**Example**
<emie>
<domain exclude="false">fabrikam.com
<path exclude="true">/products</path>
</domain>
</emie>
Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does.|Internet Explorer 11 and Microsoft Edge|
+|<docMode>|Specifies the document mode to apply. This attribute is only supported on <domain> or <path>elements in the <docMode> section.
**Example**
<docMode>
<domain exclude="false">fabrikam.com
<path docMode="7">/products</path>
</domain>
</docMode>|Internet Explorer 11| ### Using Enterprise Mode and document mode together If you want to use both Enterprise Mode and document mode together, you need to be aware that <emie> entries override <docMode> entries for the same domain. diff --git a/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md b/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md index 70694a3df2..fcdaa18eee 100644 --- a/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md +++ b/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md @@ -92,194 +92,32 @@ Make sure that you don't specify a protocol when adding your URLs. Using a URL l ### Updated schema elements This table includes the elements used by the v.2 version of the Enterprise Mode schema. -
| Element | -Description | -Supported browser | -
|---|---|---|
| <site-list> | -A new root node with this text is using the updated v.2 version of the schema. It replaces <rules>.
- Example - -<site-list version="205"> - <site url="contoso.com"> - <compat-mode>IE8Enterprise</compat-mode> - <open-in>IE11</open-in> - </site> -</site-list> |
-Internet Explorer 11 and Microsoft Edge | -
| <site> | -A unique entry added for each site you want to put on the Enterprise Mode site list. The first <site> element will overrule any additional <site> elements that use the same value for the <url> element.
- Example - -<site url="contoso.com"> - <compat-mode>default</compat-mode> - <open-in>none</open-in> -</site>--or- - For IPv4 ranges: <site url="10.122.34.99:8080"> - <compat-mode>IE8Enterprise</compat-mode> -<site> --or- - For IPv6 ranges: <site url="[10.122.34.99]:8080"> - <compat-mode>IE8Enterprise</compat-mode> -<site> -You can also use the self-closing version, <url="contoso.com" />, which also sets: -
|
-Internet Explorer 11 and Microsoft Edge | -
| <compat-mode> | -A child element that controls what compatibility setting is used for specific sites or domains. This element is only supported in IE11.
- Example - -<site url="contoso.com"> - <compat-mode>IE8Enterprise</compat-mode> -</site>--or- - For IPv4 ranges: <site url="10.122.34.99:8080"> - <compat-mode>IE8Enterprise</compat-mode> -<site> --or- - For IPv6 ranges: <site url="[10.122.34.99]:8080"> - <compat-mode>IE8Enterprise</compat-mode> -<site> -Where: -
- - - |
-Internet Explorer 11 | -
| <open-in> | -A child element that controls what browser is used for sites. This element supports the Open in IE11 or Open in Microsoft Edge experiences, for devices running Windows 10.
- Example - -<site url="contoso.com"> - <open-in>none</open-in> -</site> -Where: -
- - |
-Internet Explorer 11 and Microsoft Edge | -
**Example**
<site-list version="205">| Internet Explorer 11 and Microsoft Edge | +|<site> |A unique entry added for each site you want to put on the Enterprise Mode site list. The first <site> element will overrule any additional <site> elements that use the same value for the <url> element.
<site url="contoso.com">
<compat-mode>IE8Enterprise</compat-mode>
<open-in>IE11</open-in>
</site>
</site-list>
**Example**
<site url="contoso.com">
<compat-mode>default</compat-mode>
<open-in>none</open-in>
</site>
**or** For IPv4 ranges:
<site url="10.122.34.99:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site>
**or** For IPv6 ranges:
<site url="[10.122.34.99]:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site>
You can also use the self-closing version, <url="contoso.com" />, which also sets:
- <compat-mode>default</compat-mode>
- <open-in>none</open-in> | Internet Explorer 11 and Microsoft Edge | +|<compat-mode> |A child element that controls what compatibility setting is used for specific sites or domains. This element is only supported in IE11.
**Example**
**or**
<site url="contoso.com">
<compat-mode>IE8Enterprise</compat-mode>
</site>
For IPv4 ranges:
<site url="10.122.34.99:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site>
**or** For IPv6 ranges:
<site url="[10.122.34.99]:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site>
Where
- **IE8Enterprise.** Loads the site in IE8 Enterprise Mode.
This element is required for sites included in the **EmIE** section of the v.1 schema and is needed to load in IE8 Enterprise Mode. - **IE7Enterprise.** Loads the site in IE7 Enterprise Mode.
This element is required for sites included in the **EmIE** section of the v.1 schema and is needed to load in IE7 Enterprise Mode**Important**
This tag replaces the combination of the `"forceCompatView"="true"` attribute and the list of sites specified in the EmIE section of the v.1 version of the schema. - **IE[x]**. Where [x] is the document mode number into which the site loads.
- **Default or not specified.** Loads the site using the default compatibility mode for the page. In this situation, X-UA-compatible meta tags or HTTP headers are honored. |Internet Explorer 11 | +|<open-in> |A child element that controls what browser is used for sites. This element supports the **Open in IE11** or **Open in Microsoft Edge** experiences, for devices running Windows 10.
**Examples**
<site url="contoso.com">
<open-in>none</open-in>
</site>
Where
- IE11. Opens the site in IE11, regardless of which browser is opened by the employee.
- MSEdge. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.
- None or not specified. Opens in whatever browser the employee chooses. | Internet Explorer 11 and Microsoft Edge | ### Updated schema attributes The <url> attribute, as part of the <site> element in the v.2 version of the schema, replaces the <domain> element from the v.1 version of the schema. -
- <compat-mode>default</compat-mode> -
- <open-in>none</open-in> -
- IE8Enterprise. Loads the site in IE8 Enterprise Mode.
This element is required for sites included in the EmIE section of the v.1 schema and is needed to load in IE8 Enterprise Mode. - IE7Enterprise. Loads the site in IE7 Enterprise Mode.
This element is required for sites included in the EmIE section of the v.1 schema and is needed to load in IE7 Enterprise Mode.Important
This tag replaces the combination of the"forceCompatView"="true"attribute and the list of sites specified in the EmIE section of the v.1 version of the schema. - IE[x]. Where [x] is the document mode number into which the site loads.
- Default or not specified. Loads the site using the default compatibility mode for the page. In this situation, X-UA-compatible meta tags or HTTP headers are honored. -
- IE11. Opens the site in IE11, regardless of which browser is opened by the employee.
- MSEdge. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.
- None or not specified. Opens in whatever browser the employee chooses. -
- <compat-mode>default</compat-mode>
- <open-in>none</open-in> | Internet Explorer 11 and Microsoft Edge | +|<compat-mode> |A child element that controls what compatibility setting is used for specific sites or domains. This element is only supported in IE11.
- **IE8Enterprise.** Loads the site in IE8 Enterprise Mode.
This element is required for sites included in the **EmIE** section of the v.1 schema and is needed to load in IE8 Enterprise Mode. - **IE7Enterprise.** Loads the site in IE7 Enterprise Mode.
This element is required for sites included in the **EmIE** section of the v.1 schema and is needed to load in IE7 Enterprise Mode**Important**
This tag replaces the combination of the `"forceCompatView"="true"` attribute and the list of sites specified in the EmIE section of the v.1 version of the schema. - **IE[x]**. Where [x] is the document mode number into which the site loads.
- **Default or not specified.** Loads the site using the default compatibility mode for the page. In this situation, X-UA-compatible meta tags or HTTP headers are honored. |Internet Explorer 11 | +|<open-in> |A child element that controls what browser is used for sites. This element supports the **Open in IE11** or **Open in Microsoft Edge** experiences, for devices running Windows 10.
- IE11. Opens the site in IE11, regardless of which browser is opened by the employee.
- MSEdge. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.
- None or not specified. Opens in whatever browser the employee chooses. | Internet Explorer 11 and Microsoft Edge | ### Updated schema attributes The <url> attribute, as part of the <site> element in the v.2 version of the schema, replaces the <domain> element from the v.1 version of the schema. -
- | Internet Explorer 11 and Microsoft Edge|
+|version |Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <site-list> element. | Internet Explorer 11 and Microsoft Edge|
+|url|Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
**Note**
Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both [https://contoso.com](https://contoso.com) and [https://contoso.com](https://contoso.com).
**Example**<site url="contoso.com:8080">
In this example, going to [https://contoso.com:8080](https://contoso.com:8080) using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode. | Internet Explorer 11 and Microsoft Edge| ### Deprecated attributes These v.1 version schema attributes have been deprecated in the v.2 version of the schema: -
<compat-mode>IE8Enterprise</compat-mode>
<open-in>IE11</open-in>
</site>- -
+|Deprecated attribute|New attribute|Replacement example| +|--- |--- |--- | +|forceCompatView|<compat-mode>|Replace <forceCompatView="true"> with <compat-mode>IE7Enterprise</compat-mode>| +|docMode|<compat-mode>|Replace <docMode="IE5"> with <compat-mode>IE5</compat-mode>| +|doNotTransition|<open-in>|Replace:- - - -Deprecated element/attribute -New element -Replacement example -- -forceCompatView -<compat-mode> -Replace forceCompatView="true" with <compat-mode>IE7Enterprise</compat-mode> -- -docMode -<compat-mode> -Replace docMode="IE5" with <compat-mode>IE5</compat-mode> -- -doNotTransition -<open-in> -Replace doNotTransition="true" with <open-in>none</open-in> -- -<domain> and <path> -<site> -Replace: - --<emie> - <domain>contoso.com</domain> -</emie>
-With: --<site url="contoso.com"/> - <compat-mode>IE8Enterprise</compat-mode> - <open-in>IE11</open-in> -</site>
--AND--Replace: -
-<emie> - <domain exclude="true" doNotTransition="true"> - contoso.com - <path forceCompatView="true">/about</path> - </domain> -</emie>
-With: --<site url="contoso.com/about"> - <compat-mode>IE7Enterprise</compat-mode> - <open-in>IE11</open-in> -</site>
<doNotTransition="true"> with <open-in>none</open-in>| +|<domain> and <path>|<site>|Replace:<emie>
With:
<domain>contoso.com</domain>
</emie><site url="contoso.com"/>
**-AND-**
<compat-mode>IE8Enterprise</compat-mode>
<open-in>IE11</open-in>
</site>
Replace:<emie>
<domain exclude="true" donotTransition="true">contoso.com
<path forceCompatView="true">/about</path>
</domain>
</emie>
With:<site url="contoso.com/about">
<compat-mode>IE7Enterprise</compat-mode>
<open-in>IE11</open-in>
</site>| While the old, replaced attributes aren't supported in the v.2 version of the schema, they'll continue to work in the v.1 version of the schema. If, however, you're using the v.2 version of the schema and these attributes are still there, the v.2 version schema takes precedence. We don’t recommend combining the two schemas, and instead recommend that you move to the v.2 version of the schema to take advantage of the new features. diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index 2fb2324ddc..66569c4674 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -126,96 +126,23 @@ Table 2 lists the settings in the Device Management node in the Google Admin Con Table 2. Settings in the Device Management node in the Google Admin Console --
- - +|Section |Settings | +|---------|---------| +|Network |- - -- - - - - -Section -Settings -- -Network -These settings configure the network connections for Chromebook devices and include the following settings categories:
--
-
Wi-Fi. Configures the Wi-Fi connections that are available. The Windows devices will need these configuration settings to connect to the same Wi-Fi networks.
-Ethernet. Configures authentication for secured, wired Ethernet connections (802.1x). The Windows devices will need these configuration settings to connect to the network.
-VPN. Specifies the VPN network connections used by devices when not directly connected to your intranet. The Windows devices will need the same VPN network connections for users to remotely connect to your intranet.
-Certificates. Contains the certificates used for network authentication. The Windows devices will need these certificates to connect to the network.
-
- -Mobile -These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:
--
-
Device management settings. Configures settings for mobile (companion) devices, such as device synchronization, password settings, auditing, enable remote wipe, and other settings. Record these settings so that you can ensure the same settings are applied when the devices are being managed by Microsoft Intune or another mobile device management (MDM) provider.
-Device activation. Contains a list of mobile (companion) devices that need to be approved for management by using the Google Admin Console. Approve or block any devices in this list so that the list of managed devices accurately reflects active managed devices.
-Managed devices. Performs management tasks on mobile (companion) devices that are managed by the Google Admin Console. Record the list of companion devices on this page so that you can ensure the same devices are managed by Intune or another MDM provider.
-Set Up Apple Push Certificate. Configures the certificate that is essentially the digital signature that lets the Google Admin Console manage iOS devices. You will need this certificate if you plan to manage iOS devices by using Intune or another MDM provider.
-Set Up Android for Work. Authorizes the Google Admin Console to be the MDM provider for Android devices by providing an Enterprise Mobility Management (EMM) token. You will need this token if you plan to manage Android devices by using another MDM provider.
-
- - -Chrome management -These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:
--
-
User settings. Configures user-based settings for the Chrome browser and Chromebook devices. Most of these Chromebook user-based settings can be mapped to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.
-Public session settings. Configures Public Sessions for Chrome devices that are used as kiosks, loaner devices, shared computers, or for any other work or school-related purpose for which users don't need to sign in with their credentials. You can configure Windows devices similarly by using Assigned Access. Record the settings and apps that are available in Public Sessions so that you can provide similar configuration in Assigned Access.
-Device settings. Configures device-based settings for the Chrome browser and Chromebook devices. You can map most of these Chromebook device-based settings to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.
-Devices. Manages Chrome device management licenses. The number of licenses recorded here should correspond to the number of licenses you will need for your new management system, such as Intune. Record the number of licenses and use those to determine how many licenses you will need to manage your Windows devices.
-App Management. Provides configuration settings for Chrome apps. Record the settings for any apps that you have identified that will run on Windows devices.
-
These settings configure the network connections for Chromebook devices and include the following settings categories:
- **Wi-Fi.** Configures the Wi-Fi connections that are available. The Windows devices will need these configuration settings to connect to the same Wi-Fi networks.
- **Ethernet.** Configures authentication for secured, wired Ethernet connections (802.1x). The Windows devices will need these configuration settings to connect to the network.
- **VPN.** Specifies the VPN network connections used by devices when not directly connected to your intranet. The Windows devices will need the same VPN network connections for users to remotely connect to your intranet.
- **Certificates.** Contains the certificates used for network authentication. The Windows devices will need these certificates to connect to the network. |
+|Mobile |These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:
- **Device management settings.** Configures settings for mobile (companion) devices, such as device synchronization, password settings, auditing, enable remote wipe, and other settings. Record these settings so that you can ensure the same settings are applied when the devices are being managed by Microsoft Intune or another mobile device management (MDM) provider.
- **Device activation.** Contains a list of mobile (companion) devices that need to be approved for management by using the Google Admin Console. Approve or block any devices in this list so that the list of managed devices accurately reflects active managed devices.
- **Managed devices.** Performs management tasks on mobile (companion) devices that are managed by the Google Admin Console. Record the list of companion devices on this page so that you can ensure the same devices are managed by Intune or another MDM provider.
- **Set Up Apple Push Certificate.** Configures the certificate that is essentially the digital signature that lets the Google Admin Console manage iOS devices. You will need this certificate if you plan to manage iOS devices by using Intune or another MDM provider.
- **Set Up Android for Work.** Authorizes the Google Admin Console to be the MDM provider for Android devices by providing an Enterprise Mobility Management (EMM) token. You will need this token if you plan to manage Android devices by using another MDM provider. |
+|Chrome management |These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:
- **User settings.** Configures user-based settings for the Chrome browser and Chromebook devices. Most of these Chromebook user-based settings can be mapped to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.
- **Public session settings.** Configures Public Sessions for Chrome devices that are used as kiosks, loaner devices, shared computers, or for any other work or school-related purpose for which users don't need to sign in with their credentials. You can configure Windows devices similarly by using Assigned Access. Record the settings and apps that are available in Public Sessions so that you can provide similar configuration in Assigned Access.
- **Device settings.** Configures device-based settings for the Chrome browser and Chromebook devices. You can map most of these Chromebook device-based settings to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.
- **Devices.** Manages Chrome device management licenses. The number of licenses recorded here should correspond to the number of licenses you will need for your new management system, such as Intune. Record the number of licenses and use those to determine how many licenses you will need to manage your Windows devices
- **App Management.** Provides configuration settings for Chrome apps. Record the settings for any apps that you have identified that will run on Windows devices. |
Table 3 lists the settings in the Security node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows.
Table 3. Settings in the Security node in the Google Admin Console
-
-
- - +|Section|Settings| +|--- |--- | +|Basic settings|These settings configure password management and whether or not two-factor authentication (2FA) is configured. You can set the minimum password length, the maximum password length, if non-admin users can recover their own passwords, and enable 2FA.- - -- - - - - -Section -Settings -- -Basic settings
These settings configure password management and whether or not two-factor authentication (2FA) is configured. You can set the minimum password length, the maximum password length, if non-admin users can recover their own passwords, and enable 2FA.
-Record these settings and use them to help configure your on-premises Active Directory or Azure Active Directory (Azure AD) to mirror the current behavior of your Chromebook environment.
- -Password monitoring
This section is used to monitor the strength of user passwords. You don’t need to migrate any settings in this section.
- -API reference
This section is used to enable access to various Google Apps Administrative APIs. You don’t need to migrate any settings in this section.
- -Set up single sign-on (SSO)
This section is used to configure SSO for Google web-based apps (such as Google Apps Gmail or Google Apps Calendar). While you don’t need to migrate any settings in this section, you probably will want to configure Azure Active Directory synchronization to replace Google-based SSO.
- - -Advanced settings
This section is used to configure administrative access to user data and to configure the Google Secure Data Connector (which allows Google Apps to access data on your local network). You don’t need to migrate any settings in this section.
Record these settings and use them to help configure your on-premises Active Directory or Azure Active Directory (Azure AD) to mirror the current behavior of your Chromebook environment.| +|Password monitoring|This section is used to monitor the strength of user passwords. You don’t need to migrate any settings in this section.| +|API reference|This section is used to enable access to various Google Apps Administrative APIs. You don’t need to migrate any settings in this section.| +|Set up single sign-on (SSO)|This section is used to configure SSO for Google web-based apps (such as Google Apps Gmail or Google Apps Calendar). While you don’t need to migrate any settings in this section, you probably will want to configure Azure Active Directory synchronization to replace Google-based SSO.| +|Advanced settings|This section is used to configure administrative access to user data and to configure the Google Secure Data Connector (which allows Google Apps to access data on your local network). You don’t need to migrate any settings in this section.| **Identify locally-configured settings to migrate** @@ -428,62 +355,14 @@ Table 5 is a decision matrix that helps you decide if you can use only on-premis Table 5. Select on-premises AD DS, Azure AD, or hybrid --
- - +|If you plan to...|On-premises AD DS|Azure AD|Hybrid| +|--- |--- |--- |--- | +|Use Office 365||✔️|✔️| +|Use Intune for management||✔️|✔️| +|Use Microsoft Endpoint Manager for management|✔️||✔️| +|Use Group Policy for management|✔️||✔️| +|Have devices that are domain-joined|✔️||✔️| +|Allow faculty and students to Bring Your Own Device (BYOD) which are not domain-joined||✔️|✔️| ### @@ -497,113 +376,17 @@ Table 6 is a decision matrix that lists the device, user, and app management pro Table 6. Device, user, and app management products and technologies -- - -- - - - - - - -If you plan to... -On-premises AD DS -Azure AD -Hybrid -- -Use Office 365 -- X -X -- -Use Intune for management -- X -X -- -Use Microsoft Endpoint Manager for management -X -- X -- -Use Group Policy for management -X -- X -- -Have devices that are domain-joined -X -- X -- - -Allow faculty and students to Bring Your Own Device (BYOD) which are not domain-joined -- X -X --
- - +|Desired feature|Windows provisioning packages|Group Policy|Configuration Manager|Intune|MDT|Windows Software Update Services| +|--- |--- |--- |--- |--- |--- |--- | +|Deploy operating system images|✔️||✔️||✔️|| +|Deploy apps during operating system deployment|✔️||✔️||✔️|| +|Deploy apps after operating system deployment|✔️|✔️|✔️|||| +|Deploy software updates during operating system deployment|||✔️||✔️|| +|Deploy software updates after operating system deployment|✔️|✔️|✔️|✔️||✔️| +|Support devices that are domain-joined|✔️|✔️|✔️|✔️|✔️|| +|Support devices that are not domain-joined|✔️|||✔️|✔️|| +|Use on-premises resources|✔️|✔️|✔️||✔️|| +|Use cloud-based services||||✔️||| You can use Configuration Manager and Intune in conjunction with each other to provide features from both products and technologies. In some instances you may need only one of these products or technologies. In other instances, you may need two or more to meet the device, user, and app management needs for your institution. @@ -665,35 +448,10 @@ It is important that you perform any network infrastructure remediation first be Table 7. Network infrastructure products and technologies and deployment resources -- - -- - - - - - - - - - -Desired feature -Windows provisioning packages -Group Policy -Configuration Manager -Intune -MDT -Windows Software Update Services -- -Deploy operating system images -X -- X -- X -- - -Deploy apps during operating system deployment -X -- X -- X -- - -Deploy apps after operating system deployment -X -X -X -- - - - -Deploy software updates during operating system deployment -- - X -- X -- - -Deploy software updates after operating system deployment -X -X -X -X -- X -- -Support devices that are domain-joined -X -X -X -X -X -- - -Support devices that are not domain-joined -X -- - X -X -- - -Use on-premises resources -X -X -X -- X -- - - -Use cloud-based services -- - - X -- - -
- +|Product or technology|Resources| +|--- |--- | +|DHCP|- - -- - - - - -Product or technology -Resources -- -DHCP -- - - -DNS -- - [Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11))
- [DHCP Deployment Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd283051(v=ws.10))| +|DNS|
- [Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11))
- [Deploying Domain Name System (DNS)](/previous-versions/windows/it-pro/windows-server-2003/cc780661(v=ws.10))|
If you use network infrastructure products and technologies from other vendors, refer to the vendor documentation on how to perform the necessary remediation. If you determined that no remediation is necessary, you can skip this section.
@@ -707,37 +465,10 @@ In the [Plan for Active Directory services](#plan-adservices) section, you deter
Table 8. AD DS, Azure AD and deployment resources
-
-
- - +|Product or technology|Resources| +|--- |--- | +|AD DS|- - -- - - - - -Product or technology -Resources -- -AD DS -- - - -Azure AD -- - [Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11))
- [Active Directory Domain Services Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831484(v=ws.11))| +|Azure AD|
- [Azure Active Directory documentation](/azure/active-directory/)
- [Manage and support Azure Active Directory Premium](https://go.microsoft.com/fwlink/p/?LinkId=690259)
- [Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines](/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100)|
If you decided not to migrate to AD DS or Azure AD as a part of the migration, or if you determined that no remediation is necessary, you can skip this section. If you use identity products and technologies from another vendor, refer to the vendor documentation on how to perform the necessary steps.
@@ -750,59 +481,13 @@ Table 9 lists the Microsoft management systems and the deployment resources for
Table 9. Management systems and deployment resources
-
-
- - +|Management system|Resources| +|--- |--- | +|Windows provisioning packages|- - -- - - - - -Management system -Resources -- -Windows provisioning packages -- - -Group Policy -- - -Configuration Manager -- - -Intune -- - - -MDT -- - [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
- [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd)
- [Step-By-Step: Building Windows 10 Provisioning Packages](/archive/blogs/canitpro/step-by-step-building-windows-10-provisioning-packages)| +|Group Policy|
- [Core Network Companion Guide: Group Policy Deployment](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj899807(v=ws.11))
- [Deploying Group Policy](/previous-versions/windows/it-pro/windows-server-2003/cc737330(v=ws.10))"| +|Configuration Manager|
- [Site Administration for System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg681983(v=technet.10))
- [Deploying Clients for System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699391(v=technet.10))| +|Intune|
- [Set up and manage devices with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=690262)
- [Smoother Management Of Office 365 Deployments with Windows Intune](https://go.microsoft.com/fwlink/p/?LinkId=690263)
- [System Center 2012 R2 Configuration Manager & Windows Intune](/learn/?l=fCzIjVKy_6404984382)| +|MDT|
- [MDT documentation in the Microsoft Deployment Toolkit (MDT) 2013](https://go.microsoft.com/fwlink/p/?LinkId=690324)
- [Step-By-Step: Installing Windows 8.1 From A USB Key](/archive/blogs/canitpro/step-by-step-installing-windows-8-1-from-a-usb-key)|
If you determined that no new management system or no remediation of existing systems is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps.
@@ -815,44 +500,11 @@ In this step, you need to configure your management system to deploy the apps to
Table 10. Management systems and app deployment resources
-
-
- - +|Management system|Resources| +|--- |--- | +|Group Policy|- - -- - - - - -Management system -Resources -- -Group Policy -- - -Configuration Manager -- - - -Intune -- - [Editing an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10))
- [Group Policy Software Deployment Background](/previous-versions/windows/it-pro/windows-server-2003/cc739305(v=ws.10))
- [Assigning and Publishing Software](/previous-versions/windows/it-pro/windows-server-2003/cc783635(v=ws.10))| +|Configuration Manager|
- [How to Deploy Applications in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682082(v=technet.10))
- [Application Management in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699373(v=technet.10))| +|Intune|
- [Deploy apps to mobile devices in Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=733913)
- [Manage apps with Microsoft Intune](/mem/intune/)|
If you determined that no deployment of apps is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps.
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index 09c8ad86fe..10787af567 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -83,7 +83,7 @@ This district configuration has the following characteristics:
* If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](/azure/active-directory/hybrid/whatis-hybrid-identity).
-* Use [Intune](/intune/), [Mobile Device Management for Office 365](https://support.office.com/en-us/article/Set-up-Mobile-Device-Management-MDM-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy in AD DS](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725828(v=ws.10)) to manage devices.
+* Use [Intune](/intune/), [Mobile Device Management for Office 365](/microsoft-365/admin/basic-mobility-security/set-up), or [Group Policy in AD DS](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725828(v=ws.10)) to manage devices.
* Each device supports a one-student-per-device or multiple-students-per-device scenario.
@@ -128,7 +128,7 @@ Office 365 Education allows:
* Students and faculty to access classroom resources from anywhere on any device (including iOS and Android devices).
-For more information about Office 365 Education features and an FAQ, go to [Office 365 Education plans and pricing](https://products.office.com/en-us/academic).
+For more information about Office 365 Education features and an FAQ, go to [Office 365 Education plans and pricing](https://www.microsoft.com/microsoft-365/academic/compare-office-365-education-plans).
### How to configure a district
@@ -225,80 +225,10 @@ Use the cloud-centric scenario and on-premises and cloud scenario as a guide for
To deploy Windows 10 and your apps, you can use MDT by itself or Microsoft Endpoint Manager and MDT together. For a district, there are a few ways to deploy Windows 10 to devices. Table 2 lists the methods that this guide describes and recommends. Use this information to determine which combination of deployment methods is right for your institution.
-
-
+|Method|Description| +|--- |--- | +|MDT|MDT is an on-premises solution that supports initial operating system deployment and upgrade. You can use MDT to deploy and upgrade Windows 10. In addition, you can initially deploy Windows desktop and Microsoft Store apps and software updates.- - -- - - - - - -Method -Description -- - -MDT -MDT is an on-premises solution that supports initial operating system deployment and upgrade. You can use MDT to deploy and upgrade Windows 10. In addition, you can initially deploy Windows desktop and Microsoft Store apps and software updates.
-
-Select this method when you:-
-
- Want to deploy Windows 10 to institution-owned and personal devices. (Devices need not be domain joined.) -
- Don’t have an existing AD DS infrastructure. -
- Need to manage devices regardless of where they are (on or off premises). -
The advantages of this method are that:
--
-
- You can deploy Windows 10 operating systems. -
- You can manage device drivers during initial deployment. -
- You can deploy Windows desktop apps (during initial deployment) -
- It doesn’t require an AD DS infrastructure. -
- It doesn’t have additional infrastructure requirements. -
- MDT doesn’t incur additional cost: it’s a free tool. -
- You can deploy Windows 10 operating systems to institution-owned and personal devices. -
The disadvantages of this method are that it:
- --
-
- Can’t manage applications throughout entire application life cycle (by itself). -
- Can’t manage software updates for Windows 10 and apps (by itself). -
- Doesn’t provide antivirus and malware protection (by itself). -
- Has limited scaling to large numbers of users and devices. -
- - -Microsoft Endpoint Configuration Manager -Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle. You can use Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection.
-
-Select this method when you:-
-
- Want to deploy Windows 10 to institution-owned devices that are domain joined (personal devices are typically not domain joined). -
- Have an existing AD DS infrastructure (or plan to deploy an AD DS infrastructure). -
- Typically deploy Windows 10 to on-premises devices. -
The advantages of this method are that:
--
-
- You can deploy Windows 10 operating systems. -
- You can manage (deploy) Windows desktop and Microsoft Store apps throughout entire application life cycle. -
- You can manage software updates for Windows 10 and apps. -
- You can manage antivirus and malware protection. -
- It scales to large number of users and devices. -
The disadvantages of this method are that it:
--
-
- Carries an additional cost for Microsoft Endpoint Manager server licenses (if the institution does not have Configuration Manager already). -
- Can deploy Windows 10 only to domain-joined (institution-owned devices). -
- Requires an AD DS infrastructure (if the institution does not have AD DS already). -
Select this method when you: - Want to deploy Windows 10 to institution-owned and personal devices. (Devices need not be domain joined.)
- Don’t have an existing AD DS infrastructure.
- Need to manage devices regardless of where they are (on or off premises).
The advantages of this method are that:
- You can deploy Windows 10 operating systems
- You can manage device drivers during initial deployment.
- You can deploy Windows desktop apps (during initial deployment)
- It doesn’t require an AD DS infrastructure.
- It doesn’t have additional infrastructure requirements.
- MDT doesn’t incur additional cost: it’s a free tool.
- You can deploy Windows 10 operating systems to institution-owned and personal devices.
The disadvantages of this method are that it:
- Can’t manage applications throughout entire application life cycle (by itself).
- Can’t manage software updates for Windows 10 and apps (by itself).
- Doesn’t provide antivirus and malware protection (by itself).
- Has limited scaling to large numbers of users and devices.| +|Microsoft Endpoint Configuration Manager|
- Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle
- You can use Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection.
Select this method when you: - Want to deploy Windows 10 to institution-owned devices that are domain joined (personal devices are typically not domain joined).
- Have an existing AD DS infrastructure (or plan to deploy an AD DS infrastructure).
- Typically deploy Windows 10 to on-premises devices.
The advantages of this method are that: - You can deploy Windows 10 operating systems.
- You can manage (deploy) Windows desktop and Microsoft Store apps throughout entire application life cycle.
- You can manage software updates for Windows 10 and apps.
- You can manage antivirus and malware protection.
- It scales to large number of users and devices.
The disadvantages of this method are that it: - Carries an additional cost for Microsoft Endpoint Manager server licenses (if the institution does not have Configuration Manager already).
- Can deploy Windows 10 only to domain-joined (institution-owned devices).
- Requires an AD DS infrastructure (if the institution does not have AD DS already).|
*Table 2. Deployment methods*
@@ -317,81 +247,10 @@ If you have only one device to configure, manually configuring that one device i
For a district, there are many ways to manage the configuration setting for users and devices. Table 4 lists the methods that this guide describes and recommends. Use this information to determine which combination of configuration setting management methods is right for your institution.
-
-
+|Method|Description| +|--- |--- | +|Group Policy|Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows.- - -- - - - - - -Method -Description -- -Group Policy -Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows.
- -
-Select this method when you:-
-
- Want to manage institution-owned devices that are domain joined (personal devices are typically not domain joined). -
- Want more granular control of device and user settings. -
- Have an existing AD DS infrastructure. -
- Typically manage on-premises devices. -
- Can manage a required setting only by using Group Policy. -
The advantages of this method include:
--
-
- No cost beyond the AD DS infrastructure. -
- A larger number of settings (compared to Intune). -
The disadvantages of this method are that it:
--
-
- Can only manage domain-joined (institution-owned devices). -
- Requires an AD DS infrastructure (if the institution does not have AD DS already). -
- Typically manages on-premises devices (unless devices use a virtual private network [VPN] or Microsoft DirectAccess to connect). -
- Has rudimentary app management capabilities. -
- Cannot deploy Windows 10 operating systems. -
- - - -Intune -Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
- -
-Intune is the cloud-based management system described in this guide, but you can use other MDM providers. If you use an MDM provider other than Intune, integration with Configuration Manager is unavailable.
-Select this method when you:-
-
- Want to manage institution-owned and personal devices (does not require that the device be domain joined). -
- Don’t need granular control over device and user settings (compared to Group Policy). -
- Don’t have an existing AD DS infrastructure. -
- Need to manage devices regardless of where they are (on or off premises). -
- Want to provide application management for the entire application life cycle. -
- Can manage a required setting only by using Intune. -
The advantages of this method are that:
--
-
- You can manage institution-owned and personal devices. -
- It doesn’t require that devices be domain joined. -
- It doesn’t require any on-premises infrastructure. -
- It can manage devices regardless of their location (on or off premises). -
The disadvantages of this method are that it:
--
-
- Carries an additional cost for Intune subscription licenses. -
- Doesn’t offer granular control over device and user settings (compared to Group Policy). -
- Cannot deploy Windows 10 operating systems. -
Select this method when you - Want to manage institution-owned devices that are domain joined (personal devices are typically not domain joined).
- Want more granular control of device and user settings.
- Have an existing AD DS infrastructure.
- Typically manage on-premises devices.
- Can manage a required setting only by using Group Policy.
The advantages of this method include: - No cost beyond the AD DS infrastructure.
- A larger number of settings (compared to Intune).
The disadvantages of this method are that it: - Can only manage domain-joined (institution-owned devices).
- Requires an AD DS infrastructure (if the institution does not have AD DS already).
- Typically manages on-premises devices (unless devices use a virtual private network [VPN] or Microsoft DirectAccess to connect).
- Has rudimentary app management capabilities.
- Cannot deploy Windows 10 operating systems.|
+|Intune|Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
Intune is the cloud-based management system described in this guide, but you can use other MDM providers. If you use an MDM provider other than Intune, integration with Configuration Manager is unavailable.
Select this method when you: - Want to manage institution-owned and personal devices (does not require that the device be domain joined).
- Don’t need granular control over device and user settings (compared to Group Policy).
- Don’t have an existing AD DS infrastructure.
- Need to manage devices regardless of where they are (on or off premises).
- Want to provide application management for the entire application life cycle.
- Can manage a required setting only by using Intune.
The advantages of this method are that: - You can manage institution-owned and personal devices.
- It doesn’t require that devices be domain joined.
- It doesn’t require any on-premises infrastructure.
- It can manage devices regardless of their location (on or off premises).
The disadvantages of this method are that it: - Carries an additional cost for Intune subscription licenses.
- Doesn’t offer granular control over device and user settings (compared to Group Policy).
- Cannot deploy Windows 10 operating systems.|
*Table 4. Configuration setting management methods*
@@ -410,114 +269,11 @@ For a district, there are many ways to manage apps and software updates. Table 6
Use the information in Table 6 to determine which combination of app and update management products is right for your district.
-
-
+|Selection|Management method| +|--- |--- | +|Microsoft Endpoint Configuration Manager|Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager. You can also manage Windows desktop and Microsoft Store applications. Select this method when you:- - -- - - - - - -Selection -Management method -- - -Microsoft Endpoint Configuration Manager -Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.
-
Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager. You can also manage Windows desktop and Microsoft Store applications.
Select this method when you:-
-
- Selected Configuration Manager to deploy Windows 10. -
- Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined). -
- Want to manage AD DS domain-joined devices. -
- Have an existing AD DS infrastructure. -
- Typically manage on-premises devices. -
- Want to deploy operating systems. -
- Want to provide application management for the entire application life cycle. -
The advantages of this method are that:
--
-
- You can deploy Windows 10 operating systems. -
- You can manage applications throughout the entire application life cycle. -
- You can manage software updates for Windows 10 and apps. -
- You can manage antivirus and malware protection. -
- It scales to large numbers of users and devices. -
The disadvantages of this method are that it:
--
-
- Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already). -
- Carries an additional cost for Windows Server licenses and the corresponding server hardware. -
- Can only manage domain-joined (institution-owned devices). -
- Requires an AD DS infrastructure (if the institution does not have AD DS already). -
- Typically manages on-premises devices (unless devices through VPN or DirectAccess). -
- - -Intune -Intune is a cloud-based solution that allows you to manage apps and software updates for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
-
-Select this method when you:-
-
- Selected MDT only to deploy Windows 10. -
- Want to manage institution-owned and personal devices that are not domain joined. -
- Want to manage Azure AD domain-joined devices. -
- Need to manage devices regardless of where they are (on or off premises). -
- Want to provide application management for the entire application life cycle. -
The advantages of this method are that:
--
-
- You can manage institution-owned and personal devices. -
- It doesn’t require that devices be domain joined. -
- It doesn’t require on-premises infrastructure. -
- It can manage devices regardless of their location (on or off premises). -
- You can deploy keys to perform in-place Windows 10 upgrades (such as upgrading from Windows 10 Pro to Windows 10 Education edition). -
The disadvantages of this method are that it:
--
-
- Carries an additional cost for Intune subscription licenses. -
- Cannot deploy Windows 10 operating systems. -
- - - -Microsoft Endpoint Manager and Intune (hybrid) -Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.
-
-Configuration Manager and Intune in the hybrid configuration allow you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices.
-Select this method when you:-
-
- Selected Microsoft Endpoint Manager to deploy Windows 10. -
- Want to manage institution-owned and personal devices (does not require that the device be domain joined). -
- Want to manage domain-joined devices. -
- Want to manage Azure AD domain-joined devices. -
- Have an existing AD DS infrastructure. -
- Want to manage devices regardless of their connectivity. -
- Want to deploy operating systems. -
- Want to provide application management for the entire application life cycle. -
The advantages of this method are that:
--
-
- You can deploy operating systems. -
- You can manage applications throughout the entire application life cycle. -
- You can scale to large numbers of users and devices. -
- You can support institution-owned and personal devices. -
- It doesn’t require that devices be domain joined. -
- It can manage devices regardless of their location (on or off premises). -
The disadvantages of this method are that it:
--
-
- Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already). -
- Carries an additional cost for Windows Server licenses and the corresponding server hardware. -
- Carries an additional cost for Intune subscription licenses. -
- Requires an AD DS infrastructure (if the institution does not have AD DS already). -
- Selected Configuration Manager to deploy Windows 10.
- Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
- Want to manage AD DS domain-joined devices.
- Have an existing AD DS infrastructure.
- Typically manage on-premises devices.
- Want to deploy operating systems.
- Want to provide application management for the entire application life cycle.
The advantages of this method are that: - You can deploy Windows 10 operating systems.
- You can manage applications throughout the entire application life cycle.
- You can manage software updates for Windows 10 and apps.
- You can manage antivirus and malware protection.
- It scales to large numbers of users and devices.
The disadvantages of this method are that it: - Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already).
- Carries an additional cost for Windows Server licenses and the corresponding server hardware.
- Can only manage domain-joined (institution-owned devices).
- Requires an AD DS infrastructure (if the institution does not have AD DS already).
- Typically manages on-premises devices (unless devices through VPN or DirectAccess).|
+|Intune|Intune is a cloud-based solution that allows you to manage apps and software updates for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
Select this method when you: - Selected MDT only to deploy Windows 10.
- Want to manage institution-owned and personal devices that are not domain joined.
- Want to manage Azure AD domain-joined devices.
- Need to manage devices regardless of where they are (on or off premises).
- Want to provide application management for the entire application life cycle.
The advantages of this method are that: - You can manage institution-owned and personal devices.
- It doesn’t require that devices be domain joined.
- It doesn’t require on-premises infrastructure.vIt can manage devices regardless of their location (on or off premises).
- You can deploy keys to perform in-place Windows 10 upgrades (such as upgrading from Windows 10 Pro to Windows 10 Education edition).
The disadvantages of this method are that it: - Carries an additional cost for Intune subscription licenses.
- Cannot deploy Windows 10 operating systems.|
+|Microsoft Endpoint Manager and Intune (hybrid)|Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.
Configuration Manager and Intune in the hybrid configuration allow you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices.
Select this method when you: - Selected Microsoft Endpoint Manager to deploy Windows 10.
- Want to manage institution-owned and personal devices (does not require that the device be domain joined).
- Want to manage domain-joined devices.
- Want to manage Azure AD domain-joined devices.
- Have an existing AD DS infrastructure.
- Want to manage devices regardless of their connectivity.vWant to deploy operating systems.
- Want to provide application management for the entire application life cycle.
The advantages of this method are that: - You can deploy operating systems.
- You can manage applications throughout the entire application life cycle.
- You can scale to large numbers of users and devices.
- You can support institution-owned and personal devices.
- It doesn’t require that devices be domain joined.
- It can manage devices regardless of their location (on or off premises).
The disadvantages of this method are that it: - Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already).
- Carries an additional cost for Windows Server licenses and the corresponding server hardware.
- Carries an additional cost for Intune subscription licenses.
- Requires an AD DS infrastructure (if the institution does not have AD DS already).|
*Table 6. App and update management products*
@@ -683,7 +439,7 @@ Now that you have created your new Office 365 Education subscription, add the do
To make it easier for faculty and students to join your Office 365 Education subscription (or *tenant*), allow them to automatically sign up to your tenant (*automatic tenant join*). In automatic tenant join, when a faculty member or student signs up for Office 365, Office 365 automatically adds (joins) the user to your Office 365 tenant.
> [!NOTE]
-> By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries/regions require opt-in steps to add new users to existing Office 365 tenants. Check your country/region requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. For more information, see [Office 365 Education Self-Sign up: Technical FAQ](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US&WT.mc_id=eml_CXM__33537_MOD_EDU_Student_Advantage_Rush).
+> By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries/regions require opt-in steps to add new users to existing Office 365 tenants. Check your country/region requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. For more information, see [Office 365 Education Self-Sign up FAQ](/microsoft-365/education/deploy/office-365-education-self-sign-up).
Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks:
@@ -695,7 +451,7 @@ You will always want faculty and students to join the Office 365 tenant that you
> [!NOTE]
> You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours.
-By default, all new Office 365 Education subscriptions have automatic tenant join enabled, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 10. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins).
+By default, all new Office 365 Education subscriptions have automatic tenant join enabled, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 10. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](/microsoft-365/education/deploy/office-365-education-self-sign-up).
|Action |Windows PowerShell command|
|-------|--------------------------|
@@ -714,7 +470,7 @@ To reduce your administrative effort, automatically assign Office 365 Education
> [!NOTE]
> By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section.
-Although all new Office 365 Education subscriptions have automatic licensing enabled by default, you can enable or disable it for your Office 365 tenant by using the Windows PowerShell commands in Table 11. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins).
+Although all new Office 365 Education subscriptions have automatic licensing enabled by default, you can enable or disable it for your Office 365 tenant by using the Windows PowerShell commands in Table 11. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](/microsoft-365/education/deploy/office-365-education-self-sign-up).
|Action |Windows PowerShell command|
|-------|--------------------------|
@@ -935,7 +691,7 @@ You can use the Microsoft 365 admin center to add individual Office 365 accounts
The bulk-add process assigns the same Office 365 Education license plan to all users on the list. Therefore, you must create a separate list for each license plan you recorded in Table 9. Depending on the number of faculty members who need to use the classroom, you may want to add the faculty Office 365 accounts manually; however, use the bulk-add process to add student accounts.
-For more information about how to bulk-add users to Office 365, see [Add several users at the same time to Office 365 - Admin help](https://support.office.com/en-us/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88?ui=en-US&rs=en-US&ad=US).
+For more information about how to bulk-add users to Office 365, see [Add several users at the same time to Microsoft 365](/microsoft-365/enterprise/add-several-users-at-the-same-time).
> [!NOTE]
> If you encountered errors during bulk add, resolve them before you continue the bulk-add process. You can view the log file to see which users caused the errors, and then modify the .csv file to correct the problems. Click **Back** to retry the verification process.
@@ -949,7 +705,7 @@ Assign SharePoint Online resource permissions to Office 365 security groups, not
> [!NOTE]
> If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
-For information about creating security groups, see [Create an Office 365 Group in the admin center](https://support.office.com/en-us/article/Create-an-Office-365-Group-in-the-admin-center-74a1ef8b-3844-4d08-9980-9f8f7a36000f?ui=en-US&rs=en-001&ad=US).
+For information about creating security groups, see [Create an Office 365 Group in the admin center](/microsoft-365/admin/create-groups/create-groups).
You can add and remove users from security groups at any time.
@@ -966,7 +722,7 @@ You can create email distribution groups based on job role (such as teacher, adm
> Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until the creation process ends before you can perform the following steps.
-For information about creating email distribution groups, see [Create an Office 365 Group in the admin center](https://support.office.com/en-us/article/Create-an-Office-365-Group-in-the-admin-center-74a1ef8b-3844-4d08-9980-9f8f7a36000f?ui=en-US&rs=en-001&ad=US).
+For information about creating email distribution groups, see [Create a Microsoft 365 group in the admin center](/microsoft-365/admin/create-groups/create-groups).
#### Summary
@@ -1083,63 +839,11 @@ This guide discusses thick image deployment. For information about thin image de
### Select a method to initiate deployment
The LTI deployment process is highly automated: it requires minimal information to deploy or upgrade Windows 10. The ZTI deployment process is fully automated, but you must manually initiate it. To do so, use the method listed in Table 15 that best meets the needs of your institution.
-
-
+|Method|Description and reason to select this method| +|--- |--- | +|Windows Deployment Services|This method:- - -- - - - - - - -Method -Description and reason to select this method - -- - -Windows Deployment Services -This method:
--
-
- Uses diskless booting to initiate LTI and ZTI deployments. -
- Works only with devices that support PXE boot. -
- Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media. -
- Deploys images more slowly than when you use local media. -
- Requires that you deploy a Windows Deployment Services server. -
Select this method when you want to deploy Windows over-the-network and perform diskless booting. The advantage of this method is that the diskless media are generic and typically don’t require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployments from local media, and you must deploy a Windows Deployment Services server. -- - -Bootable media -This method:
--
-
- Initiates LTI or ZTI deployment by booting from local media, including from USB drives, DVD, or CD. -
- Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media. -
- Deploys images more slowly than when using local media. -
- Requires no additional infrastructure. -
Select this method when you want to deploy Windows over the network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically don’t require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media. -- - - -Deployment media -This method:
--
-
- Initiates LTI or ZTI deployment by booting from a local USB hard disk. -
- Deploys Windows 10 from local media, which consumes less network bandwidth than over-the-network methods. -
- Deploys images more quickly than network-based methods do. -
- Requires a USB hard disk because of the deployment share’s storage requirements (up to 100 GB). -
Select this method when you want to perform local deployments and are willing to boot the target device from a local USB hard disk. The advantage of this method is that local deployments are faster than over-the-network deployments. The disadvantage of this method is that each time you change the deployment share or distribution point content, you must regenerate the deployment media and update the USB hard disk. - - Uses diskless booting to initiate LTI and ZTI deployments.
- Works only with devices that support PXE boot.
- Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
- Deploys images more slowly than when you use local media.
- Requires that you deploy a Windows Deployment Services server.
Select this method when you want to deploy Windows over-the-network and perform diskless booting. The advantage of this method is that the diskless media are generic and typically don’t require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployments from local media, and you must deploy a Windows Deployment Services server.| +|Bootable media|This method: - Initiates LTI or ZTI deployment by booting from local media, including from USB drives, DVD, or CD.
- Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
- Deploys images more slowly than when using local media.
- Requires no additional infrastructure.
Select this method when you want to deploy Windows over the network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically don’t require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media.| +|Deployment media|This method: - Initiates LTI or ZTI deployment by booting from a local USB hard disk.
- Deploys Windows 10 from local media, which consumes less network bandwidth than over-the-network methods.
- Deploys images more quickly than network-based methods do.
- Requires a USB hard disk because of the deployment share’s storage requirements (up to 100 GB).
Select this method when you want to perform local deployments and are willing to boot the target device from a local USB hard disk. The advantage of this method is that local deployments are faster than over-the-network deployments. The disadvantage of this method is that each time you change the deployment share or distribution point content, you must regenerate the deployment media and update the USB hard disk. *Table 15. Methods to initiate LTI and ZTI deployments* @@ -1154,91 +858,14 @@ Before you can deploy Windows 10 and your apps to devices, you need to prepare y The first step in preparing for Windows 10 deployment is to configure—that is, *populate*—the MDT deployment share. Table 16 lists the MDT deployment share configuration tasks that you must perform. Perform the tasks in the order represented in Table 16. --
+|Task|Description| +|--- |--- | +|1. Import operating systems|Import the operating systems that you selected in the [Select the operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)| +|2. Import device drivers|Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.- - -- - - - - - - - -Task -Description - -- - -1. Import operating systems -Import the operating systems that you selected in the Select the operating systems section into the deployment share. For more information about how to import operating systems, see Import an Operating System into the Deployment Workbench. -- - -2. Import device drivers -Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat. -
-Import device drivers for each device in your institution. For more information about how to import device drivers, see Import Device Drivers into the Deployment Workbench. -- - -3. Create MDT applications for Microsoft Store apps -Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the Add-AppxPackage Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10. -
-Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you will need to obtain the .appx files by performing one of the following tasks:
--
-
- For offline-licensed apps, download the .appx files from the Microsoft Store for Business. -
- For apps that are not offline licensed, obtain the .appx files from the app software vendor directly. -
If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.
-If you have Intune or Microsoft Endpoint Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the Deploy and manage apps by using Intune and Deploy and manage apps by using Microsoft Endpoint Configuration Manager sections. This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.
-In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to:
--
-
- Prepare your environment for sideloading, see Try it out: sideload Microsoft Store apps. -
- Create an MDT application, see Create a New Application in the Deployment Workbench. -
- - -4. Create MDT applications for Windows desktop apps -You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them. -
-To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool.
-If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the Deploy and manage apps by using Intune section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps. -
-Note You can also deploy Windows desktop apps after you deploy Windows 10, as described in the Deploy and manage apps by using Intune section. - -For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt). - -- - -5. Create task sequences -You must create separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education, (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education, or (3) if you want to run deployments and upgrades for both 32-bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:
--
-
- Deploy 64-bit Windows 10 Education to devices. -
- Deploy 32-bit Windows 10 Education to devices. -
- Upgrade existing devices to 64-bit Windows 10 Education. -
- Upgrade existing devices to 32-bit Windows 10 Education. -
Again, you will create the task sequences based on the operating systems that you imported in step 1. For more information about how to create a task sequence, see Create a New Task Sequence in the Deployment Workbench. - -- - - - -6. Update the deployment share -Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32-bit and 64-bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services. -
-For more information about how to update a deployment share, see Update a Deployment Share in the Deployment Workbench. - -
Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)| +|3. Create MDT applications for Microsoft Store apps|Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.
Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you will need to obtain the .appx files by performing one of the following tasks: - For offline-licensed apps, download the .appx files from the Microsoft Store for Business.
- For apps that are not offline licensed, obtain the .appx files from the app software vendor directly.
If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.
If you have Intune or Microsoft Endpoint Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) and [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager). This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.
In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to: - Prepare your environment for sideloading, see [Try it out: sideload Microsoft Store apps](/previous-versions/windows/).
- Create an MDT application, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench).|
+|4. Create MDT applications for Windows desktop apps|You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.
To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in[Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source).
If you have Intune, you can [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune), as described in the Deploy and manage apps by using Intune section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps.
This is the preferred method for deploying and managing Windows desktop apps.
**Note:** You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt).| +|5. Create task sequences|You must create separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education, (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education, or (3) if you want to run deployments and upgrades for both 32-bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will: - Deploy 64-bit Windows 10 Education to devices.
- Deploy 32-bit Windows 10 Education to devices.
- Upgrade existing devices to 64-bit Windows 10 Education.
- Upgrade existing devices to 32-bit Windows 10 Education.
Again, you will create the task sequences based on the operating systems that you imported in step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench).| +|6. Update the deployment share|Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32-bit and 64-bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.
For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#UpdateaDeploymentShareintheDeploymentWorkbench).| *Table 16. Tasks to configure the MDT deployment share* @@ -1430,116 +1057,20 @@ Microsoft has several recommended settings for educational institutions. Table 1 Use the information in Table 17 to help you determine whether you need to configure the setting and which method you will use to do so. At the end, you will have a list of settings that you want to apply to the Windows 10 devices and know which management method you will use to configure the settings. --
- - -- - - - - - - -Recommendation -Description - -- - -Use of Microsoft accounts -You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts. -
- -**Note** Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.
-**Group Policy.** Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)) Group Policy setting to use the **Users can’t add Microsoft accounts** setting option.
-**Intune.** To enable or disable the use of Microsoft accounts, use the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy. - -- - -Restrict the local administrator accounts on the devices -Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices. -
-Group Policy. Create a Local Group Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item.
-Intune. Not available. - -- - -Manage the built-in administrator account created during device deployment -When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and (optionally) disable it. -
-Group Policy. To rename the built-in Administrator account, use the Accounts: Rename administrator account Group Policy setting. For more information about how to rename the built-in Administrator account, see To rename the Administrator account using the Group Policy Management Console. You specify the new name for the Administrator account. To disable the built-in Administrator account, use the Accounts: Administrator account status Group Policy setting. For more information about how to disable the built-in Administrator account, see Accounts: Administrator account status.
-Intune. Not available. - -- - -Control Microsoft Store access -You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise. -
-Group Policy. To disable the Microsoft Store app, use the Turn off the Store Application group policy setting. To prevent Microsoft Store apps from receiving updates, use the Turn off Automatic Download and Install of updates Group Policy setting. For more information about configuring these settings, see Can I use Group Policy to control the Microsoft Store in my enterprise environment?.
-Intune. To enable or disable Microsoft Store access, use the Allow application store policy setting in the Apps section of a Windows 10 General Configuration policy. - -- +|Recommendation|Description| +|--- |--- | +|Use of Microsoft accounts|You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.Use of Remote Desktop connections to devices -Remote Desktop connections could allow unauthorized access to the device. Depending on your institution’s policies, you may want to disable Remote Desktop connections on your devices. -
-Group Policy. To enable or disable Remote Desktop connections to devices, use the Allow Users to connect remotely using Remote Desktop setting in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.
-Intune. Not available. - -
**Note** Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.
**Group Policy.** Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)) Group Policy setting to use the **Users can’t add Microsoft accounts** setting option.
****Intune**.** To enable or disable the use of Microsoft accounts, use the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy.| +|Restrict the local administrator accounts on the devices|Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.
**Group Policy**. Create a Local Group Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item.
**Intune**. Not available.| +|Manage the built-in administrator account created during device deployment|When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and (optionally) disable it.
**Group Policy**. To rename the built-in Administrator account, use the Accounts: Rename administrator account Group policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-essentials-sbs/cc747484(v=ws.10)). You specify the new name for the Administrator account. To disable the built-in Administrator account, use the Accounts: Administrator account status Group policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852165(v=ws.11)).
**Intune**. Not available.| +|Control Microsoft Store access|You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.
**Group policy**. To disable the Microsoft Store app, use the Turn off the Store Application group policy setting. To prevent Microsoft Store apps from receiving updates, use the Turn off Automatic Download and Install of updates Group Policy setting. For more information about configuring these settings, see Can I use Group Policy to control the Microsoft Store in my enterprise environment?
**Intune**. To enable or disable Microsoft Store access, use the Allow application store policy setting in the Apps section of a Windows 10 General Configuration policy.| +|Use of Remote Desktop connections to devices|Remote Desktop connections could allow unauthorized access to the device. Depending on your institution’s policies, you may want to disable Remote Desktop connections on your devices.
**Group policy**. To enable or disable Remote Desktop connections to devices, use the Allow Users to connect remotely using Remote Desktop setting in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.
**Intune**. Not available.| +|Use of camera|A device’s camera can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the camera on your devices.
**Group policy**. Not available.
**Intune**. To enable or disable the camera, use the Allow camera policy setting in the Hardware section of a Windows 10 General Configuration policy.| +|Use of audio recording|Audio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices.
**Group policy**. To disable the Sound Recorder app, use the Do not allow Sound Recorder to run Group Policy setting. You can disable other audio recording apps by using AppLocker policies. To create AppLocker policies, use the information in [Editing an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10)) and [Create Your AppLocker Policies](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ee791899(v=ws.11)).
**Intune**. To enable or disable audio recording, use the Allow voice recording policy setting in the Features section of a Windows 10 General Configuration policy.| +|Use of screen capture|Screen captures can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the ability to perform screen captures on your devices.
**Group policy**. Not available.
**Intune**. To enable or disable screen capture, use the Allow screen capture policy setting in the System section of a Windows 10 General Configuration policy.| +|Use of location services|Providing a device’s location can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the location service on your devices.
**Group policy**. To enable or disable location services, use the Turn off location group policy setting in User Configuration\Windows Components\Location and Sensors.
**Intune**. To enable or disable location services, use the Allow geolocation policy setting in the Hardware section of a Windows 10 General Configuration policy.| +|Changing wallpaper|Custom wallpapers can be a source of disclosure or privacy issues in an education environment (if the wallpaper displays information about the user or device). Depending on your institution’s policies, you may want to prevent users from changing the wallpaper on institution-owned devices.
**Group policy**. To configure the wallpaper, use the Desktop WallPaper setting in User Configuration\Administrative Templates\Desktop\Desktop.
**Intune**. Not available.| -- - -Use of camera -A device’s camera can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the camera on your devices. -
-Group Policy. Not available.
-Intune. To enable or disable the camera, use the Allow camera policy setting in the Hardware section of a Windows 10 General Configuration policy. - -- - -Use of audio recording -Audio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices. -
-Group Policy. To disable the Sound Recorder app, use the Do not allow Sound Recorder to run Group Policy setting. You can disable other audio recording apps by using AppLocker policies. To create AppLocker policies, use the information in Editing an AppLocker Policy and Create Your AppLocker Policies.
-Intune. To enable or disable audio recording, use the Allow voice recording policy setting in the Features section of a Windows 10 General Configuration policy. - -- - -Use of screen capture -Screen captures can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the ability to perform screen captures on your devices. -
-Group Policy. Not available.
-Intune. To enable or disable screen capture, use the Allow screen capture policy setting in the System section of a Windows 10 General Configuration policy. - -- - -Use of location services -Providing a device’s location can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the location service on your devices. -
-Group Policy. To enable or disable location services, use the Turn off location group policy setting in User Configuration\Windows Components\Location and Sensors.
-Intune. To enable or disable location services, use the Allow geolocation policy setting in the Hardware section of a Windows 10 General Configuration policy. - -- - - -Changing wallpaper -Custom wallpapers can be a source of disclosure or privacy issues in an education environment (if the wallpaper displays information about the user or device). Depending on your institution’s policies, you may want to prevent users from changing the wallpaper on institution-owned devices. -
-Group Policy. To configure the wallpaper, use the Desktop WallPaper setting in User Configuration\Administrative Templates\Desktop\Desktop.
-Intune. Not available. - -
Table 17. Recommended settings for educational institutions @@ -1719,205 +1250,23 @@ After the initial deployment, you need to perform certain tasks to maintain the Table 19 lists the school and individual classroom maintenance tasks, the resources for performing the tasks, and the schedule (or frequency) on which you should perform the tasks. --
-- - -- - - - - - - -Task and resources -Monthly -New semester or academic year -As required -- - -Verify that Windows Update is active and current with operating system and software updates. -
-For more information about completing this task when you have: --
-
- Intune, see Keep Windows PCs up to date with software updates in Microsoft Intune. -
- Group Policy, see Windows Update for Business. -
- WSUS, see Windows Server Update Services. -
- Neither Intune, Group Policy, nor WSUS, see “Install, upgrade, & activate” in Windows 10 help. -
x -x -x -- - -Verify that Windows Defender is active and current with malware Security intelligence. -
-For more information about completing this task, see Turn Windows Defender on or off and Updating Windows Defender. -x -x -x -- - -Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found. -
-For more information about completing this task, see the “How do I find and remove a virus?” topic in Protect my PC from viruses. -x -x -x -- - -Download and approve updates for Windows 10, apps, device driver, and other software. -
-For more information, see: - -x -x -x -- - -Verify that you’re using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business). -
-For more information about Windows 10 servicing options for updates and upgrades, see Windows 10 servicing options. -- x -x -- - -Refresh the operating system and apps on devices. -
-For more information about completing this task, see the following resources: - -- x -x -- - -Install any new Windows desktop apps, or update any Windows desktop apps used in the curriculum. -
-For more information, see: - -- x -x -- - -Install new or update existing Microsoft Store apps used in the curriculum. -
-Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.
-You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Endpoint Configuration Manager, or both in a hybrid configuration. For more information, see: - -- x -x -- - - -Remove unnecessary user accounts (and corresponding licenses) from AD DS and Office 365 (if you have an on-premises AD DS infrastructure). -
-For more information about how to: --
-
- Remove unnecessary user accounts, see Active Directory Administrative Center. -
- Remove licenses, see Assign or remove licenses for Office 365 for business. -
- x -x -- - -Add new accounts (and corresponding licenses) to AD DS (if you have an on-premises AD DS infrastructure). -
-For more information about how to: --
-
- Add user accounts, see Bulk-import user and group accounts into AD DS. -
- Assign licenses, see Assign or remove licenses for Office 365 for business. -
- x -x -- - -Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you do not have an on-premises AD DS infrastructure). -
-For more information about how to: --
-
- Remove unnecessary user accounts, see Delete or restore users. -
- Remove licenses, see Assign or remove licenses for Office 365 for business. -
- x -x -- - -Add new accounts (and corresponding licenses) to Office 365 (if you don’t have an on-premises AD DS infrastructure). -
-For more information about how to: --
-
- Add user accounts, see Add users to Office 365 for business and Add users individually or in bulk to Office 365. -
- Assign licenses, see Assign or remove licenses for Office 365 for business. -
- x -x -- - -Create or modify security groups, and manage group membership in Office 365. -
-For more information about how to: --
-
- Create or modify security groups, see Create an Office 365 Group in the admin center. -
- Manage group membership, see Manage Group membership in the admin center. -
- x -x -- - -Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365. -
-For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see Create and manage distribution groups and Create, edit, or delete a security group. -- x -x -- - - -Install new student devices. -
-Follow the same steps you followed in the Deploy Windows 10 to devices section. -- - x -
+|Task and resources|Monthly|New semester or academic year|As required| +|--- |--- |--- |--- | +|Verify that Windows Update is active and current with operating system and software updates.
For more information about completing this task when you have: - Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune)
- Group Policy, see [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
- WSUS, see [Windows Server Update Services](/windows/deployment/deploy-whats-new).
Neither Intune, Group Policy, nor WSUS, see “Install, upgrade, & activate” in Windows 10 help.|✔️|✔️|✔️| +|Verify that Windows Defender is active and current with malware Security intelligence.
For more information about completing this task, see [Turn Windows Defender on or off](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab02)and [Updating Windows Defender](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab03).|✔️|✔️|✔️| +|Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.
For more information about completing this task, see the “How do I find and remove a virus?” topic in [Protect my PC from viruses](https://support.microsoft.com/help/17228/windows-protect-my-pc-from-viruses).|✔️|✔️|✔️| +|Download and approve updates for Windows 10, apps, device driver, and other software.
For more information, see: - [Manage updates by using Intune](#manage-updates-by-using-intune)
- [Manage updates by using Microsoft Endpoint Configuration Manager](#manage-updates-by-using-microsoft-endpoint-configuration-manager)|✔️|✔️|✔️|
+|Verify that you’re using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).
For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options](/windows/deployment/update/).||✔️|✔️| +|Refresh the operating system and apps on devices.
For more information about completing this task, see the following resources: - [Prepare for deployment](#prepare-for-deployment)
- [Capture the reference image](#capture-the-reference-image)
- [Deploy Windows 10 to devices](#deploy-windows-10-to-devices)||✔️|✔️|
+|Install any new Windows desktop apps, or update any Windows desktop apps used in the curriculum.
For more information, see: - [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
- [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||✔️|✔️|
+|Install new or update existing Microsoft Store apps used in the curriculum.
Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.
You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Endpoint Configuration Manager, or both in a hybrid configuration.
For more information, see: - [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
- [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||✔️|✔️|
+|Remove unnecessary user accounts (and corresponding licenses) from AD DS and Office 365 (if you have an on-premises AD DS infrastructure).
For more information about how to: - Remove unnecessary user accounts, see [Active Directory Administrative Center](/windows-server/identity/ad-ds/get-started/adac/active-directory-administrative-center)
- Remove licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️|
+|Add new accounts (and corresponding licenses) to AD DS (if you have an on-premises AD DS infrastructure).
For more information about how to: - Add user accounts, see [Bulk-import user and group accounts into AD DS](#bulk-import-user-and-group-accounts-into-ad-ds)
- Assign licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️|
+|Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you do not have an on-premises AD DS infrastructure).
For more information about how to: - Remove unnecessary user accounts, see [Delete or restore users](/microsoft-365/admin/add-users/delete-a-user)
- Remove licenses, [Assign or remove licenses for Microsoft 365](/microsoft-365/admin/add-users/add-users).||✔️|✔️|
+|Add new accounts (and corresponding licenses) to Office 365 (if you don’t have an on-premises AD DS infrastructure).
For more information about how to: - Add user accounts, see [Add users to Microsoft 365](/microsoft-365/admin/add-users/add-users) and [Add users individually or in bulk to Office 365](https://www.youtube.com/watch?v=zDs3VltTJps).
- Assign licenses, see [Add users to Microsoft 365](/microsoft-365/admin/add-users/add-users).||✔️|✔️|
+|Create or modify security groups, and manage group membership in Office 365.
For more information about how to: - Create or modify security groups, see [Create a Microsoft 365 group](/microsoft-365/admin/create-groups/create-groups)
- Manage group membership, see [Manage Group membership](/microsoft-365/admin/create-groups/add-or-remove-members-from-groups).||✔️|✔️|
+|Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.
For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see [Create and manage distribution groups](/exchange/recipients-in-exchange-online/manage-distribution-groups/manage-distribution-groups) and [Create, edit, or delete a security group](/microsoft-365/admin/email/create-edit-or-delete-a-security-group).||✔️|✔️| +|Install new student devices.
Follow the same steps you followed in the[Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section.|||✔️| *Table 19. School and individual classroom maintenance tasks, with resources and the schedule for performing them* @@ -1936,4 +1285,4 @@ You have now identified the tasks you need to perform monthly, at the end of an * [Manage Windows 10 updates and upgrades in a school environment (video)](./index.md) * [Reprovision devices at the end of the school year (video)](./index.md) * [Use MDT to deploy Windows 10 in a school (video)](./index.md) -* [Use Microsoft Store for Business in a school environment (video)](./index.md) \ No newline at end of file +* [Use Microsoft Store for Business in a school environment (video)](./index.md) diff --git a/store-for-business/microsoft-store-for-business-overview.md b/store-for-business/microsoft-store-for-business-overview.md index b3eed6f968..82ea8add54 100644 --- a/store-for-business/microsoft-store-for-business-overview.md +++ b/store-for-business/microsoft-store-for-business-overview.md @@ -164,184 +164,164 @@ For more information, see [Manage settings in the Store for Business](manage-set Store for Business and Education is currently available in these markets. ### Support for free and paid products --
+ +- Afghanistan +- Algeria +- Andorra +- Angola +- Anguilla +- Antigua and Barbuda +- Argentina +- Australia +- Austria +- Bahamas +- Bahrain +- Bangladesh +- Barbados +- Belgium +- Belize +- Bermuda +- Benin +- Bhutan +- Bolivia +- Bonaire +- Botswana +- Brunei Darussalam +- Bulgaria +- Burundi +- Cambodia +- Cameroon +- Canada +- Cayman Islands +- Chile +- Colombia +- Comoros +- Costa Rica +- Côte D'ivoire +- Croatia +- Curçao +- Cyprus +- Czech Republic +- Denmark +- Dominican Republic +- Ecuador +- Egypt +- El Salvador +- Estonia +- Ethiopia +- Faroe Islands +- Fiji +- Finland +- France +- French Guiana +- French Polynesia +- Germany +- Ghana +- Greece +- Greenland +- Guadeloupe +- Guatemala +- Honduras +- Hong Kong SAR +- Hungary +- Iceland +- Indonesia +- Iraq +- Ireland +- Israel +- Italy +- Jamaica +- Japan +- Jersey +- Jordan +- Kenya +- Kuwait +- Laos +- Latvia +- Lebanon +- Libya +- Liechtenstein +- Lithuania +- Luxembourg +- Macedonia +- Madagascar +- Malawi +- Malaysia +- Maldives +- Mali +- Malta +- Marshall Islands +- Martinique +- Mauritius +- Mayotte +- Mexico +- Mongolia +- Montenegro +- Morocco +- Mozambique +- Myanamar +- Namibia +- Nepal +- Netherlands +- New Caledonia +- New Zealand +- Nicaragua +- Nigeria +- Norway +- Oman +- Pakistan +- Palestinian Authority +- Panama +- Papua New Guinea +- Paraguay +- Peru +- Philippines +- Poland +- Portugal +- Qatar +- Republic of Cabo Verde +- Reunion +- Romania +- Rwanda +- Saint Kitts and Nevis +- Saint Lucia +- Saint Martin +- Saint Vincent and the Grenadines +- San marino +- Saudi Arabia +- Senegal +- Serbia +- Seychelles +- Singapore +- Sint Maarten +- Slovakia +- Slovenia +- South Africa +- Spain +- Sri Lanka +- Suriname +- Sweden +- Switzerland +- Tanzania +- Thailand +- Timor-Leste +- Togo +- Tonga +- Trinidad and Tobago +- Tunisia +- Turkey +- Turks and Caicos Islands +- Uganda +- United Arab Emirates +- United Kingdom +- United States +- Uruguay +- Vatican City +- Viet Nam +- Virgin Islands, U.S. +- Zambia +- Zimbabwe + ### Support for free apps Customers in these markets can use Microsoft Store for Business and Education to acquire free apps: diff --git a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md index 3983d8787c..0bfd675b91 100644 --- a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md +++ b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md @@ -24,56 +24,15 @@ Use the following procedure to configure the App-V for reporting. 2. After you have enabled the App-V client, use the **Set-AppvClientConfiguration** cmdlet to configure appropriate Reporting Configuration settings: -- -Supports all free and paid products -- -- --
-
- Afghanistan -
- Algeria -
- Andorra -
- Angola -
- Anguilla -
- Antigua and Barbuda -
- Argentina -
- Australia -
- Austria -
- Bahamas -
- Bahrain -
- Bangladesh -
- Barbados -
- Belgium -
- Belize -
- Bermuda -
- Benin -
- Bhutan -
- Bolivia -
- Bonaire -
- Botswana -
- Brunei Darussalam -
- Bulgaria -
- Burundi -
- Cambodia -
- Cameroon -
- Canada -
- Cayman Islands -
- Chile -
- Colombia -
- Comoros -
- Costa Rica -
- Côte D'ivoire -
- Croatia -
- Curçao -
- Cyprus -
- Czech Republic -
- Denmark -
- Dominican Republic -
- Ecuador -
- --
-
- Egypt -
- El Salvador -
- Estonia -
- Ethiopia -
- Faroe Islands -
- Fiji -
- Finland -
- France -
- French Guiana -
- French Polynesia -
- Germany -
- Ghana -
- Greece -
- Greenland -
- Guadeloupe -
- Guatemala -
- Honduras -
- Hong Kong SAR -
- Hungary -
- Iceland -
- Indonesia -
- Iraq -
- Ireland -
- Israel -
- Italy -
- Jamaica -
- Japan -
- Jersey -
- Jordan -
- Kenya -
- Kuwait -
- Laos -
- Latvia -
- Lebanon -
- Libya -
- Liechtenstein -
- Lithuania -
- Luxembourg -
- Macedonia -
- Madagascar -
- --
-
- Malawi -
- Malaysia -
- Maldives -
- Mali -
- Malta -
- Marshall Islands -
- Martinique -
- Mauritius -
- Mayotte -
- Mexico -
- Mongolia -
- Montenegro -
- Morocco -
- Mozambique -
- Myanamar -
- Namibia -
- Nepal -
- Netherlands -
- New Caledonia -
- New Zealand -
- Nicaragua -
- Nigeria -
- Norway -
- Oman -
- Pakistan -
- Palestinian Authority -
- Panama -
- Papua New Guinea -
- Paraguay -
- Peru -
- Philippines -
- Poland -
- Portugal -
- Qatar -
- Republic of Cabo Verde -
- Reunion -
- Romania -
- Rwanda -
- Saint Kitts and Nevis -
- --
-
- Saint Lucia -
- Saint Martin -
- Saint Vincent and the Grenadines -
- San marino -
- Saudi Arabia -
- Senegal -
- Serbia -
- Seychelles -
- Singapore -
- Sint Maarten -
- Slovakia -
- Slovenia -
- South Africa -
- Spain -
- Sri Lanka -
- Suriname -
- Sweden -
- Switzerland -
- Tanzania -
- Thailand -
- Timor-Leste -
- Togo -
- Tonga -
- Trinidad and Tobago -
- Tunisia -
- Turkey -
- Turks and Caicos Islands -
- Uganda -
- United Arab Emirates -
- United Kingdom -
- United States -
- Uruguay -
- Vatican City -
- Viet Nam -
- Virgin Islands, U.S. -
- Zambia -
- Zimbabwe
-
- - +|Setting|Description| +|--- |--- | +|ReportingEnabled|Enables the client to return information to a reporting server. This setting is required for the client to collect the reporting data on the client.| +|ReportingServerURL|Specifies the location on the reporting server where client information is saved. For example, https://<reportingservername>:<reportingportnumber>.- - -- - - - - -Setting -Description -- -ReportingEnabled
Enables the client to return information to a reporting server. This setting is required for the client to collect the reporting data on the client.
- -ReportingServerURL
Specifies the location on the reporting server where client information is saved. For example, https://<reportingservername>:<reportingportnumber>.
-- Note-This is the port number that was assigned during the Reporting Server setup
-- -- -Reporting Start Time
This is set to schedule the client to automatically send the data to the server. This setting will indicate the hour at which the reporting data will start to send. It is in the 24 hour format and will take a number between 0-23.
- -ReportingRandomDelay
Specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between 0 and ReportingRandomDelay and will wait the specified duration before sending data.
- -ReportingInterval
Specifies the retry interval that the client will use to resend data to the reporting server.
- -ReportingDataCacheLimit
Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.
- - -ReportingDataBlockSize
Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.
**Note:**
This is the port number that was assigned during the Reporting Server setup| +|Reporting Start Time|This is set to schedule the client to automatically send the data to the server. This setting will indicate the hour at which the reporting data will start to send. It is in the 24 hour format and will take a number between 0-23.| +|ReportingRandomDelay|Specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between 0 and ReportingRandomDelay and will wait the specified duration before sending data.| +|ReportingInterval|Specifies the retry interval that the client will use to resend data to the reporting server.| +|ReportingDataCacheLimit|Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.| +|ReportingDataBlockSize|Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.| 3. After the appropriate settings have been configured, the computer running the App-V client will automatically collect data and will send the data back to the reporting server. diff --git a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md index 88a684ce46..ab5b11444d 100644 --- a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md +++ b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md @@ -69,28 +69,10 @@ This topic explains the following procedures: 2. Use the following cmdlets, and add the optional **–UserSID** parameter, where **-UserSID** represents the end user’s security identifier (SID): --
+ |Cmdlet|Examples| + |--- |--- | + |Enable-AppVClientConnectionGroup|Enable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345| + |Disable-AppVClientConnectionGroup|Disable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345| ## To allow only administrators to enable connection groups @@ -102,33 +84,9 @@ This topic explains the following procedures: 2. Run the following cmdlet and parameter: -- - -- - - - - -Cmdlet -Examples -- -Enable-AppVClientConnectionGroup
Enable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345
- - -Disable-AppVClientConnectionGroup
Disable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345
-
- - + |Cmdlet|Parameter and values|Example| + |--- |--- |--- | + |Set-AppvClientConfiguration|-RequirePublishAsAdmin- - -- - - - - - -Cmdlet -Parameter and values -Example -- - -Set-AppvClientConfiguration
-RequirePublishAsAdmin
--
-
0 - False
- 1 - True
-
Set-AppvClientConfiguration -RequirePublishAsAdmin 1
- 0 - False
- 1 - True|Set-AppvClientConfiguration -RequirePublishAsAdmin
1|
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). diff --git a/windows/application-management/app-v/appv-managing-connection-groups.md b/windows/application-management/app-v/appv-managing-connection-groups.md index bfbd7fe594..0f8cf76315 100644 --- a/windows/application-management/app-v/appv-managing-connection-groups.md +++ b/windows/application-management/app-v/appv-managing-connection-groups.md @@ -24,50 +24,16 @@ In some previous versions of App-V, connection groups were referred to as Dynami **In this section:** --
- - - - - +|Links|Description| +|--- |--- | +|[About the Connection Group Virtual Environment](appv-connection-group-virtual-environment.md)|Describes the connection group virtual environment.| +|[About the Connection Group File](appv-connection-group-file.md)|Describes the connection group file.| +|[How to Create a Connection Group](appv-create-a-connection-group.md)|Explains how to create a new connection group.| +|[How to Create a Connection Group with User-Published and Globally Published Packages](appv-create-a-connection-group-with-user-published-and-globally-published-packages.md)|Explains how to create a new connection group that contains a mix of packages that are published to the user and published globally.| +|[How to Delete a Connection Group](appv-delete-a-connection-group.md)|Explains how to delete a connection group.| +|[How to Publish a Connection Group](appv-publish-a-connection-group.md)|Explains how to publish a connection group.| +|[How to Make a Connection Group Ignore the Package Version](appv-configure-connection-groups-to-ignore-the-package-version.md)|Explains how to configure a connection group to accept any version of a package, which simplifies package upgrades and reduces the number of connection groups you need to create.| +[How to Allow Only Administrators to Enable Connection Groups](appv-allow-administrators-to-enable-connection-groups.md)|Explains how to configure the App-V client so that only administrators (not end users) can enable or disable connection groups.|- - -- - - -- Describes the connection group virtual environment.
- -- Describes the connection group file.
- -- Explains how to create a new connection group.
- -How to Create a Connection Group with User-Published and Globally Published Packages
Explains how to create a new connection group that contains a mix of packages that are published to the user and published globally.
- -- Explains how to delete a connection group.
- -- Explains how to publish a connection group.
- -- Explains how to configure a connection group to accept any version of a package, which simplifies package upgrades and reduces the number of connection groups you need to create.
- -How to Allow Only Administrators to Enable Connection Groups
Explains how to configure the App-V client so that only administrators (not end users) can enable or disable connection groups.
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). diff --git a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md index 894d080a23..7d268f0f29 100644 --- a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md +++ b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md @@ -26,35 +26,9 @@ You can now use the package converter to convert App-V 4.6 packages that contain You can also use the `–OSDsToIncludeInPackage` parameter with the `ConvertFrom-AppvLegacyPackage` cmdlet to specify which .osd files’ information is converted and placed within the new package. --
- - +|New in App-V for Windows client|Prior to App-V for Windows 10| +|--- |--- | +|New .xml files are created corresponding to the .osd files associated with a package; these files include the following information:- - -- - - - - -New in App-V for Windows client -Prior to App-V for Windows 10 -- - -New .xml files are created corresponding to the .osd files associated with a package; these files include the following information:
--
-
environment variables
-shortcuts
-file type associations
-registry information
-scripts
-
You can now choose to add information from a subset of the .osd files in the source directory to the package using the
-OSDsToIncludeInPackageparameter.Registry information and scripts included in .osd files associated with a package were not included in package converter output.
-The package converter would populate the new package with information from all of the .osd files in the source directory.
- environment variables
- shortcuts
- file type associations
- registry information
- scripts
You can now choose to add information from a subset of the .osd files in the source directory to the package using the -OSDsToIncludeInPackage parameter.|Registry information and scripts included in .osd files associated with a package were not included in package converter output.
The package converter would populate the new package with information from all of the .osd files in the source directory.| ### Example conversion statement @@ -102,65 +76,10 @@ ConvertFrom-AppvLegacyPackage –SourcePath \\OldPkgStore\ContosoApp\ **In the above example:** --
- - +|These Source directory files…|…are converted to these Destination directory files…|…and will contain these items|Description| +|--- |--- |--- |--- | +|- - -- - - - - - - -These Source directory files… -…are converted to these Destination directory files… -…and will contain these items -Description -- --
-
X.osd
-Y.osd
-Z.osd
-
-
-
X_Config.xml
-Y_Config.xml
-Z_Config.xml
-
-
-
Environment variables
-Shortcuts
-File type associations
-Registry information
-Scripts
-
Each .osd file is converted to a separate, corresponding .xml file that contains the items listed here in App-V deployment configuration format. These items can then be copied from these .xml files and placed in the deployment configuration or user configuration files as desired.
-In this example, there are three .xml files, corresponding with the three .osd files in the source directory. Each .xml file contains the environment variables, shortcuts, file type associations, registry information, and scripts in its corresponding .osd file.
- - --
-
X.osd
-Y.osd
-
-
-
ContosoApp.appv
-ContosoApp_DeploymentConfig.xml
-ContosoApp_UserConfig.xml
-
-
-
Environment variables
-Shortcuts
-File type associations
-
The information from the .osd files specified in the
--OSDsToIncludeInPackageparameter are converted and placed inside the package. The converter then populates the deployment configuration file and the user configuration file with the contents of the package, just as App-V Sequencer does when sequencing a new package.In this example, environment variables, shortcuts, and file type associations included in X.osd and Y.osd were converted and placed in the App-V package, and some of this information was also included in the deployment configuration and user configuration files. X.osd and Y.osd were used because they were included as arguments to the
-OSDsToIncludeInPackageparameter. No information from Z.osd was included in the package, because it was not included as one of these arguments. - X.osd
- Y.osd
- Z.osd|
- X_Config.xml
- Y_Config.xml
- Z_Config.xml|
- Environment variables:
- Shortcuts
- File type associations
- Registry information
- Scripts|Each .osd file is converted to a separate, corresponding .xml file that contains the items listed here in App-V deployment configuration format. These items can then be copied from these .xml files and placed in the deployment configuration or user configuration files as desired.
In this example, there are three .xml files, corresponding with the three .osd files in the source directory. Each .xml file contains the environment variables, shortcuts, file type associations, registry information, and scripts in its corresponding .osd file.| +| - X.osd
- Y.osd|
- ContosoApp.appv
- ContosoApp_DeploymentConfig.xml
- ContosoApp_UserConfig.xml|
- Environment variables
- Shortcuts
- File type associations|The information from the .osd files specified in the -OSDsToIncludeInPackage parameter are converted and placed inside the package. The converter then populates the deployment configuration file and the user configuration file with the contents of the package, just as App-V Sequencer does when sequencing a new package.
In this example, environment variables, shortcuts, and file type associations included in X.osd and Y.osd were converted and placed in the App-V package, and some of this information was also included in the deployment configuration and user configuration files. X.osd and Y.osd were used because they were included as arguments to the -OSDsToIncludeInPackage parameter. No information from Z.osd was included in the package, because it was not included as one of these arguments.| ## Converting packages created using a prior version of App-V @@ -175,34 +94,11 @@ After you convert an existing package you should test the package prior to deplo **What to know before you convert existing packages** --
- - +|Issue|Workaround| +|--- |--- | +|Virtual packages using DSC are not linked after conversion.|Link the packages using connection groups. See [Managing Connection Groups](appv-managing-connection-groups.md).| +|Environment variable conflicts are detected during conversion.|Resolve any conflicts in the associated **.osd** file.| +|Hard-coded paths are detected during conversion.|Hard-coded paths are difficult to convert correctly. The package converter will detect and return packages with files that contain hard-coded paths. View the file with the hard-coded path, and determine whether the package requires the file. If so, it is recommended to re-sequence the package.| When converting a package check for failing files or shortcuts, locate the item in App-V 4.6 package. It could possibly be a hard-coded path. Convert the path. @@ -218,39 +114,12 @@ If a converted package does not open after you convert it, it is also recommende There is no direct method to upgrade to a full App-V infrastructure. Use the information in the following section for information about upgrading the App-V server. -- - -- - - - - -Issue -Workaround -- -Virtual packages using DSC are not linked after conversion.
Link the packages using connection groups. See Managing Connection Groups.
- -Environment variable conflicts are detected during conversion.
Resolve any conflicts in the associated .osd file.
- - -Hard-coded paths are detected during conversion.
Hard-coded paths are difficult to convert correctly. The package converter will detect and return packages with files that contain hard-coded paths. View the file with the hard-coded path, and determine whether the package requires the file. If so, it is recommended to re-sequence the package.
-
- - - +|Task|More Information| +|--- |--- | +|Review prerequisites.|[App-V Server prerequisite software](appv-prerequisites.md#app-v-server-prerequisite-software)| +|Enable the App-V client.|[Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)| +|Install App-V Server.|[How to Deploy the App-V Server](appv-deploy-the-appv-server.md)| +|Migrate existing packages.|See [Converting packages created using a prior version of App-V](#converting-packages-created-using-a-prior-version-of-app-v) earlier in this topic.|- - -- - - - - -Task -More Information -- -Review prerequisites.
- - -Enable the App-V client.
- - -Install App-V Server.
- - - -Migrate existing packages.
See Converting packages created using a prior version of App-V earlier in this topic.
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). diff --git a/windows/client-management/mdm/get-seats.md b/windows/client-management/mdm/get-seats.md index a510b2460c..f58ed76669 100644 --- a/windows/client-management/mdm/get-seats.md +++ b/windows/client-management/mdm/get-seats.md @@ -1,6 +1,6 @@ --- title: Get seats -description: The Get seats operation retrieves the information about active seats in the Micorsoft Store for Business. +description: The Get seats operation retrieves the information about active seats in the Microsoft Store for Business. ms.assetid: 32945788-47AC-4259-B616-F359D48F4F2F ms.reviewer: manager: dansimp @@ -18,118 +18,34 @@ The **Get seats** operation retrieves the information about active seats in the ## Request --
+**GET:** + +```http +https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats?continuationToken={ContinuationToken}&maxResults={MaxResults} +``` - ### URI parameters The following parameters may be specified in the request URI. -- - -- - - - - -Method -Request URI -- - -GET
https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats?continuationToken={ContinuationToken}&maxResults={MaxResults}
-
+|Parameter|Type|Description| +|--- |--- |--- | +|productId|string|Required. Product identifier for an application that is used by the Store for Business.| +|skuId|string|Required. Product identifier that specifies a specific SKU of an application.| +|continuationToken|string|Optional.| +|maxResults|int32|Optional. Default = 25, Maximum = 100| - ## Response ### Response body The response body contains [SeatDetailsResultSet](data-structures-windows-store-for-business.md#seatdetailsresultset). -- - -- - - - - - -Parameter -Type -Description -- -productId
string
Required. Product identifier for an application that is used by the Store for Business.
- -skuId
string
Required. Product identifier that specifies a specific SKU of an application.
- -continuationToken
string
Optional.
- - -maxResults
int32
Optional. Default = 25, Maximum = 100
-
- - - - - - +|Error code|Description|Retry|Data field| +|--- |--- |--- |--- | +|400|Invalid parameters|No|Parameter name- - -- - - - - - - -Error code -Description -Retry -Data field -- -400
Invalid parameters
No
Parameter name
-Reason: Missing parameter or invalid parameter
-Details: String
- -404
Not found
- - - - -409
Conflict
- Reason: Not online
Reason: Missing parameter or invalid parameter
Details: String| +|404|Not found||| +|409|Conflict||Reason: Not online| diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 32bdbb1eca..83e90a87ec 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -30,48 +30,42 @@ Windows 11 introduces an update to the device health attestation feature. This h The attestation report provides a health assessment of the boot-time properties of the device to ensure that the devices are automatically secure as soon as they power on. The health attestation result can then be used to allow or deny access to networks, apps, or services, depending on the health of the device. ### Terms -**TPM (Trusted Platform Module)** -TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption, and signing.
-**DHA (Device HealthAttestation) feature** -The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.
+- **TPM (Trusted Platform Module)**: TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption, and signing. -**MAA-Session (Microsoft Azure Attestation service based device HealthAttestation session)** -The Microsoft Azure Attestation service-based device HealthAttestation session (MAA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.
+- **DHA (Device HealthAttestation) feature**: The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel. -**MAA-CSP Nodes (Microsoft Azure Attestation based Configuration Service Provider)** -The Configuration Service Provider nodes added to Windows 11 to integrate with Microsoft Azure Attestation Service.
-The following list of operations is performed by MAA-CSP:
--
-
- Receives attestation trigger requests from a HealthAttestation enabled MDM provider. -
- The device collects Attestation Evidence (device boot logs, TPM audit trails and the TPM certificate) from a managed device. -
- Forwards the Attestation Evidence to the Azure Attestation Service instance as configured by the MDM provider. -
- Receives a signed report from the Azure Attestation Service instance and stores it in a local cache on the device. -
-Attestation flow can be broadly in three main steps:
--
-
- An instance of the Azure Attestation service is set up with an appropriate attestation policy. The attestation policy allows the MDM provider to attest to particular events in the boot as well security features. -
- The MDM provider triggers a call to the attestation service, the device then performs an attestation check keeping the report ready to be retrieved. -
- The MDM provider after verifying the token is coming from the attestation service it can parse the attestation token to reflect on the attested state of the device. -
The root node for the device HealthAttestation configuration service provider.
+ +The root node for the device HealthAttestation configuration service provider. **TriggerAttestation** (Required) -Node type: EXECUTE -This node will trigger attestation flow by launching an attestation process. If the attestation process is launched successfully, this node will return code 202 indicating the request is received and being processed. Otherwise, an error will be returned. -
-Templated SyncML Call:
+Node type: EXECUTE + +This node will trigger attestation flow by launching an attestation process. If the attestation process is launched successfully, this node will return code 202 indicating the request is received and being processed. Otherwise, an error will be returned. + +Templated SyncML Call: ```xml@@ -127,16 +122,15 @@ This node will trigger attestation flow by launching an attestation process. If ``` -Data fields:
--
-
- rpID (Relying Party Identifier): This field contains an identifier that can be used to help determine the caller. -
- serviceEndpoint : This field contains the complete URL of the Microsoft Azure Attestation provider instance to be used for evaluation. -
- nonce : This field contains an arbitrary number that can be used just once in a cryptographic communication. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks. -
- aadToken: The AAD token to be used for authentication against the Microsoft Azure Attestation service. -
- cv: This field contains an identifier(Correlation Vector) that will passed in to the service call, that can be used for diagnostics purposes. -
Sample Data:
+- rpID (Relying Party Identifier): This field contains an identifier that can be used to help determine the caller. +- serviceEndpoint : This field contains the complete URL of the Microsoft Azure Attestation provider instance to be used for evaluation. +- nonce : This field contains an arbitrary number that can be used just once in a cryptographic communication. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks. +- aadToken: The AAD token to be used for authentication against the Microsoft Azure Attestation service. +- cv: This field contains an identifier(Correlation Vector) that will passed in to the service call, that can be used for diagnostics purposes. + +Sample Data: ```json @@ -151,12 +145,13 @@ This node will trigger attestation flow by launching an attestation process. If ``` **AttestStatus** -Node type: GET + +Node type: GET + This node will retrieve the status(HRESULT value) stored in registry updated by the attestation process triggered in the previous step. The status is always cleared prior to making the attest service call. -
-Templated SyncML Call:
+Templated SyncML Call: ```xml@@ -175,20 +170,21 @@ The status is always cleared prior to making the attest service call. ``` -Sample Data:
+Sample Data: -``` +```console If Successful: 0 If Failed: A corresponding HRESULT error code Example: 0x80072efd, WININET_E_CANNOT_CONNECT ``` **GetAttestReport** -Node type: GET -This node will retrieve the attestation report per the call made by the TriggerAttestation, if there is any, for the given MDM provider. The report is stored in a registry key in the respective MDM enrollment store. -
-Templated SyncML Call:
+Node type: GET + +This node will retrieve the attestation report per the call made by the TriggerAttestation, if there is any, for the given MDM provider. The report is stored in a registry key in the respective MDM enrollment store. + +Templated SyncML Call: ```xml@@ -207,9 +203,9 @@ This node will retrieve the attestation report per the call made by the TriggerA ``` -Sample data:
+Sample data: -``` +```console If Success: JWT token: aaaaaaaaaaaaa.bbbbbbbbbbbbb.cccccccccc If failed: @@ -218,10 +214,12 @@ OR Sync ML 404 error if not cached report available. ``` **GetServiceCorrelationIDs** -Node type: GET + +Node type: GET + This node will retrieve the service-generated correlation IDs for the given MDM provider. If there are more than one correlation IDs, they are separated by “;” in the string. -
-Templated SyncML Call:
+ +Templated SyncML Call: ```xml@@ -240,226 +238,220 @@ This node will retrieve the service-generated correlation IDs for the given MDM ``` -Sample data:
+Sample data: -> If success: -> GUID returned by the attestation service: 1k9+vQOn00S8ZK33;CMc969r1JEuHwDpM -> If Trigger Attestation call failed and no previous data is present. The field remains empty. -> Otherwise, the last service correlation id will be returned. In a successful attestation there are two -> calls between client and MAA and for each call the GUID is separated by semicolon. +```console +If success: +GUID returned by the attestation service: 1k9+vQOn00S8ZK33;CMc969r1JEuHwDpM +If Trigger Attestation call failed and no previous data is present. The field remains empty. +Otherwise, the last service correlation id will be returned. In a successful attestation there are two +calls between client and MAA and for each call the GUID is separated by semicolon. +``` -> **_Note:_** MAA CSP nodes are available on arm64 but is not currently supported. +> [!NOTE] +> > MAA CSP nodes are available on arm64 but is not currently supported. ### MAA CSP Integration Steps --
-
- Set up a MAA provider instance:
-MAA instance can be created following the steps here Quickstart: Set up Azure Attestation by using the Azure portal | Microsoft Docs.
- - Update the provider with an appropriate policy:
-The MAA instance should be updated with an appropriate policy. How to author an Azure Attestation policy | Microsoft Docs -
A Sample attestation policy: -``` -version=1.2; +1. Set up a MAA provider instance: MAA instance can be created following the steps at [Quickstart: Set up Azure Attestation by using the Azure portal](/azure/attestation/quickstart-portal]. -configurationrules{ -}; +2. Update the provider with an appropriate policy: The MAA instance should be updated with an appropriate policy. For more information, see [How to author an Azure Attestation policy](/azure/attestation/claim-rule-grammar). -authorizationrules { + A Sample attestation policy: + + ```console + version=1.2; + + configurationrules{ + }; + + authorizationrules { => permit(); -}; + }; -issuancerules{ + issuancerules{ -// SecureBoot enabled -c:[type == "events", issuer=="AttestationService"] => add(type = "efiConfigVariables", value = JmesPath(c.value, "Events[?EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && ProcessedData.VariableGuid == '8BE4DF61-93CA-11D2-AA0D-00E098032B8C']")); -c:[type == "efiConfigVariables", issuer=="AttestationPolicy"]=> issue(type = "secureBootEnabled", value = JsonToClaimValue(JmesPath(c.value, "[?ProcessedData.UnicodeName == 'SecureBoot'] | length(@) == `1` && @[0].ProcessedData.VariableData == 'AQ'"))); -![type=="secureBootEnabled", issuer=="AttestationPolicy"] => issue(type="secureBootEnabled", value=false); + // SecureBoot enabled + c:[type == "events", issuer=="AttestationService"] => add(type = "efiConfigVariables", value = JmesPath(c.value, "Events[?EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && ProcessedData.VariableGuid == '8BE4DF61-93CA-11D2-AA0D-00E098032B8C']")); + c:[type == "efiConfigVariables", issuer=="AttestationPolicy"]=> issue(type = "secureBootEnabled", value = JsonToClaimValue(JmesPath(c.value, "[?ProcessedData.UnicodeName == 'SecureBoot'] | length(@) == `1` && @[0].ProcessedData.VariableData == 'AQ'"))); + ![type=="secureBootEnabled", issuer=="AttestationPolicy"] => issue(type="secureBootEnabled", value=false); -// Retrieve bool properties -c:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `19` || PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY")); -c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="codeIntegrityEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_CODEINTEGRITY"))); -c:[type=="codeIntegrityEnabledSet", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=ContainsOnlyValue(c.value, true)); -![type=="codeIntegrityEnabled", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=false); + // Retrieve bool properties + c:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `19` || PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY")); + c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="codeIntegrityEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_CODEINTEGRITY"))); + c:[type=="codeIntegrityEnabledSet", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=ContainsOnlyValue(c.value, true)); + ![type=="codeIntegrityEnabled", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=false); -// Bitlocker Boot Status, The first non zero measurement or zero. -c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY")); -c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => issue(type="bitlockerEnabledValue", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BITLOCKER_UNLOCK | @[? Value != `0`].Value | @[0]"))); -[type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=true); -![type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=false); + // Bitlocker Boot Status, The first non zero measurement or zero. + c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY")); + c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => issue(type="bitlockerEnabledValue", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BITLOCKER_UNLOCK | @[? Value != `0`].Value | @[0]"))); + [type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=true); + ![type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=false); -// Elam Driver (windows defender) Loaded -c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="elamDriverLoaded", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_LOADEDMODULE_AGGREGATION[] | [? EVENT_IMAGEVALIDATED == `true` && (equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wdboot.sys') || equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wd\\wdboot.sys'))] | @ != `null`"))); -[type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=true); -![type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=false); + // Elam Driver (windows defender) Loaded + c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="elamDriverLoaded", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_LOADEDMODULE_AGGREGATION[] | [? EVENT_IMAGEVALIDATED == `true` && (equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wdboot.sys') || equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wd\\wdboot.sys'))] | @ != `null`"))); + [type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=true); + ![type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=false); -// Boot debugging -c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="bootDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BOOTDEBUGGING"))); -c:[type=="bootDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=ContainsOnlyValue(c.value, false)); -![type=="bootDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=false); + // Boot debugging + c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="bootDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BOOTDEBUGGING"))); + c:[type=="bootDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=ContainsOnlyValue(c.value, false)); + ![type=="bootDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=false); -// Kernel Debugging -c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="osKernelDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_OSKERNELDEBUG"))); -c:[type=="osKernelDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=ContainsOnlyValue(c.value, false)); -![type=="osKernelDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=false); + // Kernel Debugging + c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="osKernelDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_OSKERNELDEBUG"))); + c:[type=="osKernelDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=ContainsOnlyValue(c.value, false)); + ![type=="osKernelDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=false); -// DEP Policy -c:[type=="boolProperties", issuer=="AttestationPolicy"] => issue(type="depPolicy", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_DATAEXECUTIONPREVENTION.Value | @[-1]"))); -![type=="depPolicy"] => issue(type="depPolicy", value=0); + // DEP Policy + c:[type=="boolProperties", issuer=="AttestationPolicy"] => issue(type="depPolicy", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_DATAEXECUTIONPREVENTION.Value | @[-1]"))); + ![type=="depPolicy"] => issue(type="depPolicy", value=0); -// Test Signing -c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="testSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_TESTSIGNING"))); -c:[type=="testSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=ContainsOnlyValue(c.value, false)); -![type=="testSigningDisabled", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=false); + // Test Signing + c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="testSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_TESTSIGNING"))); + c:[type=="testSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=ContainsOnlyValue(c.value, false)); + ![type=="testSigningDisabled", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=false); -// Flight Signing -c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="flightSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_FLIGHTSIGNING"))); -c:[type=="flightSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=ContainsOnlyValue(c.value, false)); -![type=="flightSigningNotEnabled", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=false); + // Flight Signing + c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="flightSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_FLIGHTSIGNING"))); + c:[type=="flightSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=ContainsOnlyValue(c.value, false)); + ![type=="flightSigningNotEnabled", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=false); -// VSM enabled -c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY")); -c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_VSM_REQUIRED"))); -c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_MANDATORY_ENFORCEMENT"))); -c:[type=="vbsEnabledSet", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=ContainsOnlyValue(c.value, true)); -![type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=false); -c:[type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=c.value); + // VSM enabled + c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY")); + c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_VSM_REQUIRED"))); + c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_MANDATORY_ENFORCEMENT"))); + c:[type=="vbsEnabledSet", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=ContainsOnlyValue(c.value, true)); + ![type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=false); + c:[type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=c.value); -// HVCI -c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="hvciEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_HVCI_POLICY | @[?String == 'HypervisorEnforcedCodeIntegrityEnable'].Value"))); -c:[type=="hvciEnabledSet", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=ContainsOnlyValue(c.value, 1)); -![type=="hvciEnabled", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=false); + // HVCI + c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="hvciEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_HVCI_POLICY | @[?String == 'HypervisorEnforcedCodeIntegrityEnable'].Value"))); + c:[type=="hvciEnabledSet", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=ContainsOnlyValue(c.value, 1)); + ![type=="hvciEnabled", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=false); -// IOMMU -c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="iommuEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_IOMMU_REQUIRED"))); -c:[type=="iommuEnabledSet", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=ContainsOnlyValue(c.value, true)); -![type=="iommuEnabled", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=false); + // IOMMU + c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="iommuEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_IOMMU_REQUIRED"))); + c:[type=="iommuEnabledSet", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=ContainsOnlyValue(c.value, true)); + ![type=="iommuEnabled", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=false); -// Find the Boot Manager SVN, this is measured as part of a sequence and find the various measurements -// Find the first EV_SEPARATOR in PCR 12, 13, Or 14 -c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq")); -c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`")); -[type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` "); + // Find the Boot Manager SVN, this is measured as part of a sequence and find the various measurements + // Find the first EV_SEPARATOR in PCR 12, 13, Or 14 + c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq")); + c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`")); + [type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` "); -// Find the first EVENT_APPLICATION_SVN. -c:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] => add(type="bootMgrSvnSeqQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12` && ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN] | @[0].EventSeq")); -c1:[type=="bootMgrSvnSeqQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="bootMgrSvnSeq", value=JmesPath(c2.value, c1.value)); -c:[type=="bootMgrSvnSeq", value!="null", issuer=="AttestationPolicy"] => add(type="bootMgrSvnQuery", value=AppendString(AppendString("Events[? EventSeq == `", c.value), "`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]")); + // Find the first EVENT_APPLICATION_SVN. + c:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] => add(type="bootMgrSvnSeqQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12` && ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN] | @[0].EventSeq")); + c1:[type=="bootMgrSvnSeqQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="bootMgrSvnSeq", value=JmesPath(c2.value, c1.value)); + c:[type=="bootMgrSvnSeq", value!="null", issuer=="AttestationPolicy"] => add(type="bootMgrSvnQuery", value=AppendString(AppendString("Events[? EventSeq == `", c.value), "`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]")); -// The first EVENT_APPLICATION_SVN. That value is the Boot Manager SVN -c1:[type=="bootMgrSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootMgrSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value))); + // The first EVENT_APPLICATION_SVN. That value is the Boot Manager SVN + c1:[type=="bootMgrSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootMgrSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value))); -// OS Rev List Info -c:[type=="events", issuer=="AttestationService"] => issue(type="osRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_OS_REVOCATION_LIST.RawData | @[0]"))); + // OS Rev List Info + c:[type=="events", issuer=="AttestationService"] => issue(type="osRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_OS_REVOCATION_LIST.RawData | @[0]"))); -// Safe mode -c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="safeModeEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_SAFEMODE"))); -c:[type=="safeModeEnabledSet", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=ContainsOnlyValue(c.value, false)); -![type=="notSafeMode", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=true); + // Safe mode + c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="safeModeEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_SAFEMODE"))); + c:[type=="safeModeEnabledSet", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=ContainsOnlyValue(c.value, false)); + ![type=="notSafeMode", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=true); -// Win PE -c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="winPEEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_WINPE"))); -c:[type=="winPEEnabledSet", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=ContainsOnlyValue(c.value, false)); -![type=="notWinPE", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=true); + // Win PE + c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="winPEEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_WINPE"))); + c:[type=="winPEEnabledSet", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=ContainsOnlyValue(c.value, false)); + ![type=="notWinPE", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=true); -// CI Policy -c:[type=="events", issuer=="AttestationService"] => issue(type="codeIntegrityPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_SI_POLICY[].RawData"))); + // CI Policy + c:[type=="events", issuer=="AttestationService"] => issue(type="codeIntegrityPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_SI_POLICY[].RawData"))); -// Secure Boot Custom Policy -c:[type=="events", issuer=="AttestationService"] => issue(type="secureBootCustomPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && PcrIndex == `7` && ProcessedData.UnicodeName == 'CurrentPolicy' && ProcessedData.VariableGuid == '77FA9ABD-0359-4D32-BD60-28F4E78F784B'].ProcessedData.VariableData | @[0]"))); + // Secure Boot Custom Policy + c:[type=="events", issuer=="AttestationService"] => issue(type="secureBootCustomPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && PcrIndex == `7` && ProcessedData.UnicodeName == 'CurrentPolicy' && ProcessedData.VariableGuid == '77FA9ABD-0359-4D32-BD60-28F4E78F784B'].ProcessedData.VariableData | @[0]"))); -// Find the first EV_SEPARATOR in PCR 12, 13, Or 14 -c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq")); -c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`")); -[type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` "); // No restriction of EV_SEPARATOR in case it is not present + // Find the first EV_SEPARATOR in PCR 12, 13, Or 14 + c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq")); + c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`")); + [type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` "); // No restriction of EV_SEPARATOR in case it is not present -//Finding the Boot App SVN -// Find the first EVENT_TRANSFER_CONTROL with value 1 or 2 in PCR 12 which is before the EV_SEPARATOR -c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="bootMgrSvnSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepAfterBootMgrSvnClause", value=AppendString(AppendString(AppendString(c1.value, "&& EventSeq >= `"), c2.value), "`")); -c:[type=="beforeEvSepAfterBootMgrSvnClause", issuer=="AttestationPolicy"] => add(type="tranferControlQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`&& (ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `1` || ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `2`)] | @[0].EventSeq")); -c1:[type=="tranferControlQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="tranferControlSeq", value=JmesPath(c2.value, c1.value)); + //Finding the Boot App SVN + // Find the first EVENT_TRANSFER_CONTROL with value 1 or 2 in PCR 12 which is before the EV_SEPARATOR + c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="bootMgrSvnSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepAfterBootMgrSvnClause", value=AppendString(AppendString(AppendString(c1.value, "&& EventSeq >= `"), c2.value), "`")); + c:[type=="beforeEvSepAfterBootMgrSvnClause", issuer=="AttestationPolicy"] => add(type="tranferControlQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`&& (ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `1` || ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `2`)] | @[0].EventSeq")); + c1:[type=="tranferControlQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="tranferControlSeq", value=JmesPath(c2.value, c1.value)); -// Find the first non-null EVENT_MODULE_SVN in PCR 13 after the transfer control. -c:[type=="tranferControlSeq", value!="null", issuer=="AttestationPolicy"] => add(type="afterTransferCtrlClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`")); -c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="afterTransferCtrlClause", issuer=="AttestationPolicy"] => add(type="moduleQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13` && ((ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]) || (ProcessedData.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]))].EventSeq | @[0]")); -c1:[type=="moduleQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="moduleSeq", value=JmesPath(c2.value, c1.value)); + // Find the first non-null EVENT_MODULE_SVN in PCR 13 after the transfer control. + c:[type=="tranferControlSeq", value!="null", issuer=="AttestationPolicy"] => add(type="afterTransferCtrlClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`")); + c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="afterTransferCtrlClause", issuer=="AttestationPolicy"] => add(type="moduleQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13` && ((ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]) || (ProcessedData.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]))].EventSeq | @[0]")); + c1:[type=="moduleQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="moduleSeq", value=JmesPath(c2.value, c1.value)); -// Find the first EVENT_APPLICATION_SVN after EV_EVENT_TAG in PCR 12. -c:[type=="moduleSeq", value!="null", issuer=="AttestationPolicy"] => add(type="applicationSvnAfterModuleClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`")); -c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="applicationSvnAfterModuleClause", issuer=="AttestationPolicy"] => add(type="bootAppSvnQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]")); -c1:[type=="bootAppSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootAppSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value))); + // Find the first EVENT_APPLICATION_SVN after EV_EVENT_TAG in PCR 12. + c:[type=="moduleSeq", value!="null", issuer=="AttestationPolicy"] => add(type="applicationSvnAfterModuleClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`")); + c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="applicationSvnAfterModuleClause", issuer=="AttestationPolicy"] => add(type="bootAppSvnQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]")); + c1:[type=="bootAppSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootAppSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value))); -// Finding the Boot Rev List Info -c:[type=="events", issuer=="AttestationService"] => issue(type="bootRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_BOOT_REVOCATION_LIST.RawData | @[0]"))); + // Finding the Boot Rev List Info + c:[type=="events", issuer=="AttestationService"] => issue(type="bootRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_BOOT_REVOCATION_LIST.RawData | @[0]"))); -}; -``` + }; + ``` -
- - Call TriggerAttestation with your rpid, AAD token and the attestURI:
-Use the Attestation URL generated in step 1, and append the appropriate api version you want to hit. More information about the api version can be found here Attestation - Attest Tpm - REST API (Azure Attestation) | Microsoft Docs
- - Call GetAttestReport and decode and parse the report to ensure the attested report contains the required properties:
-GetAttestReport return the signed attestation token as a JWT. The JWT can be decoded to parse the information per the attestation policy. -
+3. Call TriggerAttestation with your rpid, AAD token and the attestURI: Use the Attestation URL generated in step 1, and append the appropriate api version you want to hit. For more information about the api version, see [Attestation - Attest Tpm - REST API](/rest/api/attestation/attestation/attest-tpm). -```json - { - "typ": "JWT", - "alg": "RS256", - "x5c": [ - "MIIE.....=", - "MIIG.....=", - "MIIF.....=" - ], - "kid": "8FUer20z6wzf1rod044wOAFdjsg" - }.{ - "nbf": 1633664812, - "exp": 1634010712, - "iat": 1633665112, - "iss": "https://contosopolicy.eus.attest.azure.net", - "jti": "2b63663acbcafefa004d20969991c0b1f063c9be", - "ver": "1.0", - "x-ms-ver": "1.0", - "rp_data": "AQIDBA", - "nonce": "AQIDBA", - "cnf": { - "jwk": { - "kty": "RSA", - "n": "yZGC3-1rFZBt6n6vRHjRjvrOYlH69TftIQWOXiEHz__viQ_Z3qxWVa4TfrUxiQyDQnxJ8-f8tBRmlunMdFDIQWhnew_rc3-UYMUPNcTQ0IkrLBDG6qDjFFeEAMbn8gqr0rRWu_Qt7Cb_Cq1upoEBkv0RXk8yR6JXmFIvLuSdewGs-xCWlHhd5w3n1rVk0hjtRk9ZErlbPXt74E5l-ZZQUIyeYEZ1FmbivOIL-2f6NnKJ-cR4cdhEU8i9CH1YV0r578ry89nGvBJ5u4_3Ib9Ragdmxm259npH53hpnwf0I6V-_ZhGPyF6LBVUG_7x4CyxuHCU20uI0vXKXJNlbj1wsQ", - "e": "AQAB" - } - }, - "x-ms-policy-hash": "GiGQCTOylCohHt4rd3pEppD9arh5mXC3ifF1m1hONh0", - "WindowsDefenderElamDriverLoaded": true, - "bitlockerEnabled": true, - "bitlockerEnabledValue": 4, - "bootAppSvn": 1, - "bootDebuggingDisabled": true, - "bootMgrSvn": 1, - "bootRevListInfo": "gHWqR2F-1wEgAAAACwBxrZXHbaiuTuO0PSaJ7WQMF8yz37Z2ATgSNTTlRkwcTw", - "codeIntegrityEnabled": true, - "codeIntegrityPolicy": [ - "AAABAAAAAQBWAAsAIAAAAHsAOABmAGIANAA4ADYANQBlAC0AZQA5ADAAYgAtADQANAA0AGYALQBiADUAYgA1AC0AZQAyAGEAYQA1ADEAZAA4ADkAMABmAGQAfQAuAEMASQBQAAAAVnW86ERqAg5n9QT1UKFr-bOP2AlNtBaaHXjZODnNLlk", - "AAAAAAAACgBWAAsAIAAAAHsAYgBjADQAYgBmADYAZAA3AC0AYwBjADYAMAAtADQAMABmADAALQA4ADYANAA0AC0AMQBlADYANAA5ADEANgBmADgAMQA4ADMAfQAuAEMASQBQAAAAQ7vOXuAbBRIMglSSg7g_LHNeHoR4GrY-M-2W5MNvf0o", - "AAAAAAAACgBWAAsAIAAAAHsAYgAzADEAOAA5ADkAOQBhAC0AYgAxADMAZQAtADQANAA3ADUALQBiAGMAZgBkAC0AMQBiADEANgBlADMAMABlADYAMAAzADAAfQAuAEMASQBQAAAALTmwU3eadNtg0GyAyKIAkYed127RJCSgmfFmO1jN_aI", - "AAAAAAAACgBWAAsAIAAAAHsAZgBlADgAMgBkADUAOAA5AC0ANwA3AGQAMQAtADQAYwA3ADYALQA5AGEANABhAC0AZQA0ADUANQA0ADYAOAA4ADkANAAxAGIAfQAuAEMASQBQAAAA8HGUwA85gHN_ThItTYtu6sw657gVuOb4fOhYl-YJRoc", - "AACRVwAACgAmAAsAIAAAAEQAcgBpAHYAZQByAFMAaQBQAG8AbABpAGMAeQAuAHAANwBiAAAAYcVuY0HdW4Iqr5B-6Sl85kwIXRG9bqr43pVhkirg4qM" - ], - "depPolicy": 0, - "flightSigningNotEnabled": false, - "hvciEnabled": true, - "iommuEnabled": true, - "notSafeMode": true, - "notWinPE": true, - "osKernelDebuggingDisabled": true, - "osRevListInfo": "gHLuW2F-1wEgAAAACwDLyDTUQILjdz_RfNlShVgNYT9EghL7ceMReWg9TuwdKA", - "secureBootEnabled": true, - "testSigningDisabled": true, - "vbsEnabled": true - }.[Signature] -``` -
-
TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption, and signing.
+- **TPM (Trusted Platform Module)**: TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption, and signing. -**DHA (Device HealthAttestation) feature** -The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.
+- **DHA (Device HealthAttestation) feature**: The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel. -**DHA-Enabled device (Device HealthAttestation enabled device)** -A Device HealthAttestation enabled (DHA-Enabled) device is a computing device (phone, desktop, laptop, tablet, server) that runs Windows 10 and supports TPM version 1.2 or 2.0.
+- **DHA-Enabled device (Device HealthAttestation enabled device)**: A Device HealthAttestation enabled (DHA-Enabled) device is a computing device (phone, desktop, laptop, tablet, server) that runs Windows 10 and supports TPM version 1.2 or 2.0. -**DHA-Session (Device HealthAttestation session)** -The Device HealthAttestation session (DHA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.
+- **DHA-Session (Device HealthAttestation session)**: The Device HealthAttestation session (DHA-Session) describes the end-to-end communication flow that is performed in one device health attestation session. -The following list of transactions is performed in one DHA-Session:
--
-
- DHA-CSP and DHA-Service communication:
-
- DHA-CSP forwards device boot data (DHA-BootData) to DHA-Service -
- DHA-Service replies with an encrypted data blob (DHA-EncBlob) -
+ The following list of transactions is performed in one DHA-Session:
- - DHA-CSP and MDM-Server communication:
-
- MDM-Server sends a device health verification request to DHA-CSP -
- DHA-CSP replies with a payload called DHA-Data that includes an encrypted (DHA-EncBlob) and a signed (DHA-SignedBlob) data blob -
+ - DHA-CSP and DHA-Service communication:
+ - DHA-CSP forwards device boot data (DHA-BootData) to DHA-Service
+ - DHA-Service replies with an encrypted data blob (DHA-EncBlob)
- - MDM-Server and DHA-Service communication:
-
- MDM-Server posts data it receives from devices to DHA-Service -
- DHA-Service reviews the data it receives, and replies with a device health report (DHA-Report) -
-
-DHA session data (Device HealthAttestation session data) -The following list of data is produced or consumed in one DHA-Transaction:
--
-
- DHA-BootData: the device boot data (TCG logs, PCR values, device/TPM certificate, boot, and TPM counters) that are required for validating device boot health. -
- DHA-EncBlob: an encrypted summary report that DHA-Service issues to a device after reviewing the DHA-BootData it receives from devices. -
- DHA-SignedBlob: it is a signed snapshot of the current state of a device’s runtime that is captured by DHA-CSP at device health attestation time. -
- DHA-Data: an XML formatted data blob that devices forward for device health validation to DHA-Service via MDM-Server. DHA-Data has two parts:
-
-
-
- DHA-EncBlob: the encrypted data blob that the device receives from DHA-Service -
- DHA-SignedBlob: a current snapshot of the current security state of the device that is generated by DHA-CSP -
- - DHA-Report: the report that is issued by DHA-Service to MDM-Server -
- Nonce: a crypto protected number that is generated by MDM-Server, which protects the DHA-Session from man-in-the-middle type attacks -
Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature.
-DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system.
-The following list of operations is performed by DHA-Enabled-MDM
--
-
- Enables the DHA feature on a DHA-Enabled device -
- Issues device health attestation requests to enrolled/managed devices -
- Collects device health attestation data (DHA-Data), and sends it to Device Health Attestation Service (DHA-Service) for verification -
- Gets the device health report (DHA-Report) from DHA-Service, which triggers compliance action -
The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties cannot be spoofed.
-The following list of operations is performed by DHA-CSP:
--
-
- Collects device boot data (DHA-BootData) from a managed device -
- Forwards DHA-BootData to Device Health Attestation Service (DHA-Service) -
- Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device -
- Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data) -
Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel.
+ - DHA-BootData: the device boot data (TCG logs, PCR values, device/TPM certificate, boot, and TPM counters) that are required for validating device boot health. + - DHA-EncBlob: an encrypted summary report that DHA-Service issues to a device after reviewing the DHA-BootData it receives from devices. + - DHA-SignedBlob: it is a signed snapshot of the current state of a device’s runtime that is captured by DHA-CSP at device health attestation time. + - DHA-Data: an XML formatted data blob that devices forward for device health validation to DHA-Service via MDM-Server. DHA-Data has two parts: -DHA-Service is available in two flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports various implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios.
-The following list of operations is performed by DHA-Service:
+ - DHA-EncBlob: the encrypted data blob that the device receives from DHA-Service + - DHA-SignedBlob: a current snapshot of the current security state of the device that is generated by DHA-CSP -- Receives device boot data (DHA-BootData) from a DHA-Enabled device
-- Forwards DHA-BootData to Device Health Attestation Service (DHA-Service)
-- Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device
-- Receives attestation requests (DHA-Requests) from a DHA-Enabled-MDM, and replies with a device health report (DHA-Report)
+ - DHA-Report: the report that is issued by DHA-Service to MDM-Server
+ - Nonce: a crypto protected number that is generated by MDM-Server, which protects the DHA-Session from man-in-the-middle type attacks
-
+- **DHA-Enabled MDM (Device HealthAttestation enabled device management solution)**: Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature.
- - Available in Windows for free -
- Running on a high-availability and geo-balanced cloud infrastructure -
- Supported by most DHA-Enabled device management solutions as the default device attestation service provider -
- Accessible to all enterprise-managed devices via following:
-
-
-
- FQDN = has.spserv.microsoft.com) port -
- Port = 443 -
- Protocol = TCP -
- - Offered to Windows Server 2016 customer (no added licensing cost for enabling/running DHA-Service) -
- Hosted on an enterprise owned and managed server device/hardware -
- Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios -
Accessible to all enterprise-managed devices via following:
--
-
- FQDN = (enterprise assigned) -
- Port = (enterprise assigned) -
- Protocol = TCP -
-- Offered to Windows Server 2016 customers with no additional licensing cost (no added licensing cost for enabling/running DHA-Service) -
- Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios -
Accessible to all enterprise-managed devices via following:
--
-
- FQDN = (enterprise assigned) -
- Port = (enterprise assigned) -
- Protocol = TCP -
-- Available in Windows for free
- Running on a high-availability and geo-balanced cloud infrastructure
- Supported by most DHA-Enabled device management solutions as the default device attestation service provider
- Accessible to all enterprise-managed devices via following:
- FQDN = has.spserv.microsoft.com port
- Port = 443
- Protocol = TCP|No cost
|
+|Device Health Attestation – On Premise(DHA-OnPrem)|DHA-OnPrem refers to DHA-Service that is running on premises: - Offered to Windows Server 2016 customer (no added licensing cost for enabling/running DHA-Service)
- Hosted on an enterprise owned and managed server device/hardware
- Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
- Accessible to all enterprise-managed devices via following:
- FQDN = (enterprise assigned)
- Port = (enterprise assigned)
- Protocol = TCP|The operation cost of running one or more instances of Server 2016 on-premises.
|
+|Device Health Attestation - Enterprise-Managed Cloud(DHA-EMC)|DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure. - Offered to Windows Server 2016 customers with no additional licensing cost (no added licensing cost for enabling/running DHA-Service)
- Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
- Accessible to all enterprise-managed devices via following:
- FQDN = (enterprise assigned)
- Port = (enterprise assigned)
- Protocol = TCP|The operation cost of running Server 2016 on a compatible cloud service, such as Microsoft Azure.
|
### CSP diagram and node descriptions
-
-The following shows the Device HealthAttestation configuration service provider in tree format.
-```
+The following shows the Device HealthAttestation configuration service provider in tree format.
+
+```console
./Vendor/MSFT
HealthAttestation
----VerifyHealth
@@ -637,20 +557,24 @@ HealthAttestation
----PreferredMaxProtocolVersion
----MaxSupportedProtocolVersion
```
+
**./Vendor/MSFT/HealthAttestation**
- - 1 means TPM specification version 1.2 -
- 2 means TPM specification version 2.0 -
- SxS (Tried to install when 2016 MSI is installed) -
- Bit mismatch between the currently installed Office and the Office that was attempting to be installed (such as when you try to install a 32-bit version while 64-bit version is currently installed.) -
- Installation cancelled by user -
- Installation cancelled by another installation -
- Out of disk space during installation -
- Unknown language ID -
- Unknown SKUs -
- Content does't exist on CDN
-
- such as trying to install an unsupported LAP, like zh-sg -
- CDN issue that content is not available
- - Signature check issue, such as failed the signature check for Office content -
- User cancelled -
- SxS (Tried to install when 2016 MSI is installed)
- Bit mismatch between the currently installed Office and the Office that was attempting to be installed (such as when you try to install a 32-bit version while 64-bit version is currently installed.)|Failure|
+|17000|ERROR_PROCESSPOOL_INITIALIZATION
Failed to start C2RClient|Failure| +|17001|ERROR_QUEUE_SCENARIO
Failed to queue installation scenario in C2RClient|Failure| +|17002|ERROR_COMPLETING_SCENARIO
Failed to complete the process. Possible reasons: - Installation canceled by user
- Installation canceled by another installation
- Out of disk space during installation
- Unknown language ID|Failure|
+|17003|ERROR_ANOTHER_RUNNING_SCENARIO
Another scenario is running|Failure| +|17004|ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP
Possible reasons: - Unknown SKUs
- Content does't exist on CDN
- Such as trying to install an unsupported LAP, like zh-sg
- CDN issue that content is not available
- Signature check issue, such as failed the signature check for Office content
- User canceled|Failure|
+|17005|ERROR_SCENARIO_CANCELLED_AS_PLANNED|Failure|
+|17006|ERROR_SCENARIO_CANCELLED
Blocked update by running apps|Failure| +|17007|ERROR_REMOVE_INSTALLATION_NEEDED
The client is requesting client clean-up in a "Remove Installation" scenario|Failure| +|17100|ERROR_HANDLING_COMMAND_LINE
C2RClient command-line error|Failure| +|0x80004005|E_FAIL
ODT cannot be used to install Volume license|Failure| +|0x8000ffff|E_UNEXPECTED
Tried to uninstall when there is no C2R Office on the machine.|Failure| diff --git a/windows/client-management/mdm/oma-dm-protocol-support.md b/windows/client-management/mdm/oma-dm-protocol-support.md index 5e8ad6957f..893ac1e192 100644 --- a/windows/client-management/mdm/oma-dm-protocol-support.md +++ b/windows/client-management/mdm/oma-dm-protocol-support.md @@ -17,131 +17,21 @@ ms.date: 06/26/2017 The OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload. This topic describes the OMA DM functionality that the DM client supports in general. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/OMA-TS-DM_Protocol-V1_2-20070209-A.pdf). - -## In this topic - -- [OMA DM standards](#oma-dm-standards) - -- [OMA DM protocol common elements](#protocol-common-elements) - -- [Device management session](#device-management-session) - -- [User targeted vs. Device targeted configuration](#user-targeted-vs-device-targeted-configuration) - -- [SyncML response codes](#syncml-response-codes) - - ## OMA DM standards The following table shows the OMA DM standards that Windows uses. --
+|General area|OMA DM standard that is supported| +|--- |--- | +|Data transport and session|- - -- - - - - -General area -OMA DM standard that is supported -- -Data transport and session
-
-
Client-initiated remote HTTPS DM session over SSL.
-Remote HTTPS DM session over SSL.
-Remote DM server initiation notification using WAP Push over Short Message Service (SMS). Not used by enterprise management.
-Remote bootstrap by using WAP Push over SMS. Not used by enterprise management.
-
- -Bootstrap XML
-
-
OMA Client Provisioning XML.
-
- -DM protocol commands
The following list shows the commands that are used by the device. For further information about the OMA DM command elements, see "SyncML Representation Protocol Device Management Usage (OMA-SyncML-DMRepPro-V1_1_2-20030613-A)" available from the OMA website.
--
-
Add (Implicit Add supported)
-Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.
-Atomic: Note that performing an Add command followed by Replace on the same node within an atomic element is not supported. Nested Atomic and Get commands are not allowed and will generate error code 500.
-Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one exists
-Exec: Invokes an executable on the client device
-Get: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded format
-Replace: Overwrites data on the client device
-Result: Returns the data results of a Get command to the DM server
-Sequence: Specifies the order in which a group of commands must be processed
-Status: Indicates the completion status (success or failure) of an operation
-
If an XML element that is not a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:
--
-
SyncBody
-Atomic
-Sequence
-
If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.
-If Atomic elements are nested, the following status codes are returned:
--
-
The nested Atomic command returns 500.
-The parent Atomic command returns 507.
-
For more information about the Atomic command, see OMA DM protocol common elements.
-Performing an Add command followed by Replace on the same node within an Atomic element is not supported.
-LocURI cannot start with "/".
-Meta XML tag in SyncHdr is ignored by the device.
- -OMA DM standard objects
-
-
DevInfo
-DevDetail
-OMA DM DMS account objects (OMA DM version 1.2)
-
- -Security
-
-
Authenticate DM server initiation notification SMS message (not used by enterprise management)
-Application layer Basic and MD5 client authentication
-Authenticate server with MD5 credential at application level
-Data integrity and authentication with HMAC at application level
-SSL level certificate based client/server authentication, encryption, and data integrity check
-
- -Nodes
In the OMA DM tree, the following rules apply for the node name:
--
-
"." can be part of the node name.
-The node name cannot be empty.
-The node name cannot be only the asterisk (*) character.
-
- -Provisioning Files
Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol specification.
-If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.
--Note-To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.
-- -- -WBXML support
Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the SyncML Representation Protocol specification.
- - -Handling of large objects
In Windows 10, version 1511, client support for uploading large objects to the server was added.
- Client-initiated remote HTTPS DM session over SSL.
- Remote HTTPS DM session over SSL.
- Remote DM server initiation notification using WAP Push over Short Message Service (SMS). Not used by enterprise management.
- Remote bootstrap by using WAP Push over SMS. Not used by enterprise management.|
+|Bootstrap XML|OMA Client Provisioning XML.|
+|DM protocol commands|The following list shows the commands that are used by the device. For more information about the OMA DM command elements, see "[OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/)" available from the OMA website.
- Add (Implicit Add supported)
- Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.
- Atomic: Performing an Add command followed by Replace on the same node within an atomic element is not supported. Nested Atomic and Get commands are not allowed and will generate error code 500.
- Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one exists
- Exec: Invokes an executable on the client device
- Get: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded format
- Replace: Overwrites data on the client device
- Result: Returns the data results of a Get command to the DM server
- Sequence: Specifies the order in which a group of commands must be processed
- Status: Indicates the completion status (success or failure) of an operation
If an XML element that is not a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element: - SyncBody
- Atomic
- Sequence
If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.
If Atomic elements are nested, the following status codes are returned: - The nested Atomic command returns 500.
- The parent Atomic command returns 507.
For more information about the Atomic command, see OMA DM protocol common elements.
Performing an Add command followed by Replace on the same node within an Atomic element is not supported.
LocURI cannot start with `/`.
Meta XML tag in SyncHdr is ignored by the device.| +|OMA DM standard objects|DevInfo - DevDetail
- OMA DM DMS account objects (OMA DM version 1.2)| +|Security|
- Authenticate DM server initiation notification SMS message (not used by enterprise management)
- Application layer Basic and MD5 client authentication
- Authenticate server with MD5 credential at application level
- Data integrity and authentication with HMAC at application level
- SSL level certificate-based client/server authentication, encryption, and data integrity check|
+|Nodes|In the OMA DM tree, the following rules apply for the node name:
- "." can be part of the node name.
- The node name cannot be empty.
- The node name cannot be only the asterisk (*) character.|
+|Provisioning Files|Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905).
If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.**Note**| +|WBXML support|Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905) specification.| +|Handling of large objects|In Windows 10, version 1511, client support for uploading large objects to the server was added.| @@ -149,99 +39,26 @@ The following table shows the OMA DM standards that Windows uses. Common elements are used by other OMA DM element types. The following table lists the OMA DM common elements used to configure the devices. For more information about OMA DM common elements, see "SyncML Representation Protocol Device Management Usage" (OMA-SyncML-DMRepPro-V1_1_2-20030613-A) available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/). -
To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.-
- +|Element|Description| +|--- |--- | +|Chal|Specifies an authentication challenge. The server or client can send a challenge to the other if no credentials or inadequate credentials were given in the original request message.| +|Cmd|Specifies the name of an OMA DM command referenced in a Status element.| +|CmdID|Specifies the unique identifier for an OMA DM command.| +|CmdRef|Specifies the ID of the command for which status or results information is being returned. This element takes the value of the CmdID element of the corresponding request message.| +|Cred|Specifies the authentication credential for the originator of the message.| +|Final|Indicates that the current message is the last message in the package.| +|LocName|Specifies the display name in the Target and Source elements, used for sending a user ID for MD5 authentication.| +|LocURI|Specifies the address of the target or source location. If the address contains a non-alphanumeric character, it must be properly escaped according to the URL encoding standard.| +|MsgID|Specifies a unique identifier for an OMA DM session message.| +|MsgRef|Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.| +|RespURI|Specifies the URI that the recipient must use when sending a response to this message.| +|SessionID|Specifies the identifier of the OMA DM session associated with the containing message.- - -- - - - - -Element -Description -- -Chal
Specifies an authentication challenge. The server or client can send a challenge to the other if no credentials or inadequate credentials were given in the original request message.
- -Cmd
Specifies the name of an OMA DM command referenced in a Status element.
- -CmdID
Specifies the unique identifier for an OMA DM command.
- -CmdRef
Specifies the ID of the command for which status or results information is being returned. This element takes the value of the CmdID element of the corresponding request message.
- -Cred
Specifies the authentication credential for the originator of the message.
- -Final
Indicates that the current message is the last message in the package.
- -LocName
Specifies the display name in the Target and Source elements, used for sending a user ID for MD5 authentication.
- -LocURI
Specifies the address of the target or source location. If the address contains a non-alphanumeric character, it must be properly escaped according to the URL encoding standard.
- -MsgID
Specifies a unique identifier for an OMA DM session message.
- -MsgRef
Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.
- -RespURI
Specifies the URI that the recipient must use when sending a response to this message.
- -SessionID
Specifies the identifier of the OMA DM session associated with the containing message.
--Note If the server does not notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the desktop client returns the SessionID in integer in decimal format and the mobile device client returns 2 bytes as a string. If the server supports DM session sync version 2.0, which is used in Windows 10, the desktop and mobile device client returns 2 bytes. --- -- -Source
Specifies the message source address.
- -SourceRef
Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.
- -Target
Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.
- -TargetRef
Specifies the target address in the corresponding request message. This element takes the value of the request message Target element and is returned in the Status or Results element.
- -VerDTD
Specifies the major and minor version identifier of the OMA DM representation protocol specification used to represent the message.
- - -VerProto
Specifies the major and minor version identifier of the OMA DM protocol specification used with the message.
**Note**| +|Source|Specifies the message source address.| +|SourceRef|Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.| +|Target|Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.| +|TargetRef|Specifies the target address in the corresponding request message. This element takes the value of the request message Target element and is returned in the Status or Results element.| +|VerDTD|Specifies the major and minor version identifier of the OMA DM representation protocol specification used to represent the message.| +|VerProto|Specifies the major and minor version identifier of the OMA DM protocol specification used with the message.| ## Device management session @@ -255,56 +72,25 @@ A DM session can be divided into two phases: 1. **Setup phase**: In response to a trigger event, a client device sends an initiating message to a DM server. The device and server exchange needed authentication and device information. This phase is represented by steps 1, 2, and 3 in the following table. 2. **Management phase**: The DM server is in control. It sends management commands to the device and the device responds. Phase two ends when the DM server stops sending commands and terminates the session. This phase is represented by steps 3, 4, and 5 in the following table. -The following table shows the sequence of events during a typical DM session. +The following information shows the sequence of events during a typical DM session. -
If the server does not notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the desktop client returns the SessionID in integer in decimal format and the mobile device client returns 2 bytes as a string. If the server supports DM session sync version 2.0, which is used in Windows 10, the desktop and mobile device client returns 2 bytes.-
+1. DM client is invoked to call back to the management server- - -- - - - - - -Step -Action -Description -- -1
DM client is invoked to call back to the management server
-Enterprise scenario – The device task schedule invokes the DM client.
The MO server sends a server trigger message to invoke the DM client.
-The trigger message includes the server ID and tells the client device to initiate a session with the server. The client device authenticates the trigger message and verifies that the server is authorized to communicate with it.
-Enterprise scenario - At the scheduled time, the DM client is invoked periodically to call back to the enterprise management server over HTTPS.
- -2
The device sends a message, over an IP connection, to initiate the session.
This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level.
- -3
The DM server responds, over an IP connection (HTTPS).
The server sends initial device management commands, if any.
- -4
The device responds to server management commands.
This message includes the results of performing the specified device management operations.
- - -5
The DM server terminates the session or sends another command.
The DM session ends, or Step 4 is repeated.
Enterprise scenario – The device task schedule invokes the DM client. + The MO server sends a server trigger message to invoke the DM client. + The trigger message includes the server ID and tells the client device to initiate a session with the server. The client device authenticates the trigger message and verifies that the server is authorized to communicate with it.
Enterprise scenario - At the scheduled time, the DM client is invoked periodically to call back to the enterprise management server over HTTPS. -The step numbers in the table do not represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each additional message. For more information about MsgID and OMA SyncML protocol, see "OMA Device Management Representation Protocol" (DM_RepPro-V1_2-20070209-A) available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/). +2. The device sends a message, over an IP connection, to initiate the session. + + This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level. + +3. The DM server responds, over an IP connection (HTTPS). The server sends initial device management commands, if any. + +4. The device responds to server management commands. This message includes the results of performing the specified device management operations. + +5. The DM server terminates the session or sends another command. The DM session ends, or Step 4 is repeated. + +The step numbers don't represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each extra message. For more information about MsgID and OMA SyncML protocol, see [OMA Device Management Representation Protocol (DM_RepPro-V1_2-20070209-A)](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/). During OMA DM application level mutual authentication, if the device response code to Cred element in the server request is 212, no further authentication is needed for the remainder of the DM session. In the case of the MD5 authentication, the Chal element can be returned. Then the next nonce in Chal must be used for the MD5 digest when the next DM session is started. @@ -319,24 +105,24 @@ For CSPs and policies that support per user configuration, the MDM server can se The data part of this alert could be one of following strings: -- user – the user that enrolled the device is actively logged in. The MDM server could send user specific configuration for CSPs/policies that support per user configuration -- others – another user login but that user does not have an MDM account. The server can only apply device wide configuration, e.g. configuration applies to all users in the device. -- none – no active user login. The server can only apply device wide configuration and available configuration is restricted to the device environment (no active user login). +- User – the user that enrolled the device is actively logged in. The MDM server could send user-specific configuration for CSPs/policies that support per user configuration +- Others – another user login but that user does not have an MDM account. The server can only apply device-wide configuration, for example, configuration applies to all users in the device. +- None – no active user login. The server can only apply device-wide configuration and available configuration is restricted to the device environment (no active user login). Below is an alert example: -``` +```xml- +1 - 1224 -- - -
-com.microsoft/MDM/LoginStatus -chr - - user -1 + 1224 +- + +
+ ``` The server notifies the device whether it is a user targeted or device targeted configuration by a prefix to the management node’s LocURL, with ./user for user targeted configuration, or ./device for device targeted configuration. By default, if no prefix with ./device or ./user, it is device targeted configuration. @@ -351,37 +137,27 @@ The following LocURL shows a per device CSP node configuration: **./device/vendo When using SyncML in OMA DM, there are standard response status codes that are returned. The following table lists the common SyncML response status codes you are likely to see. For more information about SyncML response status codes, see section 10 of the [SyncML Representation Protocol](https://openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf) specification. -| Status code | Description | -|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 200 | The SyncML command completed successfully. | -| 202 | Accepted for processing. This is usually an asynchronous operation, such as a request to run a remote execution of an application. | +| Status code | Description | +|---|----| +| 200 | The SyncML command completed successfully. | +| 202 | Accepted for processing. This is usually an asynchronous operation, such as a request to run a remote execution of an application. | | 212 | Authentication accepted. Normally you'll only see this in response to the SyncHdr element (used for authentication in the OMA-DM standard). You may see this if you look at OMA DM logs, but CSPs do not typically generate this. | -| 214 | Operation cancelled. The SyncML command completed successfully, but no more commands will be processed within the session. | -| 215 | Not executed. A command was not executed as a result of user interaction to cancel the command. | -| 216 | `Atomic` roll back OK. A command was inside an `Atomic` element and `Atomic` failed. This command was rolled back successfully. | -| 400 | Bad request. The requested command could not be performed because of malformed syntax. CSPs do not usually generate this error, however you might see it if your SyncML is malformed. | -| 401 | Invalid credentials. The requested command failed because the requestor must provide proper authentication. CSPs do not usually generate this error. | -| 403 | Forbidden. The requested command failed, but the recipient understood the requested command. | -| 404 | Not found. The requested target was not found. This code will be generated if you query a node that does not exist. | -| 405 | Command not allowed. This respond code will be generated if you try to write to a read-only node. | -| 406 | Optional feature not supported. This response code will be generated if you try to access a property that the CSP doesn't support. | -| 415 | Unsupported type or format. This response code can result from XML parsing or formatting errors. | -| 418 | Already exists. This response code occurs if you attempt to add a node that already exists. | -| 425 | Permission Denied. The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. "Access denied" errors usually get translated to this response code. | +| 214 | Operation canceled. The SyncML command completed successfully, but no more commands will be processed within the session. | +| 215 | Not executed. A command was not executed as a result of user interaction to cancel the command. | +| 216 | `Atomic` roll back OK. A command was inside an `Atomic` element and `Atomic` failed. This command was rolled back successfully. | +| 400 | Bad request. The requested command could not be performed because of malformed syntax. CSPs do not usually generate this error, however you might see it if your SyncML is malformed. | +| 401 | Invalid credentials. The requested command failed because the requestor must provide proper authentication. CSPs do not usually generate this error. | +| 403 | Forbidden. The requested command failed, but the recipient understood the requested command. | +| 404 | Not found. The requested target was not found. This code will be generated if you query a node that does not exist. | +| 405 | Command not allowed. This respond code will be generated if you try to write to a read-only node. | +| 406 | Optional feature not supported. This response code will be generated if you try to access a property that the CSP doesn't support. | +| 415 | Unsupported type or format. This response code can result from XML parsing or formatting errors. | +| 418 | Already exists. This response code occurs if you attempt to add a node that already exists. | +| 425 | Permission Denied. The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. "Access denied" errors usually get translated to this response code. | | 500 | Command failed. Generic failure. The recipient encountered an unexpected condition which prevented it from fulfilling the request. This response code will occur when the SyncML DPU cannot map the originating error code. | -| 507 | `Atomic` failed. One of the operations in an `Atomic` block failed. | -| 516 | `Atomic` roll back failed. An `Atomic` operation failed and the command was not rolled back successfully. | - - +| 507 | `Atomic` failed. One of the operations in an `Atomic` block failed. | +| 516 | `Atomic` roll back failed. An `Atomic` operation failed and the command was not rolled back successfully. | ## Related topics [Configuration service provider reference](configuration-service-provider-reference.md) - - - - - - - - diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index c3d8c37963..b1b74f16be 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -38,33 +38,13 @@ manager: dansimp **AboveLock/AllowCortanaAboveLock** -com.microsoft/MDM/LoginStatus +chr + + user +-
+|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -Yes -Yes -- -Enterprise -Yes -Yes -- Education -Yes -Yes -
@@ -105,28 +85,13 @@ The following list shows the supported values: **AboveLock/AllowToasts** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes, starting in Windows 10, version 1607|Yes| +|Enterprise|Yes, starting in Windows 10, version 1607|Yes| +|Education|Yes, starting in Windows 10, version 1607|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No No -- -Pro -Yes, starting in Windows 10, version 1607 Yes -- -Enterprise -Yes, starting in Windows 10, version 1607 Yes -- Education -Yes, starting in Windows 10, version 1607 Yes -
diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index ed466fe64a..795f89e92c 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -40,43 +40,15 @@ manager: dansimp **Accounts/AllowAddingNonMicrosoftAccountsManually** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| +|Mobile|Yes|Yes| +|Mobile Enterprise|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -Yes -Yes -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -- -Mobile -Yes -Yes -- -Mobile Enterprise -Yes -Yes -
@@ -114,48 +86,16 @@ The following list shows the supported values: **Accounts/AllowMicrosoftAccountConnection** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| +|Mobile|Yes|Yes| +|Mobile Enterprise|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -Yes -Yes -- -Business -Yes -Yes -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -- -Mobile -Yes -Yes -- -Mobile Enterprise -Yes -Yes -
@@ -190,48 +130,16 @@ The following list shows the supported values: **Accounts/AllowMicrosoftAccountSignInAssistant** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| +|Mobile|Yes|Yes| +|Mobile Enterprise|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -Yes -Yes -- -Business -Yes -Yes -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -- -Mobile -Yes -Yes -- -Mobile Enterprise -Yes -Yes -
diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md index 95c9e7d80b..60248d3ecc 100644 --- a/windows/client-management/mdm/policy-csp-activexcontrols.md +++ b/windows/client-management/mdm/policy-csp-activexcontrols.md @@ -40,31 +40,13 @@ manager: dansimp **ActiveXControls/ApprovedInstallationSites** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No No -- -Pro -Yes -Yes -- -Enterprise -Yes -Yes -- Education -Yes -Yes -
diff --git a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md index c574952e31..0b63ffc56d 100644 --- a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md +++ b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md @@ -40,31 +40,14 @@ manager: dansimp **ADMX_ActiveXInstallService/AxISURLZonePolicies** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| +- Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -Yes -Yes -- -Enterprise -Yes -Yes -- Education -Yes -Yes -
diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md index dfb1da857f..de3506d5e5 100644 --- a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md +++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md @@ -70,20 +70,10 @@ manager: dansimp **ADMX_AddRemovePrograms/DefaultCategory** --
+|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -
@@ -135,34 +125,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoAddFromCDorFloppy** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business||| +|Enterprise|Yes|Yes| +|Education|||- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -- -Enterprise -Yes -Yes -- -Education -
@@ -212,38 +182,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoAddFromInternet** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -294,38 +240,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoAddFromNetwork** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -377,38 +299,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoAddPage** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -456,38 +354,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoAddRemovePrograms** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -535,38 +409,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoChooseProgramsPage** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -615,37 +465,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoRemovePage** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- Education -Yes -Yes -
@@ -693,38 +520,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoServices** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -775,38 +578,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoSupportInfo** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -856,38 +635,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoWindowsSetupPage** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index 65fb6facfd..be84a95bca 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 09/27/2019 +ms.date: 11/11/2021 ms.reviewer: manager: dansimp --- @@ -1080,9 +1080,10 @@ GP Info: -This security setting determines which service accounts are prevented from registering a process as a service. +This security setting determines which users are prevented from logging on to the computer. This policy setting supersedes the **Allow log on locally** policy setting if an account is subject to both policies. + > [!NOTE] -> This security setting does not apply to the System, Local Service, or Network Service accounts. +> If you apply this security policy to the **Everyone** group, no one will be able to log on locally. diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index ad67b668bb..147c460f3b 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -295,7 +295,7 @@ SurfaceHubThe data type is boolean. Supported operation is Get and Replace. **InBoxApps/Welcome/CurrentBackgroundPath** -
Download location for image to be used as the background during user sessions and on the welcome screen. To set this, specify an https URL to a PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image. +
Download location for image to be used as the background during user sessions and on the welcome screen. To set this, specify an https URL to a 32-bit PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image.
The data type is string. Supported operation is Get and Replace. diff --git a/windows/configuration/wcd/wcd-accountmanagement.md b/windows/configuration/wcd/wcd-accountmanagement.md index b565989431..8d4bfbfc06 100644 --- a/windows/configuration/wcd/wcd-accountmanagement.md +++ b/windows/configuration/wcd/wcd-accountmanagement.md @@ -19,13 +19,13 @@ Use these settings to configure the Account Manager service. ## Applies to -| Settings | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [DeletionPolicy](#deletionpolicy) | | | | ✔️ | | -| [EnableProfileManager](#enableprofilemanager) | | | | ✔️ | | -| [ProfileInactivityThreshold](#profileinactivitythreshold) | | | | ✔️ | | -| [StorageCapacityStartDeletion](#storagecapacitystartdeletion) | | | | ✔️ | | -| [StorageCapacityStopDeletion](#storagecapacitystopdeletion) | | | | ✔️ | | +| Settings | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [DeletionPolicy](#deletionpolicy) | | | ✔️ | | +| [EnableProfileManager](#enableprofilemanager) | | | ✔️ | | +| [ProfileInactivityThreshold](#profileinactivitythreshold) | | | ✔️ | | +| [StorageCapacityStartDeletion](#storagecapacitystartdeletion) | | | ✔️ | | +| [StorageCapacityStopDeletion](#storagecapacitystopdeletion) | | | ✔️ | | >[!NOTE] >Although the AccountManagement settings are available in advanced provisioning for other editions, you should only use them for HoloLens devices. diff --git a/windows/configuration/wcd/wcd-accounts.md b/windows/configuration/wcd/wcd-accounts.md index f5ef92247d..a6462788e1 100644 --- a/windows/configuration/wcd/wcd-accounts.md +++ b/windows/configuration/wcd/wcd-accounts.md @@ -19,7 +19,7 @@ Use these settings to join a device to an Active Directory domain or an Azure Ac ## Applies to -| Setting groups | Desktop editions | Surface Hub | HoloLens | IoT Core | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | | --- | :---: | :---: | :---: | :---: | | [Azure](#azure) | ✔️ | ✔️ | ✔️ | | | [ComputerAccount](#computeraccount) | ✔️ | ✔️ | | ✔️ | diff --git a/windows/configuration/wcd/wcd-admxingestion.md b/windows/configuration/wcd/wcd-admxingestion.md index 4f78a97183..1116a54650 100644 --- a/windows/configuration/wcd/wcd-admxingestion.md +++ b/windows/configuration/wcd/wcd-admxingestion.md @@ -26,10 +26,10 @@ Starting in Windows 10, version 1703, you can import (*ingest*) select Group Pol ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) | ✔️ | | | | | -| [ConfigOperations](#configoperations) | ✔️ | | | | | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) | ✔️ | | | | +| [ConfigOperations](#configoperations) | ✔️ | | | | ## ConfigADMXInstalledPolicy diff --git a/windows/configuration/wcd/wcd-assignedaccess.md b/windows/configuration/wcd/wcd-assignedaccess.md index af094faef4..36eb055038 100644 --- a/windows/configuration/wcd/wcd-assignedaccess.md +++ b/windows/configuration/wcd/wcd-assignedaccess.md @@ -19,10 +19,10 @@ Use this setting to configure single use (kiosk) devices. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [AssignedAccessSettings](#assignedaccesssettings) | ✔️ | | | ✔️ | | -| [MultiAppAssignedAccessSettings](#multiappassignedaccesssettings) | ✔️ | | | ✔️ | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [AssignedAccessSettings](#assignedaccesssettings) | ✔️ | | ✔️ | | +| [MultiAppAssignedAccessSettings](#multiappassignedaccesssettings) | ✔️ | | ✔️ | | ## AssignedAccessSettings diff --git a/windows/configuration/wcd/wcd-browser.md b/windows/configuration/wcd/wcd-browser.md index f9b61ff048..3b57376dae 100644 --- a/windows/configuration/wcd/wcd-browser.md +++ b/windows/configuration/wcd/wcd-browser.md @@ -19,13 +19,13 @@ Use to configure browser settings that should only be set by OEMs who are part o ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [AllowPrelaunch](#allowprelaunch) | | | ✔️ | | | -| [FavoriteBarItems](#favoritebaritems) | ✔️ | | | | | -| [Favorites](#favorites) | | ✔️ | | | | -| [PartnerSearchCode](#partnersearchcode) | ✔️ | ✔️ | ✔️ | | | -| [SearchProviders](#searchproviders) | | ✔️ | | | | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [AllowPrelaunch](#allowprelaunch) | | ✔️ | | | +| [FavoriteBarItems](#favoritebaritems) | ✔️ | | | | +| [Favorites](#favorites) | | | | | +| [PartnerSearchCode](#partnersearchcode) | ✔️ | ✔️ | | | +| [SearchProviders](#searchproviders) | | | | | ## AllowPrelaunch diff --git a/windows/configuration/wcd/wcd-cellcore.md b/windows/configuration/wcd/wcd-cellcore.md index e7c8301aa9..56d5c63695 100644 --- a/windows/configuration/wcd/wcd-cellcore.md +++ b/windows/configuration/wcd/wcd-cellcore.md @@ -24,26 +24,26 @@ Use to configure settings for cellular data. ## Applies to - Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core - --- | :---: | :---: | :---: | :---: | :---: - PerDevice: [CellConfigurations](#cellconfigurations) | | ✔️ | | | | - PerDevice: [CellData](#celldata) | ✔️ | ✔️ | ✔️ | | - PerDevice: [CellUX](#cellux) | ✔️ | ✔️ | ✔️ | | - PerDevice: [CGDual](#cgdual) | | ✔️ | | | - PerDevice: [eSim](#esim) | ✔️ | ✔️ | ✔️ | | - PerDevice: [External](#external) | | ✔️ | | | - PerDevice: [General](#general) | | ✔️ | | | - PerDevice: [RCS](#rcs) | | ✔️ | | | - PerDevice: [SMS](#sms) | ✔️ | ✔️ | ✔️ | | - PerDevice: [UIX](#uix) | | ✔️ | | | - PerDevice: [UTK](#utk) | | ✔️ | | | - PerlMSI: [CellData](#celldata2) | | ✔️ | | | - PerIMSI: [CellUX](#cellux2) | | ✔️ | | | - PerIMSI: [General](#general2) | | ✔️ | | | - PerIMSI: [RCS](#rcs2) | | ✔️ | | | - PerIMSI: [SMS](#sms2) | ✔️ | ✔️ | ✔️ | | - PerIMSI: [UTK](#utk2) | | ✔️ | | | - PerIMSI: [VoLTE](#volte) | | ✔️ | | | + Setting groups | Windows client | Surface Hub | HoloLens | IoT Core + --- | :---: | :---: | :---: | :---: + PerDevice: [CellConfigurations](#cellconfigurations) | | | | | + PerDevice: [CellData](#celldata) | ✔️ | ✔️ | | + PerDevice: [CellUX](#cellux) | ✔️ | ✔️ | | + PerDevice: [CGDual](#cgdual) | | | | + PerDevice: [eSim](#esim) | ✔️ | ✔️ | | + PerDevice: [External](#external) | | | | + PerDevice: [General](#general) | | | | + PerDevice: [RCS](#rcs) | | | | + PerDevice: [SMS](#sms) | ✔️ | ✔️ | | + PerDevice: [UIX](#uix) | | | | + PerDevice: [UTK](#utk) | | | | + PerlMSI: [CellData](#celldata2) | | | | + PerIMSI: [CellUX](#cellux2) | | | | + PerIMSI: [General](#general2) | | | | + PerIMSI: [RCS](#rcs2) | | | | + PerIMSI: [SMS](#sms2) | ✔️ | ✔️ | | + PerIMSI: [UTK](#utk2) | | | | + PerIMSI: [VoLTE](#volte) | | | | ## PerDevice diff --git a/windows/configuration/wcd/wcd-cellular.md b/windows/configuration/wcd/wcd-cellular.md index 323e7faf03..825f43c4c2 100644 --- a/windows/configuration/wcd/wcd-cellular.md +++ b/windows/configuration/wcd/wcd-cellular.md @@ -21,9 +21,9 @@ Use to configure settings for cellular connections. ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | ✔️ | | | | | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | ✔️ | | | | ## PerDevice diff --git a/windows/configuration/wcd/wcd-certificates.md b/windows/configuration/wcd/wcd-certificates.md index a30bcdeadc..ca41ffe27e 100644 --- a/windows/configuration/wcd/wcd-certificates.md +++ b/windows/configuration/wcd/wcd-certificates.md @@ -25,9 +25,9 @@ Use to deploy Root Certificate Authority (CA) certificates to devices. The follo ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All setting groups | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All setting groups | ✔️ | ✔️ | ✔️ | ✔️ | ## CACertificates diff --git a/windows/configuration/wcd/wcd-cleanpc.md b/windows/configuration/wcd/wcd-cleanpc.md index 0f31ecac6f..32bdc154b2 100644 --- a/windows/configuration/wcd/wcd-cleanpc.md +++ b/windows/configuration/wcd/wcd-cleanpc.md @@ -19,10 +19,10 @@ Use to remove user-installed and pre-installed applications, with the option to ## Applies to -| Settings | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| CleanPCRetainingUserData | ✔️ | | | | | -| CleanPCWithoutRetainingUserData | ✔️ | | | | | +| Settings | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| CleanPCRetainingUserData | ✔️ | | | | +| CleanPCWithoutRetainingUserData | ✔️ | | | | For each setting, the options are **Enable** and **Not configured**. diff --git a/windows/configuration/wcd/wcd-connections.md b/windows/configuration/wcd/wcd-connections.md index 8dc2911a9b..5c59173b68 100644 --- a/windows/configuration/wcd/wcd-connections.md +++ b/windows/configuration/wcd/wcd-connections.md @@ -19,9 +19,9 @@ Use to configure settings related to various types of phone connections. ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | ✔️ | ✔️ | ✔️ | | | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | ✔️ | ✔️ | | | For each setting group: diff --git a/windows/configuration/wcd/wcd-connectivityprofiles.md b/windows/configuration/wcd/wcd-connectivityprofiles.md index 2fdfe8372f..33b7de451b 100644 --- a/windows/configuration/wcd/wcd-connectivityprofiles.md +++ b/windows/configuration/wcd/wcd-connectivityprofiles.md @@ -19,14 +19,14 @@ Use to configure profiles that a user will connect with, such as an email accoun ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [Email](#email) | ✔️ | ✔️ | ✔️ | | | -| [Exchange](#exchange) | ✔️ | ✔️ | ✔️ | | | -| [KnownAccounts](#knownaccounts) | ✔️ | ✔️ | ✔️ | | | -| [VPN](#vpn) | ✔️ | ✔️ | ✔️ | ✔️ | | -| [WiFiSense](#wifisense) | ✔️ | ✔️ | ✔️ | | | -| [WLAN](#wlan) | ✔️ | ✔️ | ✔️ | ✔️ | | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [Email](#email) | ✔️ | ✔️ | | | +| [Exchange](#exchange) | ✔️ | ✔️ | | | +| [KnownAccounts](#knownaccounts) | ✔️ | ✔️ | | | +| [VPN](#vpn) | ✔️ | ✔️ | ✔️ | | +| [WiFiSense](#wifisense) | ✔️ | ✔️ | | | +| [WLAN](#wlan) | ✔️ | ✔️ | ✔️ | | ## Email diff --git a/windows/configuration/wcd/wcd-countryandregion.md b/windows/configuration/wcd/wcd-countryandregion.md index e8cf5a0b37..81597e49d4 100644 --- a/windows/configuration/wcd/wcd-countryandregion.md +++ b/windows/configuration/wcd/wcd-countryandregion.md @@ -19,8 +19,8 @@ Use to configure a setting that partners must customize to ship Windows devices ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| CountryCodeForExtendedCapabilityPrompts | ✔️ | ✔️ | ✔️ | | | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| CountryCodeForExtendedCapabilityPrompts | ✔️ | ✔️ | | | You can set the **CountryCodeForExtendedCapabilityPrompts** setting for **China** to enable additional capability prompts when apps use privacy-sensitive features (such as Contacts or Microphone). diff --git a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md index 464d3c8163..e18abe6ad1 100644 --- a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md +++ b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md @@ -19,7 +19,7 @@ Do not use. Instead, use the [Personalization settings](wcd-personalization.md). ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | ✔️ | | | | | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | ✔️ | | | | diff --git a/windows/configuration/wcd/wcd-developersetup.md b/windows/configuration/wcd/wcd-developersetup.md index 666109a375..eee860859f 100644 --- a/windows/configuration/wcd/wcd-developersetup.md +++ b/windows/configuration/wcd/wcd-developersetup.md @@ -19,22 +19,20 @@ Use to unlock developer mode on HoloLens devices and configure authentication to ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [EnableDeveloperMode](#enabledevelopermode) | | | | ✔️ | | -| [AuthenticationMode](#authenticationmode) | | | | ✔️ | | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [EnableDeveloperMode](#developersetupsettings-enabledevelopermode) | | | ✔️ | | +| [AuthenticationMode](#windowsdeviceportalsettings-authentication-mode) | | | ✔️ | | - ## DeveloperSetupSettings: EnableDeveloperMode When this setting is configured as **True**, the device is unlocked for developer functionality. - ## WindowsDevicePortalSettings: Authentication Mode When AuthenticationMode is set to **Basic Auth**, enter a user name and password to enable the device to connect to and authenticate with the Windows Device Portal. ## Related topics -- [Device Portal for HoloLens](/windows/uwp/debug-test-perf/device-portal-hololens) \ No newline at end of file +- [Device Portal for HoloLens](/windows/uwp/debug-test-perf/device-portal-hololens) diff --git a/windows/configuration/wcd/wcd-deviceformfactor.md b/windows/configuration/wcd/wcd-deviceformfactor.md index fc86909bc1..b233406d79 100644 --- a/windows/configuration/wcd/wcd-deviceformfactor.md +++ b/windows/configuration/wcd/wcd-deviceformfactor.md @@ -19,9 +19,9 @@ Use to identify the form factor of the device. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| DeviceForm | ✔️ | ✔️ | ✔️ | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| DeviceForm | ✔️ | ✔️ | | | Specifies the device form factor running Windows 10. Generally, the device form is set by the original equipment manufacturer (OEM), however you might want to change the device form based on its usage in your organization. diff --git a/windows/configuration/wcd/wcd-devicemanagement.md b/windows/configuration/wcd/wcd-devicemanagement.md index 236416cf96..bb1692d17e 100644 --- a/windows/configuration/wcd/wcd-devicemanagement.md +++ b/windows/configuration/wcd/wcd-devicemanagement.md @@ -19,12 +19,12 @@ Use to configure device management settings. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [Accounts](#accounts) | ✔️ | ✔️ | ✔️ | | | -| [PGList](#pglist) | ✔️ | ✔️ | ✔️ | | | -| [Policies](#policies) | ✔️ | ✔️ | ✔️ | | | -| [TrustedProvisioningSource](#trustedprovisioningsource) | ✔️ | ✔️ | ✔️ | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [Accounts](#accounts) | ✔️ | ✔️ | | | +| [PGList](#pglist) | ✔️ | ✔️ | | | +| [Policies](#policies) | ✔️ | ✔️ | | | +| [TrustedProvisioningSource](#trustedprovisioningsource) | ✔️ | ✔️ | | | ## Accounts diff --git a/windows/configuration/wcd/wcd-deviceupdatecenter.md b/windows/configuration/wcd/wcd-deviceupdatecenter.md index 3dfa2d7fe2..e72df83e2d 100644 --- a/windows/configuration/wcd/wcd-deviceupdatecenter.md +++ b/windows/configuration/wcd/wcd-deviceupdatecenter.md @@ -17,7 +17,7 @@ Do not use **DeviceUpdateCenter** settings at this time. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | ✔️ | | | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | ✔️ | | | | diff --git a/windows/configuration/wcd/wcd-dmclient.md b/windows/configuration/wcd/wcd-dmclient.md index 39949ed4c4..31d0ed7b8c 100644 --- a/windows/configuration/wcd/wcd-dmclient.md +++ b/windows/configuration/wcd/wcd-dmclient.md @@ -19,9 +19,9 @@ Use to specify enterprise-specific mobile device management configuration settin ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| UpdateManagementServiceAddress | ✔️ | ✔️ | ✔️ | | ✔️ | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| UpdateManagementServiceAddress | ✔️ | ✔️ | | ✔️ | For the **UpdateManagementServiceAddress** setting, enter a list of servers. The first server in the semi-colon delimited list is the server that will be used to instantiate MDM sessions. diff --git a/windows/configuration/wcd/wcd-editionupgrade.md b/windows/configuration/wcd/wcd-editionupgrade.md index 79e2667cb2..aaa3c9a10e 100644 --- a/windows/configuration/wcd/wcd-editionupgrade.md +++ b/windows/configuration/wcd/wcd-editionupgrade.md @@ -19,11 +19,11 @@ Use to upgrade the edition of Windows 10 on the device. [Learn about Windows 10 ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [ChangeProductKey](#changeproductkey) | ✔️ | ✔️ | | | | -| [UpgradeEditionWithLicense](#upgradeeditionwithlicense) | ✔️ | ✔️ | | ✔️ | | -| [UpgradeEditionWithProductKey](#upgradeeditionwithproductkey) | ✔️ | ✔️ | | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [ChangeProductKey](#changeproductkey) | ✔️ | | | | +| [UpgradeEditionWithLicense](#upgradeeditionwithlicense) | ✔️ | | ✔️ | | +| [UpgradeEditionWithProductKey](#upgradeeditionwithproductkey) | ✔️ | | | | ## ChangeProductKey diff --git a/windows/configuration/wcd/wcd-firewallconfiguration.md b/windows/configuration/wcd/wcd-firewallconfiguration.md index 4bc834f3ac..cd505cda87 100644 --- a/windows/configuration/wcd/wcd-firewallconfiguration.md +++ b/windows/configuration/wcd/wcd-firewallconfiguration.md @@ -19,9 +19,9 @@ Use to enable AllJoyn router to work on public networks. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| EnableAllJoynOnPublicNetwork | | | | | ✔️ | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| EnableAllJoynOnPublicNetwork | | | | ✔️ | Set to **True** or **False**. diff --git a/windows/configuration/wcd/wcd-firstexperience.md b/windows/configuration/wcd/wcd-firstexperience.md index 0561b8d3f4..a854a53a49 100644 --- a/windows/configuration/wcd/wcd-firstexperience.md +++ b/windows/configuration/wcd/wcd-firstexperience.md @@ -19,9 +19,9 @@ Use these settings to configure the out-of-box experience (OOBE) to set up HoloL ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | | | | ✔️ | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | | | ✔️ | | Setting | Description --- | --- diff --git a/windows/configuration/wcd/wcd-folders.md b/windows/configuration/wcd/wcd-folders.md index cc594611bc..1eab5f086b 100644 --- a/windows/configuration/wcd/wcd-folders.md +++ b/windows/configuration/wcd/wcd-folders.md @@ -19,8 +19,8 @@ Use to add files to the device. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| PublicDocuments | ✔️ | ✔️ | ✔️ | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| PublicDocuments | ✔️ | ✔️ | | | Browse to and select a file or files that will be included in the provisioning package and added to the public profile documents folder on the target device. You can use the **Relative path to directory on target device** field to create a new folder within the public profile documents folder. diff --git a/windows/configuration/wcd/wcd-kioskbrowser.md b/windows/configuration/wcd/wcd-kioskbrowser.md index 0db1c60a59..b8dc34d1e1 100644 --- a/windows/configuration/wcd/wcd-kioskbrowser.md +++ b/windows/configuration/wcd/wcd-kioskbrowser.md @@ -19,12 +19,12 @@ Use KioskBrowser settings to configure Internet sharing. ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | | | | | ✔️ | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | | | | ✔️ | >[!NOTE] ->To configure Kiosk Browser settings for desktop editions, go to [Policies > KioskBrowser](wcd-policies.md#kioskbrowser). +>To configure Kiosk Browser settings for Windows client, go to [Policies > KioskBrowser](wcd-policies.md#kioskbrowser). Kiosk Browser settings | Use this setting to --- | --- diff --git a/windows/configuration/wcd/wcd-licensing.md b/windows/configuration/wcd/wcd-licensing.md index 98ebd963b2..82adee0181 100644 --- a/windows/configuration/wcd/wcd-licensing.md +++ b/windows/configuration/wcd/wcd-licensing.md @@ -19,10 +19,10 @@ Use for settings related to Microsoft licensing programs. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [AllowWindowsEntitlementReactivation](#allowwindowsentitlementreactivation) | ✔️ | | | | | -| [DisallowKMSClientOnlineAVSValidation](#disallowkmsclientonlineavsvalidation) | ✔️ | | | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [AllowWindowsEntitlementReactivation](#allowwindowsentitlementreactivation) | ✔️ | | | | +| [DisallowKMSClientOnlineAVSValidation](#disallowkmsclientonlineavsvalidation) | ✔️ | | | | ## AllowWindowsEntitlementReactivation diff --git a/windows/configuration/wcd/wcd-location.md b/windows/configuration/wcd/wcd-location.md index c0617f9b4a..a2989cead5 100644 --- a/windows/configuration/wcd/wcd-location.md +++ b/windows/configuration/wcd/wcd-location.md @@ -18,9 +18,9 @@ Use Location settings to configure location services. ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [EnableLocation](#enablelocation) | | | | | ✔️ | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [EnableLocation](#enablelocation) | | | | ✔️ | ## EnableLocation diff --git a/windows/configuration/wcd/wcd-maps.md b/windows/configuration/wcd/wcd-maps.md index b92e27c14e..51aacf0da3 100644 --- a/windows/configuration/wcd/wcd-maps.md +++ b/windows/configuration/wcd/wcd-maps.md @@ -18,11 +18,11 @@ Use for settings related to Maps. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [ChinaVariantWin10](#chinavariantwin10) | ✔️ | ✔️ | ✔️ | | | -| [UseExternalStorage](#useexternalstorage) | ✔️ | ✔️ | ✔️ | | | -| [UseSmallerCache](#usesmallercache) | ✔️ | ✔️ | ✔️ | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [ChinaVariantWin10](#chinavariantwin10) | ✔️ | ✔️ | | | +| [UseExternalStorage](#useexternalstorage) | ✔️ | ✔️ | | | +| [UseSmallerCache](#usesmallercache) | ✔️ | ✔️ | | | ## ChinaVariantWin10 diff --git a/windows/configuration/wcd/wcd-networkproxy.md b/windows/configuration/wcd/wcd-networkproxy.md index e19c13f19c..957bc2abd1 100644 --- a/windows/configuration/wcd/wcd-networkproxy.md +++ b/windows/configuration/wcd/wcd-networkproxy.md @@ -18,9 +18,9 @@ Use for settings related to NetworkProxy. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | | | ✔️ | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | | ✔️ | | | ## AutoDetect diff --git a/windows/configuration/wcd/wcd-networkqospolicy.md b/windows/configuration/wcd/wcd-networkqospolicy.md index 80e515c380..177a49d274 100644 --- a/windows/configuration/wcd/wcd-networkqospolicy.md +++ b/windows/configuration/wcd/wcd-networkqospolicy.md @@ -18,9 +18,9 @@ Use to create network Quality of Service (QoS) policies. A QoS policy performs a ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | | | ✔️ | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | | ✔️ | | | 1. In **Available customizations**, select **NetworkQ0SPolicy**, enter a friendly name for the account, and then click **Add**. 2. In **Available customizations**, select the name that you just created. The following table describes the settings you can configure. diff --git a/windows/configuration/wcd/wcd-oobe.md b/windows/configuration/wcd/wcd-oobe.md index 4245590994..9110aeec1d 100644 --- a/windows/configuration/wcd/wcd-oobe.md +++ b/windows/configuration/wcd/wcd-oobe.md @@ -18,35 +18,21 @@ Use to configure settings for the [Out Of Box Experience (OOBE)](/windows-hardwa ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [Desktop > EnableCortanaVoice](#enablecortanavoice) | ✔️ | | | | | -| [Desktop > HideOobe](#hided) | ✔️ | | | | | -| [Mobile > EnforceEnterpriseProvisioning](#nforce) | | ✔️ | | | | -| [Mobile > HideOobe](#hidem) | | ✔️ | | | | - - - +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [Desktop > EnableCortanaVoice](#enablecortanavoice) | ✔️ | | | | +| [Desktop > HideOobe](#hideoobe-for-desktop) | ✔️ | | | | ## EnableCortanaVoice Use this setting to control whether Cortana voice-over is enabled during OOBE. The voice-over is disabled by default on Windows 10 Pro, Education, and Enterprise. The voice-over is enabled by default on Windows 10 Home. Select **True** to enable voice-over during OOBE, or **False** to disable voice-over during OOBE. - ## HideOobe for desktop When set to **True**, it hides the interactive OOBE flow for Windows 10. ->[!NOTE] ->You must create a user account if you set the value to true or the device will not be usable. +> [!NOTE] +> You must create a user account if you set the value to true or the device will not be usable. When set to **False**, the OOBE screens are displayed. - -## EnforceEnterpriseProvisioning - -When set to **True**, it forces the OOBE flow into using the enterprise provisioning page without making the user interact with the Windows button. This is the default setting. - -When set to **False**, it does not force the OOBE flow to the enterprise provisioning page. - - diff --git a/windows/configuration/wcd/wcd-personalization.md b/windows/configuration/wcd/wcd-personalization.md index 08af869bd0..18b6259bdc 100644 --- a/windows/configuration/wcd/wcd-personalization.md +++ b/windows/configuration/wcd/wcd-personalization.md @@ -18,12 +18,12 @@ Use to configure settings to personalize a PC. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [DeployDesktopImage](#deploydesktopimage) | ✔️ | | | | | -| [DeployLockScreenImage](#deploylockscreenimage) | ✔️ | | | | | -| [DesktopImageUrl](#desktopimageurl) | ✔️ | | | | | -| [LockScreenImageUrl](#lockscreenimageurl) | ✔️ | | | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [DeployDesktopImage](#deploydesktopimage) | ✔️ | | | | +| [DeployLockScreenImage](#deploylockscreenimage) | ✔️ | | | | +| [DesktopImageUrl](#desktopimageurl) | ✔️ | | | | +| [LockScreenImageUrl](#lockscreenimageurl) | ✔️ | | | | ## DeployDesktopImage diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md index 1d9c4d1eee..f7629487bb 100644 --- a/windows/configuration/wcd/wcd-policies.md +++ b/windows/configuration/wcd/wcd-policies.md @@ -18,315 +18,316 @@ This section describes the **Policies** settings that you can configure in [prov ## AboveLock -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowActionCenterNotifications](/windows/client-management/mdm/policy-configuration-service-provider#abovelock-allowactioncenternotifications) | Allow Action Center notifications above the device lock screen. | | ✔️ | | | | -| [AllowToasts](/windows/client-management/mdm/policy-configuration-service-provider#abovelock-allowtoasts) | Allow toast notifications above the device lock screen. | ✔️ | ✔️ | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowActionCenterNotifications](/windows/client-management/mdm/policy-configuration-service-provider#abovelock-allowactioncenternotifications) | Allow Action Center notifications above the device lock screen. | | | | | +| [AllowToasts](/windows/client-management/mdm/policy-configuration-service-provider#abovelock-allowtoasts) | Allow toast notifications above the device lock screen. | ✔️ | | | | ## Accounts -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAddingNonMicrosoftAccountManually](/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowaddingnonmicrosoftaccountsmanually) | Whether users can add non-Microsoft email accounts | ✔️ | ✔️ | | | | -| [AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountconnection) | Whether users can use a Microsoft account for non-email-related connection authentication and services | ✔️ | ✔️ | | ✔️ | | -| [AllowMicrosoftAccountSigninAssistant](/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountsigninassistant) | Disable the **Microsoft Account Sign-In Assistant** (wlidsvc) NT service | ✔️ | ✔️ | | | | -| [DomainNamesForEmailSync](/windows/client-management/mdm/policy-configuration-service-provider#accounts-domainnamesforemailsync) | List of domains that are allowed to sync email on the devices | ✔️ | ✔️ | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowAddingNonMicrosoftAccountManually](/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowaddingnonmicrosoftaccountsmanually) | Whether users can add non-Microsoft email accounts | ✔️ | | | | +| [AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountconnection) | Whether users can use a Microsoft account for non-email-related connection authentication and services | ✔️ | | ✔️ | | +| [AllowMicrosoftAccountSigninAssistant](/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountsigninassistant) | Disable the **Microsoft Account Sign-In Assistant** (wlidsvc) NT service | ✔️ | | | | +| [DomainNamesForEmailSync](/windows/client-management/mdm/policy-configuration-service-provider#accounts-domainnamesforemailsync) | List of domains that are allowed to sync email on the devices | ✔️ | | | | ## ApplicationDefaults -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [DefaultAssociationsConfiguration](/windows/client-management/mdm/policy-configuration-service-provider#applicationdefaults-defaultassociationsconfiguration) | Set default file type and protocol associations | ✔️ | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [DefaultAssociationsConfiguration](/windows/client-management/mdm/policy-configuration-service-provider#applicationdefaults-defaultassociationsconfiguration) | Set default file type and protocol associations | ✔️ | | | | ## ApplicationManagement -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAllTrustedApps](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowalltrustedapps) | Whether non-Microsoft Store apps are allowed | ✔️ | ✔️ | | | ✔️ | -| [AllowAppStoreAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowappstoreautoupdate) | Whether automatic update of apps from Microsoft Store is allowed | ✔️ | ✔️ | | | ✔️ | -| [AllowDeveloperUnlock](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowdeveloperunlock) | Whether developer unlock of device is allowed | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [AllowGameDVR](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowgamedvr) |Whether DVR and broadcasting is allowed | ✔️ | | | | | -| [AllowSharedUserAppData](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowshareduserappdata) | Whether multiple users of the same app can share data | ✔️ | ✔️ | | | | -| [AllowStore](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowstore) | Whether app store is allowed at device | | ✔️ | | | | -| [ApplicationRestrictions](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-applicationrestrictions) | An XML blob that specifies app restrictions, such as an allow list, disallow list, etc. | | ✔️ | | | | -| [LaunchAppAfterLogOn](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-launchappafterlogon) |Whether to launch an app or apps when the user signs in. | ✔️ | | | | | -| [RestrictAppDataToSystemVolume](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-restrictappdatatosystemvolume) | Whether app data is restricted to the system drive | ✔️ | ✔️ | | | ✔️ | -| [RestrictAppToSystemVolume](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-restrictapptosystemvolume) | Whether the installation of apps is restricted to the system drive | ✔️ | ✔️ | | | ✔️ | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowAllTrustedApps](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowalltrustedapps) | Whether non-Microsoft Store apps are allowed | ✔️ | | | ✔️ | +| [AllowAppStoreAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowappstoreautoupdate) | Whether automatic update of apps from Microsoft Store is allowed | ✔️ | | | ✔️ | +| [AllowDeveloperUnlock](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowdeveloperunlock) | Whether developer unlock of device is allowed | ✔️ | ✔️ | ✔️ | ✔️ | +| [AllowGameDVR](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowgamedvr) |Whether DVR and broadcasting is allowed | ✔️ | | | | +| [AllowSharedUserAppData](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowshareduserappdata) | Whether multiple users of the same app can share data | ✔️ | | | | +| [AllowStore](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowstore) | Whether app store is allowed at device | | | | | +| [ApplicationRestrictions](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-applicationrestrictions) | An XML blob that specifies app restrictions, such as an allow list, disallow list, etc. | | | | | +| [LaunchAppAfterLogOn](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-launchappafterlogon) |Whether to launch an app or apps when the user signs in. | ✔️ | | | | +| [RestrictAppDataToSystemVolume](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-restrictappdatatosystemvolume) | Whether app data is restricted to the system drive | ✔️ | | | ✔️ | +| [RestrictAppToSystemVolume](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-restrictapptosystemvolume) | Whether the installation of apps is restricted to the system drive | ✔️ | | | ✔️ | ## Authentication -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowFastReconnect](/windows/client-management/mdm/policy-csp-authentication#authentication-allowfastreconnect) | Allows EAP Fast Reconnect from being attempted for EAP Method TLS. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [EnableFastFirstSignin](/windows/client-management/mdm/policy-csp-authentication#authentication-enablefastfirstsignin) | Enables a quick first sign-in experience for a user by automatically connecting new non-admin Azure AD accounts to the pre-configured candidate local accounts. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [EnableWebSignin](/windows/client-management/mdm/policy-csp-authentication#authentication-enablewebsignin) | Enables Windows logon support for non-ADFS federated providers (e.g. SAML). | ✔️ | ✔️ | ✔️ | | ✔️ | -| [PreferredAadTenantDomainName](/windows/client-management/mdm/policy-csp-authentication#authentication-preferredaadtenantdomainname) | Specifies the preferred domain among available domains in the Azure AD tenant. | ✔️ | ✔️ | ✔️ | | ✔️ | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowFastReconnect](/windows/client-management/mdm/policy-csp-authentication#authentication-allowfastreconnect) | Allows EAP Fast Reconnect from being attempted for EAP Method TLS. | ✔️ | ✔️ | ✔️ | ✔️ | +| [EnableFastFirstSignin](/windows/client-management/mdm/policy-csp-authentication#authentication-enablefastfirstsignin) | Enables a quick first sign-in experience for a user by automatically connecting new non-admin Azure AD accounts to the pre-configured candidate local accounts. | ✔️ | ✔️ | | ✔️ | +| [EnableWebSignin](/windows/client-management/mdm/policy-csp-authentication#authentication-enablewebsignin) | Enables Windows logon support for non-ADFS federated providers (e.g. SAML). | ✔️ | ✔️ | | ✔️ | +| [PreferredAadTenantDomainName](/windows/client-management/mdm/policy-csp-authentication#authentication-preferredaadtenantdomainname) | Specifies the preferred domain among available domains in the Azure AD tenant. | ✔️ | ✔️ | | ✔️ | ## BitLocker -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [EncryptionMethod](/windows/client-management/mdm/policy-configuration-service-provider#bitlocker-encryptionmethod) | Specify BitLocker drive encryption method and cipher strength | ✔️ | ✔️ | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [EncryptionMethod](/windows/client-management/mdm/policy-configuration-service-provider#bitlocker-encryptionmethod) | Specify BitLocker drive encryption method and cipher strength | ✔️ | | | | ## Bluetooth -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAdvertising](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowadvertising) | Whether the device can send out Bluetooth advertisements | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [AllowDiscoverableMode](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowdiscoverablemode) | Whether other Bluetooth-enabled devices can discover the device | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [AllowPrepairing](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowprepairing) | Whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| AllowPromptedProximalConnections | Whether Windows will prompt users when Bluetooth devices that are connectable are in range of the user's device | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [LocalDeviceName](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-localdevicename) | Set the local Bluetooth device name | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [ServicesAllowedList](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-servicesallowedlist) | Set a list of allowable services and profiles | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowAdvertising](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowadvertising) | Whether the device can send out Bluetooth advertisements | ✔️ | ✔️ | ✔️ | ✔️ | +| [AllowDiscoverableMode](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowdiscoverablemode) | Whether other Bluetooth-enabled devices can discover the device | ✔️ | ✔️ | ✔️ | ✔️ | +| [AllowPrepairing](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowprepairing) | Whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device | ✔️ | ✔️ | ✔️ | ✔️ | +| AllowPromptedProximalConnections | Whether Windows will prompt users when Bluetooth devices that are connectable are in range of the user's device | ✔️ | ✔️ | ✔️ | ✔️ | +| [LocalDeviceName](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-localdevicename) | Set the local Bluetooth device name | ✔️ | ✔️ | ✔️ | ✔️ | +| [ServicesAllowedList](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-servicesallowedlist) | Set a list of allowable services and profiles | ✔️ | ✔️ | ✔️ | ✔️ | ## Browser -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAddressBarDropdown](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowaddressbardropdown) | Specify whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality. | ✔️ | | | | | -| [AllowAutofill](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowautofill) | Specify whether autofill on websites is allowed. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowBrowser](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowbrowser) | Specify whether the browser is allowed on the device (for Windows 10, version 1803 and earlier only). | ✔️ | ✔️ | | | | -[AllowConfigurationUpdateForBooksLibrary](/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) | Specify whether Microsoft Edge can automatically update the configuration data for the Books Library. | ✔️ | ✔️ | | | | -| [AllowCookies](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowcookies) | Specify whether cookies are allowed. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowDeveloperTools](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowdevelopertools) | Specify whether employees can use F12 Developer Tools on Microsoft Edge. | ✔️ | | | | | -| [AllowDoNotTrack](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowdonottrack) | Specify whether Do Not Track headers are allowed. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowExtensions](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowextensions) | Specify whether Microsoft Edge extensions are allowed. | ✔️ | | | | | -| [AllowFlash](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowflash) | Specify whether Adobe Flash can run in Microsoft Edge. | ✔️ | | | | | -| [AllowFlashClickToRun](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowflashclicktorun) | Specify whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. | ✔️ | | | | | -| [AllowFullScreenMode](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowfullscreenmode) | Specify whether full-screen mode is allowed. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowInPrivate](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowinprivate) | Specify whether InPrivate browsing is allowed on corporate networks. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowMicrosoftCompatibilityList](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowmicrosoftcompatibilitylist) | Specify whether to use the Microsoft compatibility list in Microsoft Edge. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowPasswordManager](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowpasswordmanager) | Specify whether saving and managing passwords locally on the device is allowed. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowPopups](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowpopups) | Specify whether pop-up blocker is allowed or enabled. | ✔️ | | | ✔️ | | -| [AllowPrelaunch](/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch) | Specify whether Microsoft Edge can pre-launch as a background process during Windows startup when the system is idle waiting to be launched by the user. | ✔️ | | | | | -| [AllowPrinting](/windows/client-management/mdm/policy-csp-browser#browser-allowprinting) | Specify whether users can print web content in Microsoft Edge. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowSavingHistory](/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory) | Specify whether Microsoft Edge saves the browsing history. | ✔️ | | | | | -| [AllowSearchEngineCustomization](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsearchenginecustomization) | Allow search engine customization for MDM-enrolled devices. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowSearchSuggestionsinAddressBar](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsearchsuggestionsinaddressbar) | Specify whether search suggestions are allowed in the address bar. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowSideloadingOfExtensions](/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions) | Specify whether extensions can be sideloaded in Microsoft Edge. | ✔️ | | | | | -| [AllowSmartScreen](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsmartscreen) | Specify whether Windows Defender SmartScreen is allowed. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [AllowTabPreloading](/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading) | Specify whether preloading the Start and New tab pages during Windows sign-in is allowed. | ✔️ | | | | | -| [AllowWebContentOnNewTabPage](/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage) | Specify whether a New tab page opens with the default content or a blank page. | ✔️ | ✔️ | ✔️ | | ✔️ | -[AlwaysEnableBooksLibrary](/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) | Always show the Books Library in Microsoft Edge. | ✔️ | ✔️ | | | | -| [ClearBrowsingDataOnExit](/windows/client-management/mdm/policy-configuration-service-provider#browser-clearbrowsingdataonexit) | Specify whether to clear browsing data when exiting Microsoft Edge. | ✔️ | | | | | -| [ConfigureAdditionalSearchEngines](/windows/client-management/mdm/policy-configuration-service-provider#browser-configureadditionalsearchengines) | Allows you to add up to 5 additional search engines for MDM-enrolled devices. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [ConfigureFavoritesBar](/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar) | Specify whether the Favorites bar is shown or hidden on all pages. | ✔️ | | | | | -| [ConfigureHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) | Configure whether the Home button will be shown, and what should happen when it is selected. You should also configure the [SetHomeButtonURL](/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) setting. To configure this setting and also allow users to make changes to the Home button, see the [UnlockHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) setting. | ✔️ | | | | | -| [ConfigureKioskMode](/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode) | Configure how Microsoft Edge operates when it's running in kiosk mode, either as a single-app kiosk or as one of multiple apps running on the kiosk device. | ✔️ | | | | | -| [ConfigureKioskResetAfterIdleTimeout](/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout) | Specify the time, in minutes, after which Microsoft Edge running in kiosk mode resets to the default kiosk configuration. | ✔️ | | | | | -| [ConfigureOpenMicrosoftEdgeWith](/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith) | Specify which pages should load when Microsoft Edge opens. You should also configure the [ConfigureStartPages](/windows/client-management/mdm/policy-csp-browser#browser-configurestartpages) setting and [DisableLockdownOfStartPages](/windows/client-management/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) setting. | ✔️ | | | | | -| [ConfigureTelemetryForMicrosoft365Analytics](/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics) | Specify whether to send Microsoft Edge browsing history data to Microsoft 365 Analytics. | ✔️ | | | | | -| [DisableLockdownOfStartPages](/windows/client-management/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) | Specify whether the lockdown on the Start pages is disabled. | ✔️ | | | | | -[EnableExtendedBooksTelemetry](/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | Enable this setting to send additional diagnostic data, on top of the basic diagnostic data, from the Books tab. | ✔️ | ✔️ | | | | -| [EnterpriseModeSiteList](/windows/client-management/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist) | Allow the user to specify a URL of an enterprise site list. | ✔️ | | | | | -| [EnterpriseSiteListServiceUrl](/windows/client-management/mdm/policy-csp-browser#browser-enterprisesitelistserviceurl) | This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](/windows/client-management/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist). | ✔️ | | | | | -| [FirstRunURL](/windows/client-management/mdm/policy-configuration-service-provider#browser-firstrunurl) | Specify the URL that Microsoft Edge will use when it is opened for the first time. | ✔️ | ✔️ | | | | -| [HomePages](/windows/client-management/mdm/policy-configuration-service-provider#browser-homepages) | Specify your Start pages for MDM-enrolled devices. | ✔️ | | | | | -[LockdownFavorites](/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | Configure whether employees can add, import, sort, or edit the Favorites list in Microsoft Edge. | ✔️ | ✔️ | | | | -| [PreventAccessToAboutFlagsInMicrosoftEdge](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventaccesstoaboutflagsinmicrosoftedge) | Specify whether users can access the **about:flags** page, which is used to change developer settings and to enable experimental features. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [PreventCertErrorOverrides](/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides) | Specify whether to override security warnings about sites that have SSL errors. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [PreventFirstRunPage](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventfirstrunpage) | Specify whether to enable or disable the First Run webpage. | ✔️ | | | | | -| [PreventLiveTileDataCollection](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventlivetiledatacollection) | Specify whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [PreventSmartScreenPromptOverride](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverride) | Specify whether users can override the Windows Defender SmartScreen warnings about potentially malicious websites. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [PreventSmartScreenPromptOverrideForFiles](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverrideforfiles) | Specify whether users can override the Windows Defender SmartScreen warnings about downloading unverified files. | ✔️ | ✔️ | ✔️ | | ✔️ | -PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. Applies to Windows 10, version 1803 and earlier only. | ✔️ | | | | | -| [PreventTurningOffRequiredExtensions](/windows/client-management/mdm/policy-configuration-service-provider#browser-forceenabledextensions) | Enter a list of extensions in Microsoft Edge that users cannot turn off, using a semi-colon delimited list of extension package family names. | ✔️ | | | | | -| [PreventUsingLocalHostIPAddressForWebRTC](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventusinglocalhostipaddressforwebrtc) | Specify whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. | ✔️ | ✔️ | ✔️ | | ✔️ | -[ProvisionFavorites](/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | Configure a default set of favorites which will appear for employees. | ✔️ | ✔️ | | | | -| [SendIntranetTraffictoInternetExplorer](/windows/client-management/mdm/policy-configuration-service-provider#browser-sendintranettraffictointernetexplorer) | Specify whether to send intranet traffic to Internet Explorer. | ✔️ | | | | | -| [SetDefaultSearchEngine](/windows/client-management/mdm/policy-configuration-service-provider#browser-setdefaultsearchengine) | Configure the default search engine for your employees. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [SetHomeButtonURL](/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) | Specify a custom URL for the Home button. You should also enable the [ConfigureHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) setting and select the **Show the home button; clicking the home button loads a specific URL** option. | ✔️ | | | | | -| [SetNewTabPageURL](/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl) | Specify a custom URL for a New tab page. | ✔️ | | | | | -| [ShowMessageWhenOpeningSitesInInternetExplorer](/windows/client-management/mdm/policy-configuration-service-provider#browser-showmessagewhenopeningsitesininternetexplorer) | Specify whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site list. | ✔️ | | | | | -| [SyncFavoritesBetweenIEAndMicrosoftEdge](/windows/client-management/mdm/policy-configuration-service-provider#browser-syncfavoritesbetweenieandmicrosoftedge) | Specify whether favorites are kept in sync between Internet Explorer and Microsoft Edge. | ✔️ | | | | | -| [UnlockHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) | Specify whether users can make changes to the Home button. | ✔️ | | | | | -[UseSharedFolderForBooks](/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | Specify whether organizations should use a folder shared across users to store books from the Books Library. | ✔️ | ✔️ | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowAddressBarDropdown](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowaddressbardropdown) | Specify whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality. | ✔️ | | | | +| [AllowAutofill](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowautofill) | Specify whether autofill on websites is allowed. | ✔️ | ✔️ | | ✔️ | +| [AllowBrowser](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowbrowser) | Specify whether the browser is allowed on the device (for Windows 10, version 1803 and earlier only). | ✔️ | | | | +[AllowConfigurationUpdateForBooksLibrary](/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) | Specify whether Microsoft Edge can automatically update the configuration data for the Books Library. | ✔️ | | | | +| [AllowCookies](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowcookies) | Specify whether cookies are allowed. | ✔️ | ✔️ | | ✔️ | +| [AllowDeveloperTools](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowdevelopertools) | Specify whether employees can use F12 Developer Tools on Microsoft Edge. | ✔️ | | | | +| [AllowDoNotTrack](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowdonottrack) | Specify whether Do Not Track headers are allowed. | ✔️ | ✔️ | | ✔️ | +| [AllowExtensions](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowextensions) | Specify whether Microsoft Edge extensions are allowed. | ✔️ | | | | +| [AllowFlash](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowflash) | Specify whether Adobe Flash can run in Microsoft Edge. | ✔️ | | | | +| [AllowFlashClickToRun](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowflashclicktorun) | Specify whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. | ✔️ | | | | +| [AllowFullScreenMode](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowfullscreenmode) | Specify whether full-screen mode is allowed. | ✔️ | ✔️ | | ✔️ | +| [AllowInPrivate](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowinprivate) | Specify whether InPrivate browsing is allowed on corporate networks. | ✔️ | ✔️ | | ✔️ | +| [AllowMicrosoftCompatibilityList](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowmicrosoftcompatibilitylist) | Specify whether to use the Microsoft compatibility list in Microsoft Edge. | ✔️ | ✔️ | | ✔️ | +| [AllowPasswordManager](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowpasswordmanager) | Specify whether saving and managing passwords locally on the device is allowed. | ✔️ | ✔️ | | ✔️ | +| [AllowPopups](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowpopups) | Specify whether pop-up blocker is allowed or enabled. | ✔️ | | ✔️ | | +| [AllowPrelaunch](/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch) | Specify whether Microsoft Edge can pre-launch as a background process during Windows startup when the system is idle waiting to be launched by the user. | ✔️ | | | | +| [AllowPrinting](/windows/client-management/mdm/policy-csp-browser#browser-allowprinting) | Specify whether users can print web content in Microsoft Edge. | ✔️ | ✔️ | | ✔️ | +| [AllowSavingHistory](/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory) | Specify whether Microsoft Edge saves the browsing history. | ✔️ | | | | +| [AllowSearchEngineCustomization](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsearchenginecustomization) | Allow search engine customization for MDM-enrolled devices. | ✔️ | ✔️ | | ✔️ | +| [AllowSearchSuggestionsinAddressBar](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsearchsuggestionsinaddressbar) | Specify whether search suggestions are allowed in the address bar. | ✔️ | ✔️ | | ✔️ | +| [AllowSideloadingOfExtensions](/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions) | Specify whether extensions can be sideloaded in Microsoft Edge. | ✔️ | | | | +| [AllowSmartScreen](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsmartscreen) | Specify whether Windows Defender SmartScreen is allowed. | ✔️ | ✔️ | ✔️ | ✔️ | +| [AllowTabPreloading](/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading) | Specify whether preloading the Start and New tab pages during Windows sign-in is allowed. | ✔️ | | | | +| [AllowWebContentOnNewTabPage](/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage) | Specify whether a New tab page opens with the default content or a blank page. | ✔️ | ✔️ | | ✔️ | +[AlwaysEnableBooksLibrary](/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) | Always show the Books Library in Microsoft Edge. | ✔️ | | | | +| [ClearBrowsingDataOnExit](/windows/client-management/mdm/policy-configuration-service-provider#browser-clearbrowsingdataonexit) | Specify whether to clear browsing data when exiting Microsoft Edge. | ✔️ | | | | +| [ConfigureAdditionalSearchEngines](/windows/client-management/mdm/policy-configuration-service-provider#browser-configureadditionalsearchengines) | Allows you to add up to 5 additional search engines for MDM-enrolled devices. | ✔️ | ✔️ | | ✔️ | +| [ConfigureFavoritesBar](/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar) | Specify whether the Favorites bar is shown or hidden on all pages. | ✔️ | | | | +| [ConfigureHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) | Configure whether the Home button will be shown, and what should happen when it is selected. You should also configure the [SetHomeButtonURL](/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) setting. To configure this setting and also allow users to make changes to the Home button, see the [UnlockHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) setting. | ✔️ | | | | +| [ConfigureKioskMode](/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode) | Configure how Microsoft Edge operates when it's running in kiosk mode, either as a single-app kiosk or as one of multiple apps running on the kiosk device. | ✔️ | | | | +| [ConfigureKioskResetAfterIdleTimeout](/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout) | Specify the time, in minutes, after which Microsoft Edge running in kiosk mode resets to the default kiosk configuration. | ✔️ | | | | +| [ConfigureOpenMicrosoftEdgeWith](/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith) | Specify which pages should load when Microsoft Edge opens. You should also configure the [ConfigureStartPages](/windows/client-management/mdm/policy-csp-browser#browser-configurestartpages) setting and [DisableLockdownOfStartPages](/windows/client-management/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) setting. | ✔️ | | | | +| [ConfigureTelemetryForMicrosoft365Analytics](/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics) | Specify whether to send Microsoft Edge browsing history data to Microsoft 365 Analytics. | ✔️ | | | | +| [DisableLockdownOfStartPages](/windows/client-management/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) | Specify whether the lockdown on the Start pages is disabled. | ✔️ | | | | +[EnableExtendedBooksTelemetry](/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | Enable this setting to send additional diagnostic data, on top of the basic diagnostic data, from the Books tab. | ✔️ | ✔️ | | | +| [EnterpriseModeSiteList](/windows/client-management/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist) | Allow the user to specify a URL of an enterprise site list. | ✔️ | | | | +| [EnterpriseSiteListServiceUrl](/windows/client-management/mdm/policy-csp-browser#browser-enterprisesitelistserviceurl) | This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](/windows/client-management/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist). | ✔️ | | | | +| [FirstRunURL](/windows/client-management/mdm/policy-configuration-service-provider#browser-firstrunurl) | Specify the URL that Microsoft Edge will use when it is opened for the first time. | ✔️ | | | | +| [HomePages](/windows/client-management/mdm/policy-configuration-service-provider#browser-homepages) | Specify your Start pages for MDM-enrolled devices. | ✔️ | | | | +[LockdownFavorites](/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | Configure whether employees can add, import, sort, or edit the Favorites list in Microsoft Edge. | ✔️ | | | | +| [PreventAccessToAboutFlagsInMicrosoftEdge](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventaccesstoaboutflagsinmicrosoftedge) | Specify whether users can access the **about:flags** page, which is used to change developer settings and to enable experimental features. | ✔️ | ✔️ | | ✔️ | +| [PreventCertErrorOverrides](/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides) | Specify whether to override security warnings about sites that have SSL errors. | ✔️ | ✔️ | | ✔️ | +| [PreventFirstRunPage](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventfirstrunpage) | Specify whether to enable or disable the First Run webpage. | ✔️ | | | | +| [PreventLiveTileDataCollection](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventlivetiledatacollection) | Specify whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. | ✔️ | ✔️ | | ✔️ | +| [PreventSmartScreenPromptOverride](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverride) | Specify whether users can override the Windows Defender SmartScreen warnings about potentially malicious websites. | ✔️ | ✔️ | | ✔️ | +| [PreventSmartScreenPromptOverrideForFiles](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverrideforfiles) | Specify whether users can override the Windows Defender SmartScreen warnings about downloading unverified files. | ✔️ | ✔️ | | ✔️ | +PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. Applies to Windows 10, version 1803 and earlier only. | ✔️ | | | | +| [PreventTurningOffRequiredExtensions](/windows/client-management/mdm/policy-configuration-service-provider#browser-forceenabledextensions) | Enter a list of extensions in Microsoft Edge that users cannot turn off, using a semi-colon delimited list of extension package family names. | ✔️ | | | | +| [PreventUsingLocalHostIPAddressForWebRTC](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventusinglocalhostipaddressforwebrtc) | Specify whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. | ✔️ | ✔️ | | ✔️ | +[ProvisionFavorites](/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | Configure a default set of favorites which will appear for employees. | ✔️ | | | | +| [SendIntranetTraffictoInternetExplorer](/windows/client-management/mdm/policy-configuration-service-provider#browser-sendintranettraffictointernetexplorer) | Specify whether to send intranet traffic to Internet Explorer. | ✔️ | | | | +| [SetDefaultSearchEngine](/windows/client-management/mdm/policy-configuration-service-provider#browser-setdefaultsearchengine) | Configure the default search engine for your employees. | ✔️ | ✔️ | | ✔️ | +| [SetHomeButtonURL](/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) | Specify a custom URL for the Home button. You should also enable the [ConfigureHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) setting and select the **Show the home button; clicking the home button loads a specific URL** option. | ✔️ | | | | +| [SetNewTabPageURL](/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl) | Specify a custom URL for a New tab page. | ✔️ | | | | +| [ShowMessageWhenOpeningSitesInInternetExplorer](/windows/client-management/mdm/policy-configuration-service-provider#browser-showmessagewhenopeningsitesininternetexplorer) | Specify whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site list. | ✔️ | | | | +| [SyncFavoritesBetweenIEAndMicrosoftEdge](/windows/client-management/mdm/policy-configuration-service-provider#browser-syncfavoritesbetweenieandmicrosoftedge) | Specify whether favorites are kept in sync between Internet Explorer and Microsoft Edge. | ✔️ | | | | +| [UnlockHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) | Specify whether users can make changes to the Home button. | ✔️ | | | | +[UseSharedFolderForBooks](/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | Specify whether organizations should use a folder shared across users to store books from the Books Library. | ✔️ | | | | ## Camera -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowCamera](/windows/client-management/mdm/policy-configuration-service-provider#camera-allowcamera) | Disable or enable the camera. | ✔️ | ✔️ | ✔️ | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowCamera](/windows/client-management/mdm/policy-configuration-service-provider#camera-allowcamera) | Disable or enable the camera. | ✔️ | ✔️ | | | ## Connectivity -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowBluetooth](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowbluetooth) | Allow the user to enable Bluetooth or restrict access. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [AllowCellularData](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowcellulardata) | Allow the cellular data channel on the device. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowCellularDataRoaming](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowcellulardataroaming) | Allow or disallow cellular data roaming on the device. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowConnectedDevices](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowconnecteddevices) | Allows IT admins the ability to disable the Connected Devices Platform component. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowNFC](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allownfc) | Allow or disallow near field communication (NFC) on the device. | | ✔️ | | | ✔️ | -| [AllowUSBConnection](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowusbconnection) | Enable USB connection between the device and a computer to sync files with the device or to use developer tools or to deploy or debug applications. | | ✔️ | | | ✔️ | -| [AllowVPNOverCellular](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowvpnovercellular) | Specify what type of underlyinng connections VPN is allowed to use. |✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowVPNRoamingOverCellular](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowvpnroamingovercellular) | Prevent the device from connecting to VPN when the device roams over cellular networks. | ✔️ | ✔️ | ✔️ | | ✔️ | -| HideCellularConnectionMode | Hide the checkbox that lets the user change the connection mode. | ✔️ | ✔️ | ✔️ | | ✔️ | -| HideCellularRoamingOption | Hide the dropdown menu that lets the user change the roaming preferences. | ✔️ | ✔️ | ✔️ | | ✔️ | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowBluetooth](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowbluetooth) | Allow the user to enable Bluetooth or restrict access. | ✔️ | ✔️ | ✔️ | ✔️ | +| [AllowCellularData](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowcellulardata) | Allow the cellular data channel on the device. | ✔️ | ✔️ | | ✔️ | +| [AllowCellularDataRoaming](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowcellulardataroaming) | Allow or disallow cellular data roaming on the device. | ✔️ | ✔️ | | ✔️ | +| [AllowConnectedDevices](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowconnecteddevices) | Allows IT admins the ability to disable the Connected Devices Platform component. | ✔️ | ✔️ | | ✔️ | +| [AllowNFC](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allownfc) | Allow or disallow near field communication (NFC) on the device. | | | | ✔️ | +| [AllowUSBConnection](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowusbconnection) | Enable USB connection between the device and a computer to sync files with the device or to use developer tools or to deploy or debug applications. | | | | ✔️ | +| [AllowVPNOverCellular](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowvpnovercellular) | Specify what type of underlying connections VPN is allowed to use. |✔️ | ✔️ | | ✔️ | +| [AllowVPNRoamingOverCellular](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowvpnroamingovercellular) | Prevent the device from connecting to VPN when the device roams over cellular networks. | ✔️ | ✔️ | | ✔️ | +| HideCellularConnectionMode | Hide the checkbox that lets the user change the connection mode. | ✔️ | ✔️ | | ✔️ | +| HideCellularRoamingOption | Hide the dropdown menu that lets the user change the roaming preferences. | ✔️ | ✔️ | | ✔️ | ## CredentialProviders -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -[DisableAutomaticReDeploymentCredentials](/windows/client-management/mdm/policy-csp-credentialproviders) | This setting disables the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. The Windows 10 Autopilot Reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered the devices are for ready for use by information workers or students. | ✔️ | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +[DisableAutomaticReDeploymentCredentials](/windows/client-management/mdm/policy-csp-credentialproviders) | This setting disables the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. The Windows 10 Autopilot Reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered the devices are for ready for use by information workers or students. | ✔️ | | | | ## Cryptography -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowFipsAlgorithmPolicy](/windows/client-management/mdm/policy-configuration-service-provider#cryptography-allowfipsalgorithmpolicy) | Allow or disallow the Federal Information Processing Standard (FIPS) policy. | ✔️ | ✔️ | | | | -| [TLSCiperSuites](/windows/client-management/mdm/policy-configuration-service-provider#cryptography-tlsciphersuites) | List the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. | ✔️ | ✔️ | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowFipsAlgorithmPolicy](/windows/client-management/mdm/policy-configuration-service-provider#cryptography-allowfipsalgorithmpolicy) | Allow or disallow the Federal Information Processing Standard (FIPS) policy. | ✔️ | | | | +| [TLSCiperSuites](/windows/client-management/mdm/policy-configuration-service-provider#cryptography-tlsciphersuites) | List the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. | ✔️ | | | | ## Defender -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowArchiveScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowarchivescanning) | Allow or disallow scanning of archives. | ✔️ | | | | | -| [AllowBehaviorMonitoring](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowbehaviormonitoring) | Allow or disallow Windows Defender Behavior Monitoring functionality. | ✔️ | | | | | -| [AllowCloudProtection](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowcloudprotection) | To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. | ✔️ | | | | | -| [AllowEmailScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowemailscanning) | Allow or disallow scanning of email. | ✔️ | | | | | -| [AllowFullScanOnMappedNetworkDrives](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowfullscanonmappednetworkdrives) | Allow or disallow a full scan of mapped network drives. | ✔️ | | | | | -| [AllowFullScanRemovableDriveScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowfullscanremovabledrivescanning) | Allow or disallow a full scan of removable drives. | ✔️ | | | | | -| [AllowIOAVProtection](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowioavprotection) | Allow or disallow Windows Defender IOAVP Protection functionality. | ✔️ | | | | | -| [AllowOnAccessProtection](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowonaccessprotection) | Allow or disallow Windows Defender On Access Protection functionality. | ✔️ | | | | | -| [AllowRealtimeMonitoring](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowrealtimemonitoring) | Allow or disallow Windows Defender Realtime Monitoring functionality. | ✔️ | | | | | -| [AllowScanningNetworkFiles](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowscanningnetworkfiles) | Allow or disallow scanning of network files. | ✔️ | | | | | -| [AllowScriptScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowscriptscanning) | Allow or disallow Windows Defender Script Scanning functionality. | ✔️ | | | | | -| [AllowUserUIAccess](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowuseruiaccess) | Allow or disallow user access to the Windows Defender UI. | ✔️ | | | | | -| [AvgCPULoadFactor](/windows/client-management/mdm/policy-configuration-service-provider#defender-avgcpuloadfactor) | Represents the average CPU load factor for the Windows Defeder scan (in percent). | ✔️ | | | | | -| [DaysToRetainCleanedMalware](/windows/client-management/mdm/policy-configuration-service-provider#defender-daystoretaincleanedmalware) | Specify time period (in days) that quarantine items will be stored on the system. | ✔️ | | | | | -| [ExcludedExtensions](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedextensions) | Specify a list of file type extensions to ignore durinng a scan. Separate each file type in the list by using \|. | ✔️ | | | | | -| [ExcludedPaths](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedpaths) | Specify a list of directory paths to ignore during a scan. Separate each path in the list by using \|. | ✔️ | | | | | -| [ExcludedProcesses](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedprocesses) | Specify a list of files opened by processes to ignore durinng a scan. Separate each file type in the list by using \|. The process itself is not excluded from the scan, but can be excluded by using the [Defender/ExcludedPaths](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedpaths) policy to exclude its path. | ✔️ | | | | | -| [RealTimeScanDirection](/windows/client-management/mdm/policy-configuration-service-provider#defender-realtimescandirection) | Control which sets of files should be monitored. | ✔️ | | | | | -| [ScanParameter](/windows/client-management/mdm/policy-configuration-service-provider#defender-scanparameter) | Select whether to perform a quick scan or full scan. | ✔️ | | | | | -| [ScheduleQuickScanTime](/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulequickscantime) | Specify the time of day that Windows Defender quick scan should run. | ✔️ | | | | | -| [ScheduleScanDay](/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulescanday) | Select the day that Windows Defender scan should run. | ✔️ | | | | | -| [ScheduleScanTime](/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulescantime) | Select the time of day that the Windows Defender scan should run. | ✔️ | | | | | -| [SignatureUpdateInterval](/windows/client-management/mdm/policy-configuration-service-provider#defender-signatureupdateinterval) | Specify the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. | ✔️ | | | | | -| [SubmitSamplesConsent](/windows/client-management/mdm/policy-configuration-service-provider#defender-submitsamplesconsent) | Checks for the user consent level in Windows Defender to send data. | ✔️ | | | | | -| [ThreatSeverityDefaultAction](/windows/client-management/mdm/policy-configuration-service-provider#defender-threatseveritydefaultaction) | Specify any valid threat severity levels and the corresponding default action ID to take. | ✔️ | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowArchiveScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowarchivescanning) | Allow or disallow scanning of archives. | ✔️ | | | | +| [AllowBehaviorMonitoring](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowbehaviormonitoring) | Allow or disallow Windows Defender Behavior Monitoring functionality. | ✔️ | | | | +| [AllowCloudProtection](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowcloudprotection) | To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. | ✔️ | | | | +| [AllowEmailScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowemailscanning) | Allow or disallow scanning of email. | ✔️ | | | | +| [AllowFullScanOnMappedNetworkDrives](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowfullscanonmappednetworkdrives) | Allow or disallow a full scan of mapped network drives. | ✔️ | | | | +| [AllowFullScanRemovableDriveScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowfullscanremovabledrivescanning) | Allow or disallow a full scan of removable drives. | ✔️ | | | | +| [AllowIntrusionPreventionSystem](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowintrusionpreventionsystem) | Allow or disallow Windows Defender Intrusion Prevention functionality. | ✔️ | | | | +| [AllowIOAVProtection](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowioavprotection) | Allow or disallow Windows Defender IOAVP Protection functionality. | ✔️ | | | | +| [AllowOnAccessProtection](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowonaccessprotection) | Allow or disallow Windows Defender On Access Protection functionality. | ✔️ | | | | +| [AllowRealtimeMonitoring](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowrealtimemonitoring) | Allow or disallow Windows Defender Realtime Monitoring functionality. | ✔️ | | | | +| [AllowScanningNetworkFiles](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowscanningnetworkfiles) | Allow or disallow scanning of network files. | ✔️ | | | | +| [AllowScriptScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowscriptscanning) | Allow or disallow Windows Defender Script Scanning functionality. | ✔️ | | | | +| [AllowUserUIAccess](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowuseruiaccess) | Allow or disallow user access to the Windows Defender UI. | ✔️ | | | | +| [AvgCPULoadFactor](/windows/client-management/mdm/policy-configuration-service-provider#defender-avgcpuloadfactor) | Represents the average CPU load factor for the Windows Defender scan (in percent). | ✔️ | | | | +| [DaysToRetainCleanedMalware](/windows/client-management/mdm/policy-configuration-service-provider#defender-daystoretaincleanedmalware) | Specify time period (in days) that quarantine items will be stored on the system. | ✔️ | | | | +| [ExcludedExtensions](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedextensions) | Specify a list of file type extensions to ignore during a scan. Separate each file type in the list by using \|. | ✔️ | | | | +| [ExcludedPaths](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedpaths) | Specify a list of directory paths to ignore during a scan. Separate each path in the list by using \|. | ✔️ | | | | +| [ExcludedProcesses](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedprocesses) | Specify a list of files opened by processes to ignore during a scan. Separate each file type in the list by using \|. The process itself is not excluded from the scan, but can be excluded by using the [Defender/ExcludedPaths](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedpaths) policy to exclude its path. | ✔️ | | | | +| [RealTimeScanDirection](/windows/client-management/mdm/policy-configuration-service-provider#defender-realtimescandirection) | Control which sets of files should be monitored. | ✔️ | | | | +| [ScanParameter](/windows/client-management/mdm/policy-configuration-service-provider#defender-scanparameter) | Select whether to perform a quick scan or full scan. | ✔️ | | | | +| [ScheduleQuickScanTime](/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulequickscantime) | Specify the time of day that Windows Defender quick scan should run. | ✔️ | | | | +| [ScheduleScanDay](/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulescanday) | Select the day that Windows Defender scan should run. | ✔️ | | | | +| [ScheduleScanTime](/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulescantime) | Select the time of day that the Windows Defender scan should run. | ✔️ | | | | +| [SignatureUpdateInterval](/windows/client-management/mdm/policy-configuration-service-provider#defender-signatureupdateinterval) | Specify the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. | ✔️ | | | | +| [SubmitSamplesConsent](/windows/client-management/mdm/policy-configuration-service-provider#defender-submitsamplesconsent) | Checks for the user consent level in Windows Defender to send data. | ✔️ | | | | +| [ThreatSeverityDefaultAction](/windows/client-management/mdm/policy-configuration-service-provider#defender-threatseveritydefaultaction) | Specify any valid threat severity levels and the corresponding default action ID to take. | ✔️ | | | | ## DeliveryOptimization -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [DOAbsoluteMaxCacheSize](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-doabsolutemaxcachesize) | Specify the maximum size in GB of Delivery Optimization cache. | ✔️ | | | | | -| [DOAllowVPNPeerCaching](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-doallowvpnpeercaching) | Specify whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. | ✔️ | | | | | -| [DODelayBackgroundDownloadFromHttp](/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodelaybackgrounddownloadfromhttp) | Allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. | ✔️ | | | | | -| [DODelayForegroundDownloadFromHttp](/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodelayforegrounddownloadfromhttp) | Allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. | ✔️ | | | | | -| [DODownloadMode](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dodownloadmode) | Specify the download method that Delivery Optimization can use in downloads of Windows Updates, apps, and app updates. | ✔️ | | | | | -| [DOGroupId](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dogroupid) | Specify an arbitrary group ID that the device belongs to. | ✔️ | | | | | -| [DOGroupIdSource](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dogroupidsource) | Set this policy to restrict peer selection to a specific source | ✔️ | | | | | -| [DOMaxCacheAge](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcacheage) | Specify the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. | ✔️ | | | | | -| [DOMaxCacheSize](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcachesize) | Specify the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). | ✔️ | | | | | -| [DOMaxDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxdownloadbandwidth) | Specify the maximum download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization. | ✔️ | | | | | -| [DOMaxUploadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxuploadbandwidth) | Specify the maximum upload bandwidth in kilobytes/second that a device will use across all concurrent upload activity usinng Delivery Optimization. | ✔️ | | | | | -| [DOMinBackgroundQos](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominbackgroundqos) | Specify the minimum download QoS (Quality of Service or speed) i kilobytes/second for background downloads. | ✔️ | | | | | -| [DOMinBatteryPercentageAllowedToUpload](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominbatterypercentageallowedtoupload) | Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and group peers while on battery power. | ✔️ | | | | | -| [DOMinDiskSizeAllowedToPeer](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domindisksizeallowedtopeer) | Specify the required minimum disk size (capabity in GB) for the device to use Peer Caching. | ✔️ | | | | | -| [DOMinFileSizeToCache](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominfilesizetocache) | Specify the minimum content file size in MB enabled to use Peer Caching. | ✔️ | | | | | -| [DOMinRAMAllowedToPeer](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominramallowedtopeer) | Specify the minimum RAM size in GB requried to use Peer Caching. | ✔️ | | | | | -| [DOModifyCacheDrive](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domodifycachedrive) | Specify the drive that Delivery Optimization should use for its cache. | ✔️ | | | | | -| [DOMonthlyUploadDataCap](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domonthlyuploaddatacap) | Specify the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. | ✔️ | | | | | -| [DOPercentageMaxBackDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxbackgroundbandwidth) | Specify the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | | | -| [DOPercentageMaxDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxdownloadbandwidth) | Specify the maximum download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | | | -| [DOPercentageMaxForeDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxforegroundbandwidth) | Specify the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | | | -| [DORestrictPeerSelectionBy](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dorestrictpeerselectionby) | Set this policy to restrict peer selection by the selected option. | ✔️ | | | | | -| [DOSetHoursToLimitBackgroundDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) | Specify the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | | | -| [DOSetHoursToLimitForegroundDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth) | Specify the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [DOAbsoluteMaxCacheSize](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-doabsolutemaxcachesize) | Specify the maximum size in GB of Delivery Optimization cache. | ✔️ | | | | +| [DOAllowVPNPeerCaching](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-doallowvpnpeercaching) | Specify whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. | ✔️ | | | | +| [DODelayBackgroundDownloadFromHttp](/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodelaybackgrounddownloadfromhttp) | Allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. | ✔️ | | | | +| [DODelayForegroundDownloadFromHttp](/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodelayforegrounddownloadfromhttp) | Allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. | ✔️ | | | | +| [DODownloadMode](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dodownloadmode) | Specify the download method that Delivery Optimization can use in downloads of Windows Updates, apps, and app updates. | ✔️ | | | | +| [DOGroupId](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dogroupid) | Specify an arbitrary group ID that the device belongs to. | ✔️ | | | | +| [DOGroupIdSource](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dogroupidsource) | Set this policy to restrict peer selection to a specific source | ✔️ | | | | +| [DOMaxCacheAge](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcacheage) | Specify the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. | ✔️ | | | | +| [DOMaxCacheSize](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcachesize) | Specify the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). | ✔️ | | | | +| [DOMaxDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxdownloadbandwidth) | Specify the maximum download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization. | ✔️ | | | | +| [DOMaxUploadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxuploadbandwidth) | Specify the maximum upload bandwidth in kilobytes/second that a device will use across all concurrent upload activity using Delivery Optimization. | ✔️ | | | | +| [DOMinBackgroundQos](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominbackgroundqos) | Specify the minimum download QoS (Quality of Service or speed) i kilobytes/second for background downloads. | ✔️ | | | | +| [DOMinBatteryPercentageAllowedToUpload](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominbatterypercentageallowedtoupload) | Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and group peers while on battery power. | ✔️ | | | | +| [DOMinDiskSizeAllowedToPeer](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domindisksizeallowedtopeer) | Specify the required minimum disk size (capacity in GB) for the device to use Peer Caching. | ✔️ | | | | +| [DOMinFileSizeToCache](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominfilesizetocache) | Specify the minimum content file size in MB enabled to use Peer Caching. | ✔️ | | | | +| [DOMinRAMAllowedToPeer](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominramallowedtopeer) | Specify the minimum RAM size in GB required to use Peer Caching. | ✔️ | | | | +| [DOModifyCacheDrive](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domodifycachedrive) | Specify the drive that Delivery Optimization should use for its cache. | ✔️ | | | | +| [DOMonthlyUploadDataCap](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domonthlyuploaddatacap) | Specify the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. | ✔️ | | | | +| [DOPercentageMaxBackDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxbackgroundbandwidth) | Specify the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | | +| [DOPercentageMaxDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxdownloadbandwidth) | Specify the maximum download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | | +| [DOPercentageMaxForeDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxforegroundbandwidth) | Specify the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | | +| [DORestrictPeerSelectionBy](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dorestrictpeerselectionby) | Set this policy to restrict peer selection by the selected option. | ✔️ | | | | +| [DOSetHoursToLimitBackgroundDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) | Specify the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | | +| [DOSetHoursToLimitForegroundDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth) | Specify the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | | ## DeviceGuard -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -[EnableVirtualizationBasedSecurity](/windows/client-management/mdm/policy-csp-deviceguard) | Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. | ✔️ | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +[EnableVirtualizationBasedSecurity](/windows/client-management/mdm/policy-csp-deviceguard) | Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. | ✔️ | | | | ## DeviceLock -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowIdleReturnWithoutPassword](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowidlereturnwithoutpassword) | Specify whether the user must input a PIN or password when the device resumes from an idle state. | | ✔️ | | | | -| [AllowScreenTimeoutWhileLockedUserConfig](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowscreentimeoutwhilelockeduserconfig) | Specify whether to show a user-configurable setting to control the screen timeout while on the lock screen. | | ✔️ | | | | -| [AllowSimpleDevicePassword](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowsimpledevicepassword) | Specify whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. | ✔️ | ✔️ | | ✔️ | | -|[AlphanumericDevicePasswordRequired](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-alphanumericdevicepasswordrequired) | Select the type of PIN or password required. | ✔️ | ✔️ | | ✔️ | | -| [DevicePasswordEnabled](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordenabled) | Specify whether device password is enabled. | ✔️ | ✔️ | | ✔️ | | -| [DevicePasswordExpiration](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordexpiration) | Specify when the password expires (in days). | ✔️ | ✔️ | | ✔️ | | -| [DevicePasswordHistory](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordhistory) | Specify how many passwords can be stored in the history that can't be reused. | ✔️ | ✔️ | | ✔️ | | -| [MaxDevicePasswordFailedAttempts](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-maxdevicepasswordfailedattempts) | Specify the number of authentication failures allowed before the device will be wiped. | ✔️ | ✔️ | | ✔️ | | -| [MaxInactivityTimeDeviceLock](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-maxinactivitytimedevicelock) |Specify the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. | ✔️ | ✔️ | | ✔️ | | -| [MinDevicePasswordComplexCharacters](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordcomplexcharacters) | Specify the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. | ✔️ | ✔️ | | ✔️ | | -| [MinDevicePasswordLength](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordlength) | Specify the minimum number or characters required in the PIN or password. | ✔️ | ✔️ | | ✔️ | | -| [ScreenTimeoutWhileLocked](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-screentimeoutwhilelocked) | Specify the duration in seconds for the screen timeout while on the lock screen. | | ✔️ | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowIdleReturnWithoutPassword](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowidlereturnwithoutpassword) | Specify whether the user must input a PIN or password when the device resumes from an idle state. | | | | | +| [AllowScreenTimeoutWhileLockedUserConfig](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowscreentimeoutwhilelockeduserconfig) | Specify whether to show a user-configurable setting to control the screen timeout while on the lock screen. | | | | | +| [AllowSimpleDevicePassword](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowsimpledevicepassword) | Specify whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. | ✔️ | | ✔️ | | +|[AlphanumericDevicePasswordRequired](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-alphanumericdevicepasswordrequired) | Select the type of PIN or password required. | ✔️ | | ✔️ | | +| [DevicePasswordEnabled](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordenabled) | Specify whether device password is enabled. | ✔️ | | ✔️ | | +| [DevicePasswordExpiration](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordexpiration) | Specify when the password expires (in days). | ✔️ | | ✔️ | | +| [DevicePasswordHistory](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordhistory) | Specify how many passwords can be stored in the history that can't be reused. | ✔️ | | ✔️ | | +| [MaxDevicePasswordFailedAttempts](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-maxdevicepasswordfailedattempts) | Specify the number of authentication failures allowed before the device will be wiped. | ✔️ | | ✔️ | | +| [MaxInactivityTimeDeviceLock](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-maxinactivitytimedevicelock) |Specify the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. | ✔️ | | ✔️ | | +| [MinDevicePasswordComplexCharacters](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordcomplexcharacters) | Specify the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. | ✔️ | | ✔️ | | +| [MinDevicePasswordLength](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordlength) | Specify the minimum number or characters required in the PIN or password. | ✔️ | | ✔️ | | +| [ScreenTimeoutWhileLocked](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-screentimeoutwhilelocked) | Specify the duration in seconds for the screen timeout while on the lock screen. | | | | | ## DeviceManagement -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| DisableMDMEnrollment | Use this setting to prevent the device from enrolling in MDM. | ✔️ | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| DisableMDMEnrollment | Use this setting to prevent the device from enrolling in MDM. | ✔️ | | | | ## Experience -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowCopyPaste](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcopypaste) | Specify whether copy and paste is allowed. | | ✔️ | | | | -| [AllowCortana](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcortana) | Specify whether Cortana is allowed on the device. | ✔️ | ✔️ | | ✔️ | | -| [AllowDeviceDiscovery](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowdevicediscovery) | Allow users to turn device discovery on or off in the UI. | ✔️ | ✔️ | | | | -| [AllowFindMyDevice](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowfindmydevice) | Turn on **Find my device** feature. | ✔️ | ✔️ | | | | -| [AllowManualMDMUnenrollment](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowmanualmdmunenrollment) | Specify whether the user is allowed to delete the workplace account. | ✔️ | ✔️ | | ✔️ | | -| [AllowScreenCapture](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowscreencapture) | Specify whether screen capture is allowed. | | ✔️ | | | | -| [AllowSIMErrorDialogPromptWhenNoSIM](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowsimerrordialogpromptwhennosim) | Specify whether to display a dialog prompt when no SIM card is detected. | | ✔️ | | | | -| [AllowSyncMySettings](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowsyncmysettings) | Allow or disallow all Windows sync settings on the device. | ✔️ | ✔️ | | | | -| [AllowTailoredExperiencesWithDiagnosticData](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowtailoredexperienceswithdiagnosticdata) | Prevent Windows from using diagnostic data to provide customized experiences to the user. | ✔️ | | | | | -| [AllowTaskSwitcher](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowtaskswitcher) | Allow or disallow task switching on the device. | | ✔️ | | | | -| [AllowThirdPartySuggestionsInWindowsSpotlight](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowthirdpartysuggestionsinwindowsspotlight) | Specify whether to allow app and content suggestions from third-party software publishers in Windows Spotlight. | ✔️ | | | | | -| [AllowVoiceRecording](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowvoicerecording) | Specify whether voice recording is allowed for apps. | | ✔️ | | | | -| [AllowWindowsConsumerFeatures](/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) | Turn on experiences that are typically for consumers only, such as Start suggetions, membership notifications, post-OOBE app install, and redirect tiles. | ✔️ | | | | | -| [AllowWindowsSpotlight](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlight) |Specify whether to turn off all Windows Spotlight features at once. | ✔️ | | | | | -| [AllowWindowsSpotlightOnActionCenter](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightonactioncenter) | Prevent Windows Spotlight notifications from being displayed in the Action Center. | ✔️ | | | | | -| [AllowWindowsSpotlightWindowsWelcomeExperience](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightwindowswelcomeexperience) | Turn off the Windows Spotlight Windows welcome experience feature. | ✔️ | | | | | -| [AllowWindowsTips](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowstips) | Enable or disable Windows Tips. | ✔️ | | | | | -| [ConfigureWindowsSpotlightOnLockScreen](/windows/client-management/mdm/policy-configuration-service-provider#experience-configurewindowsspotlightonlockscreen) | Specify whether Spotlight should be used on the user's lock screen. | ✔️ | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowCopyPaste](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcopypaste) | Specify whether copy and paste is allowed. | | | | | +| [AllowCortana](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcortana) | Specify whether Cortana is allowed on the device. | ✔️ | | ✔️ | | +| [AllowDeviceDiscovery](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowdevicediscovery) | Allow users to turn device discovery on or off in the UI. | ✔️ | | | | +| [AllowFindMyDevice](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowfindmydevice) | Turn on **Find my device** feature. | ✔️ | | | | +| [AllowManualMDMUnenrollment](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowmanualmdmunenrollment) | Specify whether the user is allowed to delete the workplace account. | ✔️ | | ✔️ | | +| [AllowScreenCapture](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowscreencapture) | Specify whether screen capture is allowed. | | | | | +| [AllowSIMErrorDialogPromptWhenNoSIM](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowsimerrordialogpromptwhennosim) | Specify whether to display a dialog prompt when no SIM card is detected. | | | | | +| [AllowSyncMySettings](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowsyncmysettings) | Allow or disallow all Windows sync settings on the device. | ✔️ | | | | +| [AllowTailoredExperiencesWithDiagnosticData](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowtailoredexperienceswithdiagnosticdata) | Prevent Windows from using diagnostic data to provide customized experiences to the user. | ✔️ | | | | +| [AllowTaskSwitcher](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowtaskswitcher) | Allow or disallow task switching on the device. | | | | | +| [AllowThirdPartySuggestionsInWindowsSpotlight](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowthirdpartysuggestionsinwindowsspotlight) | Specify whether to allow app and content suggestions from third-party software publishers in Windows Spotlight. | ✔️ | | | | +| [AllowVoiceRecording](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowvoicerecording) | Specify whether voice recording is allowed for apps. | | | | | +| [AllowWindowsConsumerFeatures](/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) | Turn on experiences that are typically for consumers only, such as Start suggestions, membership notifications, post-OOBE app install, and redirect tiles. | ✔️ | | | | +| [AllowWindowsSpotlight](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlight) |Specify whether to turn off all Windows Spotlight features at once. | ✔️ | | | | +| [AllowWindowsSpotlightOnActionCenter](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightonactioncenter) | Prevent Windows Spotlight notifications from being displayed in the Action Center. | ✔️ | | | | +| [AllowWindowsSpotlightWindowsWelcomeExperience](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightwindowswelcomeexperience) | Turn off the Windows Spotlight Windows welcome experience feature. | ✔️ | | | | +| [AllowWindowsTips](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowstips) | Enable or disable Windows Tips. | ✔️ | | | | +| [ConfigureWindowsSpotlightOnLockScreen](/windows/client-management/mdm/policy-configuration-service-provider#experience-configurewindowsspotlightonlockscreen) | Specify whether Spotlight should be used on the user's lock screen. | ✔️ | | | | ## ExploitGuard -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [ExploitProtectionSettings](/windows/client-management/mdm/policy-csp-exploitguard) | See the [explanation of ExploitProtectionSettings](/windows/client-management/mdm/policy-csp-exploitguard) in the Policy CSP for instructions. In the **ExploitProtectionSettings** field, you can enter a path (local, UNC, or URI) to the mitigation options config, or you can enter the XML for the config. | ✔️ | ✔️ | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [ExploitProtectionSettings](/windows/client-management/mdm/policy-csp-exploitguard) | See the [explanation of ExploitProtectionSettings](/windows/client-management/mdm/policy-csp-exploitguard) in the Policy CSP for instructions. In the **ExploitProtectionSettings** field, you can enter a path (local, UNC, or URI) to the mitigation options config, or you can enter the XML for the config. | ✔️ | | | | ## Games -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAdvancedGamingServices](/windows/client-management/mdm/policy-configuration-service-provider#games-allowadvancedgamingservices) | Currently not supported. | ✔️ | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowAdvancedGamingServices](/windows/client-management/mdm/policy-configuration-service-provider#games-allowadvancedgamingservices) | Currently not supported. | ✔️ | | | | ## KioskBrowser These settings apply to the **Kiosk Browser** app available in Microsoft Store. For more information, see [Guidelines for web browsers](../guidelines-for-assigned-access-app.md#guidelines-for-web-browsers). -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -[BlockedUrlExceptions](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurlexceptions) | List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. | ✔️ | | | | | -[BlockedUrls](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurls) | List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. | ✔️ | | | | | -[DefaultURL](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-defaulturl) | Configures the default URL kiosk browsers to navigate on launch and restart. | ✔️ | | | | | -[EnableEndSessionButton](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enableendsessionbutton) | Enable/disable kiosk browser's end session button. | ✔️ | | | | | -[EnableHomeButton](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablehomebutton) | Enable/disable kiosk browser's home button. | ✔️ | | | | | -[EnableNavigationButtons](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablenavigationbuttons) | Enable/disable kiosk browser's navigation buttons (forward/back). | ✔️ | | | | | -[RestartOnIdleTime](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-restartonidletime) | Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser. | ✔️ | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +|[BlockedUrlExceptions](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurlexceptions) | List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. | ✔️ | | | | +|[BlockedUrls](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurls) | List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. | ✔️ | | | | +|[DefaultURL](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-defaulturl) | Configures the default URL kiosk browsers to navigate on launch and restart. | ✔️ | | | | +|[EnableEndSessionButton](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enableendsessionbutton) | Enable/disable kiosk browser's end session button. | ✔️ | | | | +|[EnableHomeButton](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablehomebutton) | Enable/disable kiosk browser's home button. | ✔️ | | | | +|[EnableNavigationButtons](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablenavigationbuttons) | Enable/disable kiosk browser's navigation buttons (forward/back). | ✔️ | | | | +|[RestartOnIdleTime](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-restartonidletime) | Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser. | ✔️ | | | | To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in Windows Configuration Designer: @@ -339,252 +340,253 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in ## LocalPoliciesSecurityOptions -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [InteractiveLogon_DoNotDisplayLastSignedIn](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin) | Specify whether the Windows sign-in screen will show the username of the last person who signed in. | ✔️ | | | | | -| [Shutdown_AllowSystemtobeShutDownWithoutHavingToLogOn](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon) | Specify whether a computer can be shut down without signing in. | ✔️ | | | | | -| [UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers) | Configure how an elevation prompt should behave for standard users. | ✔️ | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [InteractiveLogon_DoNotDisplayLastSignedIn](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin) | Specify whether the Windows sign-in screen will show the username of the last person who signed in. | ✔️ | | | | +| [Shutdown_AllowSystemtobeShutDownWithoutHavingToLogOn](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon) | Specify whether a computer can be shut down without signing in. | ✔️ | | | | +| [UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers) | Configure how an elevation prompt should behave for standard users. | ✔️ | | | | ## Location -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [EnableLocation](/windows/client-management/mdm/policy-configuration-service-provider#location-enablelocation) | Do not use. | | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [EnableLocation](/windows/client-management/mdm/policy-configuration-service-provider#location-enablelocation) | Do not use. | | | | | ## Power -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowStandbyStatesWhenSleepingOnBattery](/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingonbattery) | Specify whether Windows can use standby states when putting the computer in a sleep state while on battery. | ✔️ | | | | | -| [AllowStandbyWhenSleepingPluggedIn](/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingpluggedin) | Specify whether Windows can use standby states when putting the computer in a sleep state while plugged in. | ✔️ | | | | | -| [DisplayOffTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#displayofftimeoutonbattery) | Specify the period of inactivity before Windows turns off the display while on battery. | ✔️ | | | | | -| [DisplayOffTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#displayofftimeoutpluggedin) | Specify the period of inactivity before Windows turns off the display while plugged in. | ✔️ | | | | | -| [EnergySaverBatteryThresholdOnBattery](/windows/client-management/mdm/policy-csp-power#energysaverbatterythresholdonbattery) | Specify the battery charge level at which Energy Saver is turned on while on battery. | ✔️ | | | | | -| [EnergySaverBatteryThresholdPluggedIn](/windows/client-management/mdm/policy-csp-power#EnergySaverBatteryThresholdPluggedIn) | Specify the battery charge level at which Energy Saver is turned on while plugged in. | ✔️ | | | | | -| [HibernateTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#hibernatetimeoutonbattery) | Specify the period of inactivity before Windows transitions the system to hibernate while on battery. | ✔️ | | | | | -| [HibernateTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#hibernatetimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to hibernate while plugged in. | ✔️ | | | | | -| [RequirePasswordWhenComputerWakesOnBattery](/windows/client-management/mdm/policy-csp-power#requirepasswordwhencomputerwakesonbattery) | Specify whether the user is prompted for a password when the system resumes from sleep while on battery. | ✔️ | | | | | -| [RequirePasswordWhenComputerWakesPluggedIn](/windows/client-management/mdm/policy-csp-power#requirepasswordwhencomputerwakespluggedin) | Specify whether the user is prompted for a password when the system resumes from sleep while plugged in. | ✔️ | | | | | -| [SelectLidCloseActionBattery](/windows/client-management/mdm/policy-csp-power#selectlidcloseactionpluggedin) | Select the action to be taken when a user closes the lid on a mobile device while on battery. | ✔️ | | | | | -| [SelectLidCloseActionPluggedIn](/windows/client-management/mdm/policy-csp-power#selectlidcloseactionpluggedin) | Select the action to be taken when a user closes the lid on a mobile device while on plugged in. | ✔️ | | | | | -| [SelectPowerButtonActionOnBattery](/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactiononbattery) | Select the action to be taken when the user presses the power button while on battery. | ✔️ | | | | | -| [SelectPowerButtonActionPluggedIn](/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactionpluggedin) | Select the action to be taken when the user presses the power button while on plugged in. | ✔️ | | | | | -| [SelectSleepButtonActionOnBattery](/windows/client-management/mdm/policy-csp-power#selectsleepbuttonactiononbattery) | Select the action to be taken when the user presses the sleep button while on battery. | ✔️ | | | | | -| [SelectSleepButtonActionPluggedIn](/windows/client-management/mdm/policy-csp-power#selectsleepbuttonactionpluggedin) | Select the action to be taken when the user presses the sleep button while plugged in. | ✔️ | | | | | -| [StandbyTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#StandbyTimeoutOnBattery) | Specify the period of inactivity before Windows transitions the system to sleep while on battery. | ✔️ | | | | | -| [StandbyTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#standbytimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to sleep while plugged in. | ✔️ | | | | | -| [TurnOffHybridSleepOnBattery](/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeponbattery) | Turn off hybrid sleep while on battery. | ✔️ | | | | | -| [TurnOffHybridSleepPluggedIn](/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeppluggedin) | Turn off hybrid sleep while plugged in. | ✔️ | | | | | -| [UnattendedSleepTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutonbattery) | Specify the period of inactivity before Windows transitions the system to sleep automatically when a user is not present while on battery. | ✔️ | | | | | -| [UnattendedSleepTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to sleep automatically when a user is not present while plugged in. | ✔️ | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowStandbyStatesWhenSleepingOnBattery](/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingonbattery) | Specify whether Windows can use standby states when putting the computer in a sleep state while on battery. | ✔️ | | | | +| [AllowStandbyWhenSleepingPluggedIn](/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingpluggedin) | Specify whether Windows can use standby states when putting the computer in a sleep state while plugged in. | ✔️ | | | | +| [DisplayOffTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#displayofftimeoutonbattery) | Specify the period of inactivity before Windows turns off the display while on battery. | ✔️ | | | | +| [DisplayOffTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#displayofftimeoutpluggedin) | Specify the period of inactivity before Windows turns off the display while plugged in. | ✔️ | | | | +| [EnergySaverBatteryThresholdOnBattery](/windows/client-management/mdm/policy-csp-power#energysaverbatterythresholdonbattery) | Specify the battery charge level at which Energy Saver is turned on while on battery. | ✔️ | | | | +| [EnergySaverBatteryThresholdPluggedIn](/windows/client-management/mdm/policy-csp-power#EnergySaverBatteryThresholdPluggedIn) | Specify the battery charge level at which Energy Saver is turned on while plugged in. | ✔️ | | | | +| [HibernateTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#hibernatetimeoutonbattery) | Specify the period of inactivity before Windows transitions the system to hibernate while on battery. | ✔️ | | | | +| [HibernateTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#hibernatetimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to hibernate while plugged in. | ✔️ | | | | +| [RequirePasswordWhenComputerWakesOnBattery](/windows/client-management/mdm/policy-csp-power#requirepasswordwhencomputerwakesonbattery) | Specify whether the user is prompted for a password when the system resumes from sleep while on battery. | ✔️ | | | | +| [RequirePasswordWhenComputerWakesPluggedIn](/windows/client-management/mdm/policy-csp-power#requirepasswordwhencomputerwakespluggedin) | Specify whether the user is prompted for a password when the system resumes from sleep while plugged in. | ✔️ | | | | +| [SelectLidCloseActionBattery](/windows/client-management/mdm/policy-csp-power#selectlidcloseactionpluggedin) | Select the action to be taken when a user closes the lid on a mobile device while on battery. | ✔️ | | | | +| [SelectLidCloseActionPluggedIn](/windows/client-management/mdm/policy-csp-power#selectlidcloseactionpluggedin) | Select the action to be taken when a user closes the lid on a mobile device while on plugged in. | ✔️ | | | | +| [SelectPowerButtonActionOnBattery](/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactiononbattery) | Select the action to be taken when the user presses the power button while on battery. | ✔️ | | | | +| [SelectPowerButtonActionPluggedIn](/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactionpluggedin) | Select the action to be taken when the user presses the power button while on plugged in. | ✔️ | | | | +| [SelectSleepButtonActionOnBattery](/windows/client-management/mdm/policy-csp-power#selectsleepbuttonactiononbattery) | Select the action to be taken when the user presses the sleep button while on battery. | ✔️ | | | | +| [SelectSleepButtonActionPluggedIn](/windows/client-management/mdm/policy-csp-power#selectsleepbuttonactionpluggedin) | Select the action to be taken when the user presses the sleep button while plugged in. | ✔️ | | | | +| [StandbyTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#StandbyTimeoutOnBattery) | Specify the period of inactivity before Windows transitions the system to sleep while on battery. | ✔️ | | | | +| [StandbyTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#standbytimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to sleep while plugged in. | ✔️ | | | | +| [TurnOffHybridSleepOnBattery](/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeponbattery) | Turn off hybrid sleep while on battery. | ✔️ | | | | +| [TurnOffHybridSleepPluggedIn](/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeppluggedin) | Turn off hybrid sleep while plugged in. | ✔️ | | | | +| [UnattendedSleepTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutonbattery) | Specify the period of inactivity before Windows transitions the system to sleep automatically when a user is not present while on battery. | ✔️ | | | | +| [UnattendedSleepTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to sleep automatically when a user is not present while plugged in. | ✔️ | | | | ## Privacy -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAutoAcceptPairingAndPrivacyConsentPrompts](/windows/client-management/mdm/policy-configuration-service-provider#privacy-allowautoacceptpairingandprivacyconsentprompts) | Allow or disallow the automatic acceptance of the pairing and privacy user consent dialog boxes when launching apps. | | ✔️ | | | | -| [AllowInputPersonalization](/windows/client-management/mdm/policy-configuration-service-provider#privacy-allowinputpersonalization) | Allow the use of cloud-based speech services for Cortana, dictation, or Store apps. | ✔️ | ✔️ | | ✔️ | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowAutoAcceptPairingAndPrivacyConsentPrompts](/windows/client-management/mdm/policy-configuration-service-provider#privacy-allowautoacceptpairingandprivacyconsentprompts) | Allow or disallow the automatic acceptance of the pairing and privacy user consent dialog boxes when launching apps. | | | | | +| [AllowInputPersonalization](/windows/client-management/mdm/policy-configuration-service-provider#privacy-allowinputpersonalization) | Allow the use of cloud-based speech services for Cortana, dictation, or Store apps. | ✔️ | | ✔️ | | ## Search -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -[AllowCloudSearch](/windows/client-management/mdm/policy-csp-search#search-allowcloudsearch) | Allow search and Cortana to search cloud sources like OneDrive and SharePoint. T | ✔️ | ✔️ | | | | -[AllowCortanaInAAD](/windows/client-management/mdm/policy-csp-search#search-allowcortanainaad) | This specifies whether the Cortana consent page can appear in the Azure Active Directory (AAD) device out-of-box-experience (OOBE) flow. | ✔️ | | | | | -| [AllowIndexingEncryptedStoresOrItems](/windows/client-management/mdm/policy-configuration-service-provider#search-allowindexingencryptedstoresoritems) | Allow or disallow the indexing of items. | ✔️ | ✔️ | | | | -| [AllowSearchToUseLocation](/windows/client-management/mdm/policy-configuration-service-provider#search-allowsearchtouselocation) | Specify whether search can use location information. | ✔️ | ✔️ | | ✔️ | | -| [AllowUsingDiacritics](/windows/client-management/mdm/policy-configuration-service-provider#search-allowusingdiacritics) | Allow the use of diacritics. | ✔️ | ✔️ | | | | -| [AllowWindowsIndexer](/windows/client-management/mdm/policy-csp-search#search-allowwindowsindexer) | The indexer provides fast file, email, and web history search for apps and system components including Cortana, Outlook, file explorer, and Edge. To do this, it requires access to the file system and app data stores such as Outlook OST files.- **Off** setting disables Windows indexer- **EnterpriseSecure** setting stops the indexer from indexing encrypted files or stores, and is recommended for enterprises using Windows Information Protection (WIP)- **Enterprise** setting reduces potential network loads for enterprises- **Standard** setting is appropriate for consuemrs | ✔️ | ✔️ | | | | -| [AlwaysUseAutoLangDetection](/windows/client-management/mdm/policy-configuration-service-provider#search-alwaysuseautolangdetection) | Specify whether to always use automatic language detection when indexing content and properties. | ✔️ | ✔️ | | | | -| [DoNotUseWebResults](/windows/client-management/mdm/policy-configuration-service-provider#search-donotusewebresults) | Specify whether to allow Search to perform queries on the web. | ✔️ | ✔️ | | | | -| [DisableBackoff](/windows/client-management/mdm/policy-configuration-service-provider#search-disablebackoff) | If enabled, the search indexer backoff feature will be disabled. | ✔️ | ✔️ | | | | -| [DisableRemovableDriveIndexing](/windows/client-management/mdm/policy-configuration-service-provider#search-disableremovabledriveindexing) | Configure whether locations on removable drives can be added to libraries. | ✔️ | ✔️ | | | | -| [PreventIndexingLowDiskSpaceMB](/windows/client-management/mdm/policy-configuration-service-provider#search-preventindexinglowdiskspacemb) | Prevent indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. | ✔️ | ✔️ | | | | -| [PreventRemoteQueries](/windows/client-management/mdm/policy-configuration-service-provider#search-preventremotequeries) | If enabled, clients will be unable to query this device's index remotely. | ✔️ | ✔️ | | | | -| [SafeSearchPermissions](/windows/client-management/mdm/policy-configuration-service-provider#search-safesearchpermissions) | Specify the level of safe search (filtering adult content) required. | | ✔️ | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +[AllowCloudSearch](/windows/client-management/mdm/policy-csp-search#search-allowcloudsearch) | Allow search and Cortana to search cloud sources like OneDrive and SharePoint. T | ✔️ | | | | +[AllowCortanaInAAD](/windows/client-management/mdm/policy-csp-search#search-allowcortanainaad) | This specifies whether the Cortana consent page can appear in the Azure Active Directory (AAD) device out-of-box-experience (OOBE) flow. | ✔️ | | | | +| [AllowIndexingEncryptedStoresOrItems](/windows/client-management/mdm/policy-configuration-service-provider#search-allowindexingencryptedstoresoritems) | Allow or disallow the indexing of items. | ✔️ | | | | +| [AllowSearchToUseLocation](/windows/client-management/mdm/policy-configuration-service-provider#search-allowsearchtouselocation) | Specify whether search can use location information. | ✔️ | | ✔️ | | +| [AllowUsingDiacritics](/windows/client-management/mdm/policy-configuration-service-provider#search-allowusingdiacritics) | Allow the use of diacritics. | ✔️ | | | | +| [AllowWindowsIndexer](/windows/client-management/mdm/policy-csp-search#search-allowwindowsindexer) | The indexer provides fast file, email, and web history search for apps and system components including Cortana, Outlook, file explorer, and Edge. To do this, it requires access to the file system and app data stores such as Outlook OST files.- **Off** setting disables Windows indexer- **EnterpriseSecure** setting stops the indexer from indexing encrypted files or stores, and is recommended for enterprises using Windows Information Protection (WIP)- **Enterprise** setting reduces potential network loads for enterprises- **Standard** setting is appropriate for consumers | ✔️ | | | | +| [AlwaysUseAutoLangDetection](/windows/client-management/mdm/policy-configuration-service-provider#search-alwaysuseautolangdetection) | Specify whether to always use automatic language detection when indexing content and properties. | ✔️ | | | | +| [DoNotUseWebResults](/windows/client-management/mdm/policy-configuration-service-provider#search-donotusewebresults) | Specify whether to allow Search to perform queries on the web. | ✔️ | | | | +| [DisableBackoff](/windows/client-management/mdm/policy-configuration-service-provider#search-disablebackoff) | If enabled, the search indexer backoff feature will be disabled. | ✔️ | | | | +| [DisableRemovableDriveIndexing](/windows/client-management/mdm/policy-configuration-service-provider#search-disableremovabledriveindexing) | Configure whether locations on removable drives can be added to libraries. | ✔️ | | | | +| [PreventIndexingLowDiskSpaceMB](/windows/client-management/mdm/policy-configuration-service-provider#search-preventindexinglowdiskspacemb) | Prevent indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. | ✔️ | | | | +| [PreventRemoteQueries](/windows/client-management/mdm/policy-configuration-service-provider#search-preventremotequeries) | If enabled, clients will be unable to query this device's index remotely. | ✔️ | | | | +| [SafeSearchPermissions](/windows/client-management/mdm/policy-configuration-service-provider#search-safesearchpermissions) | Specify the level of safe search (filtering adult content) required. | | | | | ## Security -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAddProvisioningPackage](/windows/client-management/mdm/policy-configuration-service-provider#security-allowaddprovisioningpackage) | Specify whether to allow installation of provisioning packages. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowManualRootCertificateInstallation](/windows/client-management/mdm/policy-configuration-service-provider#security-allowmanualrootcertificateinstallation) | Specify whether the user is allowed to manually install root and intermediate CA certificates. | | ✔️ | | | | -| [AllowRemoveProvisioningPackage](/windows/client-management/mdm/policy-configuration-service-provider#security-allowremoveprovisioningpackage) | Specify whether removal of provisioning packages is allowed. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AntiTheftMode](/windows/client-management/mdm/policy-configuration-service-provider#security-antitheftmode) | Allow or disallow Anti Theft Mode on the device. | | ✔️ | | | | -| [RequireDeviceEncryption](/windows/client-management/mdm/policy-configuration-service-provider#security-requiredeviceencryption) | Specify whether encryption is required. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [RequireProvisioningPackageSignature](/windows/client-management/mdm/policy-configuration-service-provider#security-requireprovisioningpackagesignature) | Specify whether provisioning packages must have a certificate signed by a device-trusted authority. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [RequireRetrieveHealthCertificateOnBoot](/windows/client-management/mdm/policy-configuration-service-provider#security-requireretrievehealthcertificateonboot) | Specify whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service when a device boots or reboots. | ✔️ | ✔️ | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowAddProvisioningPackage](/windows/client-management/mdm/policy-configuration-service-provider#security-allowaddprovisioningpackage) | Specify whether to allow installation of provisioning packages. | ✔️ | ✔️ | | ✔️ | +| [AllowManualRootCertificateInstallation](/windows/client-management/mdm/policy-configuration-service-provider#security-allowmanualrootcertificateinstallation) | Specify whether the user is allowed to manually install root and intermediate CA certificates. | | | | | +| [AllowRemoveProvisioningPackage](/windows/client-management/mdm/policy-configuration-service-provider#security-allowremoveprovisioningpackage) | Specify whether removal of provisioning packages is allowed. | ✔️ | ✔️ | | ✔️ | +| [AntiTheftMode](/windows/client-management/mdm/policy-configuration-service-provider#security-antitheftmode) | Allow or disallow Anti Theft Mode on the device. | | | | | +| [RequireDeviceEncryption](/windows/client-management/mdm/policy-configuration-service-provider#security-requiredeviceencryption) | Specify whether encryption is required. | ✔️ | ✔️ | ✔️ | ✔️ | +| [RequireProvisioningPackageSignature](/windows/client-management/mdm/policy-configuration-service-provider#security-requireprovisioningpackagesignature) | Specify whether provisioning packages must have a certificate signed by a device-trusted authority. | ✔️ | ✔️ | | ✔️ | +| [RequireRetrieveHealthCertificateOnBoot](/windows/client-management/mdm/policy-configuration-service-provider#security-requireretrievehealthcertificateonboot) | Specify whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service when a device boots or reboots. | ✔️ | | | | ## Settings -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAutoPlay](/windows/client-management/mdm/policy-configuration-service-provider#settings-allowautoplay) | Allow the user to change AutoPlay settings. | | ✔️ | | | | -| [AllowDataSense](/windows/client-management/mdm/policy-configuration-service-provider#settings-allowdatasense) | Allow the user to change Data Sense settings. | | ✔️ | | | | -| [AllowVPN](/windows/client-management/mdm/policy-configuration-service-provider#settings-allowvpn) | Allow the user to change VPN settings. | | ✔️ | | ✔️ | | -| [ConfigureTaskbarCalendar](/windows/client-management/mdm/policy-configuration-service-provider#settings-configuretaskbarcalendar) | Configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. | ✔️ | | | | | -[PageVisiblityList](/windows/client-management/mdm/policy-csp-settings#settings-pagevisibilitylist) | Allows IT admins to prevent specific pages in the System Settings app from being visible or accessible. Pages are identified by a shortened version of their already [published URIs](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference), which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons. | ✔️ | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowAutoPlay](/windows/client-management/mdm/policy-configuration-service-provider#settings-allowautoplay) | Allow the user to change AutoPlay settings. | | | | | +| [AllowDataSense](/windows/client-management/mdm/policy-configuration-service-provider#settings-allowdatasense) | Allow the user to change Data Sense settings. | | | | | +| [AllowVPN](/windows/client-management/mdm/policy-configuration-service-provider#settings-allowvpn) | Allow the user to change VPN settings. | | | ✔️ | | +| [ConfigureTaskbarCalendar](/windows/client-management/mdm/policy-configuration-service-provider#settings-configuretaskbarcalendar) | Configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. | ✔️ | | | | +[PageVisiblityList](/windows/client-management/mdm/policy-csp-settings#settings-pagevisibilitylist) | Allows IT admins to prevent specific pages in the System Settings app from being visible or accessible. Pages are identified by a shortened version of their already [published URIs](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference), which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons. | ✔️ | | | | ## Start -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowPinnedFolderDocuments](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdocuments) | Control the visibility of the Documents shortcut on the Start menu. | ✔️ | | | | | -| [AllowPinnedFolderDownloads](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdownloads) | Control the visibility of the Downloadds shortcut on the Start menu. | ✔️ | | | | | -| [AllowPinnedFolderFileExplorer](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderfileexplorer) | Control the visibility of the File Explorer shortcut on the Start menu. | ✔️ | | | | | -| [AllowPinnedFolderHomeGroup](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderhomegroup) | Control the visibility of the Home Group shortcut on the Start menu. | ✔️ | | | | | -| [AllowPinnedFolderMusic](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldermusic) | Control the visibility of the Music shortcut on the Start menu. | ✔️ | | | | | -| [AllowPinnedFolderNetwork](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldernetwork) | Control the visibility of the Network shortcut on the Start menu. | ✔️ | | | | | -| [AllowPinnedFolderPersonalFolder](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpersonalfolder) | Control the visibility of the Personal Folder shortcut on the Start menu. | ✔️ | | | | | -| [AllowPinnedFolderPictures](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpictures) | Control the visibility of the Pictures shortcut on the Start menu. | ✔️ | | | | | -| [AllowPinnedFolderSettings](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | Control the visibility of the Settings shortcut on the Start menu. | ✔️ | | | | | -| [AllowPinnedFolderVideos](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldervideos) |Control the visibility of the Videos shortcut on the Start menu. | ✔️ | | | | | -DisableContextMenus | Prevent context menus from being invoked in the Start menu. | ✔️ | | | | | -| [ForceStartSize](/windows/client-management/mdm/policy-configuration-service-provider#start-forcestartsize) | Force the size of the Start screen. | ✔️ | | | | | -| [HideAppList](/windows/client-management/mdm/policy-configuration-service-provider#start-hideapplist) | Collapse or remove the all apps list. | ✔️ | | | | | -| [HideChangeAccountSettings](/windows/client-management/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) | Hide **Change account settings** from appearing in the user tile. | ✔️ | | | | | -| [HideFrequentlyUsedApps](/windows/client-management/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps) | Hide **Most used** section of Start. | ✔️ | | | | | -| [HideHibernate](/windows/client-management/mdm/policy-configuration-service-provider#start-hidehibernate) | Prevent **Hibernate** option from appearing in the Power button. | ✔️ | | | | | -| [HideLock](/windows/client-management/mdm/policy-configuration-service-provider#start-hidelock) | Prevent **Lock** from appearing in the user tile. | ✔️ | | | | | -| HidePeopleBar | Remove the people icon from the taskbar, as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. | ✔️ | | | | | -| [HidePowerButton](/windows/client-management/mdm/policy-configuration-service-provider#start-hidepowerbutton) | Hide the **Power** button. | ✔️ | | | | | -| [HideRecentJumplists](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentjumplists) | Hide jumplists of recently opened items. | ✔️ | | | | | -| [HideRecentlyAddedApps](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps) | Hide **Recently added** section of Start. | ✔️ | | | | | -| [HideRestart](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderestart) | Prevent **Restart** and **Update and restart** from appearing in the Power button. | ✔️ | | | | | -| [HideShutDown](/windows/client-management/mdm/policy-configuration-service-provider#start-hideshutdown) | Prevent **Shut down** and **Update and shut down** from appearing in the Power button. | ✔️ | | | | | -| [HideSignOut](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesignout) | Prevent **Sign out** from appearing in the user tile. | ✔️ | | | | | -| [HideSleep](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesleep) | Prevent **Sleep** from appearing in the Power button. | ✔️ | | | | | -| [HideSwitchAccount](/windows/client-management/mdm/policy-configuration-service-provider#start-hideswitchaccount) | Prevent **Switch account** from appearing in the user tile. | ✔️ | | | | | -| [HideUserTile](/windows/client-management/mdm/policy-configuration-service-provider#start-hideusertile) | Hide the user tile. | ✔️ | | | | | -| [ImportEdgeAssets](/windows/client-management/mdm/policy-configuration-service-provider#start-importedgeassets) | Import Edge assets for secondary tiles. For more information, see [Add image for secondary Microsoft Edge tiles](../start-secondary-tiles.md). | ✔️ | | | | | -| [NoPinningToTaskbar](/windows/client-management/mdm/policy-configuration-service-provider#start-nopinningtotaskbar) | Prevent users from pinning and unpinning apps on the taskbar. | ✔️ | | | | | -| [StartLayout](/windows/client-management/mdm/policy-configuration-service-provider#start-startlayout) | Apply a custom Start layout. For more information, see [Customize Windows 10 Start and taskbar with provisioning packages](../customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) | ✔️ | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowPinnedFolderDocuments](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdocuments) | Control the visibility of the Documents shortcut on the Start menu. | ✔️ | | | | +| [AllowPinnedFolderDownloads](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdownloads) | Control the visibility of the Downloads shortcut on the Start menu. | ✔️ | | | | +| [AllowPinnedFolderFileExplorer](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderfileexplorer) | Control the visibility of the File Explorer shortcut on the Start menu. | ✔️ | | | | +| [AllowPinnedFolderHomeGroup](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderhomegroup) | Control the visibility of the Home Group shortcut on the Start menu. | ✔️ | | | | +| [AllowPinnedFolderMusic](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldermusic) | Control the visibility of the Music shortcut on the Start menu. | ✔️ | | | | +| [AllowPinnedFolderNetwork](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldernetwork) | Control the visibility of the Network shortcut on the Start menu. | ✔️ | | | | +| [AllowPinnedFolderPersonalFolder](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpersonalfolder) | Control the visibility of the Personal Folder shortcut on the Start menu. | ✔️ | | | | +| [AllowPinnedFolderPictures](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpictures) | Control the visibility of the Pictures shortcut on the Start menu. | ✔️ | | | | +| [AllowPinnedFolderSettings](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | Control the visibility of the Settings shortcut on the Start menu. | ✔️ | | | | +| [AllowPinnedFolderVideos](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldervideos) |Control the visibility of the Videos shortcut on the Start menu. | ✔️ | | | | +| DisableContextMenus | Prevent context menus from being invoked in the Start menu. | ✔️ | | | | +| [ForceStartSize](/windows/client-management/mdm/policy-configuration-service-provider#start-forcestartsize) | Force the size of the Start screen. | ✔️ | | | | +| [HideAppList](/windows/client-management/mdm/policy-configuration-service-provider#start-hideapplist) | Collapse or remove the all apps list. | ✔️ | | | | +| [HideChangeAccountSettings](/windows/client-management/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) | Hide **Change account settings** from appearing in the user tile. | ✔️ | | | | +| [HideFrequentlyUsedApps](/windows/client-management/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps) | Hide **Most used** section of Start. | ✔️ | | | | +| [HideHibernate](/windows/client-management/mdm/policy-configuration-service-provider#start-hidehibernate) | Prevent **Hibernate** option from appearing in the Power button. | ✔️ | | | | +| [HideLock](/windows/client-management/mdm/policy-configuration-service-provider#start-hidelock) | Prevent **Lock** from appearing in the user tile. | ✔️ | | | | +| HidePeopleBar | Remove the people icon from the taskbar, as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. | ✔️ | | | | +| [HidePowerButton](/windows/client-management/mdm/policy-configuration-service-provider#start-hidepowerbutton) | Hide the **Power** button. | ✔️ | | | | +| [HideRecentJumplists](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentjumplists) | Hide jumplists of recently opened items. | ✔️ | | | | +| [HideRecentlyAddedApps](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps) | Hide **Recently added** section of Start. | ✔️ | | | | +| [HideRestart](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderestart) | Prevent **Restart** and **Update and restart** from appearing in the Power button. | ✔️ | | | | +| [HideShutDown](/windows/client-management/mdm/policy-configuration-service-provider#start-hideshutdown) | Prevent **Shut down** and **Update and shut down** from appearing in the Power button. | ✔️ | | | | +| [HideSignOut](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesignout) | Prevent **Sign out** from appearing in the user tile. | ✔️ | | | | +| [HideSleep](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesleep) | Prevent **Sleep** from appearing in the Power button. | ✔️ | | | | +| [HideSwitchAccount](/windows/client-management/mdm/policy-configuration-service-provider#start-hideswitchaccount) | Prevent **Switch account** from appearing in the user tile. | ✔️ | | | | +| [HideUserTile](/windows/client-management/mdm/policy-configuration-service-provider#start-hideusertile) | Hide the user tile. | ✔️ | | | | +| [ImportEdgeAssets](/windows/client-management/mdm/policy-configuration-service-provider#start-importedgeassets) | Import Edge assets for secondary tiles. For more information, see [Add image for secondary Microsoft Edge tiles](../start-secondary-tiles.md). | ✔️ | | | | +| [NoPinningToTaskbar](/windows/client-management/mdm/policy-configuration-service-provider#start-nopinningtotaskbar) | Prevent users from pinning and unpinning apps on the taskbar. | ✔️ | | | | +| [StartLayout](/windows/client-management/mdm/policy-configuration-service-provider#start-startlayout) | Apply a custom Start layout. For more information, see [Customize Windows 10 Start and taskbar with provisioning packages](../customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) | ✔️ | | | | ## System -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowBuildPreview](/windows/client-management/mdm/policy-configuration-service-provider#system-allowbuildpreview) | Specify whether users can access the Insider build controls in the **Advanced Options** for Windows Update. | ✔️ | ✔️ | | | | -| [AllowEmbeddedMode](/windows/client-management/mdm/policy-configuration-service-provider#system-allowembeddedmode) | Specify whether to set general purpose device to be in embedded mode. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowExperimentation](/windows/client-management/mdm/policy-configuration-service-provider#system-allowexperimentation) | Determine the level that Microsoft can experiment with the product to study user preferences or device behavior. | ✔️ | ✔️ | | | | -| [AllowLocation](/windows/client-management/mdm/policy-configuration-service-provider#system-allowlocation) | Specify whether to allow app access to the Location service. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [AllowStorageCard](/windows/client-management/mdm/policy-configuration-service-provider#system-allowstoragecard) | Specify whether the user is allowed to use the storage card for device storage. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowTelemetry](/windows/client-management/mdm/policy-configuration-service-provider#system-allowtelemetry) | Allow the device to send diagnostic and usage data. | ✔️ | ✔️ | | ✔️ | | -| [AllowUserToResetPhone](/windows/client-management/mdm/policy-configuration-service-provider#system-allowusertoresetphone) | Allow the user to factory reset the phone. | ✔️ | ✔️ | | | | -ConfigureTelemetryOptInChangeNotification | This policy setting determines whether a device shows notifications about telemetry levels to people on first sign-in or when changes occur in Settings. | ✔️ | ✔️ | | | | -ConfigureTelemetryOptInSettingsUx | This policy setting determines whether people can change their own telemetry levels in Settings | ✔️ | ✔️ | | | | -| DisableDeviceDelete | Specify whether the delete diagnostic data is enabled in the Diagnostic & Feedback Settings page. | ✔️ | ✔️ | | | | -| DisableDataDiagnosticViewer | Configure whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & Feedback Settings page. | ✔️ | ✔️ | | | | -| [DisableOneDriveFileSync](/windows/client-management/mdm/policy-configuration-service-provider#system-disableonedrivefilesync) | Prevent apps and features from working with files on OneDrive. | ✔️ | | | | | -| [LimitEnhancedDiagnosticDataWindowsAnalytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics) | This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must enable this policy setting, and set Allow Telemetry to level 2 (Enhanced). When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented in [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields). Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level diagnostic data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. | ✔️ | ✔️ | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowBuildPreview](/windows/client-management/mdm/policy-configuration-service-provider#system-allowbuildpreview) | Specify whether users can access the Insider build controls in the **Advanced Options** for Windows Update. | ✔️ | | | | +| [AllowEmbeddedMode](/windows/client-management/mdm/policy-configuration-service-provider#system-allowembeddedmode) | Specify whether to set general purpose device to be in embedded mode. | ✔️ | ✔️ | | ✔️ | +| [AllowExperimentation](/windows/client-management/mdm/policy-configuration-service-provider#system-allowexperimentation) | Determine the level that Microsoft can experiment with the product to study user preferences or device behavior. | ✔️ | | | | +| [AllowLocation](/windows/client-management/mdm/policy-configuration-service-provider#system-allowlocation) | Specify whether to allow app access to the Location service. | ✔️ | ✔️ | ✔️ | ✔️ | +| [AllowStorageCard](/windows/client-management/mdm/policy-configuration-service-provider#system-allowstoragecard) | Specify whether the user is allowed to use the storage card for device storage. | ✔️ | ✔️ | | ✔️ | +| [AllowTelemetry](/windows/client-management/mdm/policy-configuration-service-provider#system-allowtelemetry) | Allow the device to send diagnostic and usage data. | ✔️ | | ✔️ | | +| [AllowUserToResetPhone](/windows/client-management/mdm/policy-configuration-service-provider#system-allowusertoresetphone) | Allow the user to factory reset the phone. | ✔️ | | | | +ConfigureTelemetryOptInChangeNotification | This policy setting determines whether a device shows notifications about telemetry levels to people on first sign-in or when changes occur in Settings. | ✔️ | | | | +ConfigureTelemetryOptInSettingsUx | This policy setting determines whether people can change their own telemetry levels in Settings | ✔️ | | | | +| DisableDeviceDelete | Specify whether the delete diagnostic data is enabled in the Diagnostic & Feedback Settings page. | ✔️ | | | | +| DisableDataDiagnosticViewer | Configure whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & Feedback Settings page. | ✔️ | | | | +| [DisableOneDriveFileSync](/windows/client-management/mdm/policy-configuration-service-provider#system-disableonedrivefilesync) | Prevent apps and features from working with files on OneDrive. | ✔️ | | | | +| [LimitEnhancedDiagnosticDataWindowsAnalytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics) | This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must enable this policy setting, and set Allow Telemetry to level 2 (Enhanced). When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented in [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields). Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level diagnostic data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. | ✔️ | | | | ## TextInput -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowIMELogging](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowimelogging) | Allow the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input. | ✔️ | | | | | -| [AllowIMENetworkAccess](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowimenetworkaccess) | Allow the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary. | ✔️ | | | | | -| [AllowInputPanel](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowinputpanel) | Disable the touch/handwriting keyboard. | ✔️ | | | | | -| [AllowJapaneseIMESurrogatePairCharacters](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseimesurrogatepaircharacters) | Allow the Japanese IME surrogate pair characters. | ✔️ | | | | | -| [AllowJapaneseIVSCharacters](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseivscharacters) | Allow Japanese Ideographic Variation Sequence (IVS) characters. | ✔️ | | | | | -| [AllJapaneseNonPublishingStandardGlyph](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapanesenonpublishingstandardglyph) | All the Japanese non-publishing standard glyph. | ✔️ | | | | | -| [AllowJapaneseUserDictionary](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseuserdictionary) | Allow the Japanese user dictionary. | ✔️ | | | | | -| [AllowKeyboardTextSuggestions](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowkeyboardtextsuggestions) | Specify whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. | ✔️ | | | | | -| [AllowLanguageFeaturesUninstall](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowlanguagefeaturesuninstall) | All language features to be uninstalled. | ✔️ | | | | | -| AllowUserInputsFromMiracastRecevier | Do not use. Instead, use [WirelessDisplay](#wirelessdisplay)/[AllowUserInputFromWirelessDisplayReceiver](/windows/client-management/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | | | | | | -| [ExcludeJapaneseIMEExceptISO208](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208) | Allow users to restrict character code range of conversion by setting the character filter. | ✔️ | | | | | -| [ExcludeJapaneseIMEExceptISO208andEUDC](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208andeudc) | Allow users to restrict character code range of conversion by setting the character filter. | ✔️ | | | | | -| [ExcludeJapaneseIMEExceptShiftJIS](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptshiftjis) | Allow users to restrict character code range of conversion by setting the character filter. | ✔️ | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowIMELogging](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowimelogging) | Allow the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input. | ✔️ | | | | +| [AllowIMENetworkAccess](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowimenetworkaccess) | Allow the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary. | ✔️ | | | | +| [AllowInputPanel](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowinputpanel) | Disable the touch/handwriting keyboard. | ✔️ | | | | +| [AllowJapaneseIMESurrogatePairCharacters](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseimesurrogatepaircharacters) | Allow the Japanese IME surrogate pair characters. | ✔️ | | | | +| [AllowJapaneseIVSCharacters](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseivscharacters) | Allow Japanese Ideographic Variation Sequence (IVS) characters. | ✔️ | | | | +| [AllJapaneseNonPublishingStandardGlyph](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapanesenonpublishingstandardglyph) | All the Japanese non-publishing standard glyph. | ✔️ | | | | +| [AllowJapaneseUserDictionary](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseuserdictionary) | Allow the Japanese user dictionary. | ✔️ | | | | +| [AllowKeyboardTextSuggestions](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowkeyboardtextsuggestions) | Specify whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. | ✔️ | | | | +| [AllowLanguageFeaturesUninstall](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowlanguagefeaturesuninstall) | All language features to be uninstalled. | ✔️ | | | | +| AllowUserInputsFromMiracastRecevier | Do not use. Instead, use [WirelessDisplay](#wirelessdisplay)/[AllowUserInputFromWirelessDisplayReceiver](/windows/client-management/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | | | | | +| [ExcludeJapaneseIMEExceptISO208](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208) | Allow users to restrict character code range of conversion by setting the character filter. | ✔️ | | | | +| [ExcludeJapaneseIMEExceptISO208andEUDC](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208andeudc) | Allow users to restrict character code range of conversion by setting the character filter. | ✔️ | | | | +| [ExcludeJapaneseIMEExceptShiftJIS](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptshiftjis) | Allow users to restrict character code range of conversion by setting the character filter. | ✔️ | | | | ## TimeLanguageSettings -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowSet24HourClock](/windows/client-management/mdm/policy-configuration-service-provider#timelanguagesettings-allowset24hourclock) | Configure the default clock setting to be the 24 hour format. | | ✔️ | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowSet24HourClock](/windows/client-management/mdm/policy-configuration-service-provider#timelanguagesettings-allowset24hourclock) | Configure the default clock setting to be the 24 hour format. | | | | | ## Update -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------:|:---------------:|:-----------:|:--------:|:--------:| -| [ActiveHoursEnd](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update rboots are not scheduled. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [ActiveHoursMaxRange](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [ActiveHoursStart](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update reboots are not scheduled. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](/windows/client-management/mdm/policy-csp-update#update-allowautowindowsupdatedownloadovermeterednetwork) | Option to download updates automatically over metered connections (off by default). Enter `0` for not allowed, or `1` for allowed. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowMUUpdateService](/windows/client-management/mdm/policy-configuration-service-provider#update-allowmuupdateservice) | Manage whether to scan for app updates from Microsoft Update. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [AllowNonMicrosoftSignedUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | Manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowUpdateService](/windows/client-management/mdm/policy-configuration-service-provider#update-allowupdateservice) | Specify whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [AutoRestartDeadlinePeriodInDays](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindaysforfeatureupdates) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AutoRestartNotificationSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartnotificationschedule) | Specify the period for auto-restart reminder notifications. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AutoRestartRequiredNotificationDismissal](/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartrequirednotificationdismissal) | Specify the method by which the auto-restart required notification is dismissed. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [BranchReadinessLevel](/windows/client-management/mdm/policy-configuration-service-provider#update-branchreadinesslevel) | Select which branch a device receives their updates from. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-configuration-service-provider#update-deferfeatureupdatesperiodindays) | Defer Feature Updates for the specified number of days. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [DeferQualityUpdatesPeriodInDays](/windows/client-management/mdm/policy-configuration-service-provider#update-deferqualityupdatesperiodindays) | Defer Quality Updates for the specified number of days. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [DeferUpdatePeriod](/windows/client-management/mdm/policy-csp-update#update-deferupdateperiod) | Specify update delays for up to 4 weeks. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [DeferUpgradePeriod](/windows/client-management/mdm/policy-csp-update#update-deferupgradeperiod) | Specify upgrade delays for up to 8 months. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [DetectionFrequency](/windows/client-management/mdm/policy-configuration-service-provider#update-detectionfrequency) | Specify the frequency to scan for updates, from every 1-22 hours. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [DisableDualScan](/windows/client-management/mdm/policy-csp-update#update-disabledualscan) | Do not allow update deferral policies to cause scans against Windows Update. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [EngagedRestartDeadline](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadline) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [EngagedRestartDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadlineforfeatureupdates) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [EngagedRestartSnoozeSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozeschedule) | Specify the number of days a user can snooze Engaged restart reminder notifications. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [EngagedRestartSnoozeScheduleForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozescheduleforfeatureupdates) | Specify the number of days a user can snooze Engaged restart reminder notifications. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [EngagedRestartTransitionSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionschedule) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [EngagedRestartTransitionScheduleForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionscheduleforfeatureupdates) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | Exclude Windws Update (WU) drivers during quality updates. | ✔️ | | ✔️ | | ✔️ | -| [FillEmptyContentUrls](/windows/client-management/mdm/policy-configuration-service-provider#update-fillemptycontenturls) | Allow Windows Update Agent to determine the download URL when it is missing from the metadata. | ✔️ | ✔️ | ✔️ | | ✔️ | -| ManagePreviewBuilds | Use to enable or disable preview builds. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| PhoneUpdateRestrictions | Deprecated | | ✔️ | | | | -| [RequireDeferUpgrade](/windows/client-management/mdm/policy-configuration-service-provider#update-requiredeferupgrade) | Configure device to receive updates from Current Branch for Business (CBB). | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [ScheduledInstallDay](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstallday) | Schedule the day for update installation. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek) | To schedule update installation every week, set the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [ScheduledInstallFirstWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfirstweek) | To schedule update installation the first week of the month, see the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [ScheduledInstallFourthWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfourthweek) | To schedule update installation the fourth week of the month, see the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [ScheduledInstallSecondWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallsecondweek) | To schedule update installation the second week of the month, see the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [ScheduledInstallThirdWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallthirdweek) | To schedule update installation the third week of the month, see the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [ScheduledInstallTime](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstalltime) | Schedule the time for update installation. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [ScheduleImminentRestartWarning](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduleimminentrestartwarning) | Specify the period for auto-restart imminent warning notifications. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [ScheduleRestartWarning](/windows/client-management/mdm/policy-configuration-service-provider#update-schedulerestartwarning) | Specify the period for auto-restart warning reminder notifications. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [SetAutoRestartNotificationDisable](/windows/client-management/mdm/policy-configuration-service-provider#update-setautorestartnotificationdisable) | Disable auto-restart notifications for update installations. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [SetDisablePauseUXAccess](/windows/client-management/mdm/policy-configuration-service-provider#update-setdisablepauseuxaccess) | Disable access to scan Windows Update. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [SetDisableUXWUAccess](/windows/client-management/mdm/policy-configuration-service-provider#update-setdisableuxwuaccess) | Disable the **Pause updates** feature. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [SetEDURestart](/windows/client-management/mdm/policy-configuration-service-provider#update-setedurestart) | Skip the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. | ✔️ | ✔️ | ✔️ | | ✔️ | -| UpdateNotificationLevel | Specify whether to enable or disable Windows Update notifications, including restart warnings. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [UpdateServiceUrl](/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurl) | Configure the device to check for updates from a WSUS server instead of Microsoft Update. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [UpdateServiceUrlAlternate](/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | Specify an alternate intranet server to host updates from Microsoft Update. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +|---------|-------------|:--------------:|:-----------:|:--------:|:--------:| +| [ActiveHoursEnd](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update reboots are not scheduled. | ✔️ | ✔️ | | ✔️ | +| [ActiveHoursMaxRange](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range. | ✔️ | ✔️ | | ✔️ | +| [ActiveHoursStart](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update reboots are not scheduled. | ✔️ | ✔️ | | ✔️ | +| [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | ✔️ | ✔️ | ✔️ | ✔️ | +| [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](/windows/client-management/mdm/policy-csp-update#update-allowautowindowsupdatedownloadovermeterednetwork) | Option to download updates automatically over metered connections (off by default). Enter `0` for not allowed, or `1` for allowed. | ✔️ | ✔️ | | ✔️ | +| [AllowMUUpdateService](/windows/client-management/mdm/policy-configuration-service-provider#update-allowmuupdateservice) | Manage whether to scan for app updates from Microsoft Update. | ✔️ | ✔️ | ✔️ | ✔️ | +| [AllowNonMicrosoftSignedUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | Manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. | ✔️ | ✔️ | | ✔️ | +| [AllowUpdateService](/windows/client-management/mdm/policy-configuration-service-provider#update-allowupdateservice) | Specify whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. | ✔️ | ✔️ | ✔️ | ✔️ | +| [AutoRestartDeadlinePeriodInDays](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | ✔️ | ✔️ | | ✔️ | +| [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindaysforfeatureupdates) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | ✔️ | ✔️ | | ✔️ | +| [AutoRestartNotificationSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartnotificationschedule) | Specify the period for auto-restart reminder notifications. | ✔️ | ✔️ | | ✔️ | +| [AutoRestartRequiredNotificationDismissal](/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartrequirednotificationdismissal) | Specify the method by which the auto-restart required notification is dismissed. | ✔️ | ✔️ | | ✔️ | +| [BranchReadinessLevel](/windows/client-management/mdm/policy-configuration-service-provider#update-branchreadinesslevel) | Select which branch a device receives their updates from. | ✔️ | ✔️ | ✔️ | ✔️ | +| [DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-configuration-service-provider#update-deferfeatureupdatesperiodindays) | Defer Feature Updates for the specified number of days. | ✔️ | ✔️ | | ✔️ | +| [DeferQualityUpdatesPeriodInDays](/windows/client-management/mdm/policy-configuration-service-provider#update-deferqualityupdatesperiodindays) | Defer Quality Updates for the specified number of days. | ✔️ | ✔️ | | ✔️ | +| [DeferUpdatePeriod](/windows/client-management/mdm/policy-csp-update#update-deferupdateperiod) | Specify update delays for up to 4 weeks. | ✔️ | ✔️ | ✔️ | ✔️ | +| [DeferUpgradePeriod](/windows/client-management/mdm/policy-csp-update#update-deferupgradeperiod) | Specify upgrade delays for up to 8 months. | ✔️ | ✔️ | ✔️ | ✔️ | +| [DetectionFrequency](/windows/client-management/mdm/policy-configuration-service-provider#update-detectionfrequency) | Specify the frequency to scan for updates, from every 1-22 hours. | ✔️ | ✔️ | ✔️ | ✔️ | +| [DisableDualScan](/windows/client-management/mdm/policy-csp-update#update-disabledualscan) | Do not allow update deferral policies to cause scans against Windows Update. | ✔️ | ✔️ | | ✔️ | +| [EngagedRestartDeadline](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadline) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | ✔️ | ✔️ | | ✔️ | +| [EngagedRestartDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadlineforfeatureupdates) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | ✔️ | ✔️ | | ✔️ | +| [EngagedRestartSnoozeSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozeschedule) | Specify the number of days a user can snooze Engaged restart reminder notifications. | ✔️ | ✔️ | | ✔️ | +| [EngagedRestartSnoozeScheduleForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozescheduleforfeatureupdates) | Specify the number of days a user can snooze Engaged restart reminder notifications. | ✔️ | ✔️ | | ✔️ | +| [EngagedRestartTransitionSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionschedule) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | ✔️ | ✔️ | | ✔️ | +| [EngagedRestartTransitionScheduleForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionscheduleforfeatureupdates) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | ✔️ | ✔️ | | ✔️ | +| [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | Exclude Windows Update (WU) drivers during quality updates. | ✔️ | ✔️ | | ✔️ | +| [FillEmptyContentUrls](/windows/client-management/mdm/policy-configuration-service-provider#update-fillemptycontenturls) | Allow Windows Update Agent to determine the download URL when it is missing from the metadata. | ✔️ | ✔️ | | ✔️ | +| ManagePreviewBuilds | Use to enable or disable preview builds. | ✔️ | ✔️ | ✔️ | ✔️ | +| PhoneUpdateRestrictions | Deprecated | | ✔️ | | | +| [RequireDeferUpgrade](/windows/client-management/mdm/policy-configuration-service-provider#update-requiredeferupgrade) | Configure device to receive updates from Current Branch for Business (CBB). | ✔️ | ✔️ | ✔️ | ✔️ | +| [ScheduledInstallDay](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstallday) | Schedule the day for update installation. | ✔️ | ✔️ | ✔️ | ✔️ | +| [ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek) | To schedule update installation every week, set the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ | +| [ScheduledInstallFirstWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfirstweek) | To schedule update installation the first week of the month, see the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ | +| [ScheduledInstallFourthWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfourthweek) | To schedule update installation the fourth week of the month, see the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ | +| [ScheduledInstallSecondWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallsecondweek) | To schedule update installation the second week of the month, see the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ | +| [ScheduledInstallThirdWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallthirdweek) | To schedule update installation the third week of the month, see the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ | +| [ScheduledInstallTime](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstalltime) | Schedule the time for update installation. | ✔️ | ✔️ | ✔️ | ✔️ | +| [ScheduleImminentRestartWarning](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduleimminentrestartwarning) | Specify the period for auto-restart imminent warning notifications. | ✔️ | ✔️ | | ✔️ | +| [ScheduleRestartWarning](/windows/client-management/mdm/policy-configuration-service-provider#update-schedulerestartwarning) | Specify the period for auto-restart warning reminder notifications. | ✔️ | ✔️ | | ✔️ | +| [SetAutoRestartNotificationDisable](/windows/client-management/mdm/policy-configuration-service-provider#update-setautorestartnotificationdisable) | Disable auto-restart notifications for update installations. | ✔️ | ✔️ | | ✔️ | +| [SetDisablePauseUXAccess](/windows/client-management/mdm/policy-configuration-service-provider#update-setdisablepauseuxaccess) | Disable access to scan Windows Update. | ✔️ | ✔️ | | ✔️ | +| [SetDisableUXWUAccess](/windows/client-management/mdm/policy-configuration-service-provider#update-setdisableuxwuaccess) | Disable the **Pause updates** feature. | ✔️ | ✔️ | | ✔️ | +| [SetEDURestart](/windows/client-management/mdm/policy-configuration-service-provider#update-setedurestart) | Skip the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. | ✔️ | ✔️ | | ✔️ | +| UpdateNotificationLevel | Specify whether to enable or disable Windows Update notifications, including restart warnings. | ✔️ | ✔️ | | ✔️ | +| [UpdateServiceUrl](/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurl) | Configure the device to check for updates from a WSUS server instead of Microsoft Update. | ✔️ | ✔️ | ✔️ | ✔️ | +| [UpdateServiceUrlAlternate](/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | Specify an alternate intranet server to host updates from Microsoft Update. | ✔️ | ✔️ | ✔️ | ✔️ | ## WiFi -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAutoConnectToWiFiSenseHotspots](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowautoconnecttowifisensehotspots) | Allow the device to connect automatically to Wi-Fi hotspots. | ✔️ | ✔️ | | | | -| [AllowInternetSharing](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowinternetsharing) | Allow Internet sharing. | ✔️ | ✔️ | | | | -| [AllowManualWiFiConfiguration](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowmanualwificonfiguration) | Allow connecting to Wi-Fi outside of MDM server-installed networks. | | ✔️ | | | | -| [AllowWiFi](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowwifi) | Allow Wi-Fi connections. | | ✔️ | | | | -| [WLANScanMode](/windows/client-management/mdm/policy-configuration-service-provider#wifi-wlanscanmode) | Configure the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. | ✔️ | ✔️ | ✔️ | | ✔️ | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowAutoConnectToWiFiSenseHotspots](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowautoconnecttowifisensehotspots) | Allow the device to connect automatically to Wi-Fi hotspots. | ✔️ | | | | +| [AllowInternetSharing](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowinternetsharing) | Allow Internet sharing. | ✔️ | | | | +| [AllowManualWiFiConfiguration](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowmanualwificonfiguration) | Allow connecting to Wi-Fi outside of MDM server-installed networks. | | | | | +| [AllowWiFi](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowwifi) | Allow Wi-Fi connections. | | | | | +| [WLANScanMode](/windows/client-management/mdm/policy-configuration-service-provider#wifi-wlanscanmode) | Configure the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. | ✔️ | ✔️ | | ✔️ | ## WindowsInkWorkspace -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowSuggestedAppsInWindowsInkWorkspace](/windows/client-management/mdm/policy-configuration-service-provider#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace) | Show recommended app suggestions in the ink workspace. | ✔️ | | | | | -| [AllowWindowsInkWorkspace](/windows/client-management/mdm/policy-configuration-service-provider#windowsinkworkspace-allowwindowsinkworkspace) | Specify whether to allow the user to access the ink workspace. | ✔️ | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowSuggestedAppsInWindowsInkWorkspace](/windows/client-management/mdm/policy-configuration-service-provider#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace) | Show recommended app suggestions in the ink workspace. | ✔️ | | | | +| [AllowWindowsInkWorkspace](/windows/client-management/mdm/policy-configuration-service-provider#windowsinkworkspace-allowwindowsinkworkspace) | Specify whether to allow the user to access the ink workspace. | ✔️ | | | | ## WindowsLogon -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [HideFastUserSwitching](/windows/client-management/mdm/policy-configuration-service-provider#windowslogon-hidefastuserswitching) | Hide the **Switch account** button on the sign-in screen, Start, and the Task Manager. | ✔️ | | | | | + +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [HideFastUserSwitching](/windows/client-management/mdm/policy-configuration-service-provider#windowslogon-hidefastuserswitching) | Hide the **Switch account** button on the sign-in screen, Start, and the Task Manager. | ✔️ | | | | ## WirelessDisplay -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowUserInputFromWirelessDisplayReceiver](/windows/client-management/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | This policy controls whether or not the wireless display can send input (keyboard, mouse, pen, and touch, dependent upon display support) back to the source device. For example, a Surface Laptop is projecting wirelessly to a Surface Hub. If input from the wireless display receiver is allowed, users can draw with a pen on the Surface Hub. | ✔️ | ✔️ | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowUserInputFromWirelessDisplayReceiver](/windows/client-management/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | This policy controls whether or not the wireless display can send input (keyboard, mouse, pen, and touch, dependent upon display support) back to the source device. For example, a Surface Laptop is projecting wirelessly to a Surface Hub. If input from the wireless display receiver is allowed, users can draw with a pen on the Surface Hub. | ✔️ | | | | diff --git a/windows/configuration/wcd/wcd-privacy.md b/windows/configuration/wcd/wcd-privacy.md index 5904abff0c..867728c6b3 100644 --- a/windows/configuration/wcd/wcd-privacy.md +++ b/windows/configuration/wcd/wcd-privacy.md @@ -17,9 +17,9 @@ Use **Privacy** to configure settings for app activation with voice. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | ✔️ | ✔️ | ✔️ | | ✔️ | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | ✔️ | ✔️ | | ✔️ | ## LetAppsActivateWithVoice @@ -27,4 +27,4 @@ Select between **User is in control**, **Force allow**, or **Force deny**. ## LetAppsActivateWithVoiceAboveLock -Select between **User is in control**, **Force allow**, or **Force deny**. \ No newline at end of file +Select between **User is in control**, **Force allow**, or **Force deny**. diff --git a/windows/configuration/wcd/wcd-provisioningcommands.md b/windows/configuration/wcd/wcd-provisioningcommands.md index 51ca4daddb..dab5b939b7 100644 --- a/windows/configuration/wcd/wcd-provisioningcommands.md +++ b/windows/configuration/wcd/wcd-provisioningcommands.md @@ -19,9 +19,9 @@ Use ProvisioningCommands settings to install Windows desktop applications using ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | ✔️ | | | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | ✔️ | | | | For instructions on adding apps to provisioning packages, see [Provision PCs with apps](../provisioning-packages/provision-pcs-with-apps.md). diff --git a/windows/configuration/wcd/wcd-sharedpc.md b/windows/configuration/wcd/wcd-sharedpc.md index 2cee7eec84..3dd25e3954 100644 --- a/windows/configuration/wcd/wcd-sharedpc.md +++ b/windows/configuration/wcd/wcd-sharedpc.md @@ -20,9 +20,9 @@ Use SharedPC settings to optimize Windows 10 for shared use scenarios, such as t ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | ✔️ | | | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | ✔️ | | | | ## AccountManagement diff --git a/windows/configuration/wcd/wcd-smisettings.md b/windows/configuration/wcd/wcd-smisettings.md index f378d5f114..ed3dbc5df6 100644 --- a/windows/configuration/wcd/wcd-smisettings.md +++ b/windows/configuration/wcd/wcd-smisettings.md @@ -19,9 +19,9 @@ Use SMISettings settings to customize the device with custom shell, suppress Win ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | ✔️ | | | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | ✔️ | | | | ## All settings in SMISettings diff --git a/windows/configuration/wcd/wcd-start.md b/windows/configuration/wcd/wcd-start.md index cd1ddd0c36..b5e9674a75 100644 --- a/windows/configuration/wcd/wcd-start.md +++ b/windows/configuration/wcd/wcd-start.md @@ -19,12 +19,12 @@ Use Start settings to apply a customized Start screen to devices. ## Applies to -| Setting | Desktop editions | Surface Hub | HoloLens | IoT Core | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | | --- | :---: | :---: | :---: | :---: | | StartLayout | ✔️ | | | | >[!IMPORTANT] ->The StartLayout setting is available in the advanced provisioning for Windows 10 desktop editions, but shouldn't be used. For desktop editions, use [Policies > StartLayout](wcd-policies.md#start). +>The StartLayout setting is available in the advanced provisioning for Windows 10, but shouldn't be used. For Windows client, use [Policies > StartLayout](wcd-policies.md#start). ## StartLayout diff --git a/windows/configuration/wcd/wcd-startupapp.md b/windows/configuration/wcd/wcd-startupapp.md index 84b5fbc1cd..49815cf169 100644 --- a/windows/configuration/wcd/wcd-startupapp.md +++ b/windows/configuration/wcd/wcd-startupapp.md @@ -19,8 +19,8 @@ Use StartupApp settings to configure the default app that will run on start for ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| Default | | | | | ✔️ | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| Default | | | | ✔️ | Enter the [Application User Model ID (AUMID)](/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the default app. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-startupbackgroundtasks.md b/windows/configuration/wcd/wcd-startupbackgroundtasks.md index 375b29173c..7d169c131d 100644 --- a/windows/configuration/wcd/wcd-startupbackgroundtasks.md +++ b/windows/configuration/wcd/wcd-startupbackgroundtasks.md @@ -19,7 +19,7 @@ Documentation not available at this time. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | | | | | ✔️ | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | | | | ✔️ | diff --git a/windows/configuration/wcd/wcd-storaged3inmodernstandby.md b/windows/configuration/wcd/wcd-storaged3inmodernstandby.md index bf25d4dfd0..d48b954521 100644 --- a/windows/configuration/wcd/wcd-storaged3inmodernstandby.md +++ b/windows/configuration/wcd/wcd-storaged3inmodernstandby.md @@ -22,6 +22,6 @@ Use **StorageD3InModernStandby** to enable or disable low-power state (D3) durin ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | ✔️ | ✔️ | ✔️ | | ✔️ | \ No newline at end of file +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | ✔️ | ✔️ | | ✔️ | \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-surfacehubmanagement.md b/windows/configuration/wcd/wcd-surfacehubmanagement.md index d0492b9ac5..edf2a819ed 100644 --- a/windows/configuration/wcd/wcd-surfacehubmanagement.md +++ b/windows/configuration/wcd/wcd-surfacehubmanagement.md @@ -24,9 +24,9 @@ Use SurfaceHubManagement settings to set the administrator group that will manag ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | | | ✔️ | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | | ✔️ | | | ## GroupName diff --git a/windows/configuration/wcd/wcd-tabletmode.md b/windows/configuration/wcd/wcd-tabletmode.md index 6f1c67bfb8..e97c3ebf6e 100644 --- a/windows/configuration/wcd/wcd-tabletmode.md +++ b/windows/configuration/wcd/wcd-tabletmode.md @@ -19,9 +19,9 @@ Use TabletMode to configure settings related to tablet mode. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | ✔️ | ✔️ | ✔️ | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | ✔️ | ✔️ | | | ## ConvertibleSlateModePromptPreference diff --git a/windows/configuration/wcd/wcd-takeatest.md b/windows/configuration/wcd/wcd-takeatest.md index 0f3d22d642..f9f3708a13 100644 --- a/windows/configuration/wcd/wcd-takeatest.md +++ b/windows/configuration/wcd/wcd-takeatest.md @@ -19,9 +19,9 @@ Use TakeATest to configure the Take A Test app, a secure browser for test-taking ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | ✔️ | | | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | ✔️ | | | | ## AllowScreenMonitoring diff --git a/windows/configuration/wcd/wcd-time.md b/windows/configuration/wcd/wcd-time.md index 1efcbc613a..259df9fdd1 100644 --- a/windows/configuration/wcd/wcd-time.md +++ b/windows/configuration/wcd/wcd-time.md @@ -17,9 +17,9 @@ Use **Time** to configure settings for time zone setup for Windows 10, version ( ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [ProvisionSetTimeZone](#provisionsettimezone) | ✔️ | | | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [ProvisionSetTimeZone](#provisionsettimezone) | ✔️ | | | | ## ProvisionSetTimeZone diff --git a/windows/configuration/wcd/wcd-unifiedwritefilter.md b/windows/configuration/wcd/wcd-unifiedwritefilter.md index 2463513137..c5586d1c3a 100644 --- a/windows/configuration/wcd/wcd-unifiedwritefilter.md +++ b/windows/configuration/wcd/wcd-unifiedwritefilter.md @@ -40,9 +40,9 @@ The overlay doesn't mirror the entire volume. It dynamically grows to keep track ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | ✔️ | | | | ✔️ | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | ✔️ | | | ✔️ | ## FilterEnabled diff --git a/windows/configuration/wcd/wcd-universalappinstall.md b/windows/configuration/wcd/wcd-universalappinstall.md index 2085c5e99a..0822937da4 100644 --- a/windows/configuration/wcd/wcd-universalappinstall.md +++ b/windows/configuration/wcd/wcd-universalappinstall.md @@ -22,13 +22,13 @@ Use UniversalAppInstall settings to install Windows apps from the Microsoft Stor ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [DeviceContextApp](#devicecontextapp) | ✔️ | | ✔️ | | | -| [DeviceContextAppLicense](#devicecontextapplicense) | ✔️ | | ✔️ | | | -| [StoreInstall](#storeinstall) | ✔️ | ✔️ | ✔️ | | ✔️ | -| [UserContextApp](#usercontextapp) | ✔️ | ✔️ | ✔️ | | ✔️ | -| [UserContextAppLicense](#usercontextapplicense) | ✔️ | ✔️ | ✔️ | | ✔️ | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [DeviceContextApp](#devicecontextapp) | ✔️ | ✔️ | | | +| [DeviceContextAppLicense](#devicecontextapplicense) | ✔️ | ✔️ | | | +| [StoreInstall](#storeinstall) | ✔️ | ✔️ | | ✔️ | +| [UserContextApp](#usercontextapp) | ✔️ | ✔️ | | ✔️ | +| [UserContextAppLicense](#usercontextapplicense) | ✔️ | ✔️ | | ✔️ | ## DeviceContextApp diff --git a/windows/configuration/wcd/wcd-universalappuninstall.md b/windows/configuration/wcd/wcd-universalappuninstall.md index 0ae1ade853..625891ae05 100644 --- a/windows/configuration/wcd/wcd-universalappuninstall.md +++ b/windows/configuration/wcd/wcd-universalappuninstall.md @@ -20,10 +20,10 @@ Use UniversalAppUninstall settings to uninstall or remove Windows apps. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [RemoveProvisionedApp](#removeprovisionedapp) | ✔️ | | | | | -| [Uninstall](#uninstall) | ✔️ | ✔️ | ✔️ | | ✔️ | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [RemoveProvisionedApp](#removeprovisionedapp) | ✔️ | | | | +| [Uninstall](#uninstall) | ✔️ | ✔️ | | ✔️ | ## RemoveProvisionedApp diff --git a/windows/configuration/wcd/wcd-usberrorsoemoverride.md b/windows/configuration/wcd/wcd-usberrorsoemoverride.md index 9b4fc26665..3eb9975d01 100644 --- a/windows/configuration/wcd/wcd-usberrorsoemoverride.md +++ b/windows/configuration/wcd/wcd-usberrorsoemoverride.md @@ -20,9 +20,9 @@ Allows an OEM to hide the USB option UI in Settings and all USB device errors. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [HideUsbErrorNotifyOptionUI](#hideusberrornotifyoptionui) | ✔️ | ✔️ | ✔️ | ✔️ | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [HideUsbErrorNotifyOptionUI](#hideusberrornotifyoptionui) | ✔️ | ✔️ | ✔️ | | ## HideUsbErrorNotifyOptionUI diff --git a/windows/configuration/wcd/wcd-weakcharger.md b/windows/configuration/wcd/wcd-weakcharger.md index 0f57e581fd..ce9f3ab265 100644 --- a/windows/configuration/wcd/wcd-weakcharger.md +++ b/windows/configuration/wcd/wcd-weakcharger.md @@ -20,10 +20,10 @@ Use WeakCharger settings to configure the charger notification UI. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [HideWeakChargerNotifyOptionUI](#hideweakchargernotifyoptionui) | ✔️ | ✔️ | ✔️ | | | -| [NotifyOnWeakCharger](#notifyonweakcharger) | ✔️ | ✔️ | ✔️ | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [HideWeakChargerNotifyOptionUI](#hideweakchargernotifyoptionui) | ✔️ | ✔️ | | | +| [NotifyOnWeakCharger](#notifyonweakcharger) | ✔️ | ✔️ | | | ## HideWeakChargerNotifyOptionUI diff --git a/windows/configuration/wcd/wcd-windowshelloforbusiness.md b/windows/configuration/wcd/wcd-windowshelloforbusiness.md index d000b9facc..fc0d8fbd54 100644 --- a/windows/configuration/wcd/wcd-windowshelloforbusiness.md +++ b/windows/configuration/wcd/wcd-windowshelloforbusiness.md @@ -19,9 +19,9 @@ Use WindowsHelloForBusiness settings to specify whether [FIDO2 security keys for ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [SecurityKeys](#securitykeys) | ✔️ | | | | | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [SecurityKeys](#securitykeys) | ✔️ | | | | ## SecurityKeys diff --git a/windows/configuration/wcd/wcd-windowsteamsettings.md b/windows/configuration/wcd/wcd-windowsteamsettings.md index a4e82b4a0e..9307518bf1 100644 --- a/windows/configuration/wcd/wcd-windowsteamsettings.md +++ b/windows/configuration/wcd/wcd-windowsteamsettings.md @@ -20,9 +20,9 @@ Use WindowsTeamSettings settings to configure Surface Hub. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | | | ✔️ | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | | ✔️ | | | ## Connect diff --git a/windows/configuration/wcd/wcd-wlan.md b/windows/configuration/wcd/wcd-wlan.md index 2a746063eb..8b931bc90a 100644 --- a/windows/configuration/wcd/wcd-wlan.md +++ b/windows/configuration/wcd/wcd-wlan.md @@ -20,7 +20,7 @@ Do not use at this time. Instead, use [ConnectivityProfiles > WLAN](wcd-connecti ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | | | | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | | | | | diff --git a/windows/configuration/wcd/wcd-workplace.md b/windows/configuration/wcd/wcd-workplace.md index 48f7826dc9..e810f28679 100644 --- a/windows/configuration/wcd/wcd-workplace.md +++ b/windows/configuration/wcd/wcd-workplace.md @@ -20,9 +20,9 @@ Use Workplace settings to configure bulk user enrollment to a mobile device mana ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [Enrollments](#enrollments) | ✔️ | ✔️ | ✔️ | | ✔️ | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [Enrollments](#enrollments) | ✔️ | ✔️ | | ✔️ | ## Enrollments diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md index 0d09e59143..952a247ff3 100644 --- a/windows/configuration/wcd/wcd.md +++ b/windows/configuration/wcd/wcd.md @@ -18,7 +18,7 @@ This section describes the settings that you can configure in [provisioning pack ## Edition that each group of settings applies to -| Setting group | Desktop editions | Surface Hub | HoloLens | IoT Core | +| Setting group | Windows client | Surface Hub | HoloLens | IoT Core | | --- | :---: | :---: | :---: | :---: | | [AccountManagement](wcd-accountmanagement.md) | | | ✔️ | | | [Accounts](wcd-accounts.md) | ✔️ | ✔️ | ✔️ | ✔️ | diff --git a/windows/deployment/planning/windows-10-deployment-considerations.md b/windows/deployment/planning/windows-10-deployment-considerations.md index 90d0c547cb..4d8bf0ff3e 100644 --- a/windows/deployment/planning/windows-10-deployment-considerations.md +++ b/windows/deployment/planning/windows-10-deployment-considerations.md @@ -36,46 +36,13 @@ Windows 10 also introduces two additional scenarios that organizations should c So how do you choose? At a high level: -
-
+| Consider ... | For these scenarios | +|---|---| +| In-place upgrade | - When you want to keep all (or at least most) existing applications- - -- - - - - -Consider ... -For these scenarios -- -In-place upgrade --
-
When you want to keep all (or at least most) existing applications
-When you do not plan to significantly change the device configuration (for example, BIOS to UEFI) or operating system configuration (for example, x86 to x64, language changes, Administrators to non-Administrators, Active Directory domain consolidations)
-To migrate from Windows 10 to a later Windows 10 release
-
- -Traditional wipe-and-load --
-
When you upgrade significant numbers of applications along with the new Windows OS
-When you make significant device or operating system configuration changes
-When you “start clean”. For example, scenarios where it is not necessary to preserve existing apps or data (for example, call centers) or when you move from unmanaged to well-managed PCs
-When you migrate from Windows Vista or other previous operating system versions
-
- - -Dynamic provisioning --
-
For new devices, especially in “choose your own device” scenarios when simple configuration (not reimaging) is all that is required
-When used in combination with a management tool (for example, an MDM service like Microsoft Intune) that enables self-service installation of user-specific or role-specific apps
-
- When you do not plan to significantly change the device configuration (for example, BIOS to UEFI) or operating system configuration (for example, x86 to x64, language changes, Administrators to non-Administrators, Active Directory domain consolidations)
- To migrate from Windows 10 to a later Windows 10 release | +| Traditional wipe-and-load | - When you upgrade significant numbers of applications along with the new Windows OS
- When you make significant device or operating system configuration changes
- When you “start clean”. For example, scenarios where it is not necessary to preserve existing apps or data (for example, call centers) or when you move from unmanaged to well-managed PCs
- When you migrate from Windows Vista or other previous operating system versions | +| Dynamic provisioning | - For new devices, especially in “choose your own device” scenarios when simple configuration (not reimaging) is all that is required.
- When used in combination with a management tool (for example, an MDM service like Microsoft Intune) that enables self-service installation of user-specific or role-specific apps | + - ## Migration from previous Windows versions For existing PCs running Windows 7 or Windows 8.1, in-place upgrade is the recommended method for Windows 10 deployment and should be used whenever possible. Although wipe-and-load (OS refresh) deployments are still fully supported (and necessary in some scenarios, as mentioned previously), in-place upgrade is simpler and faster, and enables a faster Windows 10 deployment overall. @@ -105,7 +72,7 @@ In either of these scenarios, you can make a variety of configuration changes to ## Stay up to date -For computers already running Windows 10 on the Semi-Annual Channel, new upgrades will be deployed two times per year. You can deploy these upgrades by using a variety of methods: +For computers using the [General Availability Channel](../update/waas-overview.md#general-availability-channel), you can deploy these upgrades by using a variety of methods: - Windows Update or Windows Update for Business, for devices where you want to receive updates directly from the Internet. - Windows Server Update Services (WSUS), for devices configured to pull updates from internal servers after they are approved (deploying like an update). diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml index 8ca699331f..a8e1aa8c67 100644 --- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml +++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml @@ -103,7 +103,7 @@ sections: - question: | What are the servicing channels? answer: | - To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers two servicing channels for Windows 10: Semi-Annual Channel, and Long-Term Servicing Channel (LTSC). For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each channel, see [servicing channels](../update/waas-overview.md#servicing-channels). + To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers two servicing channels for Windows 10: General Availability Channel, and Long-Term Servicing Channel (LTSC). For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each channel, see [servicing channels](../update/waas-overview.md#servicing-channels). - question: | What tools can I use to manage Windows as a service updates? diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md index ae8c69d273..c5e07f7751 100644 --- a/windows/deployment/update/WIP4Biz-intro.md +++ b/windows/deployment/update/WIP4Biz-intro.md @@ -1,7 +1,7 @@ --- title: Introduction to the Windows Insider Program for Business description: In this article, you'll learn about the Windows Insider Program for Business and why IT Pros should join. -keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, WiP4Biz, enterprise, rings, flight +keywords: updates, servicing, current, deployment, General Availability Channel, semi-annual channel, feature, quality, rings, insider, WiP4Biz, enterprise, rings, flight ms.custom: seo-marvel-apr2020 ms.prod: w10 ms.mktglfcycl: manage @@ -22,7 +22,7 @@ ms.topic: article > **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -For many IT Pros, it's valuable to have visibility into feature updates early--before they’re available in the Semi-Annual Channel. With Windows 10, feature flighting enables participants in the Windows Insider Preview program can consume and deploy preproduction code to test devices, gaining early visibility into the next build. This is better for your organization because you can test the early builds of Windows 10 to discover possible issues with the code or with device and app compatibility in your organization before the update is ever publicly available. We at Microsoft also appreciate it because Insiders can report issues back to us in time for us to make improvements in a release before it is more generally available. +For many IT Pros, it's valuable to have visibility into feature updates early--before they’re available in the General Availability Channel. With Windows 10, feature flighting enables participants in the Windows Insider Preview program can consume and deploy preproduction code to test devices, gaining early visibility into the next build. This is better for your organization because you can test the early builds of Windows 10 to discover possible issues with the code or with device and app compatibility in your organization before the update is ever publicly available. We at Microsoft also appreciate it because Insiders can report issues back to us in time for us to make improvements in a release before it is more generally available. The Windows Insider Program for Business gives you the opportunity to: @@ -35,7 +35,7 @@ The Windows Insider Program for Business gives you the opportunity to: Microsoft recommends that all organizations have at least a few devices enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans, and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub App. -The Windows Insider Program doesn't replace Semi-Annual Channel deployments in an organization. Rather, it provides IT Pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft. +The Windows Insider Program doesn't replace General Availability Channel deployments in an organization. Rather, it provides IT Pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft. [](images/WIP4Biz_deployment.png)
Windows 10 Insider Preview builds enable organizations to prepare sooner for Windows Semi-Annual releases and reduce the overall validation effort required with traditional deployments. @@ -56,8 +56,8 @@ Along with exploring new features, you also have the option to validate your app - Get a head start on your Windows validation process - Identify issues sooner to accelerate your Windows deployment - Engage Microsoft earlier for help with potential compatibility issues -- Deploy Windows 10 Semi-Annual releases faster and more confidently -- Maximize the 18-month support Window that comes with each Semi-Annual release. +- Deploy Windows 10 General Availability Channel releases faster and more confidently +- Maximize the support Window that comes with each General Availability Channel release. |Objective |Feature exploration| |---------|---------| diff --git a/windows/deployment/update/get-started-updates-channels-tools.md b/windows/deployment/update/get-started-updates-channels-tools.md index f1d6c2488e..a9cda4ed31 100644 --- a/windows/deployment/update/get-started-updates-channels-tools.md +++ b/windows/deployment/update/get-started-updates-channels-tools.md @@ -1,7 +1,7 @@ --- title: Windows client updates, channels, and tools description: Brief summary of the kinds of Windows updates, the channels they are served through, and the tools for managing them -keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +keywords: updates, servicing, current, deployment, General Availability Channel, semi-annual channel, feature, quality, rings, insider, tools ms.prod: w10 ms.mktglfcycl: manage author: jaimeo @@ -35,7 +35,7 @@ version of the software. We include information here about many different update types you'll hear about, but the two overarching types that you have the most direct control over are *feature updates* and *quality updates*. -- **Feature updates:** Released as soon as they become available. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage. +- **Feature updates:** Released annually. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage. - **Quality updates:** Quality updates deliver both security and non-security fixes. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. They are typically released on the second Tuesday of each month, though they can be released at any time. The second-Tuesday releases are the ones that focus on security updates. Quality updates are *cumulative*, so installing the latest quality update is sufficient to get all the available fixes for a specific feature update, including any out-of-band security fixes and any *servicing stack updates* that might have been released previously. - **Servicing stack updates:** The "servicing stack" is the code component that actually installs Windows updates. From time to time, the servicing stack itself needs to be updated in order to function smoothly. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. Servicing stack updates are not necessarily included in *every* monthly quality update, and occasionally are released out of band to address a late-breaking issue. Always install the latest available quality update to catch any servicing stack updates that might have been released. The servicing stack also contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001). For more detail about servicing stack updates, see [Servicing stack updates](servicing-stack-updates.md). - **Driver updates**: These update drivers applicable to your devices. Driver updates are turned off by default in Windows Server Update Services (WSUS), but for cloud-based update methods, you can control whether they are installed or not. @@ -51,7 +51,7 @@ The first step of controlling when and how devices install updates is assigning ### General Availability Channel -In the General Availability Channel, feature updates are available as soon as Microsoft releases them. As long as a device isn't set to defer feature updates, any device in this channel will install a feature update as soon as it's released. If you use Windows Update for Business, the channel provides three months of additional total deployment time before being required to update to the next release. +In the General Availability Channel, feature updates are released annually. As long as a device isn't set to defer feature updates, any device in this channel will install a feature update as soon as it's released. If you use Windows Update for Business, the channel provides three months of additional total deployment time before being required to update to the next release. ### Windows Insider Program for Business diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md index 8bfab4700e..bb91408f6f 100644 --- a/windows/deployment/update/waas-manage-updates-wsus.md +++ b/windows/deployment/update/waas-manage-updates-wsus.md @@ -60,7 +60,7 @@ When using WSUS to manage updates on Windows client devices, start by configurin 3. Right-click **Your_Domain**, and then select **Create a GPO in this domain, and Link it here**. -  +  >[!NOTE] >In this example, the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings are specified for the entire domain. This is not a requirement; you can target these settings to any security group by using Security Filtering or a specific OU. @@ -73,13 +73,13 @@ When using WSUS to manage updates on Windows client devices, start by configurin 7. Right-click the **Configure Automatic Updates** setting, and then click **Edit**. -  +  8. In the **Configure Automatic Updates** dialog box, select **Enable**. 9. Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then click **OK**. -  +  >[!IMPORTANT] > Use Regedit.exe to check that the following key is not enabled, because it can break Windows Store connectivity: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations @@ -91,12 +91,12 @@ When using WSUS to manage updates on Windows client devices, start by configurin 11. In the **Specify intranet Microsoft update service location** dialog box, select **Enable**. -12. Under **Options**, in the **Set the intranet update service for detecting updates** and **Set the intranet statistics server** options, type http://Your_WSUS_Server_FQDN:PortNumber, and then select **OK**. +12. Under **Options**, in the **Set the intranet update service for detecting updates** and **Set the intranet statistics server** options, type `http://Your_WSUS_Server_FQDN:PortNumber`, and then select **OK**. >[!NOTE] >The URL `http://CONTOSO-WSUS1.contoso.com:8530` in the following image is just an example. In your environment, be sure to use the server name and port number for your WSUS instance. -  +  >[!NOTE] >The default HTTP port for WSUS is 8530, and the default HTTP over Secure Sockets Layer (HTTPS) port is 8531. (The other options are 80 and 443; no other ports are supported.) @@ -116,7 +116,7 @@ You can use computer groups to target a subset of devices that have specific qua 2. Go to *Server_Name*\Computers\All Computers, and then click **Add Computer Group**. -  +  3. Type **Ring 2 Pilot Business Users** for the name, and then click **Add**. @@ -144,7 +144,7 @@ When new computers communicate with WSUS, they appear in the **Unassigned Comput 2. Select both computers, right-click the selection, and then click **Change Membership**. -  +  3. In the **Set Computer Group Membership** dialog box, select the **Ring 2 Pilot Business Users** deployment ring, and then click **OK**. @@ -162,7 +162,7 @@ Another way to add multiple computers to a deployment ring in the WSUS Administr 3. In the search results, select the computers, right-click the selection, and then click **Change Membership**. -  +  4. Select the **Ring 3 Broad IT** deployment ring, and then click **OK**. @@ -179,7 +179,7 @@ The WSUS Administration Console provides a friendly interface from which you can 1. Open the WSUS Administration Console, and go to *Server_Name*\Options, and then click **Computers**. -  +  2. In the **Computers** dialog box, select **Use Group Policy or registry settings on computers**, and then click **OK**. @@ -203,7 +203,7 @@ Now that WSUS is ready for client-side targeting, complete the following steps t 5. Right-click the **WSUS – Client Targeting – Ring 4 Broad Business Users** GPO, and then click **Edit**. -  +  6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update. @@ -213,7 +213,7 @@ Now that WSUS is ready for client-side targeting, complete the following steps t 9. In the **Target group name for this computer** box, type *Ring 4 Broad Business Users*. This is the name of the deployment ring in WSUS to which these computers will be added. -  +  > [!WARNING] > The target group name must match the computer group name. @@ -230,7 +230,7 @@ Now you’re ready to deploy this GPO to the correct computer security group for 3. Under **Security Filtering**, remove the default **AUTHENTICATED USERS** security group, and then add the **Ring 4 Broad Business Users** group. -  +  The next time the clients in the **Ring 4 Broad Business Users** security group receive their computer policy and contact WSUS, they will be added to the **Ring 4 Broad Business Users** deployment ring. @@ -239,7 +239,7 @@ The next time the clients in the **Ring 4 Broad Business Users** security group For clients that should have their feature updates approved as soon as they’re available, you can configure Automatic Approval rules in WSUS. >[!NOTE] ->WSUS respects the client device's servicing branch. If you approve a feature update while it is still in one branch, such as Insider Preview, WSUS will install the update only on devices that are in that servicing branch. When Microsoft releases the build for Semi-Annual Channel (or General Availability Channel), the devices in that will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS. +>WSUS respects the client device's servicing branch. If you approve a feature update while it is still in one branch, such as Insider Preview, WSUS will install the update only on devices that are in that servicing branch. When Microsoft releases the build for the [General Availability Channel](waas-overview.md#general-availability-channel), the devices in that will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS. **To configure an Automatic Approval rule for Windows client feature updates and approve them for the Ring 3 Broad IT deployment ring** @@ -251,7 +251,7 @@ This example uses Windows 10, but the process is the same for Windows 11. 3. In the **Add Rule** dialog box, select the **When an update is in a specific classification**, **When an update is in a specific product**, and **Set a deadline for the approval** check boxes. -  +  4. In the **Edit the properties** area, select **any classification**. Clear everything except **Upgrades**, and then click **OK**. @@ -265,7 +265,7 @@ This example uses Windows 10, but the process is the same for Windows 11. 8. In the **Step 3: Specify a name** box, type **Windows 10 Upgrade Auto-approval for Ring 3 Broad IT**, and then click **OK**. -  +  9. In the **Automatic Approvals** dialog box, click **OK**. @@ -300,7 +300,7 @@ To simplify the manual approval process, start by creating a software update vie 5. In the **Step 3: Specify a name** box, type **All Windows 10 Upgrades**, and then click **OK**. -  +  Now that you have the **All Windows 10 Upgrades** view, complete the following steps to manually approve an update for the **Ring 4 Broad Business Users** deployment ring: @@ -308,21 +308,21 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s 2. Right-click the feature update you want to deploy, and then click **Approve**. -  +  3. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, select **Approved for Install**. -  +  4. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, click **Deadline**, click **One Week**, and then click **OK**. -  +  5. If the **Microsoft Software License Terms** dialog box opens, click **Accept**. If the deployment is successful, you should receive a successful progress report. -  +  6. In the **Approval Progress** dialog box, click **Close**. diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 5947bdc897..543f0e96db 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -1,7 +1,7 @@ --- title: Overview of Windows as a service description: Windows as a service is a way to build, deploy, and service Windows. Learn how Windows as a service works. -keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +keywords: updates, servicing, current, deployment, General Availability Channel, semi-annual channel, feature, quality, rings, insider, tools ms.prod: w10 ms.mktglfcycl: manage author: jaimeo @@ -90,9 +90,9 @@ There are three servicing channels. The [Windows Insider Program](#windows-insid ### General Availability Channel -In the General Availability Channel, feature updates are available as soon as Microsoft releases them. This servicing model is ideal for pilot deployments and testing of feature updates and for users such as developers who need to work with the latest features immediately. Once the latest release has gone through pilot deployment and testing, you will be able to choose the timing at which it goes into broad deployment. +In the General Availability Channel, feature updates are available annually. This servicing model is ideal for pilot deployments and testing of feature updates and for users such as developers who need to work with the latest features. Once the latest release has gone through pilot deployment and testing, you will be able to choose the timing at which it goes into broad deployment. -When Microsoft officially releases a feature update, we make it available to any device not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft Endpoint Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the Semi-Annual Channel will be available but not necessarily immediately mandatory, depending on the policy of the management system. For more details about servicing tools, see [Servicing tools](#servicing-tools). +When Microsoft officially releases a feature update, we make it available to any device not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft Endpoint Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the General Availability Channel will be available but not necessarily immediately mandatory, depending on the policy of the management system. For more details about servicing tools, see [Servicing tools](#servicing-tools). > [!NOTE] @@ -120,7 +120,7 @@ The Long-term Servicing Channel is available only in the Windows 10 Enterprise L ### Windows Insider -For many IT pros, gaining visibility into feature updates early--before they’re available to the Semi-Annual Channel — can be both intriguing and valuable for future end user communications as well as provide the means to test for any issues on the next General Availability release. Windows Insiders can consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. +For many IT pros, gaining visibility into feature updates early--before they’re available to the General Availability Channel — can be both intriguing and valuable for future end user communications as well as provide the means to test for any issues on the next General Availability release. Windows Insiders can consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. Microsoft recommends that all organizations have at least a few devices enrolled in the Windows Insider Program and provide feedback on any issues they encounter. For information about the Windows Insider Program for Business, go to [Windows Insider Program for Business](/windows-insider/at-work-pro/wip-4-biz-get-started). @@ -130,7 +130,7 @@ Microsoft recommends that all organizations have at least a few devices enrolled There are many tools you can use to service Windows as a service. Each option has its pros and cons, ranging from capabilities and control to simplicity and low administrative requirements. The following are examples of the servicing tools available to manage Windows as a service updates: -- **Windows Update (stand-alone)** provides limited control over feature updates, with IT pros manually configuring the device to be in the Semi-Annual Channel. Organizations can target which devices defer updates by selecting the **Defer upgrades** check box in **Start\Settings\Update & Security\Advanced Options** on a Windows client device. +- **Windows Update (stand-alone)** provides limited control over feature updates, with IT pros manually configuring the device to be in the General Availability Channel. Organizations can target which devices defer updates by selecting the **Defer upgrades** check box in **Start\Settings\Update & Security\Advanced Options** on a Windows client device. - **Windows Update for Business** includes control over update deferment and provides centralized management using Group Policy or MDM. Windows Update for Business can be used to defer updates by up to 365 days, depending on the version. These deployment options are available to clients in the General Availability Channel. In addition to being able to use Group Policy to manage Windows Update for Business, either option can be configured without requiring any on-premises infrastructure by using Microsoft Intune. - **Windows Server Update Services (WSUS)** provides extensive control over updates and is natively available in the Windows Server operating system. In addition to the ability to defer updates, organizations can add an approval layer for updates and choose to deploy them to specific computers or groups of computers whenever ready. - **Microsoft Endpoint Configuration Manager** provides the greatest control over servicing Windows as a service. IT pros can defer updates, approve them, and have multiple options for targeting deployments and managing bandwidth usage and deployment times. diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md index f9c793095d..59bb0e9b9a 100644 --- a/windows/deployment/update/waas-quick-start.md +++ b/windows/deployment/update/waas-quick-start.md @@ -1,14 +1,14 @@ --- title: Quick guide to Windows as a service (Windows 10) description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy. -keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +keywords: updates, servicing, current, deployment, General Availability Channel, semi-annual channel, feature, quality, rings, insider, tools ms.prod: w10 ms.mktglfcycl: manage author: jaimeo ms.localizationpriority: high ms.author: jaimeo ms.reviewer: -manager: laurawi +manager: dougeby ms.topic: article --- @@ -25,12 +25,13 @@ Here is a quick guide to the most important concepts in Windows as a service. Fo ## Definitions Some new terms have been introduced as part of Windows as a service, so you should know what these terms mean. -- **Feature updates** are released twice per year, around March and September. As the name suggests, these updates add new features, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years. + +- **Feature updates** are released annually. As the name suggests, these updates add new features, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years. - **Quality updates** deliver both security and non-security fixes. They are typically released on the second Tuesday of each month, though they can be released at any time. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. Quality updates are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update. The "servicing stack" is the code that installs other updates, so they are important to keep current. For more information, see [Servicing stack updates](servicing-stack-updates.md). - **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features and confirm compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. - **Servicing channels** allow organizations to choose when to deploy new features. - - The **General Availability Channel** receives feature updates as they become available. - - The **Long-Term Servicing Channel**, which meant only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. + - The **General Availability Channel** receives feature updates annually. + - The **Long-Term Servicing Channel**, which meant only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. - **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization. See [Overview of Windows as a service](waas-overview.md) for more information. @@ -51,6 +52,6 @@ To stay up to date, deploy feature updates at an appropriate time after their re Extensive advanced testing isn’t required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin. -This process repeats with each new feature update as they become available. These are small deployment projects, compared to the large projects that were necessary with the old three-to-five-year Windows release cycles. +This process repeats with each new feature update. These are small deployment projects, compared to the large projects that were necessary with the old three-to-five-year Windows release cycles. Other technologies such as BranchCache and Delivery Optimization, both peer-to-peer distribution tools, can help with the distribution of the feature update installation files. diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md index cbf9133ff3..65880f7388 100644 --- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md @@ -43,7 +43,7 @@ The General Availability Channel is the default servicing channel for all Window >The LTSC edition is only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). >[!NOTE] ->Devices will automatically receive updates from the Semi-Annual Channel, unless they are configured to receive preview updates through the Windows Insider Program. +>Devices will automatically receive updates from the General Availability Channel, unless they are configured to receive preview updates through the Windows Insider Program. ## Enroll devices in the Windows Insider Program diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md index c50df27515..600631905f 100644 --- a/windows/deployment/upgrade/windows-10-upgrade-paths.md +++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md @@ -15,6 +15,7 @@ ms.topic: article --- # Windows 10 upgrade paths + **Applies to** - Windows 10 @@ -25,194 +26,73 @@ This topic provides a summary of available upgrade paths to Windows 10. You can If you are also migrating to a different edition of Windows, see [Windows 10 edition upgrade](windows-10-edition-upgrades.md). Methods and supported paths are described on this page to change the edition of Windows. These methods require that you input a license or product key for the new Windows edition prior to starting the upgrade process. Edition downgrade is also supported for some paths, but please note that applications and settings are not maintained when the Windows edition is downgraded. -> **Windows 10 version upgrade**: You can directly upgrade any semi-annual channel version of Windows 10 to a newer, supported semi-annual channel version of Windows 10, even if it involves skipping versions. Work with your account representative if your current version of Windows is out of support. See the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) for availability and service information. -> -> In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 semi-annual channel](/windows/release-health/release-information) to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch the option 'Keep personal files and apps' will be grayed out. The command line would be **setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx**, using your relevant Windows 10 SAC product key. For example, if using a KMS, the command line would be **setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43**. -> -> **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process. -> -> **Windows 8.0**: You cannot upgrade directly from Windows 8.0 to Windows 10. To upgrade from Windows 8.0, you must first install the [Windows 8.1 update](https://support.microsoft.com/help/15356/windows-8-install-update-kb-2919355). +- **Windows 10 version upgrade**: You can directly upgrade any General Availability Channel version of Windows 10 to a newer, supported General Availability Channel version of Windows 10, even if it involves skipping versions. Work with your account representative if your current version of Windows is out of support. See the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) for availability and service information. + +- **In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 General Availability Channel](/windows/release-health/release-information)** to Windows 10 LTSC is not supported. Windows 10 LTSC 2015 did not block this in-place upgrade path. This issue was corrected in the Windows 10 LTSC 2016 release, which only allows data-only and clean install options. + + You can upgrade from Windows 10 LTSC to Windows 10 General Availability Channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch, the option **Keep personal files and apps** option is grayed out. The command line would be `setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx`, using your relevant Windows 10 SAC product key. For example, if using a KMS, the command line would be `setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43`. + +- **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process. + +- **Windows 8.0**: You cannot upgrade directly from Windows 8.0 to Windows 10. To upgrade from Windows 8.0, you must first install the [Windows 8.1 update](https://support.microsoft.com/help/15356/windows-8-install-update-kb-2919355). + +## Windows 10 + +✔ = Full upgrade is supported including personal data, settings, and applications. -✔ = Full upgrade is supported including personal data, settings, and applications.
D = Edition downgrade; personal data is maintained, applications and settings are removed. -
--
+--- +| | Windows 10 Home | Windows 10 Pro | Windows 10 Pro Education | Windows 10 Education | Windows 10 Enterprise | +|---|---|---|---|---|---| +| **Home** | | ✔ | ✔ | ✔ | | +| **Pro** | D | | ✔ | ✔ | ✔ | +| **Education** | | | | | D | +| **Enterprise** | | | | ✔ | | +--- + +## Windows 8.1 + +✔ = Full upgrade is supported including personal data, settings, and applications. + +D = Edition downgrade; personal data is maintained, applications and settings are removed. + +--- +| | Windows 10 Home | Windows 10 Pro | Windows 10 Pro Education | Windows 10 Education | Windows 10 Enterprise | +|---|---|---|---|---|---| +| **(Core)** | ✔ | ✔ | ✔ | ✔ | | +| **Connected** | ✔ | ✔ | ✔ | ✔ | | +| **Pro** | D | ✔ | ✔ | ✔ | ✔ | +| **Pro Student** | D | ✔ | ✔ | ✔ | ✔ | +| **Pro WMC** | D | ✔ | ✔ | ✔ | ✔ | +| **Enterprise** | | | | ✔ | ✔ | +| **Embedded Industry** | | | | | ✔ | + +--- + +## Windows 7 + +✔ = Full upgrade is supported including personal data, settings, and applications. + +D = Edition downgrade; personal data is maintained, applications and settings are removed. + +--- +| | Windows 10 Home | Windows 10 Pro | Windows 10 Pro Education | Windows 10 Education | Windows 10 Enterprise | +|---|---|---|---|---|---| +| **Starter** | ✔ | ✔ | ✔ | ✔ | | +| **Home Basic** | ✔ | ✔ | ✔ | ✔ | | +| **Home Premium** | ✔ | ✔ | ✔ | ✔ | | +| **Professional** | D | ✔ | ✔ | ✔ | ✔ | +| **Ultimate** | D | ✔ | ✔ | ✔ | ✔ | +| **Enterprise** | | | | ✔ | ✔ | + +--- ## Related Topics -[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)- -Windows 10 Home -Windows 10 Pro -Windows 10 Pro Education -Windows 10 Education -Windows 10 Enterprise -- -Windows 7 -- -Starter -✔ -✔ -✔ -✔ -- - -Home Basic -✔ -✔ -✔ -✔ -- - -Home Premium -✔ -✔ -✔ -✔ -- - -Professional -D -✔ -✔ -✔ -✔ -- -Ultimate -D -✔ -✔ -✔ -✔ -- -Enterprise -- - - ✔ -✔ -- -Windows 8.1 -- -(Core) -✔ -✔ -✔ -✔ -- - -Connected -✔ -✔ -✔ -✔ -- - -Pro -D -✔ -✔ -✔ -✔ -- -Pro Student -D -✔ -✔ -✔ -✔ -- -Pro WMC -D -✔ -✔ -✔ -✔ -- -Enterprise -- - - ✔ -✔ -- -Embedded Industry -- - - - ✔ -- -Windows RT -- - - - - - -Windows Phone 8.1 -- - - - - - -Windows 10 -- -Home -- ✔ -✔ -✔ -- - -Pro -D -- ✔ -✔ -✔ -- -Education -- - - - D -- -Enterprise -- - - ✔ --
-[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
-[Windows 10 edition upgrade](windows-10-edition-upgrades.md) \ No newline at end of file +[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md) + +[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md) + +[Windows 10 edition upgrade](windows-10-edition-upgrades.md) diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md index 0e160f2943..3595e295f0 100644 --- a/windows/deployment/windows-10-media.md +++ b/windows/deployment/windows-10-media.md @@ -34,43 +34,12 @@ When you select a product, for example “Windows 10 Enterprise” or “Windows > [!NOTE] > If you do not see a Windows 10 release available in the list of downloads, verify the [release date](https://technet.microsoft.com/windows/release-info.aspx). -In Windows 10, version 1709 the packaging of volume licensing media and upgrade packages is different than it has been for previous releases. Instead of having separate media and packages for Windows 10 Pro (volume licensing version), Windows 10 Enterprise, and Windows 10 Education, all three are bundled together. The following section explains this change. - -### Windows 10, version 1709 - -Windows 10, version 1709 is available starting on 10/17/2017 in all relevant distribution channels. Note: An updated [Windows ADK for Windows 10](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) is also available. - -For ISOs that you download from the VLSC or Visual Studio Subscriptions, you can still search for the individual Windows editions. However, each of these editions (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education) will point to the same ISO file, so you only need to download the ISO once. A single Windows image (WIM) file is included in the ISO that contains all the volume licensing images: - - - -When using the contents of these ISOs with tools such as the Microsoft Deployment Toolkit or Microsoft Endpoint Configuration Manager, make sure you select the appropriate image index in any task sequences that you create or update. - -For packages published to Windows Server Update Services (WSUS), you’ll also notice the change because, instead of having separate packages for each Windows edition, there will be just one package: - -
- -| Title | Classification | Description | -| --- | --- | --- | -| Feature update to Windows 10, version 1709, \
- -When you approve one of these packages, it applies to all of the editions. - -This Semi-Annual Channel release of Windows 10 continues the Windows as a service methodology. For more information about implementing Windows as a service in your organization in order to stay up to date with Windows, see [Update Windows 10 in the enterprise](./update/index.md). - +Instead of having separate media and packages for Windows 10 Pro (volume licensing version), Windows 10 Enterprise, and Windows 10 Education, all three are bundled together. ### Language packs -- **Windows 10 versions 1507 and 1511**: you can select **Windows 10 Enterprise Language Pack**, click **Download** and then select **English** and **64-bit** to see these downloads. - **Windows 10 1607 and later**: you must select **Multilanguage** from the drop-down list of languages. -See the following example for Windows 10, version 1709: - - - ### Features on demand [Features on demand](/archive/blogs/mniehaus/adding-features-including-net-3-5-to-windows-10) can be downloaded by searching for "**Windows 10 Enterprise Features on Demand**" and then following the same download process that is described above. diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 4d6d62258a..46c4eef1ae 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -23,7 +23,7 @@ Applies to: - Windows 10 - Windows 11 -Starting with Windows 10, version 1703, Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro or Windows 11 Pro to **Windows 10 Enterprise** or **Windows 11 Enterprise**, respectively, if they are subscribed to Windows 10/11 Enterprise E3 or E5. +Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro or Windows 11 Pro to **Windows 10 Enterprise** or **Windows 11 Enterprise**, respectively, if they are subscribed to Windows 10/11 Enterprise E3 or E5. With Windows 10, version 1903 and later, the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education or Windows 11 Pro Education to the Enterprise grade editions for educational institutions—**Windows 10 Education** or **Windows 11 Education**. @@ -44,9 +44,10 @@ For information on how to deploy Enterprise licenses, see [Deploy Windows 10/11 ## Subscription Activation for Windows 10/11 Enterprise -With Windows 10, version 1703 and later both Windows 10/11 Enterprise E3 and Windows 10/11 Enterprise E5 are available as online services via subscription. Deploying Windows 10 Enterprise or Windows 11 Enterprise in your organization can now be accomplished with no keys and no reboots. +Windows 10/11 Enterprise E3 and Windows 10/11 Enterprise E5 are available as online services via subscription. Deploying Windows 10 Enterprise or Windows 11 Enterprise in your organization can now be accomplished with no keys and no reboots. If you are running Windows 10, version 1703 or later: + - Devices with a current Windows 10 Pro license or Windows 11 Pro license can be seamlessly upgraded to Windows 10 Enterprise or Windows 11 Enterprise, respectively. - Product key-based Windows 10 Enterprise or Windows 11 Enterprise software licenses can be transitioned to Windows 10 Enterprise and Windows 11 Enterprise subscriptions. @@ -109,8 +110,6 @@ An issue has been identified with Hybrid Azure AD joined devices that have enabl To resolve this issue: -If the device is running Windows 10, version 1703, 1709, or 1803, the user must either sign in with an Azure AD account, or you must disable MFA for this user during the 30-day polling period and renewal. - If the device is running Windows 10, version 1809 or later: - Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch. @@ -166,7 +165,7 @@ The IT administrator assigns Windows 10 Enterprise to a user. See the following When a licensed user signs in to a device that meets requirements using their Azure AD credentials, the operating system steps up from Windows 10 Pro to Windows 10 Enterprise (or Windows 10 Pro Education to Windows 10 Education) and all the appropriate Windows 10 Enterprise/Education features are unlocked. When a user’s subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro / Windows 10 Pro Education edition, once current subscription validity expires. -Devices running Windows 10 Pro, version 1703 or Windows 10 Pro Education, version 1903 or later can get Windows 10 Enterprise or Education Semi-Annual Channel on up to five devices for each user covered by the license. This benefit does not include Long Term Servicing Channel. +Devices running Windows 10 Pro Education, version 1903 or later can get Windows 10 Enterprise or Education General Availability Channel on up to five devices for each user covered by the license. This benefit does not include Long Term Servicing Channel. The following figures summarize how the Subscription Activation model works: @@ -190,19 +189,7 @@ You are using Windows 10, version 1803 or above, and just purchased Windows 10 E All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise, and devices that are already running Windows 10 Enterprise will migrate from KMS or MAK activated Enterprise edition to Subscription activated Enterprise edition when a Subscription Activation-enabled user signs in to the device. -#### Scenario #2 - -You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise). - -To change all of your Windows 10 Pro devices to Windows 10 Enterprise, run the following command on each computer: - -```console -cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43 -``` - -The command causes the OS to change to Windows 10 Enterprise and then seek out the KMS server to reactivate. This key comes from [Appendix A: KMS Client Setup Keys](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v=ws.11)) in the Volume Activation guide. It is also possible to inject the Windows 10 Pro key from this article if you wish to step back down from Enterprise to Pro. - -#### Scenario #3 +#### Scenario #2 Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts. The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in. @@ -231,7 +218,7 @@ If you are running Windows 10, version 1803 or later, Subscription Activation wi If you are using Windows 10, version 1607, 1703, or 1709 and have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you can seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key. -If the computer has never been activated with a Pro key, run the following script. Copy the text below into a .cmd file and run the file from an elevated command prompt: +If the computer has never been activated with a Pro key, run the following script. Copy the text below into a `.cmd` file, and run the file from an elevated command prompt: ```console @echo off @@ -249,6 +236,12 @@ changepk.exe /ProductKey %ProductKey% ) ``` +Since [WMIC was deprecated](/windows/win32/wmisdk/wmic) in Windows 10, version 21H1, you can use the following Windows PowerShell script instead: + +```powershell +$(Get-WmiObject SoftwareLicensingService).OA3xOriginalProductKey | foreach{ if ( $null -ne $_ ) { Write-Host "Installing"$_;.\changepk.exe /Productkey $_ } else { Write-Host "No key present" } } +``` + ### Obtaining an Azure AD license Enterprise Agreement/Software Assurance (EA/SA): diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index b47dd4d0f2..ac69de04a3 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md @@ -47,7 +47,7 @@ These are the things you'll need to complete this lab: | | Description | |:---|:---| -|**Windows 10 installation media**|Windows 10 Professional or Enterprise (ISO file) for a supported version of Windows 10, semi-annual channel. If you don't already have an ISO to use, a link is provided to download an evaluation version of Windows 10 Enterprise.| +|**Windows 10 installation media**|Windows 10 Professional or Enterprise (ISO file) for a supported version of Windows 10, General Availability Channel. If you don't already have an ISO to use, a link is provided to download an evaluation version of Windows 10 Enterprise.| |**Internet access**|If you're behind a firewall, see the detailed networking requirements. Otherwise, just ensure that you have a connection to the internet.| |**Hyper-V or a physical device running Windows 10**|The guide assumes that you'll use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V.| |**An account with Azure Active Directory (AD) Premium license**|This guide will describe how to obtain a free 30-day trial Azure AD Premium subscription that can be used to complete the lab.| diff --git a/windows/manage/TOC.yml b/windows/manage/TOC.yml new file mode 100644 index 0000000000..892ce64421 --- /dev/null +++ b/windows/manage/TOC.yml @@ -0,0 +1,2 @@ +- name: Test + href: test.md diff --git a/windows/manage/test.md b/windows/manage/test.md new file mode 100644 index 0000000000..36d16a3f6b --- /dev/null +++ b/windows/manage/test.md @@ -0,0 +1,19 @@ +--- +title: Test +description: Test +ms.prod: w11 +ms.mktglfcycl: deploy +ms.sitesec: library +author: dstrome +ms.author: dstrome +ms.reviewer: +manager: dstrome +ms.topic: article +--- + +# Test + +## Deployment planning + +This article provides guidance to help you plan for Windows 11 in your organization. + diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 16e94c4bd9..a2c09c70c3 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 09/08/2021 +ms.date: ms.reviewer: --- @@ -34,7 +34,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: - [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) -- [Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index fe2e57d529..2c105c0127 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 09/08/2021 +ms.date: ms.reviewer: --- @@ -34,7 +34,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: - [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) -- [Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) @@ -3029,22 +3029,6 @@ The following fields are available: - **winInetError** The HResult of the operation. - -## Other events - -### Microsoft.ServerManagementExperience.Gateway.Service.ManagedNodeProperties - -This is a periodic rundown event that contains more detailed information about the nodes added to this Windows Admin Center gateway for management. - -The following fields are available: - -- **nodeId** The nodeTypeId concatenated with the hostname or IP address that gateway uses to connect to this node. -- **nodeOperatingSystem** A user friendly description of the node's OS version. -- **nodeOSVersion** A major or minor build version string for the node's OS. -- **nodeTypeId** A string that distinguishes between a connection target, whether it is a client, server, cluster or a hyper-converged cluster. -- **otherProperties** Contains a JSON object with variable content and may contain: "nodes": a list of host names or IP addresses of the servers belonging to a cluster, "aliases": the alias if it is set for this connection, "lastUpdatedTime": the number of milliseconds since Unix epoch when this connection was last updated, "ncUri", "caption", "version", "productType", "networkName", "operatingSystem", "computerManufacturer", "computerModel", "isS2dEnabled". This JSON object is formatted as an quotes-escaped string. - - ## Privacy logging notification events ### Microsoft.Windows.Shell.PrivacyNotifierLogging.PrivacyNotifierCompleted diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 27ad38b904..89feae1164 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 09/08/2021 +ms.date: ms.reviewer: --- @@ -34,7 +34,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: - [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) -- [Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) @@ -44,7 +44,6 @@ You can learn more about Windows functional and diagnostic data through these ar - ## Appraiser events ### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount @@ -4370,14 +4369,6 @@ The following fields are available: ## Other events -### Microsoft.Surface.Battery.Prod.BatteryInfoEvent - -This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. - -The following fields are available: - -- **pszBatteryDataXml** Battery performance data. -- **szBatteryInfo** Battery performance data. ## Privacy consent logging events @@ -5473,6 +5464,17 @@ The following fields are available: - **UpdateId** The update ID for a specific piece of content. - **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. +## Surface events + +### Microsoft.Surface.Battery.Prod.BatteryInfoEvent + +This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. + +The following fields are available: + +- **pszBatteryDataXml** Battery performance data. +- **szBatteryInfo** Battery performance data. + ## Update Assistant events diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index e45351e107..e170e13dbe 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 09/08/2021 +ms.date: ms.reviewer: --- @@ -24,7 +24,6 @@ ms.reviewer: - Windows 10, version 1809 - The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. @@ -34,7 +33,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: - [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) -- [Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) @@ -5790,36 +5789,6 @@ The following fields are available: - **totalRunDuration** Total running/evaluation time from last time. - **totalRuns** Total number of running/evaluation from last time. - -## Other events - -### Microsoft.ServerManagementExperience.Gateway.Service.ManagedNodeProperties - -This is a periodic rundown event that contains more detailed information about the nodes added to this Windows Admin Center gateway for management. - -The following fields are available: - -- **nodeId** The nodeTypeId concatenated with the hostname or IP address that gateway uses to connect to this node. -- **nodeOperatingSystem** A user friendly description of the node's OS version. -- **nodeOSVersion** A major or minor build version string for the node's OS. -- **nodeTypeId** A string that distinguishes between a connection target, whether it is a client, server, cluster or a hyper-converged cluster. -- **otherProperties** Contains a JSON object with variable content and may contain: "nodes": a list of host names or IP addresses of the servers belonging to a cluster, "aliases": the alias if it is set for this connection, "lastUpdatedTime": the number of milliseconds since Unix epoch when this connection was last updated, "ncUri", "caption", "version", "productType", "networkName", "operatingSystem", "computerManufacturer", "computerModel", "isS2dEnabled". This JSON object is formatted as an quotes-escaped string. - - -### Microsoft.Surface.Battery.Prod.BatteryInfoEvent - -This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. - -The following fields are available: - -- **batteryData.data()** Battery performance data. -- **BatteryDataSize:** Size of the battery performance data. -- **batteryInfo.data()** Battery performance data. -- **BatteryInfoSize:** Size of the battery performance data. -- **pszBatteryDataXml** Battery performance data. -- **szBatteryInfo** Battery performance data. - - ## Privacy consent logging events ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted @@ -7029,6 +6998,22 @@ The following fields are available: - **UpdateId** The update ID for a specific piece of content. - **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. +## Surface events + +### Microsoft.Surface.Battery.Prod.BatteryInfoEvent + +This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. + +The following fields are available: + +- **batteryData.data()** Battery performance data. +- **BatteryDataSize:** Size of the battery performance data. +- **batteryInfo.data()** Battery performance data. +- **BatteryInfoSize:** Size of the battery performance data. +- **pszBatteryDataXml** Battery performance data. +- **szBatteryInfo** Battery performance data. + + ## System Resource Usage Monitor events diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index d9cf6ceee1..7cd176eb53 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 09/08/2021 +ms.date: --- @@ -39,7 +39,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: - [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) -- [Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) @@ -277,6 +277,8 @@ The following fields are available: - **DatasourceApplicationFile_20H1Setup** The total number of objects of this type present on this device. - **DatasourceApplicationFile_21H1** The total number of objects of this type present on this device. - **DatasourceApplicationFile_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_21H2** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_21H2Setup** The total number of objects of this type present on this device. - **DatasourceApplicationFile_RS1** The total number of objects of this type present on this device. - **DatasourceApplicationFile_RS2** The total number of objects of this type present on this device. - **DatasourceApplicationFile_RS3** The total number of objects of this type present on this device. @@ -290,6 +292,8 @@ The following fields are available: - **DatasourceDevicePnp_20H1Setup** The total number of objects of this type present on this device. - **DatasourceDevicePnp_21H1** The total number of objects of this type present on this device. - **DatasourceDevicePnp_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_21H2** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_21H2Setup** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS1** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS2** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS3** The total number of objects of this type present on this device. @@ -306,6 +310,8 @@ The following fields are available: - **DatasourceDriverPackage_20H1Setup** The total number of objects of this type present on this device. - **DatasourceDriverPackage_21H1** The total number of objects of this type present on this device. - **DatasourceDriverPackage_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_21H2** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_21H2Setup** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS1** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS2** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS3** The total number of objects of this type present on this device. @@ -322,6 +328,8 @@ The following fields are available: - **DataSourceMatchingInfoBlock_20H1Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_21H1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_21H2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_21H2Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_RS2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_RS3** The total number of objects of this type present on this device. @@ -335,6 +343,8 @@ The following fields are available: - **DataSourceMatchingInfoPassive_20H1Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_21H1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_21H2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_21H2Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_RS2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_RS3** The total number of objects of this type present on this device. @@ -348,6 +358,8 @@ The following fields are available: - **DataSourceMatchingInfoPostUpgrade_20H1Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_21H1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_21H2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_21H2Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. @@ -362,6 +374,8 @@ The following fields are available: - **DatasourceSystemBios_20H1Setup** The total number of objects of this type present on this device. - **DatasourceSystemBios_21H1** The total number of objects of this type present on this device. - **DatasourceSystemBios_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_21H2** The total number of objects of this type present on this device. +- **DatasourceSystemBios_21H2Setup** The total number of objects of this type present on this device. - **DatasourceSystemBios_RS1** The total number of objects of this type present on this device. - **DatasourceSystemBios_RS2** The total number of objects of this type present on this device. - **DatasourceSystemBios_RS3** The total number of objects of this type present on this device. @@ -378,6 +392,8 @@ The following fields are available: - **DecisionApplicationFile_20H1Setup** The total number of objects of this type present on this device. - **DecisionApplicationFile_21H1** The total number of objects of this type present on this device. - **DecisionApplicationFile_21H1Setup** The total number of objects of this type present on this device. +- **DecisionApplicationFile_21H2** The total number of objects of this type present on this device. +- **DecisionApplicationFile_21H2Setup** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS1** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS2** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS3** The total number of objects of this type present on this device. @@ -391,6 +407,8 @@ The following fields are available: - **DecisionDevicePnp_20H1Setup** The total number of objects of this type present on this device. - **DecisionDevicePnp_21H1** The total number of objects of this type present on this device. - **DecisionDevicePnp_21H1Setup** The total number of objects of this type present on this device. +- **DecisionDevicePnp_21H2** The total number of objects of this type present on this device. +- **DecisionDevicePnp_21H2Setup** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS1** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS2** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS3** The total number of objects of this type present on this device. @@ -407,6 +425,8 @@ The following fields are available: - **DecisionDriverPackage_20H1Setup** The total number of objects of this type present on this device. - **DecisionDriverPackage_21H1** The total number of objects of this type present on this device. - **DecisionDriverPackage_21H1Setup** The total number of objects of this type present on this device. +- **DecisionDriverPackage_21H2** The total number of objects of this type present on this device. +- **DecisionDriverPackage_21H2Setup** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS1** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS2** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS3** The total number of objects of this type present on this device. @@ -423,6 +443,8 @@ The following fields are available: - **DecisionMatchingInfoBlock_20H1Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_21H1** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_21H2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_21H2Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS2** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS3** The total number of objects of this type present on this device. @@ -436,6 +458,8 @@ The following fields are available: - **DecisionMatchingInfoPassive_20H1Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_21H1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_21H2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_21H2Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS2** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS3** The total number of objects of this type present on this device. @@ -449,6 +473,8 @@ The following fields are available: - **DecisionMatchingInfoPostUpgrade_20H1Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_21H1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_21H2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_21H2Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. @@ -462,6 +488,8 @@ The following fields are available: - **DecisionMediaCenter_20H1Setup** The total number of objects of this type present on this device. - **DecisionMediaCenter_21H1** The total number of objects of this type present on this device. - **DecisionMediaCenter_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMediaCenter_21H2** The total number of objects of this type present on this device. +- **DecisionMediaCenter_21H2Setup** The total number of objects of this type present on this device. - **DecisionMediaCenter_RS1** The total number of objects of this type present on this device. - **DecisionMediaCenter_RS2** The total number of objects of this type present on this device. - **DecisionMediaCenter_RS3** The total number of objects of this type present on this device. @@ -469,17 +497,19 @@ The following fields are available: - **DecisionMediaCenter_RS5** The total number of objects of this type present on this device. - **DecisionMediaCenter_TH1** The total number of objects of this type present on this device. - **DecisionMediaCenter_TH2** The total number of objects of this type present on this device. -- **DecisionSModeState_19H1** The total number of objects of this type present on this device. +- **DecisionSModeState_19H1** The total number of objects of this type present on this device. - **DecisionSModeState_20H1** The total number of objects of this type present on this device. - **DecisionSModeState_20H1Setup** The total number of objects of this type present on this device. - **DecisionSModeState_21H1** The total number of objects of this type present on this device. -- **DecisionSModeState_RS1** The total number of objects of this type present on this device. -- **DecisionSModeState_RS2** The total number of objects of this type present on this device. -- **DecisionSModeState_RS3** The total number of objects of this type present on this device. -- **DecisionSModeState_RS4** The total number of objects of this type present on this device. -- **DecisionSModeState_RS5** The total number of objects of this type present on this device. -- **DecisionSModeState_TH1** The total number of objects of this type present on this device. -- **DecisionSModeState_TH2** The total number of objects of this type present on this device. +- **DecisionSModeState_21H2** The total number of objects of this type present on this device. +- **DecisionSModeState_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSModeState_RS1** The total number of objects of this type present on this device. +- **DecisionSModeState_RS2** The total number of objects of this type present on this device. +- **DecisionSModeState_RS3** The total number of objects of this type present on this device. +- **DecisionSModeState_RS4** The total number of objects of this type present on this device. +- **DecisionSModeState_RS5** The total number of objects of this type present on this device. +- **DecisionSModeState_TH1** The total number of objects of this type present on this device. +- **DecisionSModeState_TH2** The total number of objects of this type present on this device. - **DecisionSystemBios_19ASetup** The total number of objects of this type present on this device. - **DecisionSystemBios_19H1** The total number of objects of this type present on this device. - **DecisionSystemBios_19H1Setup** The total number of objects of this type present on this device. @@ -487,6 +517,8 @@ The following fields are available: - **DecisionSystemBios_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemBios_21H1** The total number of objects of this type present on this device. - **DecisionSystemBios_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_21H2** The total number of objects of this type present on this device. +- **DecisionSystemBios_21H2Setup** The total number of objects of this type present on this device. - **DecisionSystemBios_RS1** The total number of objects of this type present on this device. - **DecisionSystemBios_RS2** The total number of objects of this type present on this device. - **DecisionSystemBios_RS3** The total number of objects of this type present on this device. @@ -497,67 +529,79 @@ The following fields are available: - **DecisionSystemBios_RS5Setup** The total number of objects of this type present on this device. - **DecisionSystemBios_TH1** The total number of objects of this type present on this device. - **DecisionSystemBios_TH2** The total number of objects of this type present on this device. -- **DecisionSystemDiskSize_19H1** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_19H1** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_20H1** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_21H1** The total number of objects of this type present on this device. -- **DecisionSystemDiskSize_RS1** The total number of objects of this type present on this device. -- **DecisionSystemDiskSize_RS2** The total number of objects of this type present on this device. -- **DecisionSystemDiskSize_RS3** The total number of objects of this type present on this device. -- **DecisionSystemDiskSize_RS4** The total number of objects of this type present on this device. -- **DecisionSystemDiskSize_RS5** The total number of objects of this type present on this device. -- **DecisionSystemDiskSize_TH1** The total number of objects of this type present on this device. -- **DecisionSystemDiskSize_TH2** The total number of objects of this type present on this device. -- **DecisionSystemMemory_19H1** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_21H2** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_RS1** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_RS2** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_RS3** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_RS4** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_RS5** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_TH1** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_TH2** The total number of objects of this type present on this device. +- **DecisionSystemMemory_19H1** The total number of objects of this type present on this device. - **DecisionSystemMemory_20H1** The total number of objects of this type present on this device. - **DecisionSystemMemory_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemMemory_21H1** The total number of objects of this type present on this device. -- **DecisionSystemMemory_RS1** The total number of objects of this type present on this device. -- **DecisionSystemMemory_RS2** The total number of objects of this type present on this device. -- **DecisionSystemMemory_RS3** The total number of objects of this type present on this device. -- **DecisionSystemMemory_RS4** The total number of objects of this type present on this device. -- **DecisionSystemMemory_RS5** The total number of objects of this type present on this device. -- **DecisionSystemMemory_TH1** The total number of objects of this type present on this device. -- **DecisionSystemMemory_TH2** The total number of objects of this type present on this device. +- **DecisionSystemMemory_21H2** The total number of objects of this type present on this device. +- **DecisionSystemMemory_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemMemory_RS1** The total number of objects of this type present on this device. +- **DecisionSystemMemory_RS2** The total number of objects of this type present on this device. +- **DecisionSystemMemory_RS3** The total number of objects of this type present on this device. +- **DecisionSystemMemory_RS4** The total number of objects of this type present on this device. +- **DecisionSystemMemory_RS5** The total number of objects of this type present on this device. +- **DecisionSystemMemory_TH1** The total number of objects of this type present on this device. +- **DecisionSystemMemory_TH2** The total number of objects of this type present on this device. - **DecisionSystemProcessor_RS2** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuCores_19H1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_19H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_20H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_21H1** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuCores_RS1** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuCores_RS2** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuCores_RS3** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuCores_RS4** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuCores_RS5** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuCores_TH1** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuCores_TH2** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuModel_19H1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_21H2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_RS1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_RS2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_RS3** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_RS4** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_RS5** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_TH1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_TH2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_19H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_20H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_21H1** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuModel_RS1** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuModel_RS2** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuModel_RS3** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuModel_RS4** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuModel_RS5** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuModel_TH1** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuModel_TH2** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuSpeed_19H1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_21H2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_RS1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_RS2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_RS3** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_RS4** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_RS5** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_TH1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_TH2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_19H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_20H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_21H1** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuSpeed_RS1** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuSpeed_RS2** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuSpeed_RS3** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuSpeed_RS4** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuSpeed_RS5** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuSpeed_TH1** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuSpeed_TH2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_21H2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_RS1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_RS2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_RS3** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_RS4** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_RS5** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_TH1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_TH2** The total number of objects of this type present on this device. - **DecisionTest_19H1** The total number of objects of this type present on this device. - **DecisionTest_20H1** The total number of objects of this type present on this device. - **DecisionTest_20H1Setup** The total number of objects of this type present on this device. - **DecisionTest_21H1** The total number of objects of this type present on this device. - **DecisionTest_21H1Setup** The total number of objects of this type present on this device. +- **DecisionTest_21H2** The total number of objects of this type present on this device. +- **DecisionTest_21H2Setup** The total number of objects of this type present on this device. - **DecisionTest_RS1** The total number of objects of this type present on this device. - **DecisionTest_RS2** The total number of objects of this type present on this device. - **DecisionTest_RS3** The total number of objects of this type present on this device. @@ -565,28 +609,32 @@ The following fields are available: - **DecisionTest_RS5** The total number of objects of this type present on this device. - **DecisionTest_TH1** The total number of objects of this type present on this device. - **DecisionTest_TH2** The total number of objects of this type present on this device. -- **DecisionTpmVersion_19H1** The total number of objects of this type present on this device. +- **DecisionTpmVersion_19H1** The total number of objects of this type present on this device. - **DecisionTpmVersion_20H1** The total number of objects of this type present on this device. - **DecisionTpmVersion_20H1Setup** The total number of objects of this type present on this device. - **DecisionTpmVersion_21H1** The total number of objects of this type present on this device. -- **DecisionTpmVersion_RS1** The total number of objects of this type present on this device. -- **DecisionTpmVersion_RS2** The total number of objects of this type present on this device. -- **DecisionTpmVersion_RS3** The total number of objects of this type present on this device. -- **DecisionTpmVersion_RS4** The total number of objects of this type present on this device. -- **DecisionTpmVersion_RS5** The total number of objects of this type present on this device. -- **DecisionTpmVersion_TH1** The total number of objects of this type present on this device. -- **DecisionTpmVersion_TH2** The total number of objects of this type present on this device. -- **DecisionUefiSecureBoot_19H1** The total number of objects of this type present on this device. +- **DecisionTpmVersion_21H2** The total number of objects of this type present on this device. +- **DecisionTpmVersion_21H2Setup** The total number of objects of this type present on this device. +- **DecisionTpmVersion_RS1** The total number of objects of this type present on this device. +- **DecisionTpmVersion_RS2** The total number of objects of this type present on this device. +- **DecisionTpmVersion_RS3** The total number of objects of this type present on this device. +- **DecisionTpmVersion_RS4** The total number of objects of this type present on this device. +- **DecisionTpmVersion_RS5** The total number of objects of this type present on this device. +- **DecisionTpmVersion_TH1** The total number of objects of this type present on this device. +- **DecisionTpmVersion_TH2** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_19H1** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_20H1** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_20H1Setup** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_21H1** The total number of objects of this type present on this device. -- **DecisionUefiSecureBoot_RS1** The total number of objects of this type present on this device. -- **DecisionUefiSecureBoot_RS2** The total number of objects of this type present on this device. -- **DecisionUefiSecureBoot_RS3** The total number of objects of this type present on this device. -- **DecisionUefiSecureBoot_RS4** The total number of objects of this type present on this device. -- **DecisionUefiSecureBoot_RS5** The total number of objects of this type present on this device. -- **DecisionUefiSecureBoot_TH1** The total number of objects of this type present on this device. -- **DecisionUefiSecureBoot_TH2** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_21H2** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_21H2Setup** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_RS1** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_RS2** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_RS3** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_RS4** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_RS5** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_TH1** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_TH2** The total number of objects of this type present on this device. - **InventoryApplicationFile** The total number of objects of this type present on this device. - **InventoryDeviceContainer** The total number of objects of this type present on this device. - **InventoryDevicePnp** The total number of objects of this type present on this device. @@ -616,6 +664,8 @@ The following fields are available: - **Wmdrm_20H1Setup** The total number of objects of this type present on this device. - **Wmdrm_21H1** The total number of objects of this type present on this device. - **Wmdrm_21H1Setup** The total number of objects of this type present on this device. +- **Wmdrm_21H2** The total number of objects of this type present on this device. +- **Wmdrm_21H2Setup** The total number of objects of this type present on this device. - **Wmdrm_RS1** The total number of objects of this type present on this device. - **Wmdrm_RS2** The total number of objects of this type present on this device. - **Wmdrm_RS3** The total number of objects of this type present on this device. @@ -4237,6 +4287,7 @@ The following fields are available: - **DriverInfSectionName** Name of the DDInstall section within the driver INF file. - **DriverPackageId** The ID of the driver package that is staged to the driver store. - **DriverProvider** The driver manufacturer or provider. +- **DriverShimIds** List of driver shim IDs. - **DriverUpdated** Indicates whether the driver is replacing an old driver. - **DriverVersion** The version of the driver file. - **EndTime** The time the installation completed. @@ -4614,13 +4665,13 @@ The following fields are available: - **Generic** A count of generic objects in cache. - **HwItem** A count of hwitem objects in cache. - **InventoryAcpiPhatHealthRecord** A count of ACPI PHAT health records in cache. -- **InventoryAcpiPhatVersionElement** A count of ACPI PHAT version elements in cache +- **InventoryAcpiPhatVersionElement** A count of ACPI PHAT version elements in cache. - **InventoryApplication** A count of application objects in cache. - **InventoryApplicationAppV** A count of application AppV objects in cache. -- **InventoryApplicationDriver** A count of application driver objects in cache +- **InventoryApplicationDriver** A count of application driver objects in cache. - **InventoryApplicationFile** A count of application file objects in cache. -- **InventoryApplicationFramework** A count of application framework objects in cache -- **InventoryApplicationShortcut** A count of application shortcut objects in cache +- **InventoryApplicationFramework** A count of application framework objects in cache. +- **InventoryApplicationShortcut** A count of application shortcut objects in cache. - **InventoryDeviceContainer** A count of device container objects in cache. - **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache. - **InventoryDeviceMediaClass** A count of device media objects in cache. @@ -4631,14 +4682,14 @@ The following fields are available: - **InventoryDriverPackage** A count of device objects in cache. - **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in cache - **InventoryMiscellaneousOfficeAddInUsage** A count of office add-in usage objects in cache. -- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in cache -- **InventoryMiscellaneousOfficeIESettings** A count of office ie settings objects in cache -- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in cache -- **InventoryMiscellaneousOfficeProducts** A count of office products objects in cache -- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in cache -- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache -- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache -- **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache +- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in cache. +- **InventoryMiscellaneousOfficeIESettings** A count of office ie settings objects in cache. +- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in cache. +- **InventoryMiscellaneousOfficeProducts** A count of office products objects in cache. +- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in cache. +- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache. +- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache. +- **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache. - **InventoryVersion** The version of the inventory binary generating the events. - **Metadata** A count of metadata objects in cache. - **Orphan** A count of orphan file objects in cache. @@ -5896,27 +5947,6 @@ The following fields are available: - **ModelName** Windows Mixed Reality device model name. - **SerialNumber** Windows Mixed Reality device serial number. - -## OneDrive events - -### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation - -This event is related to the OS version when the OS is upgraded with OneDrive installed. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. - -The following fields are available: - -- **CurrentOneDriveVersion** The current version of OneDrive. -- **CurrentOSBuildBranch** The current branch of the operating system. -- **CurrentOSBuildNumber** The current build number of the operating system. -- **CurrentOSVersion** The current version of the operating system. -- **HResult** The HResult of the operation. -- **SourceOSBuildBranch** The source branch of the operating system. -- **SourceOSBuildNumber** The source build number of the operating system. -- **SourceOSVersion** The source version of the operating system. - - -## Other events - ### Microsoft.ML.ONNXRuntime.ProcessInfo This event collects information when an application loads ONNXRuntime.dll. The data collected with this event is used to keep Windows product and service performing properly. @@ -5941,21 +5971,52 @@ The following fields are available: - **totalRunDuration** Total running/evaluation time from last time. - **totalRuns** Total number of running/evaluation from last time. +## OneDrive events -### Microsoft.Surface.Battery.Prod.BatteryInfoEvent +### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation -This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. +This event is related to the OS version when the OS is upgraded with OneDrive installed. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. The following fields are available: -- **batteryData** Hardware level data about battery performance. -- **batteryData.data()** Battery performance data. -- **BatteryDataSize:** Size of the battery performance data. -- **batteryInfo.data()** Battery performance data. -- **BatteryInfoSize:** Battery performance data. -- **pszBatteryDataXml** Battery performance data. -- **szBatteryInfo** Battery performance data. +- **CurrentOneDriveVersion** The current version of OneDrive. +- **CurrentOSBuildBranch** The current branch of the operating system. +- **CurrentOSBuildNumber** The current build number of the operating system. +- **CurrentOSVersion** The current version of the operating system. +- **HResult** The HResult of the operation. +- **SourceOSBuildBranch** The source branch of the operating system. +- **SourceOSBuildNumber** The source build number of the operating system. +- **SourceOSVersion** The source version of the operating system. +## Privacy consent logging events + +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted + +This event is used to determine whether the user successfully completed the privacy consent experience. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **presentationVersion** Which display version of the privacy consent experience the user completed +- **privacyConsentState** The current state of the privacy consent experience +- **settingsVersion** Which setting version of the privacy consent experience the user completed +- **userOobeExitReason** The exit reason of the privacy consent experience + + +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus + +This event provides the effectiveness of new privacy experience. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **isAdmin** whether the person who is logging in is an admin +- **isExistingUser** whether the account existed in a downlevel OS +- **isLaunching** Whether or not the privacy consent experience will be launched +- **isSilentElevation** whether the user has most restrictive UAC controls +- **privacyConsentState** whether the user has completed privacy experience +- **userRegionCode** The current user's region setting + + +## Update Assistant events ### Microsoft.Windows.UpdateHealthTools.ExpediteBlocked @@ -6336,37 +6397,6 @@ The following fields are available: - **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. - **PackageVersion** Current package version of remediation. - -## Privacy consent logging events - -### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted - -This event is used to determine whether the user successfully completed the privacy consent experience. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **presentationVersion** Which display version of the privacy consent experience the user completed -- **privacyConsentState** The current state of the privacy consent experience -- **settingsVersion** Which setting version of the privacy consent experience the user completed -- **userOobeExitReason** The exit reason of the privacy consent experience - - -### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus - -This event provides the effectiveness of new privacy experience. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **isAdmin** whether the person who is logging in is an admin -- **isExistingUser** whether the account existed in a downlevel OS -- **isLaunching** Whether or not the privacy consent experience will be launched -- **isSilentElevation** whether the user has most restrictive UAC controls -- **privacyConsentState** whether the user has completed privacy experience -- **userRegionCode** The current user's region setting - - -## Quality Update Assistant events - ### Microsoft.Windows.QualityUpdateAssistant.Applicability This event sends basic info on whether the device should be updated to the latest cumulative update. The data collected with this event is used to help keep Windows up to date and secure. @@ -7037,6 +7067,19 @@ The following fields are available: - **healthLogSize** 4KB. - **productId** Identifier for product model. +### Microsoft.Surface.Battery.Prod.BatteryInfoEvent + +This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. + +The following fields are available: + +- **batteryData** Hardware level data about battery performance. +- **batteryData.data()** Battery performance data. +- **BatteryDataSize:** Size of the battery performance data. +- **batteryInfo.data()** Battery performance data. +- **BatteryInfoSize:** Battery performance data. +- **pszBatteryDataXml** Battery performance data. +- **szBatteryInfo** Battery performance data. ## System reset events diff --git a/windows/privacy/manage-windows-21h2-endpoints.md b/windows/privacy/manage-windows-21h2-endpoints.md new file mode 100644 index 0000000000..c6578dcc77 --- /dev/null +++ b/windows/privacy/manage-windows-21h2-endpoints.md @@ -0,0 +1,157 @@ +--- +title: Connection endpoints for Windows 10 Enterprise, version 21H2 +description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 21H2. +keywords: privacy, manage connections to Microsoft, Windows 10 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +audience: ITPro +author: gental-giant +ms.author: v-hakima +manager: robsize +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 10/04/2021 +--- + +# Manage connection endpoints for Windows 10 Enterprise, version 21H2 + +**Applies to** + +- Windows 10 Enterprise, version 21H2 + +Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: + +- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. +- Connecting to email servers to send and receive email. +- Connecting to the web for every day web browsing. +- Connecting to the cloud to store and access backups. +- Using your location to show a weather forecast. + +Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). +Where applicable, each endpoint covered in this topic includes a link to the specific details on how to control that traffic. + +The following methodology was used to derive these network endpoints: + +1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. +2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device). +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +4. Compile reports on traffic going to public IP addresses. +5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here. +7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different. +8. These tests were conducted for one week, but if you capture traffic for longer you may have different results. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. + +## Windows 10 21H2 Enterprise connection endpoints + +|Area|Description|Protocol|Destination| +|----------------|----------|----------|------------| +|Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| +||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com| +||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net +|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| +|||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com| +|Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| +||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*| +|||TLSv1.2/HTTPS/HTTP|fp.msedge.net| +|||TLSv1.2|I-ring.msedge.net| +|||HTTPS|s-ring.msedge.net| +|Device authentication|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| +||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*| +|Device metadata|The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)| +|||HTTP|dmd.metaservices.microsoft.com| +|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| +|||TLSv1.2/HTTPS/HTTP|v10.events.data.microsoft.com| +||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com| +|||TLS v1.2/HTTPS/HTTP|watson.*.microsoft.com| +|Font Streaming|The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you will not be able to download fonts on demand.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)| +|||HTTPS|fs.microsoft.com| +|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#9-license-manager)| +|||TLSv1.2/HTTPS/HTTP|licensing.mp.microsoft.com| +|Maps|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)| +||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|TLSv1.2/HTTPS/HTTP|maps.windows.com| +|Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)| +||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLSv1.2/HTTPS|login.live.com| +|Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)| +||This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com| +||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com| +|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTP|go.microsoft.com| +|Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| +||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net| +||The following endpoint is needed to load the content in the Microsoft Store app.|HTTPS|livetileedge.dsx.mp.microsoft.com| +||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|TLSv1.2/HTTPS|*.wns.windows.com| +||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| +||The following endpoint is used to get Microsoft Store analytics.|HTTPS|manage.devcenter.microsoft.com| +||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store.|TLSv1.2/HTTPS/HTTP|displaycatalog.mp.microsoft.com| +|||HTTPS|pti.store.microsoft.com| +|||HTTP|share.microsoft.com| +||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com| +|Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)| +||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTPS|www.msftconnecttest.com*| +|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| +|||HTTPS|www.office.com| +|||HTTPS|blobs.officehome.msocdn.com| +|||HTTPS|officehomeblobs.blob.core.windows.net| +|||HTTPS|self.events.data.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|outlookmobile-office365-tas.msedge.net| +|OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive)| +|||TLSv1.2/HTTPS/HTTP|g.live.com| +|||TLSv1.2/HTTPS/HTTP|oneclient.sfx.ms| +|||HTTPS| logincdn.msauth.net| +|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| +|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com| +|||HTTPS|settings.data.microsoft.com| +|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| +|||HTTPS/HTTP|*.pipe.aria.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com| +|Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| +|||TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com| +|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)| +|||HTTPS/TLSv1.2|wdcp.microsoft.com| +||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications will not appear.|HTTPS|*smartscreen-prod.microsoft.com| +|||HTTPS/HTTP|checkappexec.microsoft.com| +|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)| +|||TLSv1.2/HTTPS/HTTP|arc.msn.com| +|||HTTPS|ris.api.iris.microsoft.com| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)| +|||TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com| +|||HTTP|emdl.ws.microsoft.com| +||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com| +|||HTTP|*.windowsupdate.com| +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|*.update.microsoft.com| +||The following endpoint is used for compatibility database updates for Windows.|HTTPS|adl.windows.com| +||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com| +|Xbox Live|The following endpoint is used for Xbox Live.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| +|||HTTPS|dlassets-ssl.xboxlive.com| + + +## Other Windows 10 editions + +To view endpoints for other versions of Windows 10 Enterprise, see: + +- [Manage connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) + +To view endpoints for non-Enterprise Windows 10 editions, see: + +- [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md) +- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md) +- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md) +- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) +- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) +- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) + +## Related links + +- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) +- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints) \ No newline at end of file diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md index 246577e395..728704a57e 100644 --- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md +++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md @@ -36,7 +36,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md index 535d41535f..5c6f22d52c 100644 --- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md +++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md @@ -1,6 +1,6 @@ --- description: Use this article to learn more about what required Windows diagnostic data is gathered. -title: Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required diagnostic events and fields (Windows 10) +title: Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required diagnostic events and fields (Windows 10) keywords: privacy, telemetry ms.prod: w10 ms.mktglfcycl: manage @@ -13,11 +13,11 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 10/04/2021 +ms.date: --- -# Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields +# Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields > [!IMPORTANT] @@ -26,10 +26,12 @@ ms.date: 10/04/2021 **Applies to** +- Windows 10, version 21H2 - Windows 10, version 21H1 - Windows 10, version 20H2 - Windows 10, version 2004 + Required diagnostic data gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. Required diagnostic data helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. @@ -63,6 +65,8 @@ The following fields are available: - **DatasourceApplicationFile_20H1Setup** The total number of objects of this type present on this device. - **DatasourceApplicationFile_21H1** The total number of objects of this type present on this device. - **DatasourceApplicationFile_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_21H2** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_21H2Setup** The total number of objects of this type present on this device. - **DatasourceApplicationFile_RS1** The total number of objects of this type present on this device. - **DatasourceApplicationFile_RS2** The total number of objects of this type present on this device. - **DatasourceApplicationFile_RS3** The total number of objects of this type present on this device. @@ -76,6 +80,8 @@ The following fields are available: - **DatasourceDevicePnp_20H1Setup** The total number of objects of this type present on this device. - **DatasourceDevicePnp_21H1** The total number of objects of this type present on this device. - **DatasourceDevicePnp_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_21H2** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_21H2Setup** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS1** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS2** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS3** The total number of objects of this type present on this device. @@ -91,6 +97,8 @@ The following fields are available: - **DatasourceDriverPackage_20H1Setup** The total number of objects of this type present on this device. - **DatasourceDriverPackage_21H1** The total number of objects of this type present on this device. - **DatasourceDriverPackage_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_21H2** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_21H2Setup** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS1** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS2** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS3** The total number of objects of this type present on this device. @@ -106,6 +114,8 @@ The following fields are available: - **DataSourceMatchingInfoBlock_20H1Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_21H1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_21H2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_21H2Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_RS2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_RS3** The total number of objects of this type present on this device. @@ -119,6 +129,8 @@ The following fields are available: - **DataSourceMatchingInfoPassive_20H1Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_21H1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_21H2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_21H2Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_RS2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_RS3** The total number of objects of this type present on this device. @@ -132,6 +144,8 @@ The following fields are available: - **DataSourceMatchingInfoPostUpgrade_20H1Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_21H1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_21H2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_21H2Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. @@ -145,6 +159,8 @@ The following fields are available: - **DatasourceSystemBios_20H1Setup** The total number of objects of this type present on this device. - **DatasourceSystemBios_21H1** The total number of objects of this type present on this device. - **DatasourceSystemBios_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_21H2** The total number of objects of this type present on this device. +- **DatasourceSystemBios_21H2Setup** The total number of objects of this type present on this device. - **DatasourceSystemBios_RS1** The total number of objects of this type present on this device. - **DatasourceSystemBios_RS2** The total number of objects of this type present on this device. - **DatasourceSystemBios_RS3** The total number of objects of this type present on this device. @@ -160,6 +176,8 @@ The following fields are available: - **DecisionApplicationFile_20H1Setup** The total number of objects of this type present on this device. - **DecisionApplicationFile_21H1** The total number of objects of this type present on this device. - **DecisionApplicationFile_21H1Setup** The total number of objects of this type present on this device. +- **DecisionApplicationFile_21H2** The total number of objects of this type present on this device. +- **DecisionApplicationFile_21H2Setup** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS1** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS2** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS3** The total number of objects of this type present on this device. @@ -173,6 +191,8 @@ The following fields are available: - **DecisionDevicePnp_20H1Setup** The total number of objects of this type present on this device. - **DecisionDevicePnp_21H1** The total number of objects of this type present on this device. - **DecisionDevicePnp_21H1Setup** The total number of objects of this type present on this device. +- **DecisionDevicePnp_21H2** The total number of objects of this type present on this device. +- **DecisionDevicePnp_21H2Setup** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS1** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS2** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS3** The total number of objects of this type present on this device. @@ -188,6 +208,8 @@ The following fields are available: - **DecisionDriverPackage_20H1Setup** The total number of objects of this type present on this device. - **DecisionDriverPackage_21H1** The total number of objects of this type present on this device. - **DecisionDriverPackage_21H1Setup** The total number of objects of this type present on this device. +- **DecisionDriverPackage_21H2** The total number of objects of this type present on this device. +- **DecisionDriverPackage_21H2Setup** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS1** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS2** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS3** The total number of objects of this type present on this device. @@ -203,6 +225,8 @@ The following fields are available: - **DecisionMatchingInfoBlock_20H1Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_21H1** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_21H2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_21H2Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS2** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS3** The total number of objects of this type present on this device. @@ -216,6 +240,8 @@ The following fields are available: - **DecisionMatchingInfoPassive_20H1Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_21H1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_21H2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_21H2Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS2** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS3** The total number of objects of this type present on this device. @@ -229,6 +255,8 @@ The following fields are available: - **DecisionMatchingInfoPostUpgrade_20H1Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_21H1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_21H2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_21H2Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. @@ -242,6 +270,8 @@ The following fields are available: - **DecisionMediaCenter_20H1Setup** The total number of objects of this type present on this device. - **DecisionMediaCenter_21H1** The total number of objects of this type present on this device. - **DecisionMediaCenter_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMediaCenter_21H2** The total number of objects of this type present on this device. +- **DecisionMediaCenter_21H2Setup** The total number of objects of this type present on this device. - **DecisionMediaCenter_RS1** The total number of objects of this type present on this device. - **DecisionMediaCenter_RS2** The total number of objects of this type present on this device. - **DecisionMediaCenter_RS3** The total number of objects of this type present on this device. @@ -254,6 +284,8 @@ The following fields are available: - **DecisionSModeState_20H1Setup** The total number of objects of this type present on this device. - **DecisionSModeState_21H1** The total number of objects of this type present on this device. - **DecisionSModeState_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSModeState_21H2** The total number of objects of this type present on this device. +- **DecisionSModeState_21H2Setup** The total number of objects of this type present on this device. - **DecisionSModeState_RS1** The total number of objects of this type present on this device. - **DecisionSModeState_RS2** The total number of objects of this type present on this device. - **DecisionSModeState_RS3** The total number of objects of this type present on this device. @@ -267,6 +299,8 @@ The following fields are available: - **DecisionSystemBios_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemBios_21H1** The total number of objects of this type present on this device. - **DecisionSystemBios_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_21H2** The total number of objects of this type present on this device. +- **DecisionSystemBios_21H2Setup** The total number of objects of this type present on this device. - **DecisionSystemBios_RS1** The total number of objects of this type present on this device. - **DecisionSystemBios_RS2** The total number of objects of this type present on this device. - **DecisionSystemBios_RS3** The total number of objects of this type present on this device. @@ -281,6 +315,8 @@ The following fields are available: - **DecisionSystemDiskSize_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_21H1** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_21H2** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_21H2Setup** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_RS1** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_RS2** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_RS3** The total number of objects of this type present on this device. @@ -293,6 +329,8 @@ The following fields are available: - **DecisionSystemMemory_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemMemory_21H1** The total number of objects of this type present on this device. - **DecisionSystemMemory_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemMemory_21H2** The total number of objects of this type present on this device. +- **DecisionSystemMemory_21H2Setup** The total number of objects of this type present on this device. - **DecisionSystemMemory_RS1** The total number of objects of this type present on this device. - **DecisionSystemMemory_RS2** The total number of objects of this type present on this device. - **DecisionSystemMemory_RS3** The total number of objects of this type present on this device. @@ -305,6 +343,8 @@ The following fields are available: - **DecisionSystemProcessorCpuCores_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_21H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_21H2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_21H2Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_RS1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_RS2** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_RS3** The total number of objects of this type present on this device. @@ -317,6 +357,7 @@ The following fields are available: - **DecisionSystemProcessorCpuModel_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_21H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_21H2** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_RS1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_RS2** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_RS3** The total number of objects of this type present on this device. @@ -329,6 +370,8 @@ The following fields are available: - **DecisionSystemProcessorCpuSpeed_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_21H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_21H2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_21H2Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_RS1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_RS2** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_RS3** The total number of objects of this type present on this device. @@ -341,6 +384,8 @@ The following fields are available: - **DecisionTest_20H1Setup** The total number of objects of this type present on this device. - **DecisionTest_21H1** The total number of objects of this type present on this device. - **DecisionTest_21H1Setup** The total number of objects of this type present on this device. +- **DecisionTest_21H2** The total number of objects of this type present on this device. +- **DecisionTest_21H2Setup** The total number of objects of this type present on this device. - **DecisionTest_RS1** The total number of objects of this type present on this device. - **DecisionTest_RS2** The total number of objects of this type present on this device. - **DecisionTest_RS3** The total number of objects of this type present on this device. @@ -353,6 +398,8 @@ The following fields are available: - **DecisionTpmVersion_20H1Setup** The total number of objects of this type present on this device. - **DecisionTpmVersion_21H1** The total number of objects of this type present on this device. - **DecisionTpmVersion_21H1Setup** The total number of objects of this type present on this device. +- **DecisionTpmVersion_21H2** The total number of objects of this type present on this device. +- **DecisionTpmVersion_21H2Setup** The total number of objects of this type present on this device. - **DecisionTpmVersion_RS1** The total number of objects of this type present on this device. - **DecisionTpmVersion_RS2** The total number of objects of this type present on this device. - **DecisionTpmVersion_RS3** The total number of objects of this type present on this device. @@ -365,6 +412,8 @@ The following fields are available: - **DecisionUefiSecureBoot_20H1Setup** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_21H1** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_21H1Setup** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_21H2** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_21H2Setup** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_RS1** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_RS2** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_RS3** The total number of objects of this type present on this device. @@ -395,6 +444,8 @@ The following fields are available: - **Wmdrm_20H1Setup** The total number of objects of this type present on this device. - **Wmdrm_21H1** The total number of objects of this type present on this device. - **Wmdrm_21H1Setup** The total number of objects of this type present on this device. +- **Wmdrm_21H2** The total number of objects of this type present on this device. +- **Wmdrm_21H2Setup** The total number of objects of this type present on this device. - **Wmdrm_RS1** The total number of objects of this type present on this device. - **Wmdrm_RS2** The total number of objects of this type present on this device. - **Wmdrm_RS3** The total number of objects of this type present on this device. @@ -2446,6 +2497,7 @@ The following fields are available: - **objectType** Indicates the object type that the event applies to. - **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. + ## Component-based servicing events ### CbsServicingProvider.CbsCapabilityEnumeration @@ -2978,6 +3030,7 @@ The following fields are available: - **DriverInfSectionName** Name of the DDInstall section within the driver INF file. - **DriverPackageId** The ID of the driver package that is staged to the driver store. - **DriverProvider** The driver manufacturer or provider. +- **DriverShimIds** List of driver shim IDs. - **DriverUpdated** Indicates whether the driver is replacing an old driver. - **DriverVersion** The version of the driver file. - **EndTime** The time the installation completed. @@ -4375,7 +4428,7 @@ The following fields are available: - **device_sample_rate** A number representing how often the device sends telemetry, expressed as a percentage. Low values indicate that device sends more events and high values indicate that device sends fewer events. The value is rounded to 5 significant figures for privacy reasons and if an error is hit in getting the device sample number value from the registry then this will be -1; and if client is not on a UTC-enabled platform, then this value will not be set. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. -- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). - **installSourceName** A string representation of the installation source. @@ -4618,195 +4671,16 @@ The following fields are available: - **totalRunDuration** Total running/evaluation time from last time. - **totalRuns** Total number of running/evaluation from last time. +## Settings events -## Other events +### Microsoft.Windows.Shell.SystemSettings.SettingsAppActivity.ProtocolActivation -### Microsoft.Surface.Battery.Prod.BatteryInfoEvent - -This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. +This event tracks protocol launching for Setting's URIs. The data collected with this event is used to help keep Windows up to date. The following fields are available: -- **batteryData** Battery Performance data. -- **batteryData.data()** Battery performance data. -- **BatteryDataSize:** Size of the battery performance data. -- **batteryInfo.data()** Battery performance data. -- **BatteryInfoSize:** Size of the battery performance data. -- **pszBatteryDataXml** Battery performance data. -- **szBatteryInfo** Battery performance data. - - -### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_BPM - -This event includes the hardware level data about battery performance. The data The data collected with this event is used to keep Windows performing properly. - -The following fields are available: - -- **BPMCurrentlyEngaged** Instantaneous snapshot if BPM is engaged on device. -- **BPMExitCriteria** What is the BPM exit criteria - 20%SOC or 50%SOC? -- **BPMHvtCountA** Current HVT count for BPM counter A. -- **BPMHvtCountB** Current HVT count for BPM counter B. -- **bpmOptOutLifetimeCount** BPM OptOut Lifetime Count. -- **BPMRsocBucketsHighTemp_Values** Time in temperature range 46°C -60°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. -- **BPMRsocBucketsLowTemp_Values** Time in temperature range 0°C -20°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. -- **BPMRsocBucketsMediumHighTemp_Values** Time in temperature range 36°C -45°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. -- **BPMRsocBucketsMediumLowTemp_Values** Time in temperature range 21°C-35°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. -- **BPMTotalEngagedMinutes** Total time that BPM was engaged. -- **BPMTotalEntryEvents** Total number of times entering BPM. -- **ComponentId** Component ID. -- **FwVersion** FW version that created this log. -- **LogClass** Log Class. -- **LogInstance** Log instance within class (1..n). -- **LogVersion** Log MGR version. -- **MCUInstance** Instance id used to identify multiple MCU's in a product. -- **ProductId** Product ID. -- **SeqNum** Sequence Number. -- **TimeStamp** UTC seconds when log was created. -- **Ver** Schema version. - - -### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_GG - -This event includes the hardware level data about battery performance. The data The data collected with this event is used to keep Windows performing properly. - -The following fields are available: - -- **cbTimeCell_Values** cb time for different cells. -- **ComponentId** Component ID. -- **cycleCount** Cycle Count. -- **deltaVoltage** Delta voltage. -- **eocChargeVoltage_Values** EOC Charge voltage values. -- **fullChargeCapacity** Full Charge Capacity. -- **FwVersion** FW version that created this log. -- **lastCovEvent** Last Cov event. -- **lastCuvEvent** Last Cuv event. -- **LogClass** LOG_CLASS. -- **LogInstance** Log instance within class (1..n). -- **LogVersion** LOG_MGR_VERSION. -- **manufacturerName** Manufacturer name. -- **maxChargeCurrent** Max charge current. -- **maxDeltaCellVoltage** Max delta cell voltage. -- **maxDischargeCurrent** Max discharge current. -- **maxTempCell** Max temp cell. -- **maxVoltage_Values** Max voltage values. -- **MCUInstance** Instance id used to identify multiple MCU's in a product. -- **minTempCell** Min temp cell. -- **minVoltage_Values** Min voltage values. -- **numberOfCovEvents** Number of Cov events. -- **numberOfCuvEvents** Number of Cuv events. -- **numberOfOCD1Events** Number of OCD1 events. -- **numberOfOCD2Events** Number of OCD2 events. -- **numberOfQmaxUpdates** Number of Qmax updates. -- **numberOfRaUpdates** Number of Ra updates. -- **numberOfShutdowns** Number of shutdowns. -- **pfStatus_Values** pf status values. -- **ProductId** Product ID. -- **qmax_Values** Qmax values for different cells. -- **SeqNum** Sequence Number. -- **TimeStamp** UTC seconds when log was created. -- **Ver** Schema version. - - -### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_GGExt - -This event includes the hardware level data about battery performance. The data The data collected with this event is used to keep Windows performing properly. - -The following fields are available: - -- **avgCurrLastRun** Average current last run. -- **avgPowLastRun** Average power last run. -- **batteryMSPN** BatteryMSPN -- **batteryMSSN** BatteryMSSN. -- **cell0Ra3** Cell0Ra3. -- **cell1Ra3** Cell1Ra3. -- **cell2Ra3** Cell2Ra3. -- **cell3Ra3** Cell3Ra3. -- **ComponentId** Component ID. -- **currentAtEoc** Current at Eoc. -- **firstPFstatusA** First PF status-A. -- **firstPFstatusB** First PF status-B. -- **firstPFstatusC** First PF status-C. -- **firstPFstatusD** First PF status-D. -- **FwVersion** FW version that created this log. -- **lastQmaxUpdate** Last Qmax update. -- **lastRaDisable** Last Ra disable. -- **lastRaUpdate** Last Ra update. -- **lastValidChargeTerm** Last valid charge term. -- **LogClass** LOG CLASS. -- **LogInstance** Log instance within class (1..n). -- **LogVersion** LOG MGR VERSION. -- **maxAvgCurrLastRun** Max average current last run. -- **maxAvgPowLastRun** Max average power last run. -- **MCUInstance** Instance id used to identify multiple MCU's in a product. -- **mfgInfoBlockB01** MFG info Block B01. -- **mfgInfoBlockB02** MFG info Block B02. -- **mfgInfoBlockB03** MFG info Block B03. -- **mfgInfoBlockB04** MFG info Block B04. -- **numOfRaDisable** Number of Ra disable. -- **numOfValidChargeTerm** Number of valid charge term. -- **ProductId** Product ID. -- **qmaxCycleCount** Qmax cycle count. -- **SeqNum** Sequence Number. -- **stateOfHealthEnergy** State of health energy. -- **stateOfHealthFcc** State of health Fcc. -- **stateOfHealthPercent** State of health percent. -- **TimeStamp** UTC seconds when log was created. -- **totalFwRuntime** Total FW runtime. -- **updateStatus** Update status. -- **Ver** Schema version. - - -### Microsoft.Surface.SystemReset.Prod.ResetCauseEventV2 - -This event sends reason for SAM, PCH and SoC reset. The data collected with this event is used to keep Windows performing properly. - -The following fields are available: - -- **HostResetCause** Host reset cause. -- **PchResetCause** PCH reset cause. -- **SamResetCause** SAM reset cause. - - -### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantDeviceInformation - -This event provides basic information about the device where update assistant was run. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **CV** The correlation vector. -- **GlobalEventCounter** The global event counter for all telemetry on the device. -- **UpdateAssistantAppFilePath** Path to Update Assistant app. -- **UpdateAssistantDeviceId** Device Id of the Update Assistant Candidate Device. -- **UpdateAssistantExeName** Exe name running as Update Assistant. -- **UpdateAssistantExternalId** External Id of the Update Assistant Candidate Device. -- **UpdateAssistantIsDeviceCloverTrail** True/False is the device clovertrail. -- **UpdateAssistantIsPushing** True if the update is pushing to the device. -- **UpdateAssistantMachineId** Machine Id of the Update Assistant Candidate Device. -- **UpdateAssistantOsVersion** Update Assistant OS Version. -- **UpdateAssistantPartnerId** Partner Id for Assistant application. -- **UpdateAssistantReportPath** Path to report for Update Assistant. -- **UpdateAssistantStartTime** Start time for UpdateAssistant. -- **UpdateAssistantUiType** The type of UI whether default or OOBE. -- **UpdateAssistantVersion** Current package version of UpdateAssistant. -- **UpdateAssistantVersionInfo** Information about Update Assistant application. - - -### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStartState - -This event marks the start of an Update Assistant State. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **CV** The correlation vector. -- **GlobalEventCounter** The global event counter for all telemetry on the device. -- **UpdateAssistantStateAcceptEULA** True at the start of AcceptEULA. -- **UpdateAssistantStateCheckingCompat** True at the start of Checking Compat -- **UpdateAssistantStateCheckingUpgrade** True at the start of CheckingUpgrade. -- **UpdateAssistantStateDownloading** True at the start Downloading. -- **UpdateAssistantStateInitializingApplication** True at the start of the state InitializingApplication. -- **UpdateAssistantStateInitializingStates** True at the start of InitializingStates. -- **UpdateAssistantStateInstalling** True at the start of Installing. -- **UpdateAssistantVersion** Current package version of UpdateAssistant. +- **activationSource** Where activation is initiated. +- **uriString** URI of the launching protocol. ## Privacy consent logging events @@ -5411,6 +5285,182 @@ The following fields are available: - **healthLogSize** 4KB. - **productId** Identifier for product model. +### Microsoft.Surface.Battery.Prod.BatteryInfoEvent + +This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. + +The following fields are available: + +- **batteryData** Battery Performance data. +- **batteryData.data()** Battery performance data. +- **BatteryDataSize:** Size of the battery performance data. +- **batteryInfo.data()** Battery performance data. +- **BatteryInfoSize:** Size of the battery performance data. +- **pszBatteryDataXml** Battery performance data. +- **szBatteryInfo** Battery performance data. + + +### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_BPM + +This event includes the hardware level data about battery performance. The data The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **BPMCurrentlyEngaged** Instantaneous snapshot if BPM is engaged on device. +- **BPMExitCriteria** What is the BPM exit criteria - 20%SOC or 50%SOC? +- **BPMHvtCountA** Current HVT count for BPM counter A. +- **BPMHvtCountB** Current HVT count for BPM counter B. +- **bpmOptOutLifetimeCount** BPM OptOut Lifetime Count. +- **BPMRsocBucketsHighTemp_Values** Time in temperature range 46°C -60°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. +- **BPMRsocBucketsLowTemp_Values** Time in temperature range 0°C -20°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. +- **BPMRsocBucketsMediumHighTemp_Values** Time in temperature range 36°C -45°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. +- **BPMRsocBucketsMediumLowTemp_Values** Time in temperature range 21°C-35°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. +- **BPMTotalEngagedMinutes** Total time that BPM was engaged. +- **BPMTotalEntryEvents** Total number of times entering BPM. +- **ComponentId** Component ID. +- **FwVersion** FW version that created this log. +- **LogClass** Log Class. +- **LogInstance** Log instance within class (1..n). +- **LogVersion** Log MGR version. +- **MCUInstance** Instance id used to identify multiple MCU's in a product. +- **ProductId** Product ID. +- **SeqNum** Sequence Number. +- **TimeStamp** UTC seconds when log was created. +- **Ver** Schema version. + + +### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_CTT + +This event includes the hardware level data about battery performance. The data The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **BPMKioskModeStartDateInSeconds** First time Battery Limit was turned on. +- **BPMKioskModeTotalEngagedMinutes** Total time Battery Limit was on (SOC value at 50%). +- **ComponentId** Component ID. +- **CTTEqvTimeat35C** Poll time every minute. Add to lifetime counter based on temperature. Only count time above 80% SOC. +- **CTTEqvTimeat35CinBPM** Poll time every minute. Add to lifetime counter based on temperature. Only count time above 55% SOC and when device is in BPM. Round up. +- **CTTMinSOC1day** Rolling 1 day minimum SOC. Value set to 0 initially. +- **CTTMinSOC28day** Rolling 28 day minimum SOC. Value set to 0 initially. +- **CTTMinSOC3day** Rolling 3 day minimum SOC. Value set to 0 initially. +- **CTTMinSOC7day** Rolling 7 day minimum SOC. Value set to 0 initially. +- **CTTStartDateInSeconds** Start date from when device was starting to be used. +- **currentAuthenticationState** Current Authentication State. +- **FwVersion** FW version that created this log. +- **LogClass** Log Class. +- **LogInstance** Log instance within class (1..n). +- **LogVersion** Log MGR version. +- **MCUInstance** Instance id used to identify multiple MCU's in a product. +- **newSnFruUpdateCount** New Sn FRU Update Count. +- **newSnUpdateCount** New Sn Update Count. +- **ProductId** Product ID. +- **ProtectionPolicy** Battery limit engaged. True (0 False). +- **SeqNum** Sequence Number. +- **TimeStamp** UTC seconds when log was created. +- **Ver** Schema version. +- **VoltageOptimization** Current CTT reduction in mV. + + +### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_GG + +This event includes the hardware level data about battery performance. The data The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **cbTimeCell_Values** cb time for different cells. +- **ComponentId** Component ID. +- **cycleCount** Cycle Count. +- **deltaVoltage** Delta voltage. +- **eocChargeVoltage_Values** EOC Charge voltage values. +- **fullChargeCapacity** Full Charge Capacity. +- **FwVersion** FW version that created this log. +- **lastCovEvent** Last Cov event. +- **lastCuvEvent** Last Cuv event. +- **LogClass** LOG_CLASS. +- **LogInstance** Log instance within class (1..n). +- **LogVersion** LOG_MGR_VERSION. +- **manufacturerName** Manufacturer name. +- **maxChargeCurrent** Max charge current. +- **maxDeltaCellVoltage** Max delta cell voltage. +- **maxDischargeCurrent** Max discharge current. +- **maxTempCell** Max temp cell. +- **maxVoltage_Values** Max voltage values. +- **MCUInstance** Instance id used to identify multiple MCU's in a product. +- **minTempCell** Min temp cell. +- **minVoltage_Values** Min voltage values. +- **numberOfCovEvents** Number of Cov events. +- **numberOfCuvEvents** Number of Cuv events. +- **numberOfOCD1Events** Number of OCD1 events. +- **numberOfOCD2Events** Number of OCD2 events. +- **numberOfQmaxUpdates** Number of Qmax updates. +- **numberOfRaUpdates** Number of Ra updates. +- **numberOfShutdowns** Number of shutdowns. +- **pfStatus_Values** pf status values. +- **ProductId** Product ID. +- **qmax_Values** Qmax values for different cells. +- **SeqNum** Sequence Number. +- **TimeStamp** UTC seconds when log was created. +- **Ver** Schema version. + + +### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_GGExt + +This event includes the hardware level data about battery performance. The data The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **avgCurrLastRun** Average current last run. +- **avgPowLastRun** Average power last run. +- **batteryMSPN** BatteryMSPN +- **batteryMSSN** BatteryMSSN. +- **cell0Ra3** Cell0Ra3. +- **cell1Ra3** Cell1Ra3. +- **cell2Ra3** Cell2Ra3. +- **cell3Ra3** Cell3Ra3. +- **ComponentId** Component ID. +- **currentAtEoc** Current at Eoc. +- **firstPFstatusA** First PF status-A. +- **firstPFstatusB** First PF status-B. +- **firstPFstatusC** First PF status-C. +- **firstPFstatusD** First PF status-D. +- **FwVersion** FW version that created this log. +- **lastQmaxUpdate** Last Qmax update. +- **lastRaDisable** Last Ra disable. +- **lastRaUpdate** Last Ra update. +- **lastValidChargeTerm** Last valid charge term. +- **LogClass** LOG CLASS. +- **LogInstance** Log instance within class (1..n). +- **LogVersion** LOG MGR VERSION. +- **maxAvgCurrLastRun** Max average current last run. +- **maxAvgPowLastRun** Max average power last run. +- **MCUInstance** Instance id used to identify multiple MCU's in a product. +- **mfgInfoBlockB01** MFG info Block B01. +- **mfgInfoBlockB02** MFG info Block B02. +- **mfgInfoBlockB03** MFG info Block B03. +- **mfgInfoBlockB04** MFG info Block B04. +- **numOfRaDisable** Number of Ra disable. +- **numOfValidChargeTerm** Number of valid charge term. +- **ProductId** Product ID. +- **qmaxCycleCount** Qmax cycle count. +- **SeqNum** Sequence Number. +- **stateOfHealthEnergy** State of health energy. +- **stateOfHealthFcc** State of health Fcc. +- **stateOfHealthPercent** State of health percent. +- **TimeStamp** UTC seconds when log was created. +- **totalFwRuntime** Total FW runtime. +- **updateStatus** Update status. +- **Ver** Schema version. + + +### Microsoft.Surface.SystemReset.Prod.ResetCauseEventV2 + +This event sends reason for SAM, PCH and SoC reset. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **HostResetCause** Host reset cause. +- **PchResetCause** PCH reset cause. +- **SamResetCause** SAM reset cause. ## Update Assistant events @@ -5888,6 +5938,90 @@ The following fields are available: - **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. - **PackageVersion** Current package version of remediation. +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantCompatCheckResult + +This event provides the result of running the compatibility check for update assistant. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantCompatCheckResultOutput** Output of compatibility check for update assistant. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantDeviceInformation + +This event provides basic information about the device where update assistant was run. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantAppFilePath** Path to Update Assistant app. +- **UpdateAssistantDeviceId** Device Id of the Update Assistant Candidate Device. +- **UpdateAssistantExeName** Exe name running as Update Assistant. +- **UpdateAssistantExternalId** External Id of the Update Assistant Candidate Device. +- **UpdateAssistantIsDeviceCloverTrail** True/False is the device clovertrail. +- **UpdateAssistantIsPushing** True if the update is pushing to the device. +- **UpdateAssistantMachineId** Machine Id of the Update Assistant Candidate Device. +- **UpdateAssistantOsVersion** Update Assistant OS Version. +- **UpdateAssistantPartnerId** Partner Id for Assistant application. +- **UpdateAssistantReportPath** Path to report for Update Assistant. +- **UpdateAssistantStartTime** Start time for UpdateAssistant. +- **UpdateAssistantTargetOSVersion** Update Assistant Target OS Version. +- **UpdateAssistantUiType** The type of UI whether default or OOBE. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. +- **UpdateAssistantVersionInfo** Information about Update Assistant application. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantEULAProperty + +This event is set to true at the start of AcceptEULA. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantEULAPropertyGeoId** Geo Id used to show EULA. +- **UpdateAssistantEULAPropertyRegion** Region used to show EULA. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStartState + +This event marks the start of an Update Assistant State. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantStateAcceptEULA** True at the start of AcceptEULA. +- **UpdateAssistantStateCheckingCompat** True at the start of Checking Compat +- **UpdateAssistantStateCheckingUpgrade** True at the start of CheckingUpgrade. +- **UpdateAssistantStateDownloading** True at the start Downloading. +- **UpdateAssistantStateInitializingApplication** True at the start of the state InitializingApplication. +- **UpdateAssistantStateInitializingStates** True at the start of InitializingStates. +- **UpdateAssistantStateInstalling** True at the start of Installing. +- **UpdateAssistantStatePerformRestart** True at the start of PerformRestart. +- **UpdateAssistantStatePostInstall** True at the start of PostInstall. +- **UpdateAssistantStateShowingUpdate** True at the start of Showing Update. +- **UpdateAssistantStateWelcomeToNewOS** True at the start of WelcomeToNewOS. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantUserActionDetails + +This event provides details about user action. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantUserActionExitingState** Exiting state name user performed action on. +- **UpdateAssistantUserActionHResult** HRESULT of user action. +- **UpdateAssistantUserActionState** State name user performed action on. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. ## Update events diff --git a/windows/privacy/toc.yml b/windows/privacy/toc.yml index 25fc676681..56331c2e27 100644 --- a/windows/privacy/toc.yml +++ b/windows/privacy/toc.yml @@ -17,7 +17,7 @@ items: - name: Required Windows 11 diagnostic data events and fields href: required-windows-11-diagnostic-events-and-fields.md - - name: Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic data events and fields + - name: Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic data events and fields href: required-windows-diagnostic-data-events-and-fields-2004.md - name: Windows 10, version 1909 and Windows 10, version 1903 required level Windows diagnostic events and fields href: basic-level-windows-diagnostic-events-and-fields-1903.md @@ -47,6 +47,8 @@ href: essential-services-and-connected-experiences.md - name: Connection endpoints for Windows 11 href: manage-windows-11-endpoints.md + - name: Connection endpoints for Windows 10, version 21H2 + href: manage-windows-21h2-endpoints.md - name: Connection endpoints for Windows 10, version 21H1 href: manage-windows-21H1-endpoints.md - name: Connection endpoints for Windows 10, version 20H2 diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md index 11c346e2e5..32e8f6917f 100644 --- a/windows/privacy/windows-diagnostic-data.md +++ b/windows/privacy/windows-diagnostic-data.md @@ -19,6 +19,8 @@ ms.reviewer: Applies to: - Windows 11 +- Windows 10, version 21H2 +- Windows 10, version 21H1 - Windows 10, version 20H2 - Windows 10, version 2004 - Windows 10, version 1909 diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md index 038e7da093..3688226a4f 100644 --- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md +++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md @@ -23,6 +23,7 @@ The Windows operating system improves most existing security features in the ope **See also:** +- [Windows 11 Specifications](https://www.microsoft.com/windows/windows-11-specifications) - [Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications) @@ -58,9 +59,9 @@ Although CNG sounds like a mundane starting point, it illustrates some of the ad The Platform Crypto Provider, introduced in the Windows 8 operating system, exposes the following special TPM properties, which software-only CNG providers cannot offer or cannot offer as effectively: -• **Key protection**. The Platform Crypto Provider can create keys in the TPM with restrictions on their use. The operating system can load and use the keys in the TPM without copying the keys to system memory, where they are vulnerable to malware. The Platform Crypto Provider can also configure keys that a TPM protects so that they are not removable. If a TPM creates a key, the key is unique and resides only in that TPM. If the TPM imports a key, the Platform Crypto Provider can use the key in that TPM, but that TPM is not a source for making more copies of the key or enabling the use of copies elsewhere. In sharp contrast, software solutions that protect keys from copying are subject to reverse-engineering attacks, in which someone figures out how the solution stores keys or makes copies of keys while they are in memory during use. +- **Key protection**. The Platform Crypto Provider can create keys in the TPM with restrictions on their use. The operating system can load and use the keys in the TPM without copying the keys to system memory, where they are vulnerable to malware. The Platform Crypto Provider can also configure keys that a TPM protects so that they are not removable. If a TPM creates a key, the key is unique and resides only in that TPM. If the TPM imports a key, the Platform Crypto Provider can use the key in that TPM, but that TPM is not a source for making more copies of the key or enabling the use of copies elsewhere. In sharp contrast, software solutions that protect keys from copying are subject to reverse-engineering attacks, in which someone figures out how the solution stores keys or makes copies of keys while they are in memory during use. -• **Dictionary attack protection**. Keys that a TPM protects can require an authorization value such as a PIN. With dictionary attack protection, the TPM can prevent attacks that attempt a large number of guesses to determine the PIN. After too many guesses, the TPM simply returns an error saying no more guesses are allowed for a period of time. Software solutions might provide similar features, but they cannot provide the same level of protection, especially if the system restarts, the system clock changes, or files on the hard disk that count failed guesses are rolled back. In addition, with dictionary attack protection, authorization values such as PINs can be shorter and easier to remember while still providing the same level of protection as more complex values when using software solutions. +- **Dictionary attack protection**. Keys that a TPM protects can require an authorization value such as a PIN. With dictionary attack protection, the TPM can prevent attacks that attempt a large number of guesses to determine the PIN. After too many guesses, the TPM simply returns an error saying no more guesses are allowed for a period of time. Software solutions might provide similar features, but they cannot provide the same level of protection, especially if the system restarts, the system clock changes, or files on the hard disk that count failed guesses are rolled back. In addition, with dictionary attack protection, authorization values such as PINs can be shorter and easier to remember while still providing the same level of protection as more complex values when using software solutions. These TPM features give Platform Crypto Provider distinct advantages over software-based solutions. A practical way to see these benefits in action is when using certificates on a Windows device. On platforms that include a TPM, Windows can use the Platform Crypto Provider to provide certificate storage. Certificate templates can specify that a TPM use the Platform Crypto Provider to protect the key associated with a certificate. In mixed environments, where some computers might not have a TPM, the certificate template could prefer the Platform Crypto Provider over the standard Windows software provider. If a certificate is configured as not able to be exported, the private key for the certificate is restricted and cannot be exported from the TPM. If the certificate requires a PIN, the PIN gains the TPM’s dictionary attack protection automatically. @@ -80,12 +81,11 @@ The adoption of new authentication technology requires that identity providers a Identity providers have flexibility in how they provision credentials on client devices. For example, an organization might provision only those devices that have a TPM so that the organization knows that a TPM protects the credentials. The ability to distinguish a TPM from malware acting like a TPM requires the following TPM capabilities (see Figure 1): -• **Endorsement key**. The TPM manufacturer can create a special key in the TPM called an *endorsement key*. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that the manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM. +- **Endorsement key**. The TPM manufacturer can create a special key in the TPM called an *endorsement key*. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that the manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM. -• **Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios. - - +- **Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios. +:::image type="content" alt-text="TPM Capabilities." source="images/tpm-capabilities.png" lightbox="images/tpm-capabilities.png"::: *Figure 1: TPM Cryptographic Key Management* For Windows Hello for Business, Microsoft can fill the role of the identity CA. Microsoft services can issue an attestation identity key certificate for each device, user, and identify provider to ensure that privacy is protected and to help identity providers ensure that device TPM requirements are met before Windows Hello for Business credentials are provisioned. @@ -96,9 +96,9 @@ BitLocker provides full-volume encryption to protect data at rest. The most comm In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential. When the computer is turned on, starts normally, and proceeds to the Windows logon prompt, the only path forward is for the user to log on with his or her credentials, allowing the operating system to enforce its normal file permissions. If something about the boot process changes, however—for example, a different operating system is booted from a USB device—the operating system volume and user data cannot be read and are not accessible. The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. The system firmware and TPM are carefully designed to work together to provide the following capabilities: -• **Hardware root of trust for measurement**. A TPM allows software to send it commands that record measurements of software or configuration information. This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. The system firmware has a component called the Core Root of Trust for Measurement (CRTM) that is implicitly trusted. The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component’s measurement is sent to the TPM before it runs, a component cannot erase its measurement from the TPM. (However, measurements are erased when the system is restarted.) The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values. +- **Hardware root of trust for measurement**. A TPM allows software to send it commands that record measurements of software or configuration information. This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. The system firmware has a component called the Core Root of Trust for Measurement (CRTM) that is implicitly trusted. The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component’s measurement is sent to the TPM before it runs, a component cannot erase its measurement from the TPM. (However, measurements are erased when the system is restarted.) The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values. -• **Key used only when boot measurements are accurate**. BitLocker creates a key in the TPM that can be used only when the boot measurements match an expected value. The expected value is calculated for the step in the startup process when Windows Boot Manager runs from the operating system volume on the system hard drive. Windows Boot Manager, which is stored unencrypted on the boot volume, needs to use the TPM key so that it can decrypt data read into memory from the operating system volume and startup can proceed using the encrypted operating system volume. If a different operating system is booted or the configuration is changed, the measurement values in the TPM will be different, the TPM will not let Windows Boot Manager use the key, and the startup process cannot proceed normally because the data on the operating system cannot be decrypted. If someone tries to boot the system with a different operating system or a different device, the software or configuration measurements in the TPM will be wrong and the TPM will not allow use of the key needed to decrypt the operating system volume. As a failsafe, if measurement values change unexpectedly, the user can always use the BitLocker recovery key to access volume data. Organizations can configure BitLocker to store the recovery key-in Active Directory Domain Services (AD DS). +- **Key used only when boot measurements are accurate**. BitLocker creates a key in the TPM that can be used only when the boot measurements match an expected value. The expected value is calculated for the step in the startup process when Windows Boot Manager runs from the operating system volume on the system hard drive. Windows Boot Manager, which is stored unencrypted on the boot volume, needs to use the TPM key so that it can decrypt data read into memory from the operating system volume and startup can proceed using the encrypted operating system volume. If a different operating system is booted or the configuration is changed, the measurement values in the TPM will be different, the TPM will not let Windows Boot Manager use the key, and the startup process cannot proceed normally because the data on the operating system cannot be decrypted. If someone tries to boot the system with a different operating system or a different device, the software or configuration measurements in the TPM will be wrong and the TPM will not allow use of the key needed to decrypt the operating system volume. As a failsafe, if measurement values change unexpectedly, the user can always use the BitLocker recovery key to access volume data. Organizations can configure BitLocker to store the recovery key-in Active Directory Domain Services (AD DS). Device hardware characteristics are important to BitLocker and its ability to protect data. One consideration is whether the device provides attack vectors when the system is at the logon screen. For example, if the Windows device has a port that allows direct memory access so that someone can plug in hardware and read memory, an attacker can read the operating system volume’s decryption key from memory while at the Windows logon screen. To mitigate this risk, organizations can configure BitLocker so that the TPM key requires both the correct software measurements and an authorization value. The system startup process stops at Windows Boot Manager, and the user is prompted to enter the authorization value for the TPM key or insert a USB device with the value. This process stops BitLocker from automatically loading the key into memory where it might be vulnerable, but has a less desirable user experience. @@ -122,12 +122,11 @@ TPM measurements are designed to avoid recording any privacy-sensitive informati The TPM provides the following way for scenarios to use the measurements recorded in the TPM during boot: -• **Remote Attestation**. Using an attestation identity key, the TPM can generate and cryptographically sign a statement (or*quote*) of the current measurements in the TPM. Windows can create unique attestation identity keys for various scenarios to prevent separate evaluators from collaborating to track the same device. Additional information in the quote is cryptographically scrambled to limit information sharing and better protect privacy. By sending the quote to a remote entity, a device can attest which software and configuration settings were used to boot the device and initialize the operating system. An attestation identity key certificate can provide further assurance that the quote is coming from a real TPM. Remote attestation is the process of recording measurements in the TPM, generating a quote, and sending the quote information to another system that evaluates the measurements to establish trust in a device. Figure 2 illustrates this process. +- **Remote Attestation**. Using an attestation identity key, the TPM can generate and cryptographically sign a statement (or*quote*) of the current measurements in the TPM. Windows can create unique attestation identity keys for various scenarios to prevent separate evaluators from collaborating to track the same device. Additional information in the quote is cryptographically scrambled to limit information sharing and better protect privacy. By sending the quote to a remote entity, a device can attest which software and configuration settings were used to boot the device and initialize the operating system. An attestation identity key certificate can provide further assurance that the quote is coming from a real TPM. Remote attestation is the process of recording measurements in the TPM, generating a quote, and sending the quote information to another system that evaluates the measurements to establish trust in a device. Figure 2 illustrates this process. When new security features are added to Windows, Measured Boot adds security-relevant configuration information to the measurements recorded in the TPM. Measured Boot enables remote attestation scenarios that reflect the system firmware and the Windows initialization state. - - +:::image type="content" alt-text="Process to Create Evidence of Boot Software and Configuration Using TPM." source="images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png" lightbox="images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png"::: *Figure 2: Process used to create evidence of boot software and configuration using a TPM* @@ -149,17 +148,18 @@ The resulting solution provides defense in depth, because even if malware runs i The TPM adds hardware-based security benefits to Windows. When installed on hardware that includes a TPM, Window delivers remarkably improved security benefits. The following table summarizes the key benefits of the TPM’s major features. +
|Feature | Benefits when used on a system with a TPM| |---|---| -| Platform Crypto Provider | • If the machine is compromised, the private key associated with the certificate cannot be copied off the device.
• The TPM’s dictionary attack mechanism protects PIN values to use a certificate. -| Virtual Smart Card | • Achieve security similar to that of physical smart cards without deploying physical smart cards or card readers.| -| Windows Hello for Business | • Credentials provisioned on a device cannot be copied elsewhere.
• Confirm a device’s TPM before credentials are provisioned. | -| BitLocker Drive Encryption | • Multiple options are available for enterprises to protect data at rest while balancing security requirements with different device hardware. -|Device Encryption | • With a Microsoft account and the right hardware, consumers’ devices seamlessly benefit from data-at-rest protection. -| Measured Boot | • A hardware root of trust contains boot measurements that help detect malware during remote attestation. -| Health Attestation | • MDM solutions can easily perform remote attestation and evaluate client health before granting access to resources or cloud services such as Office 365. -| Credential Guard | • Defense in depth increases so that even if malware has administrative rights on one machine, it is significantly more difficult to compromise additional machines in an organization. +| Platform Crypto Provider |- If the machine is compromised, the private key associated with the certificate cannot be copied off the device.
- The TPM’s dictionary attack mechanism protects PIN values to use a certificate.
- Achieve security similar to that of physical smart cards without deploying physical smart cards or card readers.
- Credentials provisioned on a device cannot be copied elsewhere.
- Confirm a device’s TPM before credentials are provisioned.
- Multiple options are available for enterprises to protect data at rest while balancing security requirements with different device hardware.
- With a Microsoft account and the right hardware, consumers’ devices seamlessly benefit from data-at-rest protection.
- A hardware root of trust contains boot measurements that help detect malware during remote attestation.
- MDM solutions can easily perform remote attestation and evaluate client health before granting access to resources or cloud services such as Office 365.
- Defense in depth increases so that even if malware has administrative rights on one machine, it is significantly more difficult to compromise additional machines in an organization.
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index e401d19506..c5a7d50e68 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md @@ -32,7 +32,7 @@ This topic for the IT professional describes the Trusted Platform Module (TPM) a - Generate, store, and limit the use of cryptographic keys. -- Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into itself. +- Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into it. - Help ensure platform integrity by taking and storing security measurements. diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml index a3f1fdac56..8cce54444d 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml +++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml @@ -15,32 +15,46 @@ metadata: audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual - ms.date: 09/06/2021 - ms.technology: windows-sec + ms.date: 11/10/2021 + ms.technology: mde title: Advanced security auditing FAQ - - - - This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. +summary: This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. - [What is Windows security auditing and why might I want to use it?](#what-is-windows-security-auditing-and-why-might-i-want-to-use-it-) + - [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#what-is-the-difference-between-audit-policies-located-in-local-policies--audit-policy-and-audit-policies-located-in-advanced-audit-policy-configuration-) + - [What is the interaction between basic audit policy settings and advanced audit policy settings?](#what-is-the-interaction-between-basic-audit-policy-settings-and-advanced-audit-policy-settings-) + - [How are audit settings merged by Group Policy?](#how-are-audit-settings-merged-by-group-policy-) + - [What is the difference between an object DACL and an object SACL?](#what-is-the-difference-between-an-object-dacl-and-an-object-sacl-) + - [Why are audit policies applied on a per-computer basis rather than per user?](#why-are-audit-policies-applied-on-a-per-computer-basis-rather-than-per-user-) + - [What are the differences in auditing functionality between versions of Windows?](#what-are-the-differences-in-auditing-functionality-between-versions-of-windows-) + - [Can I use advanced audit policy from a domain controller running Windows Server 2003 or Windows 2000 Server?](#can-i-use-advanced-audit-policies-from-a-domain-controller-running-windows-server-2003-or-windows-2000-server-) + - [What is the difference between success and failure events? Is something wrong if I get a failure audit?](#what-is-the-difference-between-success-and-failure-events--is-something-wrong-if-i-get-a-failure-audit-) + - [How can I set an audit policy that affects all objects on a computer?](#how-can-i-set-an-audit-policy-that-affects-all-objects-on-a-computer-) + - [How do I figure out why someone was able to access a resource?](#how-do-i-figure-out-why-someone-was-able-to-access-a-resource-) + - [How do I know when changes are made to access control settings, by whom, and what the changes were?](#how-do-i-know-when-changes-are-made-to-access-control-settings--by-whom--and-what-the-changes-were-) + - [How can I roll back security audit policies from the advanced audit policy to the basic audit policy?](#how-can-i-roll-back-security-audit-policies-from-the-advanced-audit-policy-to-the-basic-audit-policy-) + - [How can I monitor if changes are made to audit policy settings?](#how-can-i-monitor-if-changes-are-made-to-audit-policy-settings-) + - [How can I minimize the number of events that are generated?](#how-can-i-minimize-the-number-of-events-that-are-generated-) + - [What are the best tools to model and manage audit policy?](#what-are-the-best-tools-to-model-and-manage-audit-policies-) + - [Where can I find information about all the possible events that I might receive?](#where-can-i-find-information-about-all-the-possible-events-that-i-might-receive-) + - [Where can I find more detailed information?](#where-can-i-find-more-detailed-information-) diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml index b7b6b4220a..176668f48e 100644 --- a/windows/whats-new/TOC.yml +++ b/windows/whats-new/TOC.yml @@ -14,6 +14,8 @@ - name: Windows 10 expanded: true items: + - name: What's new in Windows 10, version 21H2 + href: whats-new-windows-10-version-21H2.md - name: What's new in Windows 10, version 21H1 href: whats-new-windows-10-version-21H1.md - name: What's new in Windows 10, version 20H2 diff --git a/windows/whats-new/ltsc/TOC.yml b/windows/whats-new/ltsc/TOC.yml index aaabcc56ee..d7d88350ef 100644 --- a/windows/whats-new/ltsc/TOC.yml +++ b/windows/whats-new/ltsc/TOC.yml @@ -1,6 +1,8 @@ - name: Windows 10 Enterprise LTSC href: index.md items: + - name: What's new in Windows 10 Enterprise LTSC 2021 + href: whats-new-windows-10-2021.md - name: What's new in Windows 10 Enterprise LTSC 2019 href: whats-new-windows-10-2019.md - name: What's new in Windows 10 Enterprise LTSC 2016 diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md index 7e088e312d..28bc3db429 100644 --- a/windows/whats-new/ltsc/index.md +++ b/windows/whats-new/ltsc/index.md @@ -8,7 +8,7 @@ ms.sitesec: library audience: itpro author: greg-lindsay ms.author: greglin -manager: laurawi +manager: dougeby ms.localizationpriority: low ms.topic: article --- @@ -22,6 +22,7 @@ ms.topic: article This topic provides links to articles with information about what's new in each release of Windows 10 Enterprise LTSC, and includes a short description of this servicing channel. +[What's New in Windows 10 Enterprise LTSC 2021](whats-new-windows-10-2021.md)
[What's New in Windows 10 Enterprise LTSC 2019](whats-new-windows-10-2019.md)
[What's New in Windows 10 Enterprise LTSC 2016](whats-new-windows-10-2016.md)
[What's New in Windows 10 Enterprise LTSC 2015](whats-new-windows-10-2015.md) @@ -35,14 +36,15 @@ The following table summarizes equivalent feature update versions of Windows 10 | Windows 10 Enterprise LTSC 2015 | Windows 10, Version 1507 | 7/29/2015 | | Windows 10 Enterprise LTSC 2016 | Windows 10, Version 1607 | 8/2/2016 | | Windows 10 Enterprise LTSC 2019 | Windows 10, Version 1809 | 11/13/2018 | +| Windows 10 Enterprise LTSC 2019 | Windows 10, Version 21H2 | 11/16/2021 | ->[!NOTE] ->The Long-Term Servicing Channel was previously called the Long-Term Servicing Branch (LTSB). All references to LTSB are changed in this article to LTSC for consistency, even though the name of previous versions might still be displayed as LTSB. +> [!NOTE] +> The Long-Term Servicing Channel was previously called the Long-Term Servicing Branch (LTSB). All references to LTSB are changed in this article to LTSC for consistency, even though the name of previous versions might still be displayed as LTSB. With the LTSC servicing model, customers can delay receiving feature updates and instead only receive monthly quality updates on devices. Features from Windows 10 that could be updated with new functionality, including Cortana, Edge, and all in-box Universal Windows apps, are also not included. Feature updates are offered in new LTSC releases every 2–3 years instead of every 6 months, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. Microsoft is committed to providing bug fixes and security patches for each LTSC release during this 10 year period. ->[!IMPORTANT] ->The Long-Term Servicing Channel is not intended for deployment on most or all the PCs in an organization. The LTSC edition of Windows 10 provides customers with access to a deployment option for their special-purpose devices and environments. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. These devices are also typically not heavily dependent on support from external apps and tools. Since the feature set for LTSC does not change for the lifetime of the release, over time there might be some external tools that do not continue to provide legacy support. See [LTSC: What is it, and when it should be used](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). +> [!IMPORTANT] +> The Long-Term Servicing Channel is not intended for deployment on most or all the PCs in an organization. The LTSC edition of Windows 10 provides customers with access to a deployment option for their special-purpose devices and environments. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. These devices are also typically not heavily dependent on support from external apps and tools. Since the feature set for LTSC does not change for the lifetime of the release, over time there might be some external tools that do not continue to provide legacy support. See [LTSC: What is it, and when it should be used](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). For detailed information about Windows 10 servicing, see [Overview of Windows as a service](/windows/deployment/update/waas-overview). diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index 256dad7a3a..4568258c47 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -36,7 +36,7 @@ The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC use ## Microsoft Intune -Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows 10 Update Rings Device profiles do not support LTSC releases, therefore you should use [Policy configuration service provider](/windows/client-management/mdm/policy-csp-update), WSUS, or Configuration Manager for patching. +Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. However, note that Windows 10 Update Rings Device profiles do not support LTSC releases, therefore you should use [Policy configuration service provider](/windows/client-management/mdm/policy-csp-update), WSUS, or Configuration Manager for patching. ## Security @@ -48,7 +48,7 @@ This version of Window 10 includes security improvements for threat protection, The [Microsoft Defender for Endpoint](/windows/security/threat-protection/index) platform includes the security pillars shown in the following diagram. In this version of Windows, Defender for Endpoint includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. - +[  ](../images/wdatp.png#lightbox) ##### Attack surface reduction @@ -188,26 +188,6 @@ This is an update to the [BitLocker CSP](/windows/client-management/mdm/bitlocke This feature will soon be enabled on Olympia Corp as an optional feature. -#### Delivering BitLocker policy to AutoPilot devices during OOBE - -You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins. - -For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE. - -To achieve this: - -1. Configure the [encryption method settings](/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. - -2. [Assign the policy](/intune/device-profile-assign) to your Autopilot device group. - - > [!IMPORTANT] - > The encryption policy must be assigned to **devices** in the group, not users. - -3. Enable the Autopilot [Enrollment Status Page](/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. - - > [!IMPORTANT] - > If the ESP is not enabled, the policy will not apply before encryption starts. - ### Identity protection Improvements have been added are to Windows Hello for Business and Credential Guard. @@ -288,24 +268,11 @@ A new security policy setting We’ve continued to work on the **Current threats** area in [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: - +> [!div class="mx-imgBorder"] +>  ## Deployment -### Windows Autopilot - -[Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise LTSC 2019 (and later versions). Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10. - -Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog) or this article for updated information. - -Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly. - -You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](/microsoft-store/add-profile-to-devices). - -#### Autopilot Reset - -IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](/education/windows/autopilot-reset). - ### MBR2GPT.EXE MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise LTSC 2019 (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS). diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md new file mode 100644 index 0000000000..6364bc3fd1 --- /dev/null +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md @@ -0,0 +1,248 @@ +--- +title: What's new in Windows 10 Enterprise LTSC 2021 +ms.reviewer: +manager: dougeby +ms.author: greglin +description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2021. +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise LTSC 2021"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: greg-lindsay +ms.localizationpriority: low +ms.topic: article +--- + +# What's new in Windows 10 Enterprise LTSC 2021 + +**Applies to** +- Windows 10 Enterprise LTSC 2021 + +This article lists new and updated features and content that is of interest to IT Pros for Windows 10 Enterprise LTSC 2021, compared to Windows 10 Enterprise LTSC 2019 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md). + +> [!NOTE] +> Features in Windows 10 Enterprise LTSC 2021 are equivalent to Windows 10, version 21H2.
+> The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the semi-annual channel release of Windows 10 might be limited. + +Windows 10 Enterprise LTSC 2021 builds on Windows 10 Enterprise LTSC 2019, adding premium features such as advanced protection against modern security threats and comprehensive device management, app management, and control capabilities. + +The Windows 10 Enterprise LTSC 2021 release includes the cumulative enhancements provided in Windows 10 versions 1903, 1909, 2004, 21H1, and 21H2. Details about these enhancements are provided below. + +## Lifecycle + +> [!IMPORTANT] +> Windows 10 Enterprise LTSC 2021 has a 5 year lifecycle ([IoT](/windows/iot/product-family/what's-new-in-windows-10-iot-enterprise-21h2) continues to have a [10 year lifecycle](/windows/iot/product-family/product-lifecycle?tabs=2021)). Thus, the LTSC 2021 release is not a direct replacement for LTSC 2019, which has a 10 year lifecycle. + +For more information about the lifecycle for this release, see [The next Windows 10 Long Term Servicing Channel (LTSC) release](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-next-windows-10-long-term-servicing-channel-ltsc-release/ba-p/2147232). + +## Hardware security + +### System Guard + +[System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows) has improved a feature in this version of Windows called **SMM Firmware Protection**. This feature is built on top of [System Guard Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to reduce the firmware attack surface and ensure that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, SMM code cannot access the OS memory and secrets. + +In this release, [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to other resources like registers and IO. + +With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. Based on the platform, the underlying hardware and firmware, there are three versions of SMM Firmware Protection (one, two and three), with each subsequent versions offering stronger protections than the preceding ones. + +There are already devices in the market today that offer SMM Firmware Protection versions one and two. SMM Firmware Protection version three This feature is currently forward-looking and requires new hardware that will be made available soon. + +## Operating system security + +### System security + +[Windows Security app](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) improvements now include Protection history, including detailed and easier to understand information about threats and available actions, Controlled Folder Access blocks are now in the Protection history, Windows Defender Offline Scanning tool actions, and any pending recommendations. + +### Encryption and data protection + +BitLocker and Mobile Device Management (MDM) with Azure Active Directory work together to protect your devices from accidental password disclosure. Now, a new key-rolling feature securely rotates recovery passwords on MDM-managed devices. The feature is activated whenever Microsoft Intune/MDM tools or a recovery password is used to unlock a BitLocker protected drive. As a result, the recovery password will be better protected when users manually unlock a BitLocker drive. + +### Network security + +#### Windows Defender Firewall + +Windows Defender Firewall now offers the following benefits: + +**Reduce risk**: Windows Defender Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties, such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack. + +**Safeguard data**: With integrated Internet Protocol Security (IPsec), Windows Defender Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. + +**Extend value**: Windows Defender Firewall is a host-based firewall that is included with the operating system, so there is no additional hardware or software required. Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). + +The Windows Defender Firewall is also now easier to analyze and debug. IPsec behavior has been integrated with Packet Monitor (pktmon), an in-box cross-component network diagnostic tool for Windows. + +Additionally, the Windows Defender Firewall event logs have been enhanced to ensure an audit can identify the specific filter that was responsible for any given event. This enables analysis of firewall behavior and rich packet capture without relying on other tools. + +Windows Defender Firewall also now supports [Windows Subsystem for Linux (WSL)](/windows/wsl/); You can add rules for WSL process, just like for Windows processes. For more information, see [Windows Defender Firewall now supports Windows Subsystem for Linux (WSL)](https://blogs.windows.com/windowsexperience/2018/04/19/announcing-windows-10-insider-preview-build-17650-for-skip-ahead/#II14f7VlSBcZ0Gs4.97). + +### Virus and threat protection + +[Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URL’s and IP addresses. +[Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage. + - Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform. + - [Tamper-proofing](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) capabilities – Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers. +[Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) – In addition to Windows 10, Microsoft Defender for Endpoint’s functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities. + +**Advanced machine learning**: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware. + +**Emergency outbreak protection**: Provides emergency outbreak protection which will automatically update devices with new intelligence when a new outbreak has been detected. + +**Certified ISO 27001 compliance**: Ensures that the cloud service has analyzed for threats, vulnerabilities and impacts, and that risk management and security controls are in place. + +**Geolocation support**: Support geolocation and sovereignty of sample data as well as configurable retention policies. + +**Improved support for non-ASCII file paths** for Microsoft Defender Advanced Threat Protection (ATP) Auto Incident Response (IR). + +> [!NOTE] +> The [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) parameter is deprecated in this release. + +## Application security + +### App isolation + +[Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849): Isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device. + +#### Microsoft Defender Application Guard + +[Microsoft Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements include: + - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior. + - Application Guard is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend Application Guard’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the Application Guard extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigation to the Application Guard Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch Application Guard from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates. + + To try this extension: + 1. Configure Application Guard policies on your device. + 2. Go to the Chrome Web Store or Firefox Add-ons and search for Application Guard. Install the extension. + 3. Follow any additional configuration steps on the extension setup page. + 4. Reboot the device. + 5. Navigate to an untrusted site in Chrome and Firefox. + + **Dynamic navigation**: Application Guard now allows users to navigate back to their default host browser from the Application Guard Microsoft Edge. Previously, users browsing in Application Guard Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in Application Guard Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates. + +Application Guard performance is improved with optimized document opening times: +- An issue is fixed that could cause a one minute or more delay when you open a Microsoft Defender Application Guard (Application Guard) Office document. This can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link. +- A memory issue is fixed that could cause an Application Guard container to use almost 1 GB of working set memory when the container is idle. +- The performance of Robocopy is improved when copying files over 400 MB in size. + +[Edge support for Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard) has been available for Chromium-based Edge since early 2020. + +**Application Guard now supports Office**: With [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/install-app-guard), you can launch untrusted Office documents (from outside the Enterprise) in an isolated container to prevent potentially malicious content from compromising your device. + +### Application Control + +[Application Control for Windows](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903 WDAC added a number of new features that light up key scenarios and provide feature parity with AppLocker. + - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side by side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy. + - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
+ This brings WDAC to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker. + - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, WDAC enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. + +## Identity and privacy + +### Secured identity + +Windows Hello enhancements include: +- Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox. +- You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN. +- Windows Hello PIN sign-in support is [added to Safe mode](/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995). +- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (MSA). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894). +- With specialized hardware and software components available on devices shipping with Windows 10, version 20H2 configured out of factory, Windows Hello now offers added support for virtualization-based security with supporting fingerprint and face sensors. This feature isolates and secures a user's biometric authentication data. +- Windows Hello multi-camera support is added, allowing users to choose an external camera priority when both external and internal Windows Hello-capable cameras are present. +- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD. +- [Streamlined Windows Hello PIN reset experience](/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web. +- [Remote Desktop with Biometrics](/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. + +### Credential protection + +#### Windows Defender Credential Guard + +[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for additional protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X. + +### Privacy controls + +[Microphone privacy settings](https://support.microsoft.com/en-us/help/4468232/windows-10-camera-microphone-and-privacy-microsoft-privacy): A microphone icon appears in the notification area letting you see which apps are using your microphone. + +## Cloud Services + +### Microsoft Endpoint Manager + +Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now [Microsoft Endpoint Manager](/configmgr/). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). Also see [Modern management and security principles driving our Microsoft Endpoint Manager vision](https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Modern-management-and-security-principles-driving-our-Microsoft/ba-p/946797). + +### Configuration Manager + +An in-place upgrade wizard is available in Configuration Manager. For more information, see [Simplifying Windows 10 deployment with Configuration Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-windows-10-deployment-with-configuration-manager/ba-p/1214364). + +#### Microsoft Intune + +Microsoft Intune supports Windows 10 Enterprise LTSC 2021, except for [Windows Update Rings](/mem/intune/configuration/device-profile-create#create-the-profile) in device profiles. + +A new Intune remote action: **Collect diagnostics**, lets you collect the logs from corporate devices without interrupting or waiting for the end user. For more information, see [Collect diagnostics remote action](/mem/intune/fundamentals/whats-new#collect-diagnostics-remote-action). + +Intune has also added capabilities to [Role-based access control](/mem/intune/fundamentals/whats-new#role-based-access-control) (RBAC) that can be used to further define profile settings for the Enrollment Status Page (ESP). For more information see [Create Enrollment Status Page profile and assign to a group](/mem/intune/enrollment/windows-enrollment-status#create-enrollment-status-page-profile-and-assign-to-a-group). + +For a full list of what's new in Microsoft Intune, see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new). + +### Mobile Device Management + +Mobile Device Management (MDM) policy is extended with new [Local Users and Groups settings](/windows/client-management/mdm/policy-csp-localusersandgroups) that match the options available for devices managed through Group Policy. + +For more information about what's new in MDM, see [What's new in mobile device enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management) + +Windows Management Instrumentation (WMI) Group Policy Service (GPSVC) has a performance improvement to support remote work scenarios: +- An issue is fixed that caused changes by an Active Directory (AD) administrator to user or computer group memberships to propagate slowly. Although the access token eventually updates, these changes might not appear when the administrator uses gpresult /r or gpresult /h to create a report. + +#### Key-rolling and Key-rotation + +This release also includes two new features called Key-rolling and Key-rotation enables secure rolling of Recovery passwords on MDM-managed AAD devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users. + +## Deployment + +### SetupDiag + +[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. + +### Reserved storage + +[**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327): Reserved storage sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. Reserved storage will be enabled automatically on new PCs with Windows 10, version 1903 pre-installed, and for clean installs. It will not be enabled when updating from a previous version of Windows 10. + +### Windows Assessment and Deployment Toolkit (ADK) + +A new [Windows ADK](/windows-hardware/get-started/adk-install) is available for Windows 11 that also supports Windows 10, version 21H2. + +### Microsoft Deployment Toolkit (MDT) + +For the latest information about MDT, see the [MDT release notes](/mem/configmgr/mdt/release-notes). + +### Windows Setup + +Windows Setup [answer files](/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs) (unattend.xml) have improved language handling. + +Improvements in Windows Setup with this release also include: +- Reduced offline time during feature updates +- Improved controls for reserved storage +- Improved controls and diagnostics +- New recovery options + +For more information, see Windows Setup enhancements in the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/pilot-new-features-with-the-windows-insider-program-for-business/ba-p/1220464). + +## Microsoft Edge + +Microsoft Edge Browser support is now included in-box. + +### Microsoft Edge kiosk mode + +Microsoft Edge kiosk mode is available for LTSC releases starting in Windows 10 Enterprise 2021 LTSC and [Windows 10 IoT Enterprise 2021 LTSC](/windows/iot/product-family/what's-new-in-windows-10-iot-enterprise-21h2). + +Microsoft Edge kiosk mode offers two lockdown experiences of the browser so organizations can create, manage, and provide the best experience for their customers. The following lockdown experiences are available: +- Digital/Interactive Signage experience - Displays a specific site in full-screen mode. +- Public-Browsing experience - Runs a limited multi-tab version of Microsoft Edge. +- Both experiences are running a Microsoft Edge InPrivate session, which protects user data. + +## Windows Subsystem for Linux + +Windows Subsystem for Linux (WSL) is be available in-box. + +## Networking + +WPA3 H2E standards are supported for enhanced Wi-Fi security. + +## See Also + +[Windows 10 Enterprise LTSC](index.md): A short description of the LTSC servicing channel with links to information about each release. diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md index 74eb1725e2..e3e4fd0740 100644 --- a/windows/whats-new/whats-new-windows-10-version-1903.md +++ b/windows/whats-new/whats-new-windows-10-version-1903.md @@ -35,21 +35,13 @@ This article lists new and updated features and content that are of interest to - Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE. - Windows Autopilot will set the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE. -### Windows 10 Subscription Activation - -Windows 10 Education support has been added to Windows 10 Subscription Activation. - -With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions – Windows 10 Education. For more information, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-subscription-activation). - ### SetupDiag -[SetupDiag](/windows/deployment/upgrade/setupdiag) version 1.4.1 is available. - -SetupDiag is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. +[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. ### Reserved storage -[**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327): Reserved storage sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. Reserved storage will be enabled automatically on new PCs with Windows 10, version 1903 pre-installed, and for clean installs. It will not be enabled when updating from a previous version of Windows 10. +[**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327): Reserved storage sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. Reserved storage will be enabled automatically on new PCs with Windows 10, version 1903 or later pre-installed, and for clean installs. It will not be enabled when updating from a previous version of Windows 10. ## Servicing @@ -102,7 +94,7 @@ The draft release of the [security configuration baseline settings](/archive/blo - [Windows Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements: - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change Registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior. - - WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAG’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigations to the WDAG Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates. + - WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAG’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigation to the WDAG Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates. To try this extension: 1. Configure WDAG policies on your device. diff --git a/windows/whats-new/whats-new-windows-10-version-21H2.md b/windows/whats-new/whats-new-windows-10-version-21H2.md new file mode 100644 index 0000000000..2640bff4c6 --- /dev/null +++ b/windows/whats-new/whats-new-windows-10-version-21H2.md @@ -0,0 +1,78 @@ +--- +title: What's new in Windows 10, version 21H2 for IT pros +description: Learn more about what's new in Windows 10 version 21H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more. +ms.reviewer: +manager: dougeby +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: mobile +ms.author: mandia +author: MandiOhlinger +ms.localizationpriority: medium +ms.topic: article +--- + +# What's new in Windows 10, version 21H2 + +**Applies to**: + +- Windows 10, version 21H2 + +Windows 10, version 21H2 is the next feature update. This article lists the new and updated features IT Pros should know. Windows 10, version 21H2 is also known as the Windows 10 November 2021 Update. It includes all features and fixes in previous cumulative updates to Windows 10, version 21H1. + +Windows 10, version 21H2 is an [H2-targeted release](/lifecycle/faq/windows#what-is-the-servicing-timeline-for-a-version--feature-update--of-windows-10-), and has the following servicing schedule: + +- **Windows 10 Professional**: Serviced for 24 months from the release date. +- **Windows 10 Enterprise**: Serviced for 36 months from the release date. + +Windows 10, version 21H2 is available through Windows Server Update Services (including Configuration Manager), Windows Update for Business, and the Volume Licensing Service Center (VLSC). For more information, see [How to get the Windows 10 November 2021 Update](https://blogs.windows.com/windowsexperience/2021/11/16/how-to-get-the-windows-10-november-2021-update/) and [IT tools to support Windows 10, version 21H2 blog](https://aka.ms/tools-for-21h2). + +Devices running Windows 10, versions 2004, 20H2, and 21H1 can update quickly to version 21H2 using an enablement package. For more information, see [Feature Update through Windows 10, version 21H2 Enablement Package](https://support.microsoft.com/help/5003791). + +To learn more about the status of the November 2021 Update rollout, known issues, and new information, see [Windows release health](/windows/release-health/). + +## Updates and servicing + +Windows 10, version 21H2 feature updates are installed annually using the General Availability Channel. Previous feature updates were installed using the Semi-Annual Channel. For more information on this change, see the [How to get the Windows 10 November 2021 Update](https://blogs.windows.com/windowsexperience/?p=176473). + +Quality updates are still installed monthly on patch Tuesday. + +For more information, see: + +- [Feature and quality update definitions](/windows/deployment/update/waas-quick-start#definitions) +- [Windows servicing channels](/windows/deployment/update/waas-overview#servicing-channels) + +## GPU compute support for the Windows Subsystem for Linux + +Starting with Windows 10 version 21H2, the Windows Subsystem for Linux has full graphics processing unit (GPU) compute support. It was available to Windows Insiders, and is now available to everyone. The Linux binaries can use your Windows GPU, and run different workloads, including artificial intelligence (AI) and machine learning (ML) development workflows. + +For more information, and what GPU compute support means for you, see the [GPU accelerated ML training inside the Windows Subsystem for Linux blog post](https://blogs.windows.com/windowsdeveloper/2020/06/17/gpu-accelerated-ml-training-inside-the-windows-subsystem-for-linux/). + +## Get the latest CSPs + +The [KB5005101 September 1, 2021 update](https://support.microsoft.com/topic/september-1-2021-kb5005101-os-builds-19041-1202-19042-1202-and-19043-1202-preview-82a50f27-a56f-4212-96ce-1554e8058dc1) includes about 1400 CSPs that were made available to MDM providers. + +These CSPs are built in to Windows 10, version 21H2. These settings are available in Endpoint Manager in the [Settings Catalog](/mem/intune/configuration/settings-catalog). [Group Policy analytics](/mem/intune/configuration/group-policy-analytics) also includes these GPOs in its analysis. + +For more information on the CSPs, see the [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference). + +## Apps appear local with Azure Virtual Desktop + +Azure virtual desktop is a Windows client OS hosted in the cloud, and runs virtual apps. You use the cloud to deliver virtual apps in real time, and as-needed. Users use the apps as if they're installed locally. + +You can create Azure virtual desktops that run Windows 10 version 21H2. + +For more information, see: + +- [What is Azure Virtual Desktop?](/azure/virtual-desktop/overview) +- [What's new in Azure Virtual Desktop?](/azure/virtual-desktop/whats-new) +- [Set up MSIX app attach with the Azure portal](/azure/virtual-desktop/app-attach-azure-portal) + +## Wi-Fi 6E support + +Also known as 802.11ax, Wi-Fi 6E support is built in to Windows 10, version 21H2. Wi-Fi 6E has new channel frequencies that are dedicated to 6E devices, and is more performant for apps that use more bandwidth. + +## Related articles + +- [Release notes for Microsoft Edge Stable Channel](/deployedge/microsoft-edge-relnote-stable-channel) diff --git a/windows/whats-new/windows-11-whats-new.md b/windows/whats-new/windows-11-whats-new.md index 4eafe42218..af406cd7e7 100644 --- a/windows/whats-new/windows-11-whats-new.md +++ b/windows/whats-new/windows-11-whats-new.md @@ -149,7 +149,7 @@ For more information on the security features you can configure, manage, and enf - Your Windows 10 apps will also work on Windows 11. **[App Assure](https://www.microsoft.com/fasttrack/microsoft-365/app-assure)** is also available if there are some issues. - You can continue to use **MSIX packages** for your UWP, Win32, WPF, and WinForm desktop application files. Continue to use **Windows Package Manager** to install Windows apps. Use **Azure Virtual desktop with MSIX app attach** to virtualize desktops and apps. For more information on these features, see [Overview of apps on Windows client devices](/windows/application-management/apps-in-windows-10). + You can continue to use **MSIX packages** for your UWP, Win32, WPF, and WinForm desktop application files. Continue to use **Windows Package Manager** to install Windows apps. You can create **Azure virtual desktops** that run Windows 11. Use **Azure Virtual desktop with MSIX app attach** to virtualize desktops and apps. For more information on these features, see [Overview of apps on Windows client devices](/windows/application-management/apps-in-windows-10). In the **Settings** app > **Apps**, users can manage some of the app settings. For example, they can get apps anywhere, but let the user know if there's a comparable app in the Microsoft Store. They can also choose which apps start when they sign in. - - -
| Attribute | -Description | -Supported browser | -
|---|---|---|
| allow-redirect | -A boolean attribute of the <open-in> element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser).
- Example - -<site url="contoso.com/travel"> - <open-in allow-redirect="true">IE11</open-in> -</site>-In this example, if https://contoso.com/travel is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer. |
-Internet Explorer 11 and Microsoft Edge | -
| version | -Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <site-list> element. | -Internet Explorer 11 and Microsoft Edge | -
| url | -Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
- Note -Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both https://contoso.com and https://contoso.com. - Example - -<site url="contoso.com:8080"> - <compat-mode>IE8Enterprise</compat-mode> - <open-in>IE11</open-in> -</site>-In this example, going to https://contoso.com:8080 using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode. |
-Internet Explorer 11 and Microsoft Edge | -
**Example**
<site url="contoso.com/travel">In this example, if [https://contoso.com/travel](https://contoso.com/travel) is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer.| Internet Explorer 11 and Microsoft Edge| +|version |Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <site-list> element. | Internet Explorer 11 and Microsoft Edge| +|url|Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
<open-in allow-redirect="true">IE11 </open-in>
</site>
**Note**
Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both [https://contoso.com](https://contoso.com) and [https://contoso.com](https://contoso.com).
**Example**
<site url="contoso.com:8080">In this example, going to [https://contoso.com:8080](https://contoso.com:8080) using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode. | Internet Explorer 11 and Microsoft Edge| ### Deprecated attributes These v.1 version schema attributes have been deprecated in the v.2 version of the schema: -
<compat-mode>IE8Enterprise</compat-mode>
<open-in>IE11</open-in>
</site>
| Deprecated attribute | -New attribute | -Replacement example | -
|---|---|---|
| <forceCompatView> | -<compat-mode> | -Replace <forceCompatView="true"> with <compat-mode>IE7Enterprise</compat-mode> | -
| <docMode> | -<compat-mode> | -Replace <docMode="IE5"> with <compat-mode>IE5</compat-mode> | -
| <doNotTransition> | -<open-in> | -Replace <doNotTransition="true"> with <open-in>none</open-in> | -
| <domain> and <path> | -<site> | -Replace:
--<emie> - <domain exclude="false">contoso.com</domain> -</emie>-With: - -<site url="contoso.com"/> - <compat-mode>IE8Enterprise</compat-mode> -</site>--AND- -Replace: - -<emie> - <domain exclude="true">contoso.com - <path exclude="false" forceCompatView="true">/about</path> - </domain> -</emie>-With: - -<site url="contoso.com/about"> - <compat-mode>IE7Enterprise</compat-mode> -</site> |
-
<doNotTransition="true"> with <open-in>none</open-in>| +|<domain> and <path>|<site>|Replace:
<emie>With:
<domain exclude="false">contoso.com</domain>
</emie>
<site url="contoso.com"/>**-AND-**
<compat-mode>IE8Enterprise</compat-mode>
</site>
Replace:
<emie>
<domain exclude="true">contoso.com
<path exclude="false" forceCompatView="true">/about</path>
</domain>
</emie>
With:
<site url="contoso.com/about">
<compat-mode>IE7Enterprise</compat-mode>
</site>| While the old, replaced attributes aren't supported in the v.2 version of the schema, they'll continue to work in the v.1 version of the schema. If, however, you're using the v.2 version of the schema and these attributes are still there, the v.2 version schema takes precedence. We don’t recommend combining the two schemas, and instead recommend that you move to the v.2 version of the schema to take advantage of the new features. diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md index 65fbb8eaaf..8cef068687 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md +++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md @@ -63,17 +63,17 @@ Data is collected on the configuration characteristics of IE and the sites it br |Data point |IE11 |IE10 |IE9 |IE8 |Description | |------------------------|-----|-----|-----|-----|------------------------------------------------------------------------| -|URL | X | X | X | X |URL of the browsed site, including any parameters included in the URL. | -|Domain | X | X | X | X |Top-level domain of the browsed site. | -|ActiveX GUID | X | X | X | X |GUID of the ActiveX controls loaded by the site. | -|Document mode | X | X | X | X |Document mode used by IE for a site, based on page characteristics. | -|Document mode reason | X | X | | |The reason why a document mode was set by IE. | -|Browser state reason | X | X | | |Additional information about why the browser is in its current state. Also called, browser mode. | -|Hang count | X | X | X | X |Number of visits to the URL when the browser hung. | -|Crash count | X | X | X | X |Number of visits to the URL when the browser crashed. | -|Most recent navigation failure (and count) | X | X | X | X |Description of the most recent navigation failure (like, a 404 bad request or 500 internal server error) and the number of times it happened. | -|Number of visits | X | X | X | X |Number of times a site has been visited. | -|Zone | X | X | X | X |Zone used by IE to browse sites, based on browser settings. | +|URL | ✔️ | ✔️ | ✔️ | ✔️ |URL of the browsed site, including any parameters included in the URL. | +|Domain | ✔️ | ✔️ | ✔️ | ✔️ |Top-level domain of the browsed site. | +|ActiveX GUID | ✔️ | ✔️ | ✔️ | ✔️ |GUID of the ActiveX controls loaded by the site. | +|Document mode | ✔️ | ✔️ | ✔️ | ✔️ |Document mode used by IE for a site, based on page characteristics. | +|Document mode reason | ✔️ | ✔️ | | |The reason why a document mode was set by IE. | +|Browser state reason | ✔️ | ✔️ | | |Additional information about why the browser is in its current state. Also called, browser mode. | +|Hang count | ✔️ | ✔️ | ✔️ | ✔️ |Number of visits to the URL when the browser hung. | +|Crash count | ✔️ | ✔️ | ✔️ | ✔️ |Number of visits to the URL when the browser crashed. | +|Most recent navigation failure (and count) | ✔️ | ✔️ | ✔️ | ✔️ |Description of the most recent navigation failure (like, a 404 bad request or 500 internal server error) and the number of times it happened. | +|Number of visits | ✔️ | ✔️ | ✔️ | ✔️ |Number of times a site has been visited. | +|Zone | ✔️ | ✔️ | ✔️ | ✔️ |Zone used by IE to browse sites, based on browser settings. | >**Important**
By default, IE doesn’t collect this data; you have to turn this feature on if you want to use it. After you turn on this feature, data is collected on all sites visited by IE, except during InPrivate sessions. Additionally, the data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements. @@ -205,68 +205,32 @@ You can use Group Policy to finish setting up Enterprise Site Discovery. If you You can use both the WMI and XML settings individually or together: **To turn off Enterprise Site Discovery** -
| Setting name | -Option | -
|---|---|
| Turn on Site Discovery WMI output | -Off | -
| Turn on Site Discovery XML output | -Blank | -
| Setting name | -Option | -
|---|---|
| Turn on Site Discovery WMI output | -On | -
| Turn on Site Discovery XML output | -Blank | -
| Setting name | -Option | -
|---|---|
| Turn on Site Discovery WMI output | -Off | -
| Turn on Site Discovery XML output | -XML file path | -
| Setting name | -Option | -
|---|---|
| Turn on Site Discovery WMI output | -On | -
| Turn on Site Discovery XML output | -XML file path | -
| Element | -Description | -Supported browser | -
|---|---|---|
| <rules> | -Root node for the schema.
- Example - -<rules version="205"> - <emie> - <domain>contoso.com</domain> - </emie> -</rules> |
-Internet Explorer 11 and Microsoft Edge | -
| <emie> | -The parent node for the Enterprise Mode section of the schema. All <domain> entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied.
- Example - -<rules version="205"> - <emie> - <domain>contoso.com</domain> - </emie> -</rules>--or- - For IPv6 ranges: <rules version="205"> - <emie> - <domain>[10.122.34.99]:8080</domain> - </emie> - </rules>--or- - For IPv4 ranges: <rules version="205"> - <emie> - <domain>10.122.34.99:8080</domain> - </emie> - </rules> |
-Internet Explorer 11 and Microsoft Edge | -
| <docMode> | -The parent node for the document mode section of the section. All <domain> entries will get IE5 - IE11 document modes applied. If there's a <domain> element in the <docMode> section that uses the same value as a <domain> element in the <emie> section, the <emie> element is applied.
- Example - -<rules version="205"> - <docMode> - <domain docMode="7">contoso.com</domain> - </docMode> -</rules> |
-Internet Explorer 11 | -
| <domain> | -A unique entry added for each site you want to put on the Enterprise Mode site list. The first <domain> element will overrule any additional <domain> elements that use the same value for the section. You can use port numbers for this element.
- Example - -<emie> - <domain>contoso.com:8080</domain> -</emie> |
-Internet Explorer 11 and Microsoft Edge | -
| <path> | -A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The <path> element is a child of the <domain> element. Additionally, the first <path> element will overrule any additional <path> elements in the schema section.
- Example - -<emie> - <domain exclude="true">fabrikam.com - <path exclude="false">/products</path> - </domain> -</emie> -Where https://fabrikam.com doesn't use IE8 Enterprise Mode, but https://fabrikam.com/products does. |
-Internet Explorer 11 and Microsoft Edge | -
**Example**
<rules version="205">
<emie>
<domain>contoso.com</domain>
</emie>
</rules> |Internet Explorer 11 and Microsoft Edge | +|<emie> |The parent node for the Enterprise Mode section of the schema. All <domain> entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied.
**Example**<rules version="205">
<emie>
<domain>contoso.com</domain>
</emie>
</rules>
**or**
For IPv6 ranges:
<rules version="205">
<emie>
<domain>[10.122.34.99]:8080</domain>
</emie>
</rules>
**or**
For IPv4 ranges:<rules version="205">
<emie>
<domain>[10.122.34.99]:8080</domain>
</emie>
</rules> | Internet Explorer 11 and Microsoft Edge | +|<docMode> |The parent node for the document mode section of the section. All <domain> entries will get IE5 - IE11 document modes applied. If there's a <domain> element in the docMode section that uses the same value as a <domain> element in the emie section, the emie element is applied.
**Example**
<rules version="205">
<docmode>
<domain docMode="7">contoso.com</domain>
</docmode>
</rules> |Internet Explorer 11 | +|<domain> |A unique entry added for each site you want to put on the Enterprise Mode site list. The first <domain> element will overrule any additional <domain> elements that use the same value for the section. You can use port numbers for this element.
**Example**
<emie>
<domain>contoso.com:8080</domain>
</emie> |Internet Explorer 11 and Microsoft Edge | +|<path> |A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The <path> element is a child of the <domain> element. Additionally, the first <path> element will overrule any additional <path> elements in the schema section.
**Example**
<emie>
<domain exclude="true">fabrikam.com
<path exclude="false">/products</path>
</domain>
</emie>
Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does. |Internet Explorer 11 and Microsoft Edge | ### Schema attributes This table includes the attributes used by the Enterprise Mode schema. -
| Attribute | -Description | -Supported browser | -
|---|---|---|
| version | -Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <rules> element. | -Internet Explorer 11 and Microsoft Edge | -
| exclude | -Specifies the domain or path excluded from applying Enterprise Mode. This attribute is only supported on the <domain> and <path> elements in the <emie> section. If this attribute is absent, it defaults to false.
- - Example: --<emie> - <domain exclude="false">fabrikam.com - <path exclude="true">/products</path> - </domain> -</emie> -Where https://fabrikam.com uses IE8 Enterprise Mode, but https://fabrikam.com/products does not. |
-Internet Explorer 11 | -
| docMode | -Specifies the document mode to apply. This attribute is only supported on <domain> or <path> elements in the <docMode> section.
- - Example: --<docMode> - <domain>fabrikam.com - <path docMode="9">/products</path> - </domain> -</docMode> -Where https://fabrikam.com loads in IE11 document mode, but https://fabrikam.com/products uses IE9 document mode. |
-Internet Explorer 11 | -
| doNotTransition | -Specifies that the page should load in the current browser, otherwise it will open in IE11. This attribute is supported on all <domain> or <path> elements. If this attribute is absent, it defaults to false.
- - Example: --<emie> - <domain doNotTransition="false">fabrikam.com - <path doNotTransition="true">/products</path> - </domain> -</emie> -Where https://fabrikam.com opens in the IE11 browser, but https://fabrikam.com/products loads in the current browser (eg. Microsoft Edge). |
-Internet Explorer 11 and Microsoft Edge | -
| forceCompatView | -Specifies that the page should load in IE7 document mode (Compat View). This attribute is only supported on <domain> or <path> elements in the <emie> section. If the page is also configured to load in Enterprise Mode, it will load in IE7 Enterprise Mode. Otherwise (exclude="true"), it will load in IE11's IE7 document mode. If this attribute is absent, it defaults to false.
- - Example: --<emie> - <domain exclude="true">fabrikam.com - <path forceCompatView="true">/products</path> - </domain> -</emie> -Where https://fabrikam.com does not use Enterprise Mode, but https://fabrikam.com/products uses IE7 Enterprise Mode. |
-Internet Explorer 11 | -
**Example**
<emie>
<domain exclude="false">fabrikam.com
<path exclude="true">/products</path>
</domain>
</emie>
Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does.|Internet Explorer 11 and Microsoft Edge|
+|docMode|Specifies the document mode to apply. This attribute is only supported on <domain> or <path>elements in the <docMode> section.
**Example**
<docMode>
<domain exclude="false">fabrikam.com
<path docMode="9">/products</path>
</domain>
</docMode>|Internet Explorer 11| +|doNotTransition| Specifies that the page should load in the current browser, otherwise it will open in IE11. This attribute is supported on all <domain> or <path> elements. If this attribute is absent, it defaults to false.
**Example**<emie>
<domain doNotTransition="false">fabrikam.com
<path doNotTransition="true">/products</path>
</domain>
</emie>Where [https://fabrikam.com](https://fabrikam.com) opens in the IE11 browser, but [https://fabrikam.com/products](https://fabrikam.com/products) loads in the current browser (eg. Microsoft Edge)|Internet Explorer 11 and Microsoft Edge| +|forceCompatView|Specifies that the page should load in IE7 document mode (Compat View). This attribute is only supported on <domain> or <path> elements in the <emie> section. If the page is also configured to load in Enterprise Mode, it will load in IE7 Enterprise Mode. Otherwise (exclude="true"), it will load in IE11's IE7 document mode. If this attribute is absent, it defaults to false.
**Example**<emie>
<domain exclude="true">fabrikam.com
<path forcecompatview="true">/products</path>
</domain>
</emie>Where [https://fabrikam.com](https://fabrikam.com) does not use Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) uses IE7 Enterprise Mode.|Internet Explorer 11| ### Using Enterprise Mode and document mode together If you want to use both Enterprise Mode and document mode together, you need to be aware that <emie> entries override <docMode> entries for the same domain. diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md index 299c6c093f..825646b237 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md @@ -97,197 +97,31 @@ The following is an example of the v.2 version of the Enterprise Mode schema. ### Updated schema elements This table includes the elements used by the v.2 version of the Enterprise Mode schema. -
| Element | -Description | -Supported browser | -
|---|---|---|
| <site-list> | -A new root node with this text is using the updated v.2 version of the schema. It replaces <rules>.
- Example - -<site-list version="205"> - <site url="contoso.com"> - <compat-mode>IE8Enterprise</compat-mode> - <open-in>IE11</open-in> - </site> -</site-list> |
-Internet Explorer 11 and Microsoft Edge | -
| <site> | -A unique entry added for each site you want to put on the Enterprise Mode site list. The first <site> element will overrule any additional <site> elements that use the same value for the <url> element.
- Example - -<site url="contoso.com"> - <compat-mode>default</compat-mode> - <open-in>none</open-in> -</site>--or- - For IPv4 ranges: <site url="10.122.34.99:8080"> - <compat-mode>IE8Enterprise</compat-mode> -<site> --or- - For IPv6 ranges: <site url="[10.122.34.99]:8080"> - <compat-mode>IE8Enterprise</compat-mode> -<site> -You can also use the self-closing version, <url="contoso.com" />, which also sets: -
|
-Internet Explorer 11 and Microsoft Edge | -
| <compat-mode> | -A child element that controls what compatibility setting is used for specific sites or domains. This element is only supported in IE11.
- Example - -<site url="contoso.com"> - <compat-mode>IE8Enterprise</compat-mode> -</site>--or- - For IPv4 ranges: <site url="10.122.34.99:8080"> - <compat-mode>IE8Enterprise</compat-mode> -<site> --or- - For IPv6 ranges: <site url="[10.122.34.99]:8080"> - <compat-mode>IE8Enterprise</compat-mode> -<site> -Where: -
- - - |
-Internet Explorer 11 | -
| <open-in> | -A child element that controls what browser is used for sites. This element supports the Open in IE11 or Open in Microsoft Edge experiences, for devices running Windows 10.
- Example - -<site url="contoso.com"> - <open-in>none</open-in> -</site> -Where: -
- - |
-Internet Explorer 11 and Microsoft Edge | -
**Example**
<site-list version="205">| Internet Explorer 11 and Microsoft Edge | +|<site> |A unique entry added for each site you want to put on the Enterprise Mode site list. The first <site> element will overrule any additional <site> elements that use the same value for the <url> element.
<site url="contoso.com">
<compat-mode>IE8Enterprise</compat-mode>
<open-in>IE11</open-in>
</site>
</site-list>
**Example**
<site url="contoso.com">
<compat-mode>default</compat-mode>
<open-in>none</open-in>
</site>
**or** For IPv4 ranges:
<site url="10.122.34.99:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site>
**or** For IPv6 ranges:
<site url="[10.122.34.99]:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site>
You can also use the self-closing version, <url="contoso.com" />, which also sets:
**Example**
**or**
<site url="contoso.com">
<compat-mode>IE8Enterprise</compat-mode>
</site>
For IPv4 ranges:
<site url="10.122.34.99:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site>
**or** For IPv6 ranges:
<site url="[10.122.34.99]:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site>
Where
**Examples**
<site url="contoso.com">
<open-in>none</open-in>
</site>
Where
| Attribute | -Description | -Supported browser | -
|---|---|---|
| allow-redirect | -A boolean attribute of the <open-in> element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser).
- Example - -<site url="contoso.com/travel"> - <open-in allow-redirect="true">IE11</open-in> -</site>-In this example, if https://contoso.com/travel is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer. |
-Internet Explorer 11 and Microsoft Edge | -
| version | -Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <site-list> element. | -Internet Explorer 11 and Microsoft Edge | -
| url | -Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
- Note -Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both http://contoso.com and https://contoso.com. - Example - -<site url="contoso.com:8080"> - <compat-mode>IE8Enterprise</compat-mode> - <open-in>IE11</open-in> -</site>-In this example, going to https://contoso.com:8080 using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode. |
-Internet Explorer 11 and Microsoft Edge | -
**Example**
<site url="contoso.com/travel">In this example, if [https://contoso.com/travel](https://contoso.com/travel) is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer.
<open-in allow-redirect="true">IE11 </open-in>
</site>
| DHA-Service type | -Description | -Operation cost | -
|---|---|---|
| Device Health Attestation – Cloud (DHA-Cloud) |
-DHA-Cloud is a Microsoft owned and operated DHA-Service that is: -
| No cost | - -
| Device Health Attestation – On Premise (DHA-OnPrem) |
-DHA-OnPrem refers to DHA-Service that is running on premises: -
|
-The operation cost of running one or more instances of Server 2016 on-premises. | -
| Device Health Attestation - Enterprise-Managed Cloud (DHA-EMC) |
-DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure. -
|
-The operation cost of running Server 2016 on a compatible cloud service, such as Microsoft Azure. | -
The root node for the device HealthAttestation configuration service provider.
+ +The root node for the device HealthAttestation configuration service provider. **VerifyHealth** (Required) -Notifies the device to prepare a device health verification request.
-The supported operation is Execute.
+Notifies the device to prepare a device health verification request. + +The supported operation is Execute. **Status** (Required) -Provides the current status of the device health request.
-The supported operation is Get.
+Provides the current status of the device health request. -The following list shows some examples of supported values. For the complete list of status, see Device HealthAttestation CSP status and error codes.
+The supported operation is Get. + +The following list shows some examples of supported values. For the complete list of status, see Device HealthAttestation CSP status and error codes. - 0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service - 1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device @@ -658,42 +582,47 @@ HealthAttestation - 3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pickup **ForceRetrieve** (Optional) -Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service.
-Boolean value. The supported operation is Replace.
+Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service. + +Boolean value. The supported operation is Replace. **Certificate** (Required) -Instructs the DHA-CSP to forward DHA-Data to the MDM server.
-Value type is b64. The supported operation is Get.
+Instructs the DHA-CSP to forward DHA-Data to the MDM server. + +Value type is b64. The supported operation is Get. **Nonce** (Required) -Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server.
-The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes.
+Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server. -The supported operations are Get and Replace.
+The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes. + +The supported operations are Get and Replace. **CorrelationId** (Required) -Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting.
-Value type is integer, the minimum value is - 2,147,483,648 and the maximum value is 2,147,483,647. The supported operation is Get.
+Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting. + +Value type is integer, the minimum value is - 2,147,483,648 and the maximum value is 2,147,483,647. The supported operation is Get. **HASEndpoint** (Optional) -Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service.
-Value type is string. The supported operations are Get and Replace. The default value is has.spserv.microsoft.com.
+Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service. + +Value type is string. The supported operations are Get and Replace. The default value is has.spserv.microsoft.com. **TpmReadyStatus** (Required) -Added in Windows 10, version 1607 March service release. Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state.
-Value type is integer. The supported operation is Get.
-### **DHA-CSP integration steps** +Added in Windows 10, version 1607 March service release. Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state. +Value type is integer. The supported operation is Get. + +### DHA-CSP integration steps The following list of validation and development tasks are required for integrating the Microsoft Device Health Attestation feature with a Windows Mobile device management solution (MDM): - 1. [Verify HTTPS access](#verify-access) 2. [Assign an enterprise trusted DHA-Service](#assign-trusted-dha-service) 3. [Instruct client to prepare DHA-data for verification](#prepare-health-data) @@ -705,14 +634,13 @@ The following list of validation and development tasks are required for integrat Each step is described in detail in the following sections of this topic. -### **Step 1: Verify HTTPS access** - +### Step 1: Verify HTTPS access Validate that both the MDM server and the device (MDM client) can access has.spserv.microsoft.com using the TCP protocol over port 443 (HTTPS). You can use OpenSSL to validate access to DHA-Service. Here is a sample OpenSSL command and the response that was generated by DHA-Service: -``` syntax +```console PS C:\openssl> ./openssl.exe s_client -connect has.spserv.microsoft.com:443 CONNECTED(000001A8) --- @@ -757,8 +685,7 @@ SSL-Session: Verify return code: 20 (unable to get local issuer certificate) ``` - -### **Step 2: Assign an enterprise trusted DHA-Service** +### Step 2: Assign an enterprise trusted DHA-Service There are three types of DHA-Service: - Device Health Attestation – Cloud (owned and operated by Microsoft) @@ -783,9 +710,7 @@ The following example shows a sample call that instructs a managed device to com ``` - -### **Step 3: Instruct client to prepare health data for verification** - +### Step 3: Instruct client to prepare health data for verification Send a SyncML call to start collection of the DHA-Data. @@ -811,7 +736,7 @@ The following example shows a sample call that triggers collection and verificat ``` -### **Step 4: Take action based on the clients response** +### Step 4: Take action based on the clients response After the client receives the health attestation request, it sends a response. The following list describes the responses, along with a recommended action to take. @@ -839,7 +764,7 @@ Here is a sample alert that is issued by DHA_CSP: ``` - If the response to the status node is not 0, 1 or 3, then troubleshoot the issue. For the complete list of status codes, see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes). -### **Step 5: Instruct the client to forward health attestation data for verification** +### Step 5: Instruct the client to forward health attestation data for verification Create a call to the **Nonce**, **Certificate** and **CorrelationId** nodes, and pick up an encrypted payload that includes a health certificate and related data from the device. @@ -876,39 +801,40 @@ Here is an example: ``` -### **Step 6: Forward device health attestation data to DHA-service** - +### Step 6: Forward device health attestation data to DHA-service In response to the request that was sent in the previous step, the MDM client forwards an XML formatted blob (response from ./Vendor/MSFT/HealthAttestation/Certificate node) and a call identifier called CorrelationId (response to ./Vendor/MSFT/HealthAttestation/CorrelationId node). -When the MDM-Server receives the above data, it must: +When the MDM-Server receives the above data, it must: + - Log the CorrelationId it receives from the device (for future troubleshooting/reference), correlated to the call. - Decode the XML formatted data blob it receives from the device - Append the nonce that was generated by MDM service (add the nonce that was forwarded to the device in Step 5) to the XML structure that was forwarded by the device in following format: -```xml - -The date and time DHA-report was evaluated or issued to MDM.
+ +The date and time DHA-report was evaluated or issued to MDM. **AIKPresent** -When an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate. It can be trusted more than a device that doesn’t have an EK certificate.
-If AIKPresent = True (1), then allow access.
+When an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate. It can be trusted more than a device that doesn’t have an EK certificate. -If AIKPresent = False (0), then take one of the following actions that align with your enterprise policies:
+If AIKPresent = True (1), then allow access. + +If AIKPresent = False (0), then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI assets @@ -968,24 +896,27 @@ Each of these are described in further detail in the following sections, along w - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **ResetCount** (Reported only for devices that support TPM 2.0) -This attribute reports the number of times a PC device has hibernated or resumed.
+ +This attribute reports the number of times a PC device has hibernated or resumed. **RestartCount** (Reported only for devices that support TPM 2.0) -This attribute reports the number of times a PC device has rebooted
+ +This attribute reports the number of times a PC device has rebooted. **DEPPolicy** -A device can be trusted more if the DEP Policy is enabled on the device.
-Data Execution Prevention (DEP) Policy defines is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on.
+A device can be trusted more if the DEP Policy is enabled on the device. -DEPPolicy can be disabled or enabled by using the following commands in WMI or a PowerShell script:
+Data Execution Prevention (DEP) Policy defines is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on. + +DEPPolicy can be disabled or enabled by using the following commands in WMI or a PowerShell script: - To disable DEP, type **bcdedit.exe /set {current} nx AlwaysOff** - To enable DEP, type **bcdedit.exe /set {current} nx AlwaysOn** -If DEPPolicy = 1 (On), then allow access.
+If DEPPolicy = 1 (On), then allow access. -If DEPPolicy = 0 (Off), then take one of the following actions that align with your enterprise policies:
+If DEPPolicy = 0 (Off), then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI assets @@ -993,15 +924,16 @@ Each of these are described in further detail in the following sections, along w - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BitLockerStatus** (at boot time) -When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.
-Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen.
+When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation. -If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer.
+Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen. -If BitLockerStatus = 1 (On), then allow access.
+If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer. -If BitLockerStatus = 0 (Off), then take one of the following actions that align with your enterprise policies:
+If BitLockerStatus = 1 (On), then allow access. + +If BitLockerStatus = 0 (Off), then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI assets @@ -1009,11 +941,12 @@ Each of these are described in further detail in the following sections, along w - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BootManagerRevListVersion** -This attribute indicates the version of the Boot Manager that is running on the device, to allow you to track and manage the security of the boot sequence/environment.
-If BootManagerRevListVersion = [CurrentVersion], then allow access.
+This attribute indicates the version of the Boot Manager that is running on the device, to allow you to track and manage the security of the boot sequence/environment. -If BootManagerRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:
+If BootManagerRevListVersion = [CurrentVersion], then allow access. + +If BootManagerRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI and MBI assets @@ -1021,11 +954,12 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **CodeIntegrityRevListVersion** -This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it is exposed to security risks (revoked) and enforce an appropriate policy action.
-If CodeIntegrityRevListVersion = [CurrentVersion], then allow access.
+This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it is exposed to security risks (revoked) and enforce an appropriate policy action. -If CodeIntegrityRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:
+If CodeIntegrityRevListVersion = [CurrentVersion], then allow access. + +If CodeIntegrityRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI and MBI assets @@ -1033,11 +967,12 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **SecureBootEnabled** -When Secure Boot is enabled the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system will not boot.
-If SecureBootEnabled = 1 (True), then allow access.
+When Secure Boot is enabled the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system will not boot. -If SecurebootEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
+If SecureBootEnabled = 1 (True), then allow access. + +If SecurebootEnabled = 0 (False), then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI assets @@ -1045,16 +980,17 @@ Each of these are described in further detail in the following sections, along w - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BootDebuggingEnabled** -Boot debug-enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development.
-Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script:
+Boot debug-enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development. + +Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script: - To disable boot debugging, type **bcdedit.exe /set {current} bootdebug off** - To enable boot debugging, type **bcdedit.exe /set {current} bootdebug on** -If BootdebuggingEnabled = 0 (False), then allow access.
+If BootdebuggingEnabled = 0 (False), then allow access. -If BootDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
+If BootDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI assets @@ -1062,11 +998,12 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script. **OSKernelDebuggingEnabled** -OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development.
-If OSKernelDebuggingEnabled = 0 (False), then allow access.
+OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development. -If OSKernelDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
+If OSKernelDebuggingEnabled = 0 (False), then allow access. + +If OSKernelDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI assets @@ -1074,15 +1011,16 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **CodeIntegrityEnabled** -When code integrity is enabled, code execution is restricted to integrity verified code.
-Code integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrator privileges.
+When code integrity is enabled, code execution is restricted to integrity verified code. -On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
+Code integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrator privileges. -If CodeIntegrityEnabled = 1 (True), then allow access.
+On x64-based versions of the operating system, kernel-mode drivers must be digitally signed. -If CodeIntegrityEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
+If CodeIntegrityEnabled = 1 (True), then allow access. + +If CodeIntegrityEnabled = 0 (False), then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI assets @@ -1090,16 +1028,17 @@ Each of these are described in further detail in the following sections, along w - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **TestSigningEnabled** -When test signing is enabled, the device does not enforce signature validation during boot, and allows the unsigned drivers (such as unsigned UEFI modules) to load during boot.
-Test signing can be disabled or enabled by using the following commands in WMI or a PowerShell script:
+When test signing is enabled, the device does not enforce signature validation during boot, and allows the unsigned drivers (such as unsigned UEFI modules) to load during boot. + +Test signing can be disabled or enabled by using the following commands in WMI or a PowerShell script: - To disable boot debugging, type **bcdedit.exe /set {current} testsigning off** - To enable boot debugging, type **bcdedit.exe /set {current} testsigning on** -If TestSigningEnabled = 0 (False), then allow access.
+If TestSigningEnabled = 0 (False), then allow access. -If TestSigningEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
+If TestSigningEnabled = 1 (True), then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI and MBI assets @@ -1107,33 +1046,36 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script. **SafeMode** -Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started.
-If SafeMode = 0 (False), then allow access.
+Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started. -If SafeMode = 1 (True), then take one of the following actions that align with your enterprise policies:
+If SafeMode = 0 (False), then allow access. + +If SafeMode = 1 (True), then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI assets - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **WinPE** -Windows pre-installation Environment (Windows PE) is a minimal operating system with limited services that is used to prepare a computer for Windows installation, to copy disk images from a network file server, and to initiate Windows Setup.
-If WinPE = 0 (False), then allow access.
+Windows pre-installation Environment (Windows PE) is a minimal operating system with limited services that is used to prepare a computer for Windows installation, to copy disk images from a network file server, and to initiate Windows Setup. -If WinPE = 1 (True), then limit access to remote resources that are required for Windows OS installation.
+If WinPE = 0 (False), then allow access. + +If WinPE = 1 (True), then limit access to remote resources that are required for Windows OS installation. **ELAMDriverLoaded** (Windows Defender) -To use this reporting feature, you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.
-In the current release, this attribute only monitors/reports if a Microsoft first-party ELAM (Windows Defender) was loaded during initial boot.
+To use this reporting feature, you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize. -If a device is expected to use a third-party antivirus program, ignore the reported state.
+In the current release, this attribute only monitors/reports if a Microsoft first-party ELAM (Windows Defender) was loaded during initial boot. -If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), then allow access.
+If a device is expected to use a third-party antivirus program, ignore the reported state. -If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies, also accounting for whether it is a desktop or mobile device:
+If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), then allow access. + +If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies, also accounting for whether it is a desktop or mobile device: - Disallow all access - Disallow access to HBI assets @@ -1141,61 +1083,63 @@ Each of these are described in further detail in the following sections, along w **Bcdedit.exe /set {current} vsmlaunchtype auto** -If ELAMDriverLoaded = 1 (True), then allow access.
+If ELAMDriverLoaded = 1 (True), then allow access. -If ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies:
+If ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI assets - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **VSMEnabled** -Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1 GB of memory – it has enough capability to run the LSA service that is used for all authentication brokering.
-VSM can be enabled by using the following command in WMI or a PowerShell script:
+Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1 GB of memory – it has enough capability to run the LSA service that is used for all authentication brokering. -bcdedit.exe /set {current} vsmlaunchtype auto
+VSM can be enabled by using the following command in WMI or a PowerShell script: -If VSMEnabled = 1 (True), then allow access.
-If VSMEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
+`bcdedit.exe /set {current} vsmlaunchtype auto` + +If VSMEnabled = 1 (True), then allow access. +If VSMEnabled = 0 (False), then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI assets - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue **PCRHashAlgorithmID** -This attribute is an informational attribute that identifies the HASH algorithm that was used by TPM; no compliance action required.
+ +This attribute is an informational attribute that identifies the HASH algorithm that was used by TPM; no compliance action required. **BootAppSVN** -This attribute identifies the security version number of the Boot Application that was loaded during initial boot on the attested device
-If reported BootAppSVN equals an accepted value, then allow access.
+This attribute identifies the security version number of the Boot Application that was loaded during initial boot on the attested device -If reported BootAppSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
+If reported BootAppSVN equals an accepted value, then allow access. + +If reported BootAppSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **BootManagerSVN** -This attribute identifies the security version number of the Boot Manager that was loaded during initial boot on the attested device.
-If reported BootManagerSVN equals an accepted value, then allow access.
+This attribute identifies the security version number of the Boot Manager that was loaded during initial boot on the attested device. -If reported BootManagerSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
+If reported BootManagerSVN equals an accepted value, then allow access. + +If reported BootManagerSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **TPMVersion** -This attribute identifies the version of the TPM that is running on the attested device.
-TPMVersion node provides to replies "1" and "2":
--
-
Based on the reply you receive from TPMVersion node:
+- 1 means TPM specification version 1.2 +- 2 means TPM specification version 2.0 + +Based on the reply you receive from TPMVersion node: - If reported TPMVersion equals an accepted value, then allow access. - If reported TPMVersion does not equal an accepted value, then take one of the following actions that align with your enterprise policies: @@ -1203,278 +1147,194 @@ Each of these are described in further detail in the following sections, along w - Direct the device to an enterprise honeypot, to further monitor the device's activities. **PCR0** -The measurement that is captured in PCR[0] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer.
-Enterprise managers can create an allow list of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allow list, and then make a trust decision based on the result of the comparison.
+The measurement that is captured in PCR[0] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer. -If your enterprise does not have a allow list of accepted PCR[0] values, then take no action.
+Enterprise managers can create an allow list of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allow list, and then make a trust decision based on the result of the comparison. -If PCR[0] equals an accepted allow list value, then allow access.
+If your enterprise does not have a allow list of accepted PCR[0] values, then take no action. -If PCR[0] does not equal any accepted listed value, then take one of the following actions that align with your enterprise policies:
+If PCR[0] equals an accepted allow list value, then allow access. + +If PCR[0] does not equal any accepted listed value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **SBCPHash** -SBCPHash is the finger print of the Custom Secure Boot Configuration Policy (SBCP) that was loaded during boot in Windows devices, except PCs.
-If SBCPHash is not present, or is an accepted allow-listed value, then allow access. +SBCPHash is the finger print of the Custom Secure Boot Configuration Policy (SBCP) that was loaded during boot in Windows devices, except PCs. -
If SBCPHash is present in DHA-Report, and is not an allow-listed value, then take one of the following actions that align with your enterprise policies:
+If SBCPHash is not present, or is an accepted allow-listed value, then allow access. + +If SBCPHash is present in DHA-Report, and is not an allow-listed value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Place the device in a watch list to monitor the device more closely for potential risks. **CIPolicy** -This attribute indicates the Code Integrity policy that is controlling the security of the boot environment.
-If CIPolicy is not present, or is an accepted allow-listed value, then allow access.
+This attribute indicates the Code Integrity policy that is controlling the security of the boot environment. -If CIPolicy is present and is not an allow-listed value, then take one of the following actions that align with your enterprise policies:
+If CIPolicy is not present, or is an accepted allow-listed value, then allow access. + +If CIPolicy is present and is not an allow-listed value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Place the device in a watch list to monitor the device more closely for potential risks. **BootRevListInfo** -This attribute identifies the Boot Revision List that was loaded during initial boot on the attested device.
-If reported BootRevListInfo version equals an accepted value, then allow access.
+This attribute identifies the Boot Revision List that was loaded during initial boot on the attested device. -If reported BootRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
+If reported BootRevListInfo version equals an accepted value, then allow access. + +If reported BootRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **OSRevListInfo** -This attribute identifies the Operating System Revision List that was loaded during initial boot on the attested device.
-If reported OSRevListInfo version equals an accepted value, then allow access.
+This attribute identifies the Operating System Revision List that was loaded during initial boot on the attested device. -If reported OSRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
+If reported OSRevListInfo version equals an accepted value, then allow access. + +If reported OSRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **HealthStatusMismatchFlags** -HealthStatusMismatchFlags attribute appears if DHA-Service detects an integrity issue (mismatch) in the DHA-Data it receives from device management solutions, for validation.
-In case of a detected issue a list of impacted DHA-report elements will be listed under the HealthStatusMismatchFlags attribute.
+HealthStatusMismatchFlags attribute appears if DHA-Service detects an integrity issue (mismatch) in the DHA-Data it receives from device management solutions, for validation. -### **Device HealthAttestation CSP status and error codes** +In case of a detected issue a list of impacted DHA-report elements will be listed under the HealthStatusMismatchFlags attribute. -| Error code | -Error name | -Description | -
|---|---|---|
| 0 | -HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED | -This is the initial state for devices that have never participated in a DHA-Session. | -
| 1 | -HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED | -This state signifies that MDM client’s Exec call on the node VerifyHealth has been triggered and now the OS is trying to retrieve DHA-EncBlob from DHA-Server. | -
| 2 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED | -This state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server. | -
| 3 | -HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETE | -This state signifies that the device has successfully retrieved DHA-EncBlob from the DHA-Server. | -
| 4 | -HEALTHATTESTATION_CERT_RETRIEVAL_PCR_FAIL | -Deprecated in Windows 10, version 1607. | -
| 5 | -HEALTHATTESTATION_CERT_RETRIEVAL_GETQUOTE_FAIL | -DHA-CSP failed to get a claim quote. | -
| 6 | -HEALTHATTESTATION_CERT_RETRIEVAL_DEVICE_NOT_READY | -DHA-CSP failed in opening a handle to Microsoft Platform Crypto Provider. | -
| 7 | -HEALTHATTESTATION_CERT_RETRIEVAL_WINDOWS_AIK_FAIL | -DHA-CSP failed in retrieving Windows AIK | -
| 8 | -HEALTHATTESTATION_CERT_RETRIEVAL_FROM_WEB_FAIL | -Deprecated in Windows 10, version 1607. | -
| 9 | -HEALTHATTESTATION_CERT_RETRIEVAL_INVALID_TPM_VERSION | -Invalid TPM version (TPM version is not 1.2 or 2.0) | -
| 10 | -HEALTHATTESTATION_CERT_RETRIEVAL_GETNONCE_FAIL | -Nonce was not found in the registry. | -
| 11 | -HEALTHATTESTATION_CERT_RETRIEVAL_GETCORRELATIONID_FAIL | -Correlation ID was not found in the registry. | -
| 12 | -HEALTHATTESTATION_CERT_RETRIEVAL_GETCERT_FAIL | -Deprecated in Windows 10, version 1607. | -
| 13 | -HEALTHATTESTATION_CERT_RETRIEVAL_GETCLAIM_FAIL | -Deprecated in Windows 10, version 1607. | -
| 14 | -HEALTHATTESTATION_CERT_RETRIEVAL_ENCODING_FAIL | -Failure in Encoding functions. (Extremely unlikely scenario) | -
| 15 | -HEALTHATTESTATION_CERT_RETRIEVAL_ENDPOINTOVERRIDE_FAIL | -Deprecated in Windows 10, version 1607. | -
| 16 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_LOAD_XML | -DHA-CSP failed to load the payload it received from DHA-Service | -
| 17 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CORRUPT_XML | -DHA-CSP received a corrupted response from DHA-Service. | -
| 18 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_XML | -DHA-CSP received an empty response from DHA-Service. | -
| 19 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_AES_EK | -DHA-CSP failed in decrypting the AES key from the EK challenge. | -
| 20 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_CERT_AES_EK | -DHA-CSP failed in decrypting the health cert with the AES key. | -
| 21 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EXPORT_AIKPUB | -DHA-CSP failed in exporting the AIK Public Key. | -
| 22 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_CLAIMAUTHORITYONLY | -DHA-CSP failed in trying to create a claim with AIK attestation data. | -
| 23 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKPUB | -DHA-CSP failed in appending the AIK Pub to the request blob. | -
| 24 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKCERT | -DHA-CSP failed in appending the AIK Cert to the request blob. | -
| 25 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_INIT_HTTPHANDLE | -DHA-CSP failed to obtain a Session handle. | -
| 26 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_GETTARGET_HTTPHANDLE | -DHA-CSP failed to connect to the DHA-Service. | -
| 27 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_HTTPHANDLE | -DHA-CSP failed to create an HTTP request handle. | -
| 28 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SET_INTERNETOPTION | -DHA-CSP failed to set options. | -
| 29 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ADD_REQUESTHEADERS | -DHA-CSP failed to add request headers. | -
| 30 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SEND_REQUEST | -DHA-CSP failed to send the HTTP request. | -
| 31 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_RECEIVE_RESPONSE | -DHA-CSP failed to receive a response from the DHA-Service. | -
| 32 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_QUERY_HEADERS | -DHA-CSP failed to query headers when trying to get HTTP status code. | -
| 33 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_RESPONSE | -DHA-CSP received an empty response from DHA-Service even though HTTP status was OK. | -
| 34 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_MISSING_RESPONSE | -DHA-CSP received an empty response along with an HTTP error code from DHA-Service. | -
| 35 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_IMPERSONATE_USER | -DHA-CSP failed to impersonate user. | -
| 36 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ACQUIRE_PDCNETWORKACTIVATOR | -DHA-CSP failed to acquire the PDC activators that are needed for network communication when the device is in Connected standby mode. | -
| 0xFFFF | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_UNKNOWN | -DHA-CSP failed due to an unknown reason, this error is highly unlikely to occur. | -
| 400 | -Bad_Request_From_Client | -DHA-CSP has received a bad (malformed) attestation request. | -
| 404 | -Endpoint_Not_Reachable | -DHA-Service is not reachable by DHA-CSP | -
| Value | -Description | -
|---|---|
ENTITLEMENT_SUCCESS |
-The device is allowed to connect to the server. |
-
ENTITLEMENT_FAILED |
-The device is not allowed to connect to the server |
-
ENTITLEMENT_UNAVAILABLE |
-The entitlement check failed because the device could not contact the server or acquire a connection to verify entitlement. |
-
| Update channel | -Primary purpose | -LOB Tattoo availability | -Default update channel for the products | -
|---|---|---|---|
| Current channel | -Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel. | -March 9 2017 | -Visio Pro for Office 365 -Project Desktop Client -Microsoft 365 Apps for business (the version of Office that comes with some Microsoft 365 plans, such as Business Premium.) |
-
| Deferred channel | -Provide users with new features of Office only a few times a year. | -October 10 2017 | -Microsoft 365 Apps for enterprise | -
| First release for Deferred channel | -Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel. | -June 13 2017 | -- |
Project Desktop Client
Microsoft 365 Apps for business (the version of Office that comes with some Microsoft 365 plans, such as Business Premium.)| +|[Deferred channel](/deployoffice/overview-update-channels#BKMK_CBB)|Provide users with new features of Office only a few times a year.|October 10 2017|Microsoft 365 Apps for enterprise| +|[First release for deferred channel](/deployoffice/overview-update-channels#BKMK_FRCBB)|Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel.|June 13 2017|| diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md index f2da07d4e2..6baab87be6 100644 --- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md +++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md @@ -34,26 +34,12 @@ For additional information about Store for Business, see the TechNet topics in [ The Store for Business provides services that enable a management tool to synchronize new and updated applications on behalf of an organization. Once synchronized, you can distribute new and updated applications using the Windows Management framework. The services provides several capabilities including providing application data, the ability to assign and reclaim applications, and the ability to download offline-licensed application packages. -
Application data |
-The Store for Business service provides metadata for the applications that have been acquired via the Store for Business. This includes the application identifier that is used to deploy online license applications, artwork for an application that is used to create a company portal, and localized descriptions for applications. |
-
Licensing models |
-Offline vs. Online -Online-licensed applications require connectivity to the Microsoft Store. Users require an Azure Active Directory identity and rely on the store services on the device to be able to acquire an application from the store. It is similar to how applications are acquired from the Microsoft Store using a Microsoft account. Assigning or reclaiming seats for an application require a call to the Store for Business services. -Offline-licensed applications enable an organization to use the application for imaging and for devices that may not have connectivity to the store or may not have Azure Active Directory. Offline-licensed application do not require connectivity to the store, however it can be updated directly from the store if the device has connectivity and the app update policies allow updates to be distributed via the store. |
-
| Namespace | -Subcode | -Error | -Description | -HRESULT | -
|---|---|---|---|---|
s: |
-MessageFormat |
-MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR |
-Invalid message from the Mobile Device Management (MDM) server. |
-80180001 |
-
s: |
-Authentication |
-MENROLL_E_DEVICE_AUTHENTICATION_ERROR |
-The Mobile Device Management (MDM) server failed to authenticate the user. Try again or contact your system administrator. |
-80180002 |
-
s: |
-Authorization |
-MENROLL_E_DEVICE_AUTHORIZATION_ERROR |
-The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator. |
-80180003 |
-
s: |
-CertificateRequest |
-MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR |
-The user has no permission for the certificate template or the certificate authority is unreachable. Try again or contact your system administrator. |
-80180004 |
-
s: |
-EnrollmentServer |
-MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR |
-The Mobile Device Management (MDM) server encountered an error. Try again or contact your system administrator. | -80180005 |
-
a: |
-InternalServiceFault |
-MENROLL_E_DEVICE_INTERNALSERVICE_ERROR |
-There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator. |
-80180006 |
-
a: |
-InvalidSecurity |
-MENROLL_E_DEVICE_INVALIDSECURITY_ERROR |
-The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator. |
-80180007 |
-
| Subcode | -Error | -Description | -HRESULT | -
|---|---|---|---|
DeviceCapReached |
-MENROLL_E_DEVICECAPREACHED |
-The account has too many devices enrolled to Mobile Device Management (MDM). Delete or unenroll old devices to fix this error. |
-80180013 |
-
DeviceNotSupported |
-MENROLL_E_DEVICENOTSUPPORTED |
-The Mobile Device Management (MDM) server doesn't support this platform or version, consider upgrading your device. |
-80180014 |
-
NotSupported |
-MENROLL_E_NOT_SUPPORTED |
-Mobile Device Management (MDM) is generally not supported for this device. |
-80180015 |
-
NotEligibleToRenew |
-MENROLL_E_NOTELIGIBLETORENEW |
-The device is attempting to renew the Mobile Device Management (MDM) certificate, but the server rejected the request. Check renew schedule on the device. |
-80180016 |
-
InMaintenance |
-MENROLL_E_INMAINTENANCE |
-The Mobile Device Management (MDM) server states your account is in maintenance, try again later. |
-80180017 |
-
UserLicense |
-MENROLL_E_USER_LICENSE |
-There was an error with your Mobile Device Management (MDM) user license. Contact your system administrator. |
-80180018 |
-
InvalidEnrollmentData |
-MENROLL_E_ENROLLMENTDATAINVALID |
-The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly. |
-80180019 |
-
| ADDRTYPE Value | -Connection Type | -
|---|---|
E164 |
-RAS connections |
-
APN |
-GPRS connections |
-
ALPHA |
-Wi-Fi-based connections |
-
| Elements | -Available | -
|---|---|
Parm-query |
-Yes -Note that some GPRS parameters will not necessarily contain the exact same value as was set. |
-
Noparm |
-Yes |
-
Nocharacteristic |
-Yes |
-
Characteristic-query |
-Yes |
-
Note that some GPRS parameters will not necessarily contain the exact same value as was set.| +|Noparm|Yes| +|Nocharacteristic|Yes| +|Characteristic-query|Yes| +## Related articles [Configuration service provider reference](configuration-service-provider-reference.md) - - - - - - - - - - diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md index 7516e3c411..280b16b2cf 100644 --- a/windows/client-management/mdm/office-csp.md +++ b/windows/client-management/mdm/office-csp.md @@ -18,10 +18,11 @@ The Office configuration service provider (CSP) enables a Microsoft Office clien This CSP was added in Windows 10, version 1703. -For additional information, see [Office DDF](office-ddf.md). +For more information, see [Office DDF](office-ddf.md). The following shows the Office configuration service provider in tree format. -``` + +```console ./Vendor/MSFT Office ----Installation @@ -46,6 +47,7 @@ Office ------------Install ------------Status ``` + **./Device/Vendor/MSFT/Office/ or ./User/Vendor/MSFT/Office** The root node for the Office configuration service provider. @@ -78,7 +80,7 @@ Behavior: - When Office CSP is triggered to install, it will first check if the FinalStatus node exists or not. If the node exists, delete it. - When Office installation reaches any terminal states (either success or failure), this node is created that contains the following values: - When status = 0: 70 (succeeded) - - When status != 0: 60 (failed) + - When status!= 0: 60 (failed) **Installation/CurrentStatus** Returns an XML of current Office 365 installation status on the device. @@ -151,140 +153,22 @@ To get the current status of Office 365 on the device. ## Status code -
| Status | -Description | -Comment | -
|---|---|---|
| 0 | -Installation succeeded | -OK | -
| 997 | -Installation in progress | -- |
| 13 | -ERROR_INVALID_DATA
- Cannot verify signature of the downloaded Office Deployment Tool (ODT) |
-Failure | -
| 1460 | -ERROR_TIMEOUT
- Failed to download ODT |
-Failure | -
| 1602 | -ERROR_INSTALL_USEREXIT
- User cancelled the installation |
-Failure | -
| 1603 | -ERROR_INSTALL_FAILURE
- Failed any pre-req check. -
|
-Failure | -
| 17000 | -ERROR_PROCESSPOOL_INITIALIZATION
- Failed to start C2RClient |
-Failure | -
| 17001 | -ERROR_QUEUE_SCENARIO
- Failed to queue installation scenario in C2RClient |
-Failure | -
| 17002 | -ERROR_COMPLETING_SCENARIO
- Failed to complete the process. Possible reasons: -
|
-Failure | -
| 17003 | -ERROR_ANOTHER_RUNNING_SCENARIO
- Another scenario is running |
-Failure | -
| 17004 | -ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP
- Possible reasons: -
|
-Failure | -
| 17005 | -ERROR_SCENARIO_CANCELLED_AS_PLANNED | -Failure | -
| 17006 | -ERROR_SCENARIO_CANCELLED
- Blocked update by running apps |
-Failure | -
| 17007 | -ERROR_REMOVE_INSTALLATION_NEEDED
- The client is requesting client clean up in a "Remove Installation" scenario |
-Failure | -
| 17100 | -ERROR_HANDLING_COMMAND_LINE
- C2RClient command line error |
-Failure | -
| 0x80004005 | -E_FAIL
- ODT cannot be used to install Volume license |
-Failure | -
| 0x8000ffff | -E_UNEXPECTED
- Tried to uninstall when there is no C2R Office on the machine. |
-Failure | -
Cannot verify signature of the downloaded Office Deployment Tool (ODT)|Failure| +|1460|ERROR_TIMEOUT
Failed to download ODT|Failure| +|1602|ERROR_INSTALL_USEREXIT
User canceled the installation|Failure| +|1603|ERROR_INSTALL_FAILURE
Failed any pre-req check.