mdm/personaldataencryption-ddf-file.md b/windows/client-management/mdm/personaldataencryption-ddf-file.md index b5425cab46..1d5d233812 100644 --- a/windows/client-management/mdm/personaldataencryption-ddf-file.md +++ b/windows/client-management/mdm/personaldataencryption-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -83,128 +83,6 @@ The following XML file contains the device description framework (DDF) for the P - - ProtectFolders - - - - - - - - - - - - - - - - - - - ProtectDocuments - - - - - - - - Allows the Admin to enable PDE on Documents folder. Set to '1' to set this policy. - - - - - - - - - - - - - - - 0 - Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder. - - - 1 - Enable PDE on the folder. - - - - - - ProtectDesktop - - - - - - - - Allows the Admin to enable PDE on Desktop folder. Set to '1' to set this policy. - - - - - - - - - - - - - - - 0 - Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder. - - - 1 - Enable PDE on the folder. - - - - - - ProtectPictures - - - - - - - - Allows the Admin to enable PDE on Pictures folder. Set to '1' to set this policy. - - - - - - - - - - - - - - - 0 - Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder. - - - 1 - Enable PDE on the folder. - - - - - Status @@ -245,66 +123,6 @@ The following XML file contains the device description framework (DDF) for the P - - FolderProtectionStatus - - - - - This node reports folder protection status for a user. - - - - - - - - - - - - - - - 0 - Protection not started. - - - 1 - Protection is completed with no failures. - - - 2 - Protection in progress. - - - 3 - Protection failed. - - - - - - FoldersProtected - - - - - This node reports all folders (full path to each folder) that have been protected. - - - - - - - - - - - - - - diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 08332c2601..404381b85a 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -4,7 +4,7 @@ description: Learn about the ADMX-backed policies in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md index 6aba70d787..f9aa11914a 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md @@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -340,9 +340,6 @@ This article lists the policies in Policy CSP that have a group policy mapping. - [ClearTextPassword](policy-csp-devicelock.md) - [PasswordComplexity](policy-csp-devicelock.md) - [PasswordHistorySize](policy-csp-devicelock.md) -- [AccountLockoutThreshold](policy-csp-devicelock.md) -- [AccountLockoutDuration](policy-csp-devicelock.md) -- [ResetAccountLockoutCounterAfter](policy-csp-devicelock.md) - [AllowAdministratorLockout](policy-csp-devicelock.md) ## Display @@ -689,7 +686,7 @@ This article lists the policies in Policy CSP that have a group policy mapping. - [StartLayout](policy-csp-start.md) - [ConfigureStartPins](policy-csp-start.md) - [HideRecommendedSection](policy-csp-start.md) -- [HideRecoPersonalizedSites](policy-csp-start.md) +- [HideRecommendedPersonalizedSites](policy-csp-start.md) - [HideTaskViewButton](policy-csp-start.md) - [DisableControlCenter](policy-csp-start.md) - [ForceStartSize](policy-csp-start.md) @@ -700,7 +697,7 @@ This article lists the policies in Policy CSP that have a group policy mapping. - [StartLayout](policy-csp-start.md) - [ConfigureStartPins](policy-csp-start.md) - [HideRecommendedSection](policy-csp-start.md) -- [HideRecoPersonalizedSites](policy-csp-start.md) +- [HideRecommendedPersonalizedSites](policy-csp-start.md) - [SimplifyQuickSettings](policy-csp-start.md) - [DisableEditingQuickSettings](policy-csp-start.md) - [HideTaskViewButton](policy-csp-start.md) @@ -884,7 +881,7 @@ This article lists the policies in Policy CSP that have a group policy mapping. - [DenyLogOnAsBatchJob](policy-csp-userrights.md) - [LogOnAsService](policy-csp-userrights.md) - [IncreaseProcessWorkingSet](policy-csp-userrights.md) -- [DenyServiceLogonRight](policy-csp-userrights.md) +- [DenyLogOnAsService](policy-csp-userrights.md) ## VirtualizationBasedTechnology @@ -897,7 +894,7 @@ This article lists the policies in Policy CSP that have a group policy mapping. - [NotifyMalicious](policy-csp-webthreatdefense.md) - [NotifyPasswordReuse](policy-csp-webthreatdefense.md) - [NotifyUnsafeApp](policy-csp-webthreatdefense.md) -- [CaptureThreatWindow](policy-csp-webthreatdefense.md) +- [AutomaticDataCollection](policy-csp-webthreatdefense.md) ## Wifi diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md index 11a4bb0c2c..e45320b0b7 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md @@ -24,14 +24,15 @@ ms.date: 02/03/2023 - [Authentication/PreferredAadTenantDomainName](policy-csp-authentication.md#preferredaadtenantdomainname) - [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#allowdiscoverablemode) - [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#localdevicename) -- [Browser/AllowAutofill](policy-csp-browser.md#allowautofill) -- [Browser/AllowCookies](policy-csp-browser.md#allowcookies) -- [Browser/AllowDoNotTrack](policy-csp-browser.md#allowdonottrack) -- [Browser/AllowPasswordManager](policy-csp-browser.md#allowpasswordmanager) -- [Browser/AllowPopups](policy-csp-browser.md#allowpopups) -- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#allowsearchsuggestionsinaddressbar) -- [Browser/AllowSmartScreen](policy-csp-browser.md#allowsmartscreen) +- [Browser/AllowAutofill](policy-csp-browser.md#allowautofill) 13 +- [Browser/AllowCookies](policy-csp-browser.md#allowcookies) 13 +- [Browser/AllowDoNotTrack](policy-csp-browser.md#allowdonottrack) 13 +- [Browser/AllowPasswordManager](policy-csp-browser.md#allowpasswordmanager) 13 +- [Browser/AllowPopups](policy-csp-browser.md#allowpopups) 13 +- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#allowsearchsuggestionsinaddressbar) 13 +- [Browser/AllowSmartScreen](policy-csp-browser.md#allowsmartscreen) 13 - [Connectivity/AllowBluetooth](policy-csp-connectivity.md#allowbluetooth) +- [Connectivity/AllowConnectedDevices](policy-csp-connectivity.md#allowconnecteddevices) 12 - [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#allowusbconnection) - [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#docachehost) 10 - [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#docachehostsource) 10 @@ -66,7 +67,6 @@ ms.date: 02/03/2023 - [MixedReality/ConfigureNtpClient](./policy-csp-mixedreality.md#configurentpclient) 12 - [MixedReality/DisallowNetworkConnectivityPassivePolling](./policy-csp-mixedreality.md#disallownetworkconnectivitypassivepolling) 12 - [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#fallbackdiagnostics) 9 -- [MixedReality/HeadTrackingMode](policy-csp-mixedreality.md#headtrackingmode) 9 - [MixedReality/ManualDownDirectionDisabled](policy-csp-mixedreality.md#manualdowndirectiondisabled) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update) - [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#microphonedisabled) 9 - [MixedReality/NtpClientEnabled](./policy-csp-mixedreality.md#ntpclientenabled) 12 @@ -74,14 +74,13 @@ ms.date: 02/03/2023 - [MixedReality/SkipTrainingDuringSetup](./policy-csp-mixedreality.md#skiptrainingduringsetup) 12 - [MixedReality/VisitorAutoLogon](policy-csp-mixedreality.md#visitorautologon) 10 - [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#volumebuttondisabled) 9 -- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#displayofftimeoutonbattery) 9 -- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#displayofftimeoutpluggedin) 9 -- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#energysaverbatterythresholdonbattery) 9 -- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#energysaverbatterythresholdpluggedin) 9 -- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#standbytimeoutonbattery) 9 -- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#standbytimeoutpluggedin) 9 +- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#displayofftimeoutonbattery) 9, 14 +- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#displayofftimeoutpluggedin) 9, 14 +- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#energysaverbatterythresholdonbattery) 9, 14 +- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#energysaverbatterythresholdpluggedin) 9, 14 +- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#standbytimeoutonbattery) 9, 14 +- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#standbytimeoutpluggedin) 9, 14 - [Privacy/AllowInputPersonalization](policy-csp-privacy.md#allowinputpersonalization) -- [Privacy/DisablePrivacyExperience](./policy-csp-privacy.md#disableprivacyexperience) Insider - [Privacy/LetAppsAccessAccountInfo](policy-csp-privacy.md#letappsaccessaccountinfo) - [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessaccountinfo_forceallowtheseapps) - [Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessaccountinfo_forcedenytheseapps) @@ -99,6 +98,9 @@ ms.date: 02/03/2023 - [Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessgazeinput_forcedenytheseapps) 8 - [Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessgazeinput_userincontroloftheseapps) 8 - [Privacy/LetAppsAccessLocation](policy-csp-privacy.md#letappsaccesslocation) +- [Privacy/LetAppsAccessLocation_ForceAllowTheseApps](/windows/client-management/mdm/policy-csp-privacy) 12 +- [Privacy/LetAppsAccessLocation_ForceDenyTheseApps](/windows/client-management/mdm/policy-csp-privacy) 12 +- [Privacy/LetAppsAccessLocation_UserInControlOfTheseApps](/windows/client-management/mdm/policy-csp-privacy) 12 - [Privacy/LetAppsAccessMicrophone](policy-csp-privacy.md#letappsaccessmicrophone) - [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_forceallowtheseapps) 8 - [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_forcedenytheseapps) 8 @@ -115,10 +117,11 @@ ms.date: 02/03/2023 - [Storage/ConfigStorageSenseCloudContentDehydrationThreshold](policy-csp-storage.md#configstoragesensecloudcontentdehydrationthreshold) 12 - [Storage/ConfigStorageSenseDownloadsCleanupThreshold](policy-csp-storage.md#configstoragesensedownloadscleanupthreshold) 12 - [Storage/ConfigStorageSenseGlobalCadence](policy-csp-storage.md#configstoragesenseglobalcadence) 12 -- [System/AllowCommercialDataPipeline](policy-csp-system.md#allowcommercialdatapipeline) - [System/AllowLocation](policy-csp-system.md#allowlocation) - [System/AllowStorageCard](policy-csp-system.md#allowstoragecard) - [System/AllowTelemetry](policy-csp-system.md#allowtelemetry) +- [System/ConfigureTelemetryOptInSettingsUx](/windows/client-management/mdm/policy-csp-system) 12 +- [System/DisableDeviceDelete](/windows/client-management/mdm/policy-csp-system) 12 - [TimeLanguageSettings/ConfigureTimeZone](./policy-csp-timelanguagesettings.md#configuretimezone) 9 - [Update/ActiveHoursEnd](./policy-csp-update.md#activehoursend) 9 - [Update/ActiveHoursMaxRange](./policy-csp-update.md#activehoursmaxrange) 9 @@ -160,8 +163,15 @@ Footnotes: - 10 - Available in [Windows Holographic, version 21H1](/hololens/hololens-release-notes#windows-holographic-version-21h1) - 11 - Available in [Windows Holographic, version 21H2](/hololens/hololens-release-notes#windows-holographic-version-21h2) - 12 - Available in [Windows Holographic, version 22H2](/hololens/hololens-release-notes#windows-holographic-version-22h2) +- 13 - Refer to [Configuring Policy Settings for the New Microsoft Edge](/hololens/hololens-new-edge#configuring-policy-settings-for-the-new-microsoft-edge) +- 14 - Refer to [New Power Policies for Hololens 2](/hololens/hololens-release-notes-2004#new-power-policies-for-hololens-2) - Insider - Available in our current [HoloLens Insider builds](/hololens/hololens-insider). ## Related topics [Policy CSP](policy-configuration-service-provider.md) + +[Full HoloLens CSP Details](/windows/client-management/mdm/configuration-service-provider-support) + + + diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md index e17a1d7e53..4be961a69f 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md @@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Windows 10 Team author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/28/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -257,6 +257,7 @@ This article lists the policies in Policy CSP that are applicable for the Surfac ## Start +- [HideRecommendedPersonalizedSites](policy-csp-start.md#hiderecommendedpersonalizedsites) - [StartLayout](policy-csp-start.md#startlayout) ## System diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 1eba8fd662..1fc1424bc4 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -4,7 +4,7 @@ description: Learn more about the Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/28/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage diff --git a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md index fbc5c518ac..5c5b42532a 100644 --- a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md +++ b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_SharedFolders Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -31,7 +31,7 @@ ms.topic: reference | Scope | Editions | Applicable OS | |:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md index 0b01016c5f..19a5889d94 100644 --- a/windows/client-management/mdm/policy-csp-audit.md +++ b/windows/client-management/mdm/policy-csp-audit.md @@ -4,7 +4,7 @@ description: Learn more about the Audit Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 04/14/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -843,7 +843,7 @@ Volume: Low. -This policy setting allows you to audit events generated by special logons such as the following: The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see [article 947223 in the Microsoft Knowledge Base](https://go.microsoft.com/fwlink/?LinkId=121697). +This policy setting allows you to audit events generated by special logons such as the following : The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see [article 947223 in the Microsoft Knowledge Base](https://go.microsoft.com/fwlink/?LinkId=121697). diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 1f26de308e..8643e7282a 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -4,7 +4,7 @@ description: Learn more about the Defender Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/27/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -1885,8 +1885,8 @@ Same as Disabled. - -This policy setting allows you specify a list of file types that should be excluded from scheduled, custom, and real-time scanning. File types should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the file type extension (such as "obj" or "lib"). The value is not used and it is recommended that this be set to 0. + +Allows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a |. For example, lib|obj. @@ -1939,8 +1939,8 @@ This policy setting allows you specify a list of file types that should be exclu - -This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe". The value is not used and it is recommended that this be set to 0. + +Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a |. For example, C:\Example|C:\Example1. @@ -1993,8 +1993,11 @@ This policy setting allows you to disable scheduled and real-time scanning for f - -This policy setting allows you to disable real-time scanning for any file opened by any of the specified processes. This policy does not apply to scheduled scans. The process itself will not be excluded. To exclude the process, use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the path to the process image. **Note** that only executables can be excluded. For example, a process might be defined as: "c:\windows\app.exe". The value is not used and it is recommended that this be set to 0. + +Allows an administrator to specify a list of files opened by processes to ignore during a scan. + +> [!IMPORTANT] +> The process itself is not excluded from the scan, but can be by using the Defender/ExcludedPaths policy to exclude its path. Each file type must be separated by a |. For example, C:\Example. exe|C:\Example1.exe. diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index b65b65b1e4..c86a89adff 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -4,7 +4,7 @@ description: Learn more about the DeviceInstallation Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -347,7 +347,7 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.256] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.2145] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1714] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1151] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.256] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.2145] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1714] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1151] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 69a26fb46f..80e5d67f50 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -4,7 +4,7 @@ description: Learn more about the DeviceLock Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -30,105 +30,44 @@ ms.topic: reference > The DeviceLock CSP utilizes the [Exchange ActiveSync Policy Engine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). When password length and complexity rules are applied, all the local user and administrator accounts are marked to change their password at the next sign in to ensure complexity requirements are met. For more information, see [Password length and complexity supported by account types](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)#password-length-and-complexity-supported-by-account-types). - -## AccountLockoutDuration + +## AccountLockoutPolicy - + | Scope | Editions | Applicable OS | |:--|:--|:--| | :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | - + - + ```Device -./Device/Vendor/MSFT/Policy/Config/DeviceLock/AccountLockoutDuration +./Device/Vendor/MSFT/Policy/Config/DeviceLock/AccountLockoutPolicy ``` - + - + -Account lockout duration This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it. If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified. - +Account lockout threshold - This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon attempts. If you set the value to 0, the account will never be locked out. Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password-protected screen savers count as failed logon attempts. Default: 0 Account lockout duration - This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it. If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified. Reset account lockout counter after - This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes. If an account lockout threshold is defined, this reset time must be less than or equal to the Account lockout duration. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified. + - + - + - + **Description framework properties**: | Property name | Property value | |:--|:--| -| Format | int | +| Format | chr (string) | | Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-99999]` | -| Default Value | 0 | - + - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | Account lockout duration | -| Path | Windows Settings > Security Settings > Account Policies > Account Lockout Policy | - - - + - + - - - -## AccountLockoutThreshold - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/DeviceLock/AccountLockoutThreshold -``` - - - - -Account lockout threshold - This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon attempts. If you set the value to 0, the account will never be locked out. Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password-protected screen savers count as failed logon attempts. Default: 0. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-10]` | -| Default Value | 0 | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | Account lockout threshold | -| Path | Windows Settings > Security Settings > Account Policies > Account Lockout Policy | - - - - - - - + ## AllowAdministratorLockout @@ -162,7 +101,7 @@ Allow Administrator account lockout This security setting determines whether the | Format | int | | Access Type | Add, Delete, Get, Replace | | Allowed Values | Range: `[0-1]` | -| Default Value | 0 | +| Default Value | 1 | @@ -1165,11 +1104,11 @@ Complexity requirements are enforced when passwords are changed or created. -Minimum password length -This security setting determines the least number of characters that a password for a user account may contain. The maximum value for this setting is dependent on the value of the Relax minimum password length limits setting. If the Relax minimum password length limits setting is not defined, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and disabled, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and enabled, this setting may be configured from 0 to 128. Setting the required number of characters to 0 means that no password is required. +Enforce password history +This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords. This policy enables administrators to enhance security by ensuring that old passwords are not reused continually. Default: 24 on domain controllers. 0 on stand-alone servers. > [!NOTE] -> By default, member computers follow the configuration of their domain controllers. Default: 7 on domain controllers. 0 on stand-alone servers. Configuring this setting than 14 may affect compatibility with clients, services, and applications. Microsoft recommends that you only configure this setting larger than 14 after using the Minimum password length audit setting to test for potential incompatibilities at the new setting. +> By default, member computers follow the configuration of their domain controllers. To maintain the effectiveness of the password history, do not allow passwords to be changed immediately after they were just changed by also enabling the Minimum password age security policy setting. For information about the minimum password age security policy setting, see Minimum password age. @@ -1184,7 +1123,7 @@ This security setting determines the least number of characters that a password | Format | int | | Access Type | Add, Delete, Get, Replace | | Allowed Values | Range: `[0-24]` | -| Default Value | 7 | +| Default Value | 24 | @@ -1192,7 +1131,7 @@ This security setting determines the least number of characters that a password | Name | Value | |:--|:--| -| Name | Minimum password length | +| Name | Enforce password history | | Path | Windows Settings > Security Settings > Account Policies > Password Policy | @@ -1322,56 +1261,6 @@ If you enable this setting, users will no longer be able to modify slide show se - -## ResetAccountLockoutCounterAfter - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/DeviceLock/ResetAccountLockoutCounterAfter -``` - - - - -Reset account lockout counter after - This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes. If an account lockout threshold is defined, this reset time must be less than or equal to the Account lockout duration. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[1-99999]` | -| Default Value | 0 | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | Reset account lockout counter after | -| Path | Windows Settings > Security Settings > Account Policies > Account Lockout Policy | - - - - - - - - ## ScreenTimeoutWhileLocked diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 92fda2c42a..d8938e641c 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -4,7 +4,7 @@ description: Learn more about the InternetExplorer Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -1428,7 +1428,7 @@ This policy allows the user to go directly to an intranet site for a one-word en | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | @@ -2080,7 +2080,7 @@ This policy setting allows you to manage whether Internet Explorer checks for di | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | @@ -3403,7 +3403,7 @@ The Home page specified on the General tab of the Internet Options dialog box is | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.1060] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.3460] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.2060] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1030] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.1060] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.3460] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.2060] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1030] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | @@ -3599,7 +3599,7 @@ InPrivate Browsing prevents Internet Explorer from storing data about a user's b | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | @@ -4486,7 +4486,7 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.143] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1474] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.906] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.143] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1474] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.906] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | @@ -4552,7 +4552,7 @@ For more information, see | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.558] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1566] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.527] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.558] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1566] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.527] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | @@ -7968,7 +7968,7 @@ This policy setting specifies whether JScript or JScript9Legacy is loaded for MS | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | @@ -13390,7 +13390,7 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.261] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1832] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1266] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.282] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.261] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1832] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1266] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.282] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | @@ -16537,7 +16537,7 @@ Also, see the "Security zones: Do not allow users to change policies" policy. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index 870386a6e5..16587b8ce0 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -4,7 +4,7 @@ description: Learn more about the Kerberos Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -242,7 +242,6 @@ This policy setting controls hash or checksum algorithms used by the Kerberos cl - "Not Supported" disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. - If you disable or do not configure this policy, each algorithm will assume the "Default" state. -More information about the hash and checksum algorithms supported by the Windows Kerberos client and their default states can be found at< https://go.microsoft.com/fwlink/?linkid=2169037>. Events generated by this configuration: 205, 206, 207, 208. diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index 6f83800c56..ad926281b0 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -4,7 +4,7 @@ description: Learn more about the MixedReality Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/09/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -86,7 +86,7 @@ Steps to use this policy correctly: | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -136,7 +136,7 @@ This opt-in policy can help with the setup of new devices in new areas or new us | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -188,7 +188,7 @@ For more information on the Launcher API, see [Launcher Class (Windows.System) - | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -335,7 +335,7 @@ This policy setting controls if pressing the brightness button changes the brigh | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -386,7 +386,7 @@ For more information, see [Moving platform mode on low dynamic motion moving pla | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -491,7 +491,7 @@ The following XML string is an example of the value for this policy: | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -687,7 +687,7 @@ This policy configures behavior of HUP to determine, which algorithm to use for | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -786,7 +786,7 @@ This policy setting controls whether microphone on HoloLens 2 is disabled or not | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -856,7 +856,7 @@ The following example XML string shows the value to enable this policy: | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -907,7 +907,7 @@ This policy configures whether the device will take the user through the eye tra | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -957,7 +957,7 @@ It skips the training experience of interactions with the hummingbird and Start | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index f4fa8a6e6a..507250a860 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -4,7 +4,7 @@ description: Learn more about the Privacy Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -2930,7 +2930,7 @@ If an app is open when this Group Policy object is applied on a device, employee | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.25000] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.25000] and later | @@ -2990,7 +2990,7 @@ This policy setting specifies whether Windows apps can access the human presence | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.25000] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.25000] and later | @@ -3040,7 +3040,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.25000] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.25000] and later | @@ -3090,7 +3090,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.25000] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.25000] and later | diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index 19a927a634..040fb1fed2 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -4,7 +4,7 @@ description: Learn more about the Start Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -1424,6 +1424,68 @@ To validate this policy, do the following steps: + +## HideRecommendedPersonalizedSites + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | | + + + +```User +./User/Vendor/MSFT/Policy/Config/Start/HideRecommendedPersonalizedSites +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideRecommendedPersonalizedSites +``` + + + + +This policy setting allows you to hide the personalized websites in the recommended section of the Start Menu. If you enable this policy setting, the Start Menu will no longer show personalized website recommendations in the recommended section of the start menu. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Personalized Website Recommendations shown. | +| 1 | Personalized Website Recommendations hidden. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | HideRecommendedPersonalizedSites | +| Path | StartMenu > AT > StartMenu | + + + + + + + + ## HideRecommendedSection @@ -1493,68 +1555,6 @@ If you enable this policy setting, the Start Menu will no longer show the sectio - -## HideRecoPersonalizedSites - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | | - - - -```User -./User/Vendor/MSFT/Policy/Config/Start/HideRecoPersonalizedSites -``` - -```Device -./Device/Vendor/MSFT/Policy/Config/Start/HideRecoPersonalizedSites -``` - - - - -This policy setting allows you to hide the personalized websites in the recommended section of the Start Menu. If you enable this policy setting, the Start Menu will no longer show personalized website recommendations in the recommended section of the start menu. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Personalized Website Recommendations shown. | -| 1 | Personalized Website Recommendations hidden. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | HideRecoPersonalizedSites | -| Path | StartMenu > AT > StartMenu | - - - - - - - - ## HideRestart diff --git a/windows/client-management/mdm/policy-csp-stickers.md b/windows/client-management/mdm/policy-csp-stickers.md index c977508f6e..d57c186ddb 100644 --- a/windows/client-management/mdm/policy-csp-stickers.md +++ b/windows/client-management/mdm/policy-csp-stickers.md @@ -4,7 +4,7 @@ description: Learn more about the Stickers Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -26,7 +26,7 @@ ms.topic: reference | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | diff --git a/windows/client-management/mdm/policy-csp-tenantrestrictions.md b/windows/client-management/mdm/policy-csp-tenantrestrictions.md index babefd000e..96f488a077 100644 --- a/windows/client-management/mdm/policy-csp-tenantrestrictions.md +++ b/windows/client-management/mdm/policy-csp-tenantrestrictions.md @@ -4,7 +4,7 @@ description: Learn more about the TenantRestrictions Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/09/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -31,7 +31,7 @@ ms.topic: reference | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.320] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1320] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1320] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1320] and later
:heavy_check_mark: Windows 10, version 21H2 [10.0.19044] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.320] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1320] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1320] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1320] and later
:heavy_check_mark: Windows 10, version 21H2 [10.0.19044] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index 4d0a66c573..7832fbfb73 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -4,7 +4,7 @@ description: Learn more about the TextInput Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -949,7 +949,7 @@ This Policy setting applies only to Microsoft Traditional Chinese IME. -This policy allows the IT admin to enable the touch keyboard to automatically show up when the device is in the desktop mode. The touch keyboard is enabled in both the tablet and desktop mode. In the tablet mode, when you touch a textbox, the touch keyboard automatically shows up. But in the desktop mode, by default, the touch keyboard does not automatically show up when you touch a textbox. The user must click the system tray to enable the touch keyboard. When this policy is enabled, the touch keyboard automatically shows up when the device is in the desktop mode. This policy corresponds to Show the touch keyboard when not in tablet mode and there's no keyboard attached in the Settings app. +This policy allows the IT admin to control whether the touch keyboard should show up on tapping an edit control. By default, when you tap a textbox, the touch keyboard automatically shows up when there's no keyboard attached. When this policy is enabled, the touch keyboard can be shown or suppressed regardless of the hardware keyboard availability. This policy corresponds to Show the touch keyboard setting in the Settings app. @@ -971,8 +971,9 @@ This policy allows the IT admin to enable the touch keyboard to automatically sh | Value | Description | |:--|:--| -| 0 (Default) | Disabled. | -| 1 | Enabled. | +| 0 (Default) | Never. | +| 1 | When no keyboard attached. | +| 2 | Always. | diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 8bf785ab2e..a5d3afb700 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -4,7 +4,7 @@ description: Learn more about the Update Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -826,12 +826,8 @@ Pause Updates | To prevent Feature Updates from being offered to the device, you - -Enable this policy to specify when to receive Feature Updates. - -Defer Updates | This enables devices to defer taking the next Feature Update available for their current product (or a new product if specified in the Select the target Feature Update version policy). You can defer a Feature Update for up to 14 days for all pre-release channels and up to 365 days for the General Availability Channel. To learn more about the current releases, please see aka.ms/WindowsTargetVersioninfo - -Pause Updates | To prevent Feature Updates from being offered to the device, you can temporarily pause Feature Updates. This pause will remain in effect for 35 days from the specified start date or until the field is cleared. Note, Quality Updates will still be offered even if Feature Updates are paused. + +Specifies the date and time when the IT admin wants to start pausing the Feature Updates. Value type is string (yyyy-mm-dd, ex. 2018-10-28). @@ -955,16 +951,8 @@ If you disable or do not configure this policy, Windows Update will not alter it - -Enable this policy to specify when to receive quality updates. - -You can defer receiving quality updates for up to 30 days. - -To prevent quality updates from being received on their scheduled time, you can temporarily pause quality updates. The pause will remain in effect for 35 days or until you clear the start date field. - -To resume receiving Quality Updates which are paused, clear the start date field. - -If you disable or do not configure this policy, Windows Update will not alter its behavior. + +Specifies the date and time when the IT admin wants to start pausing the Quality Updates. Value type is string (yyyy-mm-dd, ex. 2018-10-28). @@ -2143,9 +2131,9 @@ If the status is set to Not Configured, use of Automatic Updates is not specifie | Value | Description | |:--|:--| -| 0 | Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option, users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. | -| 1 | Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shut down properly on restart. | -| 2 (Default) | Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shut down properly on restart. | +| 0 | Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. | +| 1 | Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart. | +| 2 (Default) | Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart. | | 3 | Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. | | 4 | Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only. | | 5 | Turn off automatic updates. | @@ -3551,7 +3539,7 @@ If the status is set to Not Configured, use of Automatic Updates is not specifie -This setting allows removal access to "Pause updates" feature. +This setting allows to remove access to "Pause updates" feature. Once enabled user access to pause updates is removed. @@ -4311,7 +4299,7 @@ Enable this policy to control the timing before transitioning from Auto restarts You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. -You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed, within the specified period. +You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart. @@ -4381,7 +4369,7 @@ Enable this policy to control the timing before transitioning from Auto restarts You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. -You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed, within the specified period. +You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart. @@ -4451,7 +4439,7 @@ Enable this policy to control the timing before transitioning from Auto restarts You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. -You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed, within the specified period. +You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart. @@ -4521,7 +4509,7 @@ Enable this policy to control the timing before transitioning from Auto restarts You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. -You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed, within the specified period. +You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart. diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index 113eac5d6c..d901a34a02 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -4,7 +4,7 @@ description: Learn more about the UserRights Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -980,6 +980,58 @@ This security setting determines which accounts are prevented from being able to + +## DenyLogOnAsService + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/DenyLogOnAsService +``` + + + + +Deny log on as a service -This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies. + +> [!NOTE] +> This security setting does not apply to the System, Local Service, or Network Service accounts. Default: None. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Deny log on as a service | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + + + + + + + + ## DenyRemoteDesktopServicesLogOn @@ -1029,58 +1081,6 @@ This user right determines which users and groups are prohibited from logging on - -## DenyServiceLogonRight - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/UserRights/DenyServiceLogonRight -``` - - - - -This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies. - -> [!NOTE] -> This security setting does not apply to the System, Local Service, or Network Service accounts. Default: None. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | List (Delimiter: `0xF000`) | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | Deny log on as a service | -| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | - - - - - - - - ## EnableDelegation diff --git a/windows/client-management/mdm/policy-csp-webthreatdefense.md b/windows/client-management/mdm/policy-csp-webthreatdefense.md index 3f32d7c225..d92837b542 100644 --- a/windows/client-management/mdm/policy-csp-webthreatdefense.md +++ b/windows/client-management/mdm/policy-csp-webthreatdefense.md @@ -4,7 +4,7 @@ description: Learn more about the WebThreatDefense Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -25,63 +25,63 @@ ms.topic: reference > In Microsoft Intune, this CSP is listed under the **Enhanced Phishing Protection** category. - -## CaptureThreatWindow + +## AutomaticDataCollection - + | Scope | Editions | Applicable OS | |:--|:--|:--| | :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | - + - + ```Device -./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/CaptureThreatWindow +./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/AutomaticDataCollection ``` - + - + -Configures Enhanced Phishing Protection notifications to allow to capture the suspicious window on client machines for further threat analysis. - +Automatically collect website or app content when additional analysis is needed to help identify security threats. + - + - + - + **Description framework properties**: | Property name | Property value | |:--|:--| | Format | int | | Access Type | Add, Delete, Get, Replace | -| Default Value | 1 | - +| Default Value | 0 | + - + **Allowed values**: | Value | Description | |:--|:--| -| 0 | Disabled. | -| 1 (Default) | Enabled. | - +| 0 (Default) | Disabled. | +| 1 | Enabled. | + - + **Group policy mapping**: | Name | Value | |:--|:--| -| Name | CaptureThreatWindow | +| Name | AutomaticDataCollection | | Path | WebThreatDefense > AT > WindowsComponents > WebThreatDefense | - + - + - + - + ## NotifyMalicious diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md index 5eb3b2dd3e..e538a7928c 100644 --- a/windows/client-management/mdm/policy-csp-wifi.md +++ b/windows/client-management/mdm/policy-csp-wifi.md @@ -4,7 +4,7 @@ description: Learn more about the Wifi Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -228,6 +228,105 @@ Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks. + +## AllowWFAQosManagementDSCPToUPMapping + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Wifi/AllowWFAQosManagementDSCPToUPMapping +``` + + + + +Allow or disallow the device to use the DSCP to UP Mapping feature from the Wi-Fi Alliance QOS Management Suite 2020. This policy requires a reboot to take effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 2 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | DSCP to UP Mapping will be disabled. | +| 1 | DSCP to UP Mapping will be enabled. | +| 2 (Default) | DSCP to UP Mapping will be enabled only if it is enabled in the network profile. | + + + + + + + + + +## AllowWFAQosManagementMSCS + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Wifi/AllowWFAQosManagementMSCS +``` + + + + +Allow or disallow the device to automatically request to enable Mirrored Stream Classification Service when connecting to a MSCS capable network. This is a Quality of Service feature associated with Wi-Fi Alliance QoS Management Suite 2020. This policy requires a reboot to take effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | The device will not automatically request to enable MSCS when connecting to a MSCS capable network. | +| 1 (Default) | The device will automatically request to enable MSCS when connecting to a MSCS capable network. | + + + + + + + + ## AllowWiFi @@ -245,7 +344,7 @@ Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks. -This policy has been deprecated. +Allow or disallow WiFi connection. diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md index 04eabb0246..32c31c0461 100644 --- a/windows/client-management/mdm/reboot-csp.md +++ b/windows/client-management/mdm/reboot-csp.md @@ -4,7 +4,7 @@ description: Learn more about the Reboot CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -194,7 +194,7 @@ Value in ISO8601, both the date and time are required. A reboot will be schedule | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | diff --git a/windows/client-management/mdm/reboot-ddf-file.md b/windows/client-management/mdm/reboot-ddf-file.md index 98866efffa..7771d079d3 100644 --- a/windows/client-management/mdm/reboot-ddf-file.md +++ b/windows/client-management/mdm/reboot-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -170,6 +170,10 @@ The following XML file contains the device description framework (DDF) for the R + + 10.0.22621 + 1.0 + diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md index 7594de5981..ddfda20a6b 100644 --- a/windows/client-management/mdm/supl-csp.md +++ b/windows/client-management/mdm/supl-csp.md @@ -4,7 +4,7 @@ description: Learn more about the SUPL CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,6 +17,7 @@ ms.topic: reference # SUPL CSP + The SUPL configuration service provider is used to configure the location client, as shown in the following table: - **Location Service**: Connection type @@ -395,6 +396,7 @@ This setting is deprecated in Windows 10. Optional. Boolean. Specifies whether t + | Location toggle setting | LocMasterSwitchDependencyNII setting | NI request processing allowed | |-------------------------|--------------------------------------|------------------------------------| | On | 0 | Yes | diff --git a/windows/client-management/mdm/surfacehub-ddf-file.md b/windows/client-management/mdm/surfacehub-ddf-file.md index 16e2b4acd8..5437172618 100644 --- a/windows/client-management/mdm/surfacehub-ddf-file.md +++ b/windows/client-management/mdm/surfacehub-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/24/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -50,102 +50,6 @@ The following XML file contains the device description framework (DDF) for the S 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; - - AutopilotSelfdeploy - - - - - Node for setting Autopilot self-deployment mode device account information. This information is stored and committed by the Autopilot client during the Enrollment Status Page phase of OOBE for Surface Hub devices that are using Autopilot self-deploying mode. These values should be set only during the first sync phase of enrollment and are ignored at any other time. - - - - - - - - - - - - - - - - - - UserPrincipalName - - - - - - User principal name (UPN) of the device account. Autopilot on Surface Hub only supports Azure Active Directory, and this should specify the UPN of the device account. Get is allowed here but only returns a blank - - - - - - - - - - - - - - - - - - Password - - - - - - Password for the device account. Get is allowed here, but will always return a blank. - - - - - - - - - - - - - - - - - - FriendlyName - - - - - - The device friendly name set during Autopilot self-deploying mode on Surface Hub. Get is allowed here but only returns a blank - - - - - - - - - - - - - - - - - DeviceAccount diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index ce9204701c..84b7a6c4ec 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -4,7 +4,7 @@ description: Learn more about the VPNv2 CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/28/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -2838,7 +2838,7 @@ True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -2876,7 +2876,7 @@ True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -2915,7 +2915,7 @@ List of inbox VPN protocols in priority order. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -2953,7 +2953,7 @@ List of inbox VPN protocols in priority order. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -3003,7 +3003,7 @@ Inbox VPN protocols type. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -7063,7 +7063,7 @@ True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -7101,7 +7101,7 @@ True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -7140,7 +7140,7 @@ List of inbox VPN protocols in priority order. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -7178,7 +7178,7 @@ List of inbox VPN protocols in priority order. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -7228,7 +7228,7 @@ Inbox VPN protocols type. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -7893,7 +7893,7 @@ Boolean value (true or false) for caching credentials. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.19628] and later | +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.19628] and later | diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md index da4d51d70b..8c55c2fd8e 100644 --- a/windows/client-management/mdm/windowslicensing-csp.md +++ b/windows/client-management/mdm/windowslicensing-csp.md @@ -4,7 +4,7 @@ description: Learn more about the WindowsLicensing CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/28/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -28,12 +28,10 @@ The following list shows the WindowsLicensing configuration service provider nod - [ChangeProductKey](#changeproductkey) - [CheckApplicability](#checkapplicability) - [DeviceLicensingService](#devicelicensingservice) - - [AcquireDeviceLicense](#devicelicensingserviceacquiredevicelicense) - [DeviceLicensingLastError](#devicelicensingservicedevicelicensinglasterror) - [DeviceLicensingLastErrorDescription](#devicelicensingservicedevicelicensinglasterrordescription) - [DeviceLicensingStatus](#devicelicensingservicedevicelicensingstatus) - [LicenseType](#devicelicensingservicelicensetype) - - [RemoveDeviceLicense](#devicelicensingserviceremovedevicelicense) - [Edition](#edition) - [LicenseKeyType](#licensekeytype) - [SMode](#smode) @@ -45,6 +43,12 @@ The following list shows the WindowsLicensing configuration service provider nod - [{SubscriptionId}](#subscriptionssubscriptionid) - [Name](#subscriptionssubscriptionidname) - [Status](#subscriptionssubscriptionidstatus) + - [DisableSubscription](#subscriptionsdisablesubscription) + - [RemoveSubscription](#subscriptionsremovesubscription) + - [SubscriptionLastError](#subscriptionssubscriptionlasterror) + - [SubscriptionLastErrorDescription](#subscriptionssubscriptionlasterrordescription) + - [SubscriptionStatus](#subscriptionssubscriptionstatus) + - [SubscriptionType](#subscriptionssubscriptiontype) - [UpgradeEditionWithLicense](#upgradeeditionwithlicense) - [UpgradeEditionWithProductKey](#upgradeeditionwithproductkey) @@ -167,7 +171,8 @@ Returns TRUE if the entered product key can be used for an edition upgrade of Wi - + +Device Based Subscription. @@ -189,45 +194,6 @@ Returns TRUE if the entered product key can be used for an edition upgrade of Wi - -### DeviceLicensingService/AcquireDeviceLicense - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | - - - -```Device -./Vendor/MSFT/WindowsLicensing/DeviceLicensingService/AcquireDeviceLicense -``` - - - - -Acquire and Refresh Device License. Does not reboot. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | null | -| Access Type | Exec | - - - - - - - - ### DeviceLicensingService/DeviceLicensingLastError @@ -375,7 +341,7 @@ License Type: User Based Subscription or Device Based Subscription. | Property name | Property value | |:--|:--| | Format | int | -| Access Type | Add, Delete, Get, Replace | +| Access Type | Get, Replace | @@ -393,45 +359,6 @@ License Type: User Based Subscription or Device Based Subscription. - -### DeviceLicensingService/RemoveDeviceLicense - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | - - - -```Device -./Vendor/MSFT/WindowsLicensing/DeviceLicensingService/RemoveDeviceLicense -``` - - - - -Remove Device License. Device would be ready for user based license after this operation. Does not reboot. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | null | -| Access Type | Exec | - - - - - - - - ## Edition @@ -1064,6 +991,258 @@ Returns the status of the subscription. + +### Subscriptions/DisableSubscription + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/DisableSubscription +``` + + + + +Disable or Enable subscription activation on a device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Enable Subscription. | +| 1 | Disable Subscription. It also removes any existing subscription on the device. | + + + + + + + + + +### Subscriptions/RemoveSubscription + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/RemoveSubscription +``` + + + + +Remove subscription uninstall subscription license. It also reset subscription type to User Based Subscription. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + + + + + + + + + +### Subscriptions/SubscriptionLastError + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/SubscriptionLastError +``` + + + + +Error code of last subscription operation. Value would be empty(0) in absence of error. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### Subscriptions/SubscriptionLastErrorDescription + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/SubscriptionLastErrorDescription +``` + + + + +Error description of last subscription operation. Value would be empty, if error description cannot be evaluated. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Subscriptions/SubscriptionStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/SubscriptionStatus +``` + + + + +Status of last subscription operation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### Subscriptions/SubscriptionType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/SubscriptionType +``` + + + + +Set device to Device Based Subscription or User Based Subscription. For Device Based Subscription this action will automatically acquire the subscription on the device. For User Based Subscription the existing process of user logon will be required. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | User Based Subscription. | +| 1 | Device Based Subscription. | + + + + + + + + ## UpgradeEditionWithLicense diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md index ad27537130..b5e14bb5ec 100644 --- a/windows/client-management/mdm/windowslicensing-ddf-file.md +++ b/windows/client-management/mdm/windowslicensing-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/17/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -322,6 +322,153 @@ The following XML file contains the device description framework (DDF) for the W + + SubscriptionType + + + + + + Set device to Device Based Subscription or User Based Subscription. For Device Based Subscription this action will automatically acquire the subscription on the device. For User Based Subscription the existing process of user logon will be required. + + + + + + + + + + + + + + + 0 + User Based Subscription + + + 1 + Device Based Subscription + + + + + + SubscriptionStatus + + + + + Status of last subscription operation. + + + + + + + + + + + + + + + + SubscriptionLastError + + + + + Error code of last subscription operation. Value would be empty(0) in absence of error. + + + + + + + + + + + + + + + + SubscriptionLastErrorDescription + + + + + Error description of last subscription operation. Value would be empty, if error description cannot be evaluated. + + + + + + + + + + + + + + + + DisableSubscription + + + + + Disable or Enable subscription activation on a device + + + + + + + + + + + + + + + 0 + Enable Subscription + + + 1 + Disable Subscription. It also removes any existing subscription on the device. + + + + + + RemoveSubscription + + + + + Remove subscription uninstall subscription license. It also reset subscription type to User Based Subscription. + + + + + + + + + + + + + + SMode @@ -439,7 +586,7 @@ The following XML file contains the device description framework (DDF) for the W - Insert Description Here + Device Based Subscription @@ -461,8 +608,6 @@ The following XML file contains the device description framework (DDF) for the W LicenseType - - @@ -554,48 +699,6 @@ The following XML file contains the device description framework (DDF) for the W - - AcquireDeviceLicense - - - - - Acquire and Refresh Device License. Does not reboot. - - - - - - - - - - - - - - - - RemoveDeviceLicense - - - - - Remove Device License. Device would be ready for user based license after this operation. Does not reboot. - - - - - - - - - - - - - - diff --git a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md index 00a55c6d95..e766825729 100644 --- a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md +++ b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md @@ -158,13 +158,14 @@ echo result: %ERRORLEVEL% >> %LOGFILE% ### Calling multiple scripts in the package -Your provisioning package can include multiple CommandLines. +Your provisioning package can include multiple **CommandFiles**. -You are allowed one CommandLine per provisioning package. The batch files shown above are orchestrator scripts that manage the installation and call any other scripts included in the provisioning package. The orchestrator script is what should be invoked from the CommandLine specified in the package. +You are allowed one **CommandLine** per provisioning package. The batch files shown above are orchestrator scripts that manage the installation and call any other scripts included in the provisioning package. The orchestrator script is what should be invoked from the **CommandLine** specified in the package. Here’s a table describing this relationship, using the PowerShell example from above: + |ICD Setting | Value | Description | | --- | --- | --- | | ProvisioningCommands/DeviceContext/CommandLine | cmd /c PowerShell_Example.bat | The command line needed to invoke the orchestrator script. | @@ -194,6 +195,7 @@ In Windows Configuration Designer, that is done by adding files under the `Provi When you are done, [build the package](provisioning-create-package.md#build-package). + ### Remarks 1. No user interaction or console output is supported via ProvisioningCommands. All work needs to be silent. If your script attempts to do any of the following it will cause undefined behavior, and could put the device in an unrecoverable state if executed during setup or the Out of Box Experience: @@ -217,7 +219,6 @@ When you are done, [build the package](provisioning-create-package.md#build-pack >There is a timeout of 30 minutes for the provisioning process at this point. All scripts and installs need to complete within this time. 7. The scripts are executed in the background as the rest of provisioning continues to run. For packages added on existing systems using the double-click to install, there is no notification that provisioning or script execution has completed - ## Related articles - [Provisioning packages for Windows client](provisioning-packages.md) @@ -230,3 +231,5 @@ When you are done, [build the package](provisioning-create-package.md#build-pack - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) + + diff --git a/windows/deployment/update/check-release-health.md b/windows/deployment/update/check-release-health.md index c73105ae1b..5504be6122 100644 --- a/windows/deployment/update/check-release-health.md +++ b/windows/deployment/update/check-release-health.md @@ -1,7 +1,7 @@ --- title: How to check Windows release health description: Check the release health status of Microsoft 365 services before you call support to see if there's an active service interruption. -ms.date: 08/16/2022 +ms.date: 05/03/2023 ms.author: mstewart author: mestew manager: aaroncz @@ -13,7 +13,7 @@ ms.technology: itpro-updates # How to check Windows release health -The Windows release health page in the Microsoft 365 admin center enables you to view the latest information on known issues for Windows monthly and feature updates. A known issue is an issue that has been identified in a Windows monthly update or feature update that impacts Windows devices. The Windows release health page is designed to inform you about known issues. You can use this information to troubleshoot issues your users may be experiencing. You can also determine when, and at what scale, to deploy an update in your organization. +The Windows release health page in the Microsoft 365 admin center enables you to view the latest information on known issues for Windows monthly and feature updates. A known issue is an issue that impacts Windows devices and that has been identified in a Windows monthly update or feature update. The Windows release health page is designed to inform you about known issues. You can use this information to troubleshoot issues your users may be experiencing. You can also determine when, and at what scale, to deploy an update in your organization. If you're unable to sign in to the Microsoft 365 admin portal, check the [Microsoft 365 service health](https://status.office365.com) status page to check for known issues preventing you from signing into your tenant. @@ -21,7 +21,7 @@ To be informed about the latest updates and releases, follow [@WindowsUpdate](ht ## How to review Windows release health information -1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com), and sign in with an administrator account. +1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com) and sign in with an administrator account. > [!NOTE] > By default, the Windows release health page is available to individuals who have been assigned the global admin or service administrator role for their tenant. To allow Exchange, SharePoint, and Skype for Business admins to view the Windows release health page, you must first assign them to a Service admin role. For more information about roles that can view service health, see [About admin roles](/microsoft-365/admin/add-users/about-admin-roles#commonly-used-microsoft-365-admin-center-roles). @@ -54,6 +54,21 @@ To be informed about the latest updates and releases, follow [@WindowsUpdate](ht ![A screenshot showing issue details.](images/WRH-known-issue-detail.png) +## Sign up for email notifications + +You have the option to sign up for email notifications about Windows known issues and informational updates. Notifications include changes in issue status, new workarounds, and issue resolutions. To subscribe to notifications: + +1. Go to the [Windows release health page](https://admin.microsoft.com/Adminportal/Home?#/windowsreleasehealth). +1. Select **Preferences** > **Email**, then select **Send me email notifications about Windows release health**. +1. Specify the following information: + - Email address for the notifications + - Each admin account can specify up to two email addresses under their email preferences + - Windows versions to be notified about +1. Select **Save** when you're finished specifying email addresses and Windows versions. It may take up to 8 hours for these changes to take effect. + +> [!Note] +> When a single known issue affects multiple versions of Windows, you'll receive only one email notification, even if you've selected notifications for multiple versions. Duplicate emails won't be sent. + ## Status definitions In the **Windows release health** experience, every known issue is assigned as status. Those statuses are defined as follows: diff --git a/windows/deployment/update/wufb-reports-do.md b/windows/deployment/update/wufb-reports-do.md index 580d459ff8..9c2455ffd2 100644 --- a/windows/deployment/update/wufb-reports-do.md +++ b/windows/deployment/update/wufb-reports-do.md @@ -92,7 +92,7 @@ There are several calculated values that appear on the Delivery Optimization rep In the **Efficiency By Group** subsection, the **GroupID** is displayed as an encoded SHA256 hash. You can create a mapping of original to encoded GroupIDs using the following PowerShell example: ```powershell -$text = "" ; +$text = "`0"; (the null-terminator (`0) must be included in the string hash) $hashObj = [System.Security.Cryptography.HashAlgorithm]::Create('sha256') ; $dig = $hashObj.ComputeHash([System.Text.Encoding]::Unicode.GetBytes($text)) ; $digB64 = [System.Convert]::ToBase64String($dig) ; Write-Host "$text ==> $digB64" ``` diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md index a48c8331a6..f511e6481b 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md @@ -1,7 +1,7 @@ --- title: Device registration overview description: This article provides an overview on how to register devices in Autopatch -ms.date: 05/01/2023 +ms.date: 05/08/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual @@ -141,6 +141,9 @@ If your Autopatch groups have more than five deployment rings, and you must move If you want to move devices to different deployment rings (either service or software update-based), after Windows Autopatch's deployment ring assignment, you can repeat the following steps for one or more devices from the **Registered** tab. +> [!IMPORTANT] +> You can only move devices in between deployment rings within the **same** Autopatch group. You can't move devices in between deployment rings across different Autopatch groups. If you try to select a device that belongs to one Autopatch group, and another device that belongs to a different Autopatch group, you'll receive the following error message on the top right corner of the Microsoft Intune portal: "**An error occurred. Please select devices within the same Autopatch group**. + **To move devices in between deployment rings:** > [!NOTE] @@ -150,7 +153,7 @@ If you want to move devices to different deployment rings (either service or sof 1. In the **Windows Autopatch** section, select **Devices**. 1. In the **Registered** tab, select one or more devices you want to assign. All selected devices will be assigned to the deployment ring you specify. 1. Select **Device actions** from the menu. -1. Select **Assign device group**. A fly-in opens. +1. Select **Assign ring**. A fly-in opens. 1. Use the dropdown menu to select the deployment ring to move devices to, and then select Save. The Ring assigned by column will change to Pending. 1. When the assignment is complete, the **Ring assigned by** column changes to Admin (which indicates that you made the change) and the **Ring** column shows the new deployment ring assignment. diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md index 85e9177b85..71ba52fc37 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md @@ -1,7 +1,7 @@ --- title: Manage Windows Autopatch groups description: This article explains how to manage Autopatch groups -ms.date: 05/01/2023 +ms.date: 05/05/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to @@ -26,6 +26,16 @@ Autopatch groups is a logical container or unit that groups several [Azure AD gr Before you start managing Autopatch groups, ensure you’ve met the following prerequisites: - Review [Windows Autopatch groups overview documentation](../deploy/windows-autopatch-groups-overview.md) to understand [key benefits](../deploy/windows-autopatch-groups-overview.md#key-benefits), [concepts](../deploy/windows-autopatch-groups-overview.md#key-concepts) and [common ways to use Autopatch groups](../deploy/windows-autopatch-groups-overview.md#common-ways-to-use-autopatch-groups) within your organization. +- Ensure the following [update rings for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-update-rings) are created in your tenant: + - Modern Workplace Update Policy [Test]-[Windows Autopatch] + - Modern Workplace Update Policy [First]-[Windows Autopatch] + - Modern Workplace Update Policy [Fast]-[Windows Autopatch] + - Modern Workplace Update Policy [Broad]-[Windows Autopatch] +- Ensure the following [feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates) are created in your tenant: + - Windows Autopatch – DSS Policy [Test] + - Windows Autopatch – DSS Policy [First] + - Windows Autopatch – DSS Policy [Fast] + - Windows Autopatch – DSS Policy [Broad] - Ensure the following Azure AD assigned groups are in your tenant before using Autopatch groups. **Don’t** modify the Azure AD group membership types (Assigned or Dynamic). Otherwise, the Windows Autopatch service won’t be able to read the device group membership from these groups and causes the Autopatch groups feature and other service-related operations to not work properly. - Modern Workplace Devices-Windows Autopatch-Test - Modern Workplace Devices-Windows Autopatch-First @@ -36,8 +46,8 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr - Windows Autopatch – Ring2 - Windows Autopatch – Ring3 - Windows Autopatch – Last -- Additionally, **don't** modify the Azure AD group ownership of any of the groups above otherwise, Autopatch groups device registration process won't be able to add devices into these groups. - - For more information, see [assign an owner of member of a group in Azure AD](/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group) on how to remediate Azure Azure AD group ownership. +- Additionally, **don't** modify the Azure AD group ownership of any of the groups above otherwise, Autopatch groups device registration process won't be able to add devices into these groups. If the ownership is modified, you must add the **Modern Workplace Management** Service Principal as the owner of these groups. + - For more information, see [assign an owner or member of a group in Azure AD](/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group) for steps on how to add owners to Azure Azure AD groups. - Make sure you have [app-only auth turned on in your Windows Autopatch tenant](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions). Otherwise, the Autopatch groups functionality won’t work properly. Autopatch uses app-only auth to: - Read device attributes to successfully register devices. - Manage all configurations related to the operation of the service. @@ -45,6 +55,9 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr - Review your existing Azure AD group dynamic queries and direct device memberships to avoid having device membership overlaps in between device-based Azure AD groups that are going to be used with Autopatch groups. This can help prevent device conflicts within an Autopatch group or across several Autopatch groups. **Autopatch groups doesn't support user-based Azure AD groups**. - Ensure devices used with your existing Azure AD groups meet [device registration prerequisite checks](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration) when being registered with the service. Autopatch groups register devices on your behalf, and devices can be moved to **Registered** or **Not registered** tabs in the Devices blade accordingly. +> [!TIP] +> [Update rings](/mem/intune/protect/windows-10-update-rings) and [feature updates](/mem/intune/protect/windows-10-feature-updates) for Windows 10 and later policies that are created and managed by Windows Autopatch can be restored using the [Policy health](../operate/windows-autopatch-policy-health-and-remediation.md) feature. For more information on remediation actions, see [restore Windows update policies](../operate/windows-autopatch-policy-health-and-remediation.md#restore-windows-update-policies). + > [!NOTE] > During the public preview, Autopatch groups opt-in page will show a banner to let you know when one or more prerequisites are failing. Once you remediate the issue to meet the prerequisites, it can take up to an hour for your tenant to have the "Use preview" button available. @@ -110,7 +123,11 @@ You **can’t** delete the Default Autopatch group. However, you can delete a Cu > [!CAUTION] > You can’t delete a Custom Autopatch group when it’s being used as part of one or more active or paused feature update releases. However, you can delete a Custom Autopatch group when the release for either Windows quality or feature updates have either the **Scheduled** or **Paused** statuses. -## Manage device conflict scenarios when Autopatch groups +## Manage device conflict scenarios when using Autopatch groups + +> [!IMPORTANT] +> The Windows Autopatch groups functionaliy is in **public preview**. This feature is being actively developed and not all device conflict detection and resolution scenarios are working as expected. +> For more information on what to expect for this scenario during public preview, see [Known issues](#known-issues). Overlap in device membership is a common scenario when working with device-based Azure AD groups since sometimes dynamic queries can be large in scope or the same assigned device membership can be used across different Azure AD groups. @@ -157,4 +174,48 @@ When you create or edit the Custom or Default Autopatch group, Windows Autopatch #### Device conflict post device registration -Autopatch groups will keep monitoring for all device conflict scenarios listed in the [Manage device conflict scenarios when using Autopatch groups](#manage-device-conflict-scenarios-when-autopatch-groups) section even after devices were successfully registered with the service. +Autopatch groups will keep monitoring for all device conflict scenarios listed in the [Manage device conflict scenarios when using Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#manage-device-conflict-scenarios-when-using-autopatch-groups) section even after devices were successfully registered with the service. + +## Known issues + +This section lists known issues with Autopatch groups during its public preview. + +### Device conflict scenarios when using Autopatch groups + +- **Status: Active** + +The Windows Autopatch team is aware that all device conflict scenarios listed below are currently being evaluated during the device registration process to make sure devices are properly registered with the service, and not evaluated post-device registration. The Windows Autopatch team is currently developing detection and resolution for the followin device conflict scenarios, and plan to make them available during public preview. + +- Default to Custom Autopatch device conflict detection and resolution. +- Device conflict detection and resolution within an Autopatch group. +- Custom to Custom Autopatch group device conflict detection. + +> [!TIP] +> Use the following two best practices to help minimize device conflict scenarios when using Autopatch groups during the public preview: +> +> - Review your software update deployment requirements thoroughly. If your deployment requirements allow, try using the Default Autopatch group as much as possible, instead of start creating Custom Autopatch groups. You can customize the Default Autopatch to have up to 15 deployment rings, and you can use your existing device-based Azure AD groups with custom update deployment cadences. +> - If creating Custom Autopatch groups, try to avoid using device-based Azure AD groups that have device membership overlaps with the devices that are already registered with Windows Autopatch, and already belong to the Default Autopatch group. + +### Autopatch group Azure AD group remediator + +- **Status: Active** + +The Windows Autopatch team is aware that the Windows Autopatch service isn't automatically restoring the Azure AD groups that get created during the Autopatch groups creation/editing process. If the following Azure AD groups, that belong to the Default Autopatch group and other Azure AD groups that get created with Custom Autopatch groups, are deleted or renamed, they won't be automatically remediated on your behalf yet: + +- Windows Autopatch – Test +- Windows Autopatch – Ring1 +- Windows Autopatch – Ring2 +- Windows Autopatch – Ring3 +- Windows Autopatch – Last + +The Windows Autopatch team is currently developing the Autopatch group Azure AD group remediator feature and plan to make it available during public preview. + +> [!NOTE] +> The Autopatch group remediator won't remediate the service-based deployment rings: +> +> - Modern Workplace Devices-Windows Autopatch-Test +> - Modern Workplace Devices-Windows Autopatch-First +> - Modern Workplace Devices-Windows Autopatch-Fast +> - Modern Workplace Devices-Windows Autopatch-Broad +> +> Use the [Policy health feature](../operate/windows-autopatch-policy-health-and-remediation.md) to restore these groups, if needed. For more information, see [restore deployment groups](../operate/windows-autopatch-policy-health-and-remediation.md#restore-deployment-groups). diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md index b87fdbe930..730fc16ec4 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md @@ -1,7 +1,7 @@ --- title: Windows Autopatch groups overview description: This article explains what Autopatch groups are -ms.date: 05/01/2023 +ms.date: 05/03/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual @@ -247,4 +247,7 @@ Autopatch groups works with the following software update workloads: Windows Autopatch will support up to 50 Autopatch groups in your tenant. You can create up to 49 [Custom Autopatch groups](#about-custom-autopatch-groups) in addition to the [Default Autopatch group](#about-the-default-autopatch-group). Each Autopatch group supports up to 15 deployment rings. +> [!TIP] +> If you reach the maximum number of Autopatch groups supported (50), and try to create more Custom Autopatch groups, the "**Create**" option in the Autopatch groups blade will be greyed out. + To manage your Autopatch groups, see [Manage Windows Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md). diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md index 789a3b23e3..fe0551604d 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md @@ -58,12 +58,12 @@ Alert resolutions are provided through the Windows Update service and provide th | `DeviceRegistrationInvalidGlobalDeviceId` | The device isn't able to register or authenticate properly with Windows Update because of an invalid Global Device ID. |The Windows Update service has reported that the MSA Service may be disabled preventing Global Device ID assignment.

Check that the MSA Service is running or able to run on device.

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| | `DeviceRegistrationIssue` | The device isn't able to register or authenticate properly with Windows Update. | The Windows Update service has reported a device registration issue.

For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| | `DeviceRegistrationNoTrustType` | The device isn't able to register or authenticate properly with Windows Update because it can't establish Trust. | The Windows Update service has reported a device registration issue.

For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| -| `DiskFull` | The installation couldn't be completed because the Windows partition is full. | The Windows Update service has reported there's insufficient disk space to perform the update. Free up disk space on the Windows partition and retry the installation.

For more information, see [Free up space for Windows Updates](/windows/free-up-space-for-windows-updates-429b12ba-f514-be0b-4924-ca6d16fa1d65#:~:text=Here%E2%80%99s%20how%20to%20get%20more%20storage%20space%20on,to%20Windows%20needs%20space%20to%20update.%20More%20items).

| +| `DiskFull` | The installation couldn't be completed because the Windows partition is full. | The Windows Update service has reported there's insufficient disk space to perform the update. Free up disk space on the Windows partition and retry the installation.

For more information, see [Free up space for Windows Updates](https://support.microsoft.com/windows/free-up-space-for-windows-updates-429b12ba-f514-be0b-4924-ca6d16fa1d65).

| | `DownloadCancelled` | Windows Update couldn't download the update because the update server stopped the connection. | The Windows Update service has reported an issue with your update server. Validate your network is working and retry the download. If the alert persists, review your network configuration to make sure that this computer can access the internet.

For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).

| | `DownloadConnectionIssue` | Windows Update couldn't connect to the update server and the update couldn't download. | The Windows Update service has reported an issue connecting to Windows Update. Review your network configuration, and to make sure that this computer can access the internet and Windows Update Online.

For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| -| `DownloadCredentialsIssue` | Windows Update couldn't download the file because the Background Intelligent Transfer Service (BITS) couldn't connect to the internet. A proxy server or firewall on your network might require credentials. | The Windows Update service Windows has reported it failed to connect to Windows Updates. This can often be an issue with an Application Gateway or HTTP proxy, or an issue on the client. Retry the download.

Review your network configuration to make sure that this computer can access the internet. Validate and/or allowlist Windows Update and Delivery Optimization endpoint.

For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| +| `DownloadCredentialsIssue` | Windows Update couldn't download the file because the Background Intelligent Transfer Service ([BITS](/windows/win32/bits/about-bits)) couldn't connect to the internet. A proxy server or firewall on your network might require credentials. | The Windows Update service Windows has reported it failed to connect to Windows Updates. This can often be an issue with an Application Gateway or HTTP proxy, or an issue on the client. Retry the download.

Review your network configuration to make sure that this computer can access the internet. Validate and/or allowlist Windows Update and Delivery Optimization endpoint.

For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| | `DownloadIssue` | There was an issue downloading the update. | The Windows Update service has reported it failed to connect to Windows Updates. This can often be an issue with an Application Gateway or HTTP proxy, or an issue on the client.

For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| -| `DownloadIssueServiceDisabled` | There was a problem with the Background Intelligent Transfer Service (BITS). The BITS service or a service it depends on might be disabled. | The Windows Updates service has reported that the BITS service is disabled. In the local client services, make sure that the Background Intelligent Transfer Service is enabled. If the service isn't running, try starting it manually. For more information, see [Issues with BITS](/security-updates/WindowsUpdateServices/18127392).

If it will not start, check the event log for errors or [submit a support request](../operate/windows-autopatch-support-request.md).

| +| `DownloadIssueServiceDisabled` | There was a problem with the Background Intelligent Transfer Service (BITS). The BITS service or a service it depends on might be disabled. | The Windows Updates service has reported that the BITS service is disabled. In the local client services, make sure that the Background Intelligent Transfer Service is enabled. If the service isn't running, try starting it manually. For more information, see [Issues with BITS](/windows/win32/bits/about-bits).

If it will not start, check the event log for errors or [submit a support request](../operate/windows-autopatch-support-request.md).

| | `DownloadTimeout` | A timeout occurred while Windows tried to contact the update service or the server containing the update's payload. | The Windows Update service has reported it attempted to download the payload and the connection timed out.

Retry downloading the payload. If not successful, review your network configuration to make sure that this computer can access the internet.

For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5). | | `EndOfService` | The device is on a version of Windows that has passed its end of service date. | Windows Update service has reported the current version is past End of Service. Update device to a version that is currently serviced in [Feature update overview](../operate/windows-autopatch-groups-windows-feature-update-overview.md).

For more information on OS versioning, see [Windows 10 release information](/windows/release-health/release-information).

| | `EndOfServiceApproaching` | The device is on a version of Windows that is approaching its end of service date. | Update device to a version that is currently serviced in [Feature update overview](../operate/windows-autopatch-groups-windows-feature-update-overview.md).

For more information on OS versioning, see [Windows 10 release information](/windows/release-health/release-information).

| diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md index 5552fe0c6d..fab7bbabbc 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md @@ -1,7 +1,7 @@ --- title: Manage Windows feature update releases description: This article explains how you can manage Windows feature updates with Autopatch groups -ms.date: 05/01/2023 +ms.date: 05/05/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md index 6e84d0f62b..b49b0c5ba4 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md @@ -1,7 +1,7 @@ --- title: Windows feature updates overview with Autopatch groups description: This article explains how Windows feature updates are managed with Autopatch groups -ms.date: 05/01/2023 +ms.date: 05/03/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual @@ -39,6 +39,15 @@ Windows Autopatch’s device eligibility criteria for Windows feature updates al ## Key benefits +- Windows Autopatch makes it easier and less expensive for you to keep your Windows devices up to date. You can focus on running your core businesses while Windows Autopatch runs update management on your behalf. +- You’re in control of telling Windows Autopatch when your organization is ready to move to the next Windows OS version. + - Combined with custom releases, Autopatch Groups gives your organization great control and flexibility to help you plan your gradual rollout in a way that works for your organization. +- Simplified end-user experience with rich controls for gradual rollouts, deployment cadence and speed. +- No need to manually modify the default Windows feature update policies (default release) to be on the Windows OS version your organization is currently ready for. +- Allows for scenarios where you can deploy a single release across several Autopatch groups and its deployment rings. + +## Key concepts + - A release is made of one or more deployment phases and contains the required OS version to be gradually rolled out throughout its deployment phases. - A phase (deployment phase) is made of one or more Autopatch group deployment rings. A phase: - Works as an additional layer of deployment cadence settings that can be defined by IT admins (only for Windows feature updates) on top of Autopatch group deployment rings (Windows update rings policies). @@ -71,12 +80,12 @@ If the device is registered with Windows Autopatch, and the device is: If your tenant is enrolled with Windows Autopatch, you can see the following default policies created by the service in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431): -| Policy name | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date | -| ----- | ----- | ----- | ----- | ----- | ----- | ----- | -| Windows Autopatch – DSS Policy [Test] | Windows 10 21H2 | Make update available as soon as possible | May 9, 2023 | N/A | N/A | June 10, 2024 | -| Windows Autopatch – DSS Policy [Ring1] | Windows 10 21H2 | Make update available as soon as possible | May 16, 2023 | N/A | N/A | June 10, 2024 | -| Windows Autopatch – DSS Policy [Ring2] | Windows 10 21H2 | Make update available as soon as possible | May 23, 2023 | N/A | N/A | June 10, 2024 | -| Windows Autopatch – DSS Policy [Ring3] | Windows 10 21H2 | Make update available as soon as possible | May 30, 2023 | N/A | N/A | June 10, 2024 | +| Policy name | Phase mapping | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date | +| ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | +| Windows Autopatch – DSS Policy [Test] | Phase 1 | Windows 10 21H2 | Make update available as soon as possible | May 9, 2023 | N/A | N/A | June 10, 2024 | +| Windows Autopatch – DSS Policy [First] | Phase 2 | Windows 10 21H2 | Make update available as soon as possible | May 16, 2023 | N/A | N/A | June 10, 2024 | +| Windows Autopatch – DSS Policy [Fast] | Phase 3 | Windows 10 21H2 | Make update available as soon as possible | May 23, 2023 | N/A | N/A | June 10, 2024 | +| Windows Autopatch – DSS Policy [Broad] | Phase 4 | Windows 10 21H2 | Make update available as soon as possible | May 30, 2023 | N/A | N/A | June 10, 2024 | > [!NOTE] > Gradual rollout settings aren't configured in the default Windows Update feature policy. If the date of the final group availability is changed to a past date, all remaining devices are offered the update as soon as possible. For more information, see [rollout options for Windows Updates in Microsoft Intune](/mem/intune/protect/windows-update-rollout-options#make-updates-available-gradually). diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md index 803ffa0560..8e4b4794f4 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md @@ -50,7 +50,7 @@ The minimum role required to restore configurations is **Intune Service Administ **To initiate remediation action for device configuration alerts:** 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Navigate to **Tenant administration** > **Tenant management** > **Alerts**. +1. Navigate to **Tenant administration** > **Tenant management** > **Actions**. 1. Select **Restore missing policy** to launch the workflow. 1. Review the message and select **Restore policy**. 1. If the **Change modified policy alert** appears, select this alert to launch the workflow. @@ -83,7 +83,7 @@ There will be an alert for each policy that is missing or has deviated from the **To initiate remediation action for missing groups:** 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Navigate to **Tenant administration** > **Tenant management** > **Alerts**. +1. Navigate to **Tenant administration** > **Tenant management** > **Actions**. 1. Select **Restore missing group** to launch the workflow. 1. Review the message and select **Restore group**. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md index 10b2232d41..95b3391bd5 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md @@ -1,7 +1,7 @@ --- title: Windows feature updates description: This article explains how Windows feature updates are managed in Autopatch -ms.date: 02/17/2023 +ms.date: 05/02/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual @@ -85,7 +85,7 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym > You should only pause and resume [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release) on Windows Autopatch managed devices using the Windows Autopatch Release management blade. Do **not** use the Microsoft Intune end-user experience flows to pause or resume Windows Autopatch managed devices. If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md). > [!IMPORTANT] -> Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

+> Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

**To pause or resume a Windows feature update:** diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md index 943537d1bc..f12b686427 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md @@ -1,7 +1,7 @@ --- title: Windows quality updates description: This article explains how Windows quality updates are managed in Autopatch -ms.date: 04/24/2023 +ms.date: 05/02/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual @@ -86,6 +86,9 @@ When running an expedited release, the regular goal of 95% of devices in 21 days | Standard release | Test

First

Fast

Broad | 0

1

6

9 | 0

2

2

5 | 0

2

2

2 | | Expedited release | All devices | 0 | 1 | 1 | +> [!IMPORTANT] +> Expedited updates **don't** work with devices under the [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/). For more information, see [expedite Windows quality updates in Microsoft Intune](/mem/intune/protect/windows-10-expedite-updates). + #### Turn off service-driven expedited quality update releases Windows Autopatch provides the option to turn off of service-driven expedited quality updates. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md index 9f3d420192..50453deea1 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md @@ -1,7 +1,7 @@ --- title: Customize Windows Update settings description: This article explains how to customize Windows Updates in Windows Autopatch -ms.date: 03/08/2023 +ms.date: 05/02/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to @@ -30,6 +30,9 @@ For each tenant, at the deployment ring level, there are two cadence types to co - [Deadline-driven](#deadline-driven) - [Scheduled install](#scheduled-install) +> [!NOTE] +> Windows Autopatch uses the [Update rings policy for Windows 10 and later in Microsoft Intune](/mem/intune/protect/windows-10-update-rings) to apply either **Deadline-driven** or **Scheduled install** cadence types. Microsoft Intune implements [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) using the settings available in the [Update policy CSP](/windows/client-management/mdm/policy-csp-update). + #### Deadline-driven With the deadline-drive cadence type, you can control and customize the deferral, deadline, and grace period to meet your specific business needs and organizational requirements. @@ -92,6 +95,9 @@ For more information, see [Windows Update settings you can manage with Intune up ## Customize the Windows Update deployment cadence +> [!IMPORTANT] +> The Windows update setting customizations can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to apply new software update settings.

For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

+ **To customize the Windows Update deployment cadence:** 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index 0b990ea9b6..7eaead607a 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -4,7 +4,7 @@ metadata: description: Answers to frequently asked questions about Windows Autopatch. ms.prod: windows-client ms.topic: faq - ms.date: 02/28/2023 + ms.date: 05/04/2023 audience: itpro ms.localizationpriority: medium manager: dougeby @@ -77,6 +77,9 @@ sections: - question: Can you change the policies and configurations created by Windows Autopatch? answer: | No. Don't change, edit, add to, or remove any of the configurations. Doing so might cause unintended configuration conflicts and impact the Windows Autopatch service. For more information about policies and configurations, see [Changes made at tenant enrollment](/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant). + - question: How can I represent our organizational structure with our own deployment cadence? + answer: | + [Windows Autopatch groups](../deploy/windows-autopatch-groups-overview.md) helps you manage updates in a way that makes sense for your businesses. For more information, see [Windows Autopatch groups overview](../deploy/windows-autopatch-groups-overview.md) and [Manage Windows Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md). - name: Update management questions: - question: What systems does Windows Autopatch update? diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 63adeb04ea..d71b135f49 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -39,7 +39,7 @@ href: information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md - name: TPM recommendations href: information-protection/tpm/tpm-recommendations.md - + - name: Hardware-based root of trust href: threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md - name: System Guard Secure Launch and SMM protection @@ -321,6 +321,8 @@ items: - name: Enhanced Phishing Protection in Microsoft Defender SmartScreen href: threat-protection\microsoft-defender-smartscreen\phishing-protection-microsoft-defender-smartscreen.md + - name: Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings + href: threat-protection\microsoft-defender-smartscreen\microsoft-defender-smartscreen-available-settings.md - name: Configure S/MIME for Windows href: identity-protection\configure-s-mime.md - name: Windows Credential Theft Mitigation Guide Abstract diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index c4e5d43423..cf9c8484b0 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md @@ -29,6 +29,9 @@ The policy setting has three components: ## Configure unlock factors +> [!CAUTION] +> On Windows 11, when the [DontDisplayLastUserName](/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name) security policy is enabled, it is known to interfere with the ability to use multi factor unlock. + The **First unlock factor credential providers** and **Second unlock factor credential providers** portion of the policy setting each contain a comma separated list of credential providers. Supported credential providers include: @@ -40,8 +43,8 @@ Supported credential providers include: |Facial Recognition| `{8AF662BF-65A0-4D0A-A540-A338A999D36F}`| |Trusted Signal
(Phone proximity, Network location) | `{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}`| ->[!NOTE] ->Multifactor unlock does not support third-party credential providers or credential providers not listed in the above table. +> [!NOTE] +> Multifactor unlock does not support third-party credential providers or credential providers not listed in the above table. The default credential providers for the **First unlock factor credential provider** include: diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md index 98746150c6..ea8fbab15b 100644 --- a/windows/security/threat-protection/auditing/event-4769.md +++ b/windows/security/threat-protection/auditing/event-4769.md @@ -179,8 +179,7 @@ The most common values: | 28 | Enc-tkt-in-skey | No information. | | 29 | Unused | - | | 30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field hasn't passed. The ticket to be renewed is passed in the padata field as part of the authentication header. | -| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Shouldn't be in use, because postdated tickets aren't supported by KILE. | -| ## Table 4. Kerberos encryption types | | | +| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Shouldn't be in use, because postdated tickets aren't supported by KILE. | - **Ticket Encryption Type**: \[Type = HexInt32\]: the cryptographic suite that was used for issued TGS. @@ -252,7 +251,7 @@ The table below contains the list of the most common error codes for this event: | 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message (checksum may be unsupported) | When KDC receives KRB\_TGS\_REQ message it decrypts it, and after the user-supplied checksum in the Authenticator MUST be verified against the contents of the request, and the message MUST be rejected if the checksums don't match (with an error code of KRB\_AP\_ERR\_MODIFIED) or if the checksum isn't collision-proof (with an error code of KRB\_AP\_ERR\_INAPP\_CKSUM). | | 0x33 | KRB\_AP\_PATH\_NOT\_ACCEPTED | Desired path is unreachable | No information. | | 0x34 | KRB\_ERR\_RESPONSE\_TOO\_BIG | Too much data | The size of a ticket is too large to be transmitted reliably via UDP. In a Windows environment, this message is purely informational. A computer running a Windows operating system will automatically try TCP if UDP fails. | -| 0x3C | KRB\_ERR\_GENERIC | Generic error | Group membership has overloaded the PAC.
Multiple recent password changes hanven't propagated.
Crypto subsystem error caused by running out of memory.
SPN too long.
SPN has too many parts. | +| 0x3C | KRB\_ERR\_GENERIC | Generic error | Group membership has overloaded the PAC.
Multiple recent password changes haven't propagated.
Crypto subsystem error caused by running out of memory.
SPN too long.
SPN has too many parts. | | 0x3D | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation | Each request (KRB\_KDC\_REQ) and response (KRB\_KDC\_REP or KRB\_ERROR) sent over the TCP stream is preceded by the length of the request as 4 octets in network byte order. The high bit of the length is reserved for future expansion and MUST currently be set to zero. If a KDC that doesn't understand how to interpret a set high bit of the length encoding receives a request with the high order bit of the length set, it MUST return a KRB-ERROR message with the error KRB\_ERR\_FIELD\_TOOLONG and MUST close the TCP stream. | | 0x3E | KDC\_ERR\_CLIENT\_NOT\_TRUSTED | The client trust failed or is not implemented | This typically happens when user’s smart-card certificate is revoked or the root Certification Authority that issued the smart card certificate (in a chain) isn't trusted by the domain controller. | | 0x3F | KDC\_ERR\_KDC\_NOT\_TRUSTED | The KDC server trust failed or could not be verified | The trustedCertifiers field contains a list of certification authorities trusted by the client, in the case that the client doesn't possess the KDC's public key certificate. If the KDC has no certificate signed by any of the trustedCertifiers, then it returns an error of type KDC\_ERR\_KDC\_NOT\_TRUSTED. See [RFC1510](https://www.ietf.org/proceedings/50/I-D/cat-kerberos-pk-init-13.txt) for more details. | diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md index 8723d513d2..3c1ed6dcea 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md @@ -1,59 +1,57 @@ --- -title: Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings (Windows) +title: Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings description: A list of all available settings for Microsoft Defender SmartScreen using Group Policy and mobile device management (MDM) settings. ms.prod: windows-client -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/28/2020 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security ms.topic: reference +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings -**Applies to:** - -- Windows 10 -- Windows 11 Microsoft Defender SmartScreen works with Intune, Group Policy, and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Microsoft Defender SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site entirely. -See [Windows 10 (and Windows 11) settings to protect devices using Intune](/intune/endpoint-protection-windows-10#windows-defender-smartscreen-settings) for the controls you can use in Intune. - +See [Windows 10 and Windows 11 settings to protect devices using Intune](/intune/endpoint-protection-windows-10#windows-defender-smartscreen-settings) for the controls you can use in Intune. ## Group Policy settings + SmartScreen uses registry-based Administrative Template policy settings. Setting|Supported on|Description| |--- |--- |--- | |**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen|**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen

**Windows 10, Version 1607 and earlier:** Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen

**At least Windows Server 2012, Windows 8 or Windows RT**|This policy setting turns on Microsoft Defender SmartScreen.

If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Microsoft Defender SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site).

If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.

If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.| -|**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control|**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control|This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

This setting does not protect against malicious content from USB devices, network shares, or other non-internet sources.

**Important:** Using a trustworthy browser helps ensure that these protections work as expected.| +|**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control|**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control|This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

This setting doesn't protect against malicious content from USB devices, network shares, or other non-internet sources.

**Important:** Using a trustworthy browser helps ensure that these protections work as expected.| |**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)

Administrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later)

**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)

Administrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later)

**Windows 10, Version 1607 and earlier:** Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen|Microsoft Edge on Windows 10 or Windows 11|This policy setting turns on Microsoft Defender SmartScreen.

If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off.

If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.

If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.| |**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files (Microsoft Edge version 45 and earlier)

Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (Microsoft Edge version 77 or later)

**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files (Microsoft Edge version 45 and earlier)

Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (Microsoft Edge version 77 or later)

**Windows 10, Version 1511 and 1607:** Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files|Microsoft Edge on Windows 10, version 1511 or later|This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious files.

If you enable this setting, it stops employees from bypassing the warning, stopping the file download.

If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files.| |**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 45 and earlier)

Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing Microsoft Defender SmartScreen prompts for sites (Microsoft Edge version 77 or later)

**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 45 and earlier)

Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing Microsoft Defender SmartScreen prompts for sites (Microsoft Edge version 77 or later)

**Windows 10, Version 1511 and 1607:** Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites|Microsoft Edge on Windows 10, version 1511 or later|This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious sites.

If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site.

If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site.| -|Administrative Templates\Windows Components\Internet Explorer\Prevent managing SmartScreen Filter|Internet Explorer 9 or later|This policy setting prevents the employee from managing Microsoft Defender SmartScreen.

If you enable this policy setting, the employee isn't prompted to turn on Microsoft Defender SmartScreen. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the employee.

If you disable or don't configure this policy setting, the employee is prompted to decide whether to turn on Microsoft Defender SmartScreen during the first-run experience.| +|Administrative Templates\Windows Components\Internet Explorer\Prevent managing SmartScreen Filter|Internet Explorer 9 or later|This policy setting prevents the employee from managing Microsoft Defender SmartScreen.

If you enable this policy setting, the employee isn't prompted to turn on Microsoft Defender SmartScreen. All website addresses that aren't on the filter's allowlist are sent automatically to Microsoft without prompting the employee.

If you disable or don't configure this policy setting, the employee is prompted to decide whether to turn on Microsoft Defender SmartScreen during the first-run experience.| |Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings|Internet Explorer 8 or later|This policy setting determines whether an employee can bypass warnings from Microsoft Defender SmartScreen.

If you enable this policy setting, Microsoft Defender SmartScreen warnings block the employee.

If you disable or don't configure this policy setting, the employee can bypass Microsoft Defender SmartScreen warnings.| -|Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet|Internet Explorer 9 or later|This policy setting determines whether the employee can bypass warnings from Microsoft Defender SmartScreen. Microsoft Defender SmartScreen warns the employee about executable files that Internet Explorer users do not commonly download from the Internet.

If you enable this policy setting, Microsoft Defender SmartScreen warnings block the employee.

If you disable or don't configure this policy setting, the employee can bypass Microsoft Defender SmartScreen warnings.| - +|Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings about files that aren't commonly downloaded from the Internet|Internet Explorer 9 or later|This policy setting determines whether the employee can bypass warnings from Microsoft Defender SmartScreen. Microsoft Defender SmartScreen warns the employee about executable files that Internet Explorer users don't commonly download from the Internet.

If you enable this policy setting, Microsoft Defender SmartScreen warnings block the employee.

If you disable or don't configure this policy setting, the employee can bypass Microsoft Defender SmartScreen warnings.| ## MDM settings -If you manage your policies using Microsoft Intune, you'll want to use these MDM policy settings. All settings support desktop computers running Windows 10 Pro or Windows 10 Enterprise, enrolled with Microsoft Intune.

+ +If you manage your policies using Microsoft Intune, use these MDM policy settings. All settings support desktop computers running Windows 10/11 Pro or Windows 10/11 Enterprise, enrolled with Microsoft Intune. + For Microsoft Defender SmartScreen Edge MDM policies, see [Policy CSP - Browser](/windows/client-management/mdm/policy-csp-browser). |Setting|Supported versions|Details| |--- |--- |--- | -|AllowSmartScreen|Windows 10|
  • **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
  • **Data type.** Integer**Allowed values:**
    • **0 .** Turns off Microsoft Defender SmartScreen in Edge.
    • **1.** Turns on Microsoft Defender SmartScreen in Edge.| -|EnableAppInstallControl|Windows 10, version 1703|
    • **URI full path.** ./Vendor/MSFT/Policy/Config/SmartScreen/EnableAppInstallControl
    • **Data type.** Integer**Allowed values:**
      • **0 .** Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.
      • **1.** Turns on Application Installation Control, allowing users to install apps from the Microsoft Store only.| -|EnableSmartScreenInShell|Windows 10, version 1703|
      • **URI full path.** ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell
      • **Data type.** Integer**Allowed values:**
        • **0 .** Turns off Microsoft Defender SmartScreen in Windows for app and file execution.
        • **1.** Turns on Microsoft Defender SmartScreen in Windows for app and file execution.| -|PreventOverrideForFilesInShell|Windows 10, version 1703|
        • **URI full path.** ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell
        • **Data type.** Integer**Allowed values:**
          • **0 .** Employees can ignore Microsoft Defender SmartScreen warnings and run malicious files.
          • **1.** Employees can't ignore Microsoft Defender SmartScreen warnings and run malicious files.| -|PreventSmartScreenPromptOverride|Windows 10, Version 1511 and Windows 11|
          • **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
          • **Data type.** Integer**Allowed values:**
            • **0 .** Employees can ignore Microsoft Defender SmartScreen warnings.
            • **1.** Employees can't ignore Microsoft Defender SmartScreen warnings.| -|PreventSmartScreenPromptOverrideForFiles|Windows 10, Version 1511 and Windows 11|
            • **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
            • **Data type.** Integer**Allowed values:**
              • **0 .** Employees can ignore Microsoft Defender SmartScreen warnings for files.
              • **1.** Employees can't ignore Microsoft Defender SmartScreen warnings for files.| +|AllowSmartScreen|Windows 10|
              • **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
              • **Data type.** Integer
              • **Allowed values:**
                • **0 .** Turns off Microsoft Defender SmartScreen in Microsoft Edge.
                • **1.** Turns on Microsoft Defender SmartScreen in Microsoft Edge.| +|EnableAppInstallControl|Windows 10, version 1703|
                • **URI full path.** ./Vendor/MSFT/Policy/Config/SmartScreen/EnableAppInstallControl
                • **Data type.** Integer
                • **Allowed values:**
                  • **0 .** Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.
                  • **1.** Turns on Application Installation Control, allowing users to install apps from the Microsoft Store only.| +|EnableSmartScreenInShell|Windows 10, version 1703|
                  • **URI full path.** ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell
                  • **Data type.** Integer
                  • **Allowed values:**
                    • **0 .** Turns off Microsoft Defender SmartScreen in Windows for app and file execution.
                    • **1.** Turns on Microsoft Defender SmartScreen in Windows for app and file execution.| +|PreventOverrideForFilesInShell|Windows 10, version 1703|
                    • **URI full path.** ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell
                    • **Data type.** Integer
                    • **Allowed values:**
                      • **0 .** Employees can ignore Microsoft Defender SmartScreen warnings and run malicious files.
                      • **1.** Employees can't ignore Microsoft Defender SmartScreen warnings and run malicious files.| +|PreventSmartScreenPromptOverride|Windows 10, Version 1511 and Windows 11|
                      • **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
                      • **Data type.** Integer
                      • **Allowed values:**
                        • **0 .** Employees can ignore Microsoft Defender SmartScreen warnings.
                        • **1.** Employees can't ignore Microsoft Defender SmartScreen warnings.| +|PreventSmartScreenPromptOverrideForFiles|Windows 10, Version 1511 and Windows 11|
                        • **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
                        • **Data type.** Integer
                        • **Allowed values:**
                          • **0 .** Employees can ignore Microsoft Defender SmartScreen warnings for files.
                          • **1.** Employees can't ignore Microsoft Defender SmartScreen warnings for files.| ## Recommended Group Policy and MDM settings for your organization + By default, Microsoft Defender SmartScreen lets employees bypass warnings. Unfortunately, this feature can let employees continue to an unsafe site or to continue to download an unsafe file, even after being warned. Because of this possibility, we strongly recommend that you set up Microsoft Defender SmartScreen to block high-risk interactions instead of providing just a warning. To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen Group Policy and MDM settings. @@ -73,10 +71,6 @@ To better help you protect your organization, we recommend turning on and using |SmartScreen/EnableSmartScreenInShell|**1.** Turns on Microsoft Defender SmartScreen in Windows.

                            Requires at least Windows 10, version 1703.| |SmartScreen/PreventOverrideForFilesInShell|**1.** Stops employees from ignoring warning messages about malicious files downloaded from the Internet.

                            Requires at least Windows 10, version 1703.| -## Related topics - -- [Threat protection](../index.md) - -- [Microsoft Defender SmartScreen overview](microsoft-defender-smartscreen-overview.md) +## Related articles - [Available Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies) diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md index dbb586c517..e7f02d821d 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md @@ -14,34 +14,32 @@ ms.collection: - highpri ms.date: 03/20/2023 ms.topic: article +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 +- ✅ Microsoft Edge --- # Microsoft Defender SmartScreen -**Applies to:** - -- Windows 10 -- Windows 11 -- Microsoft Edge - Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. **Microsoft Defender SmartScreen determines whether a site is potentially malicious by:** -- Analyzing visited webpages and looking for indications of suspicious behavior. If Microsoft Defender SmartScreen determines that a page is suspicious, it will show a warning page to advise caution. +- Analyzing visited webpages and looking for indications of suspicious behavior. If Microsoft Defender SmartScreen determines that a page is suspicious, it shows a warning page to advise caution. - Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, Microsoft Defender SmartScreen shows a warning to let the user know that the site might be malicious. **Microsoft Defender SmartScreen determines whether a downloaded app or app installer is potentially malicious by:** - Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, Microsoft Defender SmartScreen shows a warning to let the user know that the site might be malicious. -- Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, Microsoft Defender SmartScreen shows a warning, advising caution. +- Checking downloaded files against a list of files that are well known and downloaded frequently. If the file isn't on that list, Microsoft Defender SmartScreen shows a warning, advising caution. ## Benefits of Microsoft Defender SmartScreen Microsoft Defender SmartScreen provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially engineered attack. The primary benefits are: - **Anti-phishing and anti-malware support:** Microsoft Defender SmartScreen helps to protect users from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly used software. Because drive-by attacks can happen even if the user doesn't select or download anything on the page, the danger often goes unnoticed. For more information about drive-by attacks, see [Evolving Microsoft Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/). -- **Reputation-based URL and app protection:** Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If there's no reputation, the item is marked as a higher risk and presents a warning to the user. +- **Reputation-based URL and app protection:** Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users don't see any warnings. If there's no reputation, the item is marked as a higher risk and presents a warning to the user. - **Operating system integration:** Microsoft Defender SmartScreen is integrated into the Windows 10 operating system. It checks any files an app (including 3rd-party browsers and email clients) that attempts to download and run. - **Improved heuristics and diagnostic data:** Microsoft Defender SmartScreen is constantly learning and endeavoring to stay up to date, so it can help to protect you against potentially malicious sites and files. - **Management through group policy and Microsoft Intune:** Microsoft Defender SmartScreen supports using both group policy and Microsoft Intune settings. For more info about all available settings, see [Available Microsoft Defender SmartScreen group policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md). @@ -58,32 +56,6 @@ When submitting a file for Microsoft Defender SmartScreen, make sure to select * ![Windows Security, Microsoft Defender SmartScreen controls.](images/Microsoft-defender-smartscreen-submission.png) -## Viewing Microsoft Defender SmartScreen anti-phishing events - -> [!NOTE] -> No SmartScreen events are logged when using Microsoft Edge version 77 or later. - -When Microsoft Defender SmartScreen warns or blocks a user from a website, it's logged as [Event 1035 - Anti-Phishing](/previous-versions/windows/internet-explorer/ie-developer/compatibility/dd565657(v=vs.85)). - -## Viewing Windows event logs for Microsoft Defender SmartScreen - -Microsoft Defender SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log, in the Event Viewer. - -Windows event log for SmartScreen is disabled by default, users can use Event Viewer UI to enable the log or use the command line to enable it: - -```console -wevtutil sl Microsoft-Windows-SmartScreen/Debug /e:true -``` - -> [!NOTE] -> For information on how to use the Event Viewer, see [Windows Event Viewer](/host-integration-server/core/windows-event-viewer1). - -| EventID | Description | -|---|---| -| 1000 | Application Windows Defender SmartScreen Event | -| 1001 | Uri Windows Defender SmartScreen Event | -| 1002 | User Decision Windows Defender SmartScreen Event | - ## Related articles - [SmartScreen frequently asked questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx) diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md b/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md index 8597ee9893..aa2ffc3b9d 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md @@ -10,21 +10,19 @@ manager: aaroncz ms.localizationpriority: medium ms.date: 10/07/2022 adobe-target: true -appliesto: - - ✅ Windows 11, version 22H2 +appliesto: +- ✅ Windows 11, version 22H2 ms.topic: conceptual --- -# Enhanced Phishing Protection in Microsoft Defender SmartScreen +# Enhanced Phishing Protection in Microsoft Defender SmartScreen Starting in Windows 11, version 22H2, Enhanced Phishing Protection in Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps. -Enhanced Phishing Protection works alongside Windows security protections, and helps protect typed work or school passwords used to sign into Windows 11 in three ways: - -- If users type their work or school password on any Chromium browser, into a site deemed malicious by Microsoft Defender SmartScreen, Enhanced Phishing Protection will alert them. It will also prompt them to change their password so attackers can't gain access to their account. +Enhanced Phishing Protection works alongside Windows security protections, and helps protect typed work or school passwords used to sign into Windows 11 in these ways: +- If users type their work or school password on any Chromium browser, into a site deemed malicious by Microsoft Defender SmartScreen, Enhanced Phishing Protection alerts them. It also prompts them to change their password so attackers can't gain access to their account. - Reusing work or school passwords makes it easy for attackers who compromise a user's password to gain access to their other accounts. Enhanced Phishing Protection can warn users if they reuse their work or school Microsoft account password on sites and apps and prompt them to change their password. - - Since it's unsafe to store plaintext passwords in text editors, Enhanced Phishing Protection can warn users if they store their work or school password in Notepad, Word, or any Microsoft 365 Office app, and recommends they delete their password from the file. ## Benefits of Enhanced Phishing Protection in Microsoft Defender SmartScreen @@ -35,13 +33,13 @@ Enhanced Phishing Protection provides robust phishing protections for work or sc - **Secure operating system integration:** Enhanced Phishing Protection is integrated directly into the Windows 11 operating system, so it can understand users' password entry context (including process connections, URLs, certificate information) in any browser or app. Because Enhanced Phishing Protection has unparalleled insight into what is happening at the OS level, it can identify when users type their work or school password unsafely. If users do use their work or school password unsafely, the feature empowers users to change their password to minimize chances of their compromised credential being weaponized against them. -- **Unparalleled telemetry shared throughout Microsoft's security suite:** Enhanced Phishing Protection is constantly learning from phishing attacks seen throughout the entire Microsoft security stack. It works alongside other Microsoft security products, to provide a layered approach to password security, especially for organizations early in their password-less authentication journey. If your organization uses Microsoft Defender for Endpoint, you'll be able to see valuable phishing sensors data in the Microsoft 365 Defender Portal. This portal lets you view Enhanced Phishing Protection alerts and reports for unsafe password usage in your environment. +- **Unparalleled telemetry shared throughout Microsoft's security suite:** Enhanced Phishing Protection is constantly learning from phishing attacks seen throughout the entire Microsoft security stack. It works alongside other Microsoft security products, to provide a layered approach to password security, especially for organizations early in their password-less authentication journey. If your organization uses Microsoft Defender for Endpoint, you can see valuable phishing sensors data in the Microsoft 365 Defender Portal. This portal lets you view Enhanced Phishing Protection alerts and reports for unsafe password usage in your environment. -- **Easy management through Group Policy and Microsoft Intune:** Enhanced Phishing Protection works with Group Policy and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Enhanced Phishing Protection, you can customize which phishing protection scenarios will show users warning dialogs. For example, the Service Enabled setting determines whether the Enhanced Phishing Protection service is on or off. The feature will be in audit mode if the other settings, which correspond to notification policies, aren't enabled. +- **Easy management through Group Policy and Microsoft Intune:** Enhanced Phishing Protection works with Group Policy and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Enhanced Phishing Protection, you can customize which phishing protection scenarios show users warning dialogs. For example, the Service Enabled setting determines whether the Enhanced Phishing Protection service is on or off. The feature is in audit mode if the other settings, which correspond to notification policies, aren't enabled. ## Configure Enhanced Phishing Protection for your organization -Enhanced Phishing Protection can be configured via Microsoft Intune, Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service. Follow the instructions below to configure your devices using either Microsoft Intune, GPO or CSP. +Enhanced Phishing Protection can be configured via Microsoft Intune, Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service. Follow these instructions to configure your devices using either Microsoft Intune, GPO or CSP. #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) @@ -50,10 +48,9 @@ To configure devices using Microsoft Intune, create a [**Settings catalog** poli |Setting|Description| |---------|---------| |Service Enabled |This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender.
                          • If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.
                          • If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.
                            • | -|Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate
                          • If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn your users if they type their work or school password into one of the malicious scenarios described above.| -|Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
                          • If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.
                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they reuse their work or school password.| -|Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
                          • If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they store their password in Notepad or Microsoft 365 Office Apps.| - +|Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate
                          • If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they type their work or school password into one of the malicious scenarios described above.| +|Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
                          • If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.
                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they reuse their work or school password.| +|Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
                          • If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they store their password in Notepad or Microsoft 365 Office Apps.| Assign the policy to a security group that contains as members the devices or users that you want to configure. @@ -64,9 +61,9 @@ Enhanced Phishing Protection can be configured using the following Administrativ |Setting|Description| |---------|---------| |Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Service Enabled |This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender.
                          • If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.
                          • If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.
                            • | -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate
                          • If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn your users if they type their work or school password into one of the malicious scenarios described above.| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
                          • If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.
                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they reuse their work or school password.| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
                          • If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they store their password in Notepad or Microsoft 365 Office Apps.| +|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate
                          • If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they type their work or school password into one of the malicious scenarios described above.| +|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
                          • If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.
                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they reuse their work or school password.| +|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
                          • If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they store their password in Notepad or Microsoft 365 Office Apps.| #### [:::image type="icon" source="images/icons/windows-os.svg"::: **CSP**](#tab/csp) @@ -83,7 +80,7 @@ Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP][ ### Recommended settings for your organization -By default, Enhanced Phishing Protection is deployed in audit mode, preventing notifications to the users for any protection scenarios. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender. Users aren't warned if they enter their work or school password into a phishing site, if they reuse their password, or if they unsafely store their password in applications. Because of this possibility, it's recommended that you configure Enhanced Phishing Protection to warn users during all protection scenarios. +By default, Enhanced Phishing Protection is deployed in audit mode, preventing notifications to the users for any protection scenarios. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender. Users aren't warned if they enter their work or school password into a phishing site, if they reuse their password, or if they unsafely store their password in applications. Because of this possibility, it's recommended that you configure Enhanced Phishing Protection to warn users during all protection scenarios. To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen settings. @@ -106,7 +103,7 @@ To better help you protect your organization, we recommend turning on and using |Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|**Enable**: Enhanced Phishing Protection warns users if they store their password in Notepad and Microsoft 365 Office Apps.| #### [:::image type="icon" source="images/icons/windows-os.svg"::: **CSP**](#tab/csp) - + |MDM setting|Recommendation| |---------|---------| |ServiceEnabled|**1**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users.| @@ -118,10 +115,8 @@ To better help you protect your organization, we recommend turning on and using ## Related articles -- [Microsoft Defender SmartScreen](microsoft-defender-smartscreen-overview.md) - [SmartScreen Frequently Asked Questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx) - [Threat protection](../index.md) -- [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md) - [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference) ------------