diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 81696cd310..2f50152758 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -15654,6 +15654,11 @@ "source_path": "windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac", "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac", + "redirect_document_id": false }, { "source_path": "windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-whatsnew.md", @@ -16069,6 +16074,11 @@ "source_path": "windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction", "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/gov", + "redirect_document_id": true }, { "source_path": "windows/security/threat-protection/windows-defender-antivirus/office-365-windows-defender-antivirus.md", diff --git a/browsers/internet-explorer/kb-support/ie-edge-faqs.md b/browsers/internet-explorer/kb-support/ie-edge-faqs.md index 0257a9db03..5c29be5126 100644 --- a/browsers/internet-explorer/kb-support/ie-edge-faqs.md +++ b/browsers/internet-explorer/kb-support/ie-edge-faqs.md @@ -10,9 +10,7 @@ ms.prod: internet-explorer ms.technology: ms.topic: kb-support ms.custom: CI=111020 -ms.localizationpriority: Normal -# localization_priority: medium -# ms.translationtype: MT +ms.localizationpriority: medium ms.date: 01/23/2020 --- # Internet Explorer and Microsoft Edge frequently asked questions (FAQ) for IT Pros diff --git a/education/docfx.json b/education/docfx.json index 809a2da28f..8ba1394c6d 100644 --- a/education/docfx.json +++ b/education/docfx.json @@ -7,7 +7,8 @@ "**/**.yml" ], "exclude": [ - "**/obj/**" + "**/obj/**", + "**/includes/**" ] } ], @@ -19,7 +20,8 @@ "**/*.svg" ], "exclude": [ - "**/obj/**" + "**/obj/**", + "**/includes/**" ] } ], diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json index 09bd474c3e..abbb5fac56 100644 --- a/windows/application-management/docfx.json +++ b/windows/application-management/docfx.json @@ -32,6 +32,7 @@ "externalReference": [], "globalMetadata": { "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.technology": "windows", "audience": "ITPro", "ms.topic": "article", diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md index 4af9868736..c27a78fa4c 100644 --- a/windows/client-management/advanced-troubleshooting-802-authentication.md +++ b/windows/client-management/advanced-troubleshooting-802-authentication.md @@ -17,17 +17,17 @@ ms.topic: troubleshooting ## Overview -This is a general troubleshooting of 802.1X wireless and wired clients. With 802.1X and wireless troubleshooting, it's important to know how the flow of authentication works, and then figuring out where it's breaking. It involves a lot of third party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. Since we don't make access points or switches, it won't be an end-to-end Microsoft solution. +This article includes general troubleshooting for 802.1X wireless and wired clients. While troubleshooting 802.1X and wireless, it's important to know how the flow of authentication works, and then figure out where it's breaking. It involves a lot of third-party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. We don't make access points or switches, so it's not an end-to-end Microsoft solution. ## Scenarios -This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication is attempted and then fails to establish. The workflow covers Windows 7 - 10 for clients, and Windows Server 2008 R2 - 2012 R2 for NPS. +This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication is attempted and then fails to establish. The workflow covers Windows 7 through Windows 10 for clients, and Windows Server 2008 R2 through Windows Server 2012 R2 for NPS. -## Known Issues +## Known issues None -## Data Collection +## Data collection See [Advanced troubleshooting 802.1X authentication data collection](data-collection-for-802-authentication.md). @@ -35,11 +35,11 @@ See [Advanced troubleshooting 802.1X authentication data collection](data-collec Viewing [NPS authentication status events](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735320(v%3dws.10)) in the Windows Security [event log](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc722404(v%3dws.11)) is one of the most useful troubleshooting methods to obtain information about failed authentications. -NPS event log entries contain information on the connection attempt, including the name of the connection request policy that matched the connection attempt and the network policy that accepted or rejected the connection attempt. If you are not seeing both success and failure events, see the section below on [NPS audit policy](#audit-policy). +NPS event log entries contain information about the connection attempt, including the name of the connection request policy that matched the connection attempt and the network policy that accepted or rejected the connection attempt. If you don't see both success and failure events, see the [NPS audit policy](#audit-policy) section later in this article. -Check Windows Security Event log on the NPS Server for NPS events corresponding to rejected ([event ID 6273](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735399(v%3dws.10))) or accepted ([event ID 6272](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735388(v%3dws.10))) connection attempts. +Check Windows Security Event log on the NPS Server for NPS events that correspond to rejected ([event ID 6273](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735399(v%3dws.10))) or accepted ([event ID 6272](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735388(v%3dws.10))) connection attempts. -In the event message, scroll to the very bottom, and check the [Reason Code](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text associated with it. +In the event message, scroll to the very bottom, and then check the [Reason Code](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text that's associated with it. ![example of an audit failure](images/auditfailure.png) *Example: event ID 6273 (Audit Failure)*

@@ -47,35 +47,35 @@ In the event message, scroll to the very bottom, and check the [Reason Code](htt ![example of an audit success](images/auditsuccess.png) *Example: event ID 6272 (Audit Success)*
-‎The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, Wired AutoConfig operational log is equivalent one. +‎The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, the Wired AutoConfig operational log is an equivalent one. -On the client side, navigate to **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational** for wireless issues. For wired network access issues, navigate to **..\Wired-AutoConfig/Operational**. See the following example: +On the client side, go to **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational** for wireless issues. For wired network access issues, go to **..\Wired-AutoConfig/Operational**. See the following example: ![event viewer screenshot showing wired-autoconfig and WLAN autoconfig](images/eventviewer.png) -Most 802.1X authentication issues are due to problems with the certificate that is used for client or server authentication (e.g. invalid certificate, expiration, chain verification failure, revocation check failure, etc.). +Most 802.1X authentication issues are because of problems with the certificate that's used for client or server authentication. Examples include invalid certificate, expiration, chain verification failure, and revocation check failure. -First, validate the type of EAP method being used: +First, validate the type of EAP method that's used: ![eap authentication type comparison](images/comparisontable.png) -If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from the EAP property menu. In **NPS snap-in**, go to **Policies** > **Network Policies**. Right click on the policy and select **Properties**. In the pop-up window, go to the **Constraints** tab and select the **Authentication Methods** section. +If a certificate is used for its authentication method, check whether the certificate is valid. For the server (NPS) side, you can confirm what certificate is being used from the EAP property menu. In **NPS snap-in**, go to **Policies** > **Network Policies**. Select and hold (or right-click) the policy, and then select **Properties**. In the pop-up window, go to the **Constraints** tab, and then select the **Authentication Methods** section. ![Constraints tab of the secure wireless connections properties](images/eappropertymenu.png) -The CAPI2 event log will be useful for troubleshooting certificate-related issues. -This log is not enabled by default. You can enable this log by expanding **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2**, right-clicking **Operational** and then clicking **Enable Log**. +The CAPI2 event log is useful for troubleshooting certificate-related issues. +By default, this log isn't enabled. To enable this log, expand **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2**, select and hold (or right-click) **Operational**, and then select **Enable Log**. ![screenshot of event viewer](images/capi.png) -The following article explains how to analyze CAPI2 event logs: +For information about how to analyze CAPI2 event logs, see [Troubleshooting PKI Problems on Windows Vista](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-vista/cc749296%28v=ws.10%29). -When troubleshooting complex 802.1X authentication issues, it is important to understand the 802.1X authentication process. The following figure is an example of wireless connection process with 802.1X authentication: +When troubleshooting complex 802.1X authentication issues, it's important to understand the 802.1X authentication process. Here's an example of wireless connection process with 802.1X authentication: ![authenticator flow chart](images/authenticator_flow_chart.png) -If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both the client and the server (NPS) side, you can see a flow like the one below. Type **EAPOL** in the Display Filter in for a client side capture, and **EAP** for an NPS side capture. See the following examples: +If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both the client and the server (NPS) side, you can see a flow like the one below. Type **EAPOL** in the Display Filter for a client-side capture, and **EAP** for an NPS-side capture. See the following examples: ![client-side packet capture data](images/clientsidepacket_cap_data.png) *Client-side packet capture data*

@@ -85,16 +85,16 @@ If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both ‎ > [!NOTE] -> If you have a wireless trace, you can also [view ETL files with network monitor](https://docs.microsoft.com/windows/desktop/ndf/using-network-monitor-to-view-etl-files) and apply the **ONEX_MicrosoftWindowsOneX** and **WLAN_MicrosoftWindowsWLANAutoConfig** Network Monitor filters. Follow the instructions under the **Help** menu in Network Monitor to load the reqired [parser](https://blogs.technet.microsoft.com/netmon/2010/06/04/parser-profiles-in-network-monitor-3-4/) if needed. See the example below. +> If you have a wireless trace, you can also [view ETL files with network monitor](https://docs.microsoft.com/windows/desktop/ndf/using-network-monitor-to-view-etl-files) and apply the **ONEX_MicrosoftWindowsOneX** and **WLAN_MicrosoftWindowsWLANAutoConfig** Network Monitor filters. If you need to load the required [parser](https://blogs.technet.microsoft.com/netmon/2010/06/04/parser-profiles-in-network-monitor-3-4/), see the instructions under the **Help** menu in Network Monitor. Here's an example: ![ETL parse](images/etl.png) ## Audit policy -NPS audit policy (event logging) for connection success and failure is enabled by default. If you find that one or both types of logging are disabled, use the following steps to troubleshoot. +By default, NPS audit policy (event logging) for connection success and failure is enabled. If you find that one or both types of logging are disabled, use the following steps to troubleshoot. View the current audit policy settings by running the following command on the NPS server: -``` +```console auditpol /get /subcategory:"Network Policy Server" ``` @@ -106,13 +106,12 @@ Logon/Logoff Network Policy Server Success and Failure -If it shows ‘No auditing’, you can run this command to enable it: - -``` +If it says, "No auditing," you can run this command to enable it: +```console auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable ``` -Even if audit policy appears to be fully enabled, it sometimes helps to disable and then re-enable this setting. You can also enable Network Policy Server logon/logoff auditing via Group Policy. The success/failure setting can be found under **Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Logon/Logoff -> Audit Network Policy Server**. +Even if audit policy appears to be fully enabled, it sometimes helps to disable and then re-enable this setting. You can also enable Network Policy Server logon/logoff auditing by using Group Policy. To get to the success/failure setting, select **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Advanced Audit Policy Configuration** > **Audit Policies** > **Logon/Logoff** > **Audit Network Policy Server**. ## Additional references diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index f25c37dce5..13ee43e312 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -63,7 +63,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu 4. Click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC. > [!TIP] - > When you connect to the remote PC, enter your account name in this format: `AzureAD UPN`. The local PC must either be domain-joined or Azure AD-joined. The local PC and remote PC must be in the same Azure AD tenant. + > When you connect to the remote PC, enter your account name in this format: AzureAD\yourloginid@domain.com. The local PC must either be domain-joined or Azure AD-joined. The local PC and remote PC must be in the same Azure AD tenant. > [!Note] > If you cannot connect using Remote Desktop Connection 6.0, you must turn off the new features of RDP 6.0 and revert back to RDP 5.0 by making a few changes in the RDP file. See the details in the [support article](https://support.microsoft.com/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e). diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json index ffd1c9d266..c81879ba3f 100644 --- a/windows/client-management/docfx.json +++ b/windows/client-management/docfx.json @@ -32,6 +32,7 @@ "externalReference": [], "globalMetadata": { "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.technology": "windows", "audience": "ITPro", "ms.topic": "article", diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md index dc31960057..2950a6c6d9 100644 --- a/windows/client-management/manage-settings-app-with-group-policy.md +++ b/windows/client-management/manage-settings-app-with-group-policy.md @@ -19,13 +19,13 @@ ms.topic: article - Windows 10, Windows Server 2016 -You can now manage the pages that are shown in the Settings app by using Group Policy. This lets you hide specific pages from users. Before Windows 10, version 1703, you could either show everything in the Settings app or hide it completely. -To make use of the Settings App group polices on Windows server 2016, install fix [4457127](https://support.microsoft.com/help/4457127/windows-10-update-kb4457127) or a later cumulative update. +You can now manage the pages that are shown in the Settings app by using Group Policy. When you use Group Policy to manage pages, you can hide specific pages from users. Before Windows 10, version 1703, you could either show everything in the Settings app or hide it completely. +To make use of the Settings App group policies on Windows server 2016, install fix [4457127](https://support.microsoft.com/help/4457127/windows-10-update-kb4457127) or a later cumulative update. >[!Note] >Each server that you want to manage access to the Settings App must be patched. -To centrally manage the new policies copy the ControlPanel.admx and ControlPanel.adml file to [Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) if your company uses one or the PolicyDefinitions folder of the Domain Controllers used for Group Policy management. +If your company uses one or the PolicyDefinitions folder of the Domain Controllers used for Group Policy management, to centrally manage the new policies, copy the ControlPanel.admx and ControlPanel.adml file to [Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra). This policy is available for both User and Computer depending on the version of the OS. Windows Server 2016 with KB 4457127 applied will have both User and Computer policy. Windows 10, version 1703, added Computer policy for the Settings app. Windows 10, version 1809, added User policy for the Settings app. @@ -39,7 +39,7 @@ Policy paths: ## Configuring the Group Policy -The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon delimited list of URIs in **Settings Page Visiblity**. For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference). +The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon-delimited list of URIs in **Settings Page Visibility**. For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference). >[!NOTE] > When you specify the URI in the Settings Page Visibility textbox, don't include **ms-settings:** in the string. diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 8ff993ef33..e875d5d3a7 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -175,6 +175,7 @@ #### [ADMX_AddRemovePrograms](policy-csp-admx-addremoveprograms.md) #### [ADMX_AppCompat](policy-csp-admx-appcompat.md) #### [ADMX_AuditSettings](policy-csp-admx-auditsettings.md) +#### [ADMX_Bits](policy-csp-admx-bits.md) #### [ADMX_CipherSuiteOrder](policy-csp-admx-ciphersuiteorder.md) #### [ADMX_COM](policy-csp-admx-com.md) #### [ADMX_Cpls](policy-csp-admx-cpls.md) @@ -198,30 +199,39 @@ #### [ADMX_nca](policy-csp-admx-nca.md) #### [ADMX_NCSI](policy-csp-admx-ncsi.md) #### [ADMX_Netlogon](policy-csp-admx-netlogon.md) +#### [ADMX_NetworkConnections](policy-csp-admx-networkconnections.md) #### [ADMX_OfflineFiles](policy-csp-admx-offlinefiles.md) #### [ADMX_PeerToPeerCaching](policy-csp-admx-peertopeercaching.md) #### [ADMX_PerformanceDiagnostics](policy-csp-admx-performancediagnostics.md) +#### [ADMX_PowerShellExecutionPolicy](policy-csp-admx-powershellexecutionpolicy.md) #### [ADMX_Reliability](policy-csp-admx-reliability.md) #### [ADMX_Scripts](policy-csp-admx-scripts.md) #### [ADMX_sdiageng](policy-csp-admx-sdiageng.md) #### [ADMX_Securitycenter](policy-csp-admx-securitycenter.md) +#### [ADMX_Sensors](policy-csp-admx-sensors.md) #### [ADMX_Servicing](policy-csp-admx-servicing.md) #### [ADMX_SharedFolders](policy-csp-admx-sharedfolders.md) #### [ADMX_Sharing](policy-csp-admx-sharing.md) #### [ADMX_ShellCommandPromptRegEditTools](policy-csp-admx-shellcommandpromptregedittools.md) #### [ADMX_Smartcard](policy-csp-admx-smartcard.md) #### [ADMX_Snmp](policy-csp-admx-snmp.md) +#### [ADMX_StartMenu](policy-csp-admx-startmenu.md) +#### [ADMX_Taskbar](policy-csp-admx-taskbar.md) #### [ADMX_tcpip](policy-csp-admx-tcpip.md) #### [ADMX_Thumbnails](policy-csp-admx-thumbnails.md) #### [ADMX_TPM](policy-csp-admx-tpm.md) #### [ADMX_UserExperienceVirtualization](policy-csp-admx-userexperiencevirtualization.md) #### [ADMX_W32Time](policy-csp-admx-w32time.md) +#### [ADMX_WCM](policy-csp-admx-wcm.md) #### [ADMX_WinCal](policy-csp-admx-wincal.md) #### [ADMX_WindowsAnytimeUpgrade](policy-csp-admx-windowsanytimeupgrade.md) #### [ADMX_WindowsConnectNow](policy-csp-admx-windowsconnectnow.md) +#### [ADMX_WindowsExplorer](policy-csp-admx-windowsexplorer.md) #### [ADMX_WindowsMediaDRM](policy-csp-admx-windowsmediadrm.md) #### [ADMX_WindowsMediaPlayer](policy-csp-admx-windowsmediaplayer.md) +#### [ADMX_WindowsStore](policy-csp-admx-windowsstore.md) #### [ADMX_WinInit](policy-csp-admx-wininit.md) +#### [ADMX_wlansvc](policy-csp-admx-wlansvc.md) #### [ApplicationDefaults](policy-csp-applicationdefaults.md) #### [ApplicationManagement](policy-csp-applicationmanagement.md) #### [AppRuntime](policy-csp-appruntime.md) @@ -230,7 +240,7 @@ #### [Audit](policy-csp-audit.md) #### [Authentication](policy-csp-authentication.md) #### [Autoplay](policy-csp-autoplay.md) -#### [Bitlocker](policy-csp-bitlocker.md) +#### [BitLocker](policy-csp-bitlocker.md) #### [BITS](policy-csp-bits.md) #### [Bluetooth](policy-csp-bluetooth.md) #### [Browser](policy-csp-browser.md) @@ -275,6 +285,7 @@ #### [MixedReality](policy-csp-mixedreality.md) #### [MSSecurityGuide](policy-csp-mssecurityguide.md) #### [MSSLegacy](policy-csp-msslegacy.md) +#### [Multitasking](policy-csp-multitasking.md) #### [NetworkIsolation](policy-csp-networkisolation.md) #### [Notifications](policy-csp-notifications.md) #### [Power](policy-csp-power.md) diff --git a/windows/client-management/mdm/change-history-for-mdm-documentation.md b/windows/client-management/mdm/change-history-for-mdm-documentation.md index 515e6883b2..556ff58e7a 100644 --- a/windows/client-management/mdm/change-history-for-mdm-documentation.md +++ b/windows/client-management/mdm/change-history-for-mdm-documentation.md @@ -16,6 +16,13 @@ ms.date: 10/19/2020 This article lists new and updated articles for the Mobile Device Management (MDM) documentation. Updated articles are those that had content addition, removal, or corrections—minor fixes, such as correction of typos, style, or formatting issues are not listed. +## November 2020 + +|New or updated article | Description| +|--- | ---| +| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policy:
- [Multitasking/BrowserAltTabBlowout](policy-csp-multitasking.md#multitasking-browseralttabblowout) | +| [SurfaceHub CSP](surfacehub-csp.md) | Added the following new node:
-Properties/SleepMode | + ## October 2020 |New or updated article | Description| @@ -365,7 +372,7 @@ This article lists new and updated articles for the Mobile Device Management (MD -Bitlocker CSP +BitLocker CSP

Added new node AllowStandardUserEncryption in Windows 10, version 1809.

diff --git a/windows/client-management/mdm/esim-enterprise-management.md b/windows/client-management/mdm/esim-enterprise-management.md index 79545b45cc..4f516e8c19 100644 --- a/windows/client-management/mdm/esim-enterprise-management.md +++ b/windows/client-management/mdm/esim-enterprise-management.md @@ -12,15 +12,17 @@ ms.topic: conceptual --- # How Mobile Device Management Providers support eSIM Management on Windows -The eSIM Profile Management Solution puts the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to leverage an already existing solution that customers are familiar with and that they use to manage devices. The expectations from an MDM are that it will leverage the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and installation happens on the background and not impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management. - If you are a Mobile Device Management (MDM) Provider and would like to support eSIM Management on Windows, you should do the following: +The eSIM Profile Management Solution puts the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to use an already existing solution that customers are familiar with and that they use to manage devices. The expectations from an MDM are that it will use the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and the installation happen in the background without impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management. + If you are a Mobile Device Management (MDM) Provider and want to support eSIM Management on Windows, perform the following steps: - Onboard to Azure Active Directory -- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, please contact them and learn more about their onboarding. If you would like to support multiple mobile operators, [orchestrator providers]( https://www.idemia.com/esim-management-facilitation) are there to act as a proxy that will handle MDM onboarding as well as mobile operator onboarding. Their main [role]( https://www.idemia.com/smart-connect-hub) is to enable the process to be as painless but scalable to all parties. +- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding as well as mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties. Potential orchestrator providers you could contact include: + - [HPE’s Device Entitlement Gateway](https://www.hpe.com/emea_europe/en/solutions/digital-communications-services.html) + - [IDEMIA’s The Smart Connect - Hub](https://www.idemia.com/smart-connect-hub) - Assess solution type that you would like to provide your customers - Batch/offline solution - IT Admin can manually import a flat file containing list of eSIM activation codes, and provision eSIM on LTE enabled devices. -- Operator does not have visibility over status of the eSIM profiles and device eSIM has been downloaded and installed to +- Operator doesn't have visibility over status of the eSIM profiles and device eSIM has been downloaded and installed to - Real-time solution - MDM automatically syncs with the Operator backend system for subscription pool and eSIM management, via sim vendor solution component. IT Admin can view subscription pool and provision eSIM in real time. - Operator is notified of the status of each eSIM profile and has visibility on which devices are being used -**Note:** The solution type is not noticeable to the end-user. The choice between the two is made between the MDM and the Mobile Operator. +**Note:** End users don't notice the solution type. The choice between the two is made between the MDM and the Mobile Operator. diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 31a3184bdb..15c29f831f 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -26,7 +26,8 @@ For details about Microsoft mobile device management protocols for Windows 10 s |New or updated article|Description| |-----|-----| -| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 20H2:
- [Experience/DisableCloudOptimizedContent](policy-csp-experience.md#experience-disablecloudoptimizedcontent)
- [LocalUsersAndGroups/Configure](policy-csp-localusersandgroups.md#localusersandgroups-configure)
- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
- [MixedReality/BrightnessButtonDisabled](policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled)
- [MixedReality/FallbackDiagnostics](policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics)
- [MixedReality/MicrophoneDisabled](policy-csp-mixedreality.md#mixedreality-microphonedisabled)
- [MixedReality/VolumeButtonDisabled](policy-csp-mixedreality.md#mixedreality-volumebuttondisabled) | +| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 20H2:
- [Experience/DisableCloudOptimizedContent](policy-csp-experience.md#experience-disablecloudoptimizedcontent)
- [LocalUsersAndGroups/Configure](policy-csp-localusersandgroups.md#localusersandgroups-configure)
- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
- [MixedReality/BrightnessButtonDisabled](policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled)
- [MixedReality/FallbackDiagnostics](policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics)
- [MixedReality/MicrophoneDisabled](policy-csp-mixedreality.md#mixedreality-microphonedisabled)
- [MixedReality/VolumeButtonDisabled](policy-csp-mixedreality.md#mixedreality-volumebuttondisabled)
- [Multitasking/BrowserAltTabBlowout](policy-csp-multitasking.md#multitasking-browseralttabblowout) | +| [SurfaceHub CSP](surfacehub-csp.md) | Added the following new node:
-Properties/SleepMode | | [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Updated the description of the following node:
- Settings/AllowWindowsDefenderApplicationGuard | ## What’s new in MDM for Windows 10, version 2004 @@ -500,8 +501,8 @@ No. Only one MDM is allowed. Entry | Description --------------- | -------------------- What is dmwappushsvc? | It is a Windows service that ships in Windows 10 operating system as a part of the windows management platform. It is used internally by the operating system as a queue for categorizing and processing all WAP messages, which include Windows management messages, MMS, NabSync, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. | -What data is handled by dmwappushsvc? | It is a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further: MMS, NabSync, SI/SL. | -How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc). However, since this is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to do this. | +What data is handled by dmwappushsvc? | It is a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further: MMS, NabSync, SI/SL. This service does not send telemetry.| +How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc). However, since this is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to do this. Disabling this will cause your management to fail.| ## Change history for MDM documentation diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index a26052c419..8ede74a7a6 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -42,6 +42,24 @@ ms.date: 10/08/2020 - [ADMX_AppCompat/AppCompatTurnOffUserActionRecord](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffuseractionrecord) - [ADMX_AppCompat/AppCompatTurnOffProgramInventory](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprograminventory) - [ADMX_AuditSettings/IncludeCmdLine](./policy-csp-admx-auditsettings.md#admx-auditsettings-includecmdline) +- [ADMX_Bits/BITS_DisableBranchCache](./policy-csp-admx-bits.md#admx-bits-bits-disablebranchcache) +- [ADMX_Bits/BITS_DisablePeercachingClient](./policy-csp-admx-bits.md#admx-bits-bits-disablepeercachingclient) +- [ADMX_Bits/BITS_DisablePeercachingServer](./policy-csp-admx-bits.md#admx-bits-bits-disablepeercachingserver) +- [ADMX_Bits/BITS_EnablePeercaching](./policy-csp-admx-bits.md#admx-bits-bits-enablepeercaching) +- [ADMX_Bits/BITS_MaxBandwidthServedForPeers](./policy-csp-admx-bits.md#admx-bits-bits-maxbandwidthservedforpeers) +- [ADMX_Bits/BITS_MaxBandwidthV2_Maintenance](./policy-csp-admx-bits.md#admx-bits-bits-maxbandwidthv2-maintenance) +- [ADMX_Bits/BITS_MaxBandwidthV2_Work](./policy-csp-admx-bits.md#admx-bits-bits-maxbandwidthv2-work) +- [ADMX_Bits/BITS_MaxCacheSize](./policy-csp-admx-bits.md#admx-bits-bits-maxcachesize) +- [ADMX_Bits/BITS_MaxContentAge](./policy-csp-admx-bits.md#admx-bits-bits-maxcontentage) +- [ADMX_Bits/BITS_MaxDownloadTime](./policy-csp-admx-bits.md#admx-bits-bits-maxdownloadtime) +- [ADMX_Bits/BITS_MaxFilesPerJob](./policy-csp-admx-bits.md#admx-bits-bits-maxfilesperjob) +- [ADMX_Bits/BITS_MaxJobsPerMachine](./policy-csp-admx-bits.md#admx-bits-bits-maxjobspermachine) +- [ADMX_Bits/BITS_MaxJobsPerUser](./policy-csp-admx-bits.md#admx-bits-bits-maxjobsperuser) +- [ADMX_Bits/BITS_MaxRangesPerFile](./policy-csp-admx-bits.md#admx-bits-bits-maxrangesperfile) +- [ADMX_CipherSuiteOrder/SSLCipherSuiteOrder](./policy-csp-admx-ciphersuiteorder.md#admx-ciphersuiteorder-sslciphersuiteorder) +- [ADMX_CipherSuiteOrder/SSLCurveOrder](./policy-csp-admx-ciphersuiteorder.md#admx-ciphersuiteorder-sslcurveorder) +- [ADMX_COM/AppMgmt_COM_SearchForCLSID_1](./policy-csp-admx-com.md#admx-com-appmgmt-com-searchforclsid-1) +- [ADMX_COM/AppMgmt_COM_SearchForCLSID_2](./policy-csp-admx-com.md#admx-com-appmgmt-com-searchforclsid-2) - [ADMX_Cpls/UseDefaultTile](./policy-csp-admx-cpls.md#admx-cpls-usedefaulttile) - [ADMX_CtrlAltDel/DisableChangePassword](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablechangepassword) - [ADMX_CtrlAltDel/DisableLockComputer](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablelockcomputer) @@ -121,6 +139,110 @@ ms.date: 10/08/2020 - [ADMX_MMC/MMC_LinkToWeb](./policy-csp-admx-mmc.md#admx-mmc-mmc-linktoweb) - [ADMX_MMC/MMC_Restrict_Author](./policy-csp-admx-mmc.md#admx-mmc-mmc-restrict-author) - [ADMX_MMC/MMC_Restrict_To_Permitted_Snapins](./policy-csp-admx-mmc.md#admx-mmc-mmc-restrict-to-permitted-snapins) +- [ADMX_MMCSnapins/MMC_ADMComputers_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-admcomputers-1) +- [ADMX_MMCSnapins/MMC_ADMComputers_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-admcomputers-2) +- [ADMX_MMCSnapins/MMC_ADMUsers_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-admusers-1) +- [ADMX_MMCSnapins/MMC_ADMUsers_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-admusers-2) +- [ADMX_MMCSnapins/MMC_ADSI](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-adsi) +- [ADMX_MMCSnapins/MMC_ActiveDirDomTrusts](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-activedirdomtrusts) +- [ADMX_MMCSnapins/MMC_ActiveDirSitesServices](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-activedirsitesservices) +- [ADMX_MMCSnapins/MMC_ActiveDirUsersComp](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-activediruserscomp) +- [ADMX_MMCSnapins/MMC_AppleTalkRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-appletalkrouting) +- [ADMX_MMCSnapins/MMC_AuthMan](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-authman) +- [ADMX_MMCSnapins/MMC_CertAuth](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-certauth) +- [ADMX_MMCSnapins/MMC_CertAuthPolSet](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-certauthpolset) +- [ADMX_MMCSnapins/MMC_Certs](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-certs) +- [ADMX_MMCSnapins/MMC_CertsTemplate](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-certstemplate) +- [ADMX_MMCSnapins/MMC_ComponentServices](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-componentservices) +- [ADMX_MMCSnapins/MMC_ComputerManagement](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-computermanagement) +- [ADMX_MMCSnapins/MMC_ConnectionSharingNAT](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-connectionsharingnat) +- [ADMX_MMCSnapins/MMC_DCOMCFG](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-dcomcfg) +- [ADMX_MMCSnapins/MMC_DFS](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-dfs) +- [ADMX_MMCSnapins/MMC_DHCPRelayMgmt](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-dhcprelaymgmt) +- [ADMX_MMCSnapins/MMC_DeviceManager_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-devicemanager-1) +- [ADMX_MMCSnapins/MMC_DeviceManager_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-devicemanager-2) +- [ADMX_MMCSnapins/MMC_DiskDefrag](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-diskdefrag) +- [ADMX_MMCSnapins/MMC_DiskMgmt](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-diskmgmt) +- [ADMX_MMCSnapins/MMC_EnterprisePKI](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-enterprisepki) +- [ADMX_MMCSnapins/MMC_EventViewer_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-eventviewer-1) +- [ADMX_MMCSnapins/MMC_EventViewer_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-eventviewer-2) +- [ADMX_MMCSnapins/MMC_EventViewer_3](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-eventviewer-3) +- [ADMX_MMCSnapins/MMC_EventViewer_4](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-eventviewer-4) +- [ADMX_MMCSnapins/MMC_FAXService](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-faxservice) +- [ADMX_MMCSnapins/MMC_FailoverClusters](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-failoverclusters) +- [ADMX_MMCSnapins/MMC_FolderRedirection_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-folderredirection-1) +- [ADMX_MMCSnapins/MMC_FolderRedirection_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-folderredirection-2) +- [ADMX_MMCSnapins/MMC_FrontPageExt](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-frontpageext) +- [ADMX_MMCSnapins/MMC_GroupPolicyManagementSnapIn](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-grouppolicymanagementsnapin) +- [ADMX_MMCSnapins/MMC_GroupPolicySnapIn](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-grouppolicysnapin) +- [ADMX_MMCSnapins/MMC_GroupPolicyTab](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-grouppolicytab) +- [ADMX_MMCSnapins/MMC_HRA](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-hra) +- [ADMX_MMCSnapins/MMC_IAS](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ias) +- [ADMX_MMCSnapins/MMC_IASLogging](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iaslogging) +- [ADMX_MMCSnapins/MMC_IEMaintenance_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iemaintenance-1) +- [ADMX_MMCSnapins/MMC_IEMaintenance_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iemaintenance-2) +- [ADMX_MMCSnapins/MMC_IGMPRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-igmprouting) +- [ADMX_MMCSnapins/MMC_IIS](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iis) +- [ADMX_MMCSnapins/MMC_IPRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iprouting) +- [ADMX_MMCSnapins/MMC_IPSecManage_GP](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipsecmanage-gp) +- [ADMX_MMCSnapins/MMC_IPXRIPRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipxriprouting) +- [ADMX_MMCSnapins/MMC_IPXRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipxrouting) +- [ADMX_MMCSnapins/MMC_IPXSAPRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipxsaprouting) +- [ADMX_MMCSnapins/MMC_IndexingService](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-indexingservice) +- [ADMX_MMCSnapins/MMC_IpSecManage](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipsecmanage) +- [ADMX_MMCSnapins/MMC_IpSecMonitor](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipsecmonitor) +- [ADMX_MMCSnapins/MMC_LocalUsersGroups](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-localusersgroups) +- [ADMX_MMCSnapins/MMC_LogicalMappedDrives](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-logicalmappeddrives) +- [ADMX_MMCSnapins/MMC_NPSUI](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-npsui) +- [ADMX_MMCSnapins/MMC_NapSnap](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-napsnap) +- [ADMX_MMCSnapins/MMC_NapSnap_GP](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-napsnap-gp) +- [ADMX_MMCSnapins/MMC_Net_Framework](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-net-framework) +- [ADMX_MMCSnapins/MMC_OCSP](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ocsp) +- [ADMX_MMCSnapins/MMC_OSPFRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ospfrouting) +- [ADMX_MMCSnapins/MMC_PerfLogsAlerts](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-perflogsalerts) +- [ADMX_MMCSnapins/MMC_PublicKey](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-publickey) +- [ADMX_MMCSnapins/MMC_QoSAdmission](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-qosadmission) +- [ADMX_MMCSnapins/MMC_RAS_DialinUser](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ras-dialinuser) +- [ADMX_MMCSnapins/MMC_RIPRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-riprouting) +- [ADMX_MMCSnapins/MMC_RIS](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ris) +- [ADMX_MMCSnapins/MMC_RRA](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-rra) +- [ADMX_MMCSnapins/MMC_RSM](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-rsm) +- [ADMX_MMCSnapins/MMC_RemStore](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-remstore) +- [ADMX_MMCSnapins/MMC_RemoteAccess](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-remoteaccess) +- [ADMX_MMCSnapins/MMC_RemoteDesktop](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-remotedesktop) +- [ADMX_MMCSnapins/MMC_ResultantSetOfPolicySnapIn](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-resultantsetofpolicysnapin) +- [ADMX_MMCSnapins/MMC_Routing](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-routing) +- [ADMX_MMCSnapins/MMC_SCA](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sca) +- [ADMX_MMCSnapins/MMC_SMTPProtocol](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-smtpprotocol) +- [ADMX_MMCSnapins/MMC_SNMP](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-snmp) +- [ADMX_MMCSnapins/MMC_ScriptsMachine_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-scriptsmachine-1) +- [ADMX_MMCSnapins/MMC_ScriptsMachine_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-scriptsmachine-2) +- [ADMX_MMCSnapins/MMC_ScriptsUser_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-scriptsuser-1) +- [ADMX_MMCSnapins/MMC_ScriptsUser_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-scriptsuser-2) +- [ADMX_MMCSnapins/MMC_SecuritySettings_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-securitysettings-1) +- [ADMX_MMCSnapins/MMC_SecuritySettings_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-securitysettings-2) +- [ADMX_MMCSnapins/MMC_SecurityTemplates](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-securitytemplates) +- [ADMX_MMCSnapins/MMC_SendConsoleMessage](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sendconsolemessage) +- [ADMX_MMCSnapins/MMC_ServerManager](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-servermanager) +- [ADMX_MMCSnapins/MMC_ServiceDependencies](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-servicedependencies) +- [ADMX_MMCSnapins/MMC_Services](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-services) +- [ADMX_MMCSnapins/MMC_SharedFolders](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sharedfolders) +- [ADMX_MMCSnapins/MMC_SharedFolders_Ext](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sharedfolders-ext) +- [ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-softwareinstalationcomputers-1) +- [ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-softwareinstalationcomputers-2) +- [ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-softwareinstallationusers-1) +- [ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-softwareinstallationusers-2) +- [ADMX_MMCSnapins/MMC_SysInfo](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sysinfo) +- [ADMX_MMCSnapins/MMC_SysProp](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sysprop) +- [ADMX_MMCSnapins/MMC_TPMManagement](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-tpmmanagement) +- [ADMX_MMCSnapins/MMC_Telephony](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-telephony) +- [ADMX_MMCSnapins/MMC_TerminalServices](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-terminalservices) +- [ADMX_MMCSnapins/MMC_WMI](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wmi) +- [ADMX_MMCSnapins/MMC_WindowsFirewall](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-windowsfirewall) +- [ADMX_MMCSnapins/MMC_WindowsFirewall_GP](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-windowsfirewall-gp) +- [ADMX_MMCSnapins/MMC_WiredNetworkPolicy](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wirednetworkpolicy) +- [ADMX_MMCSnapins/MMC_WirelessMon](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wirelessmon) +- [ADMX_MMCSnapins/MMC_WirelessNetworkPolicy](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wirelessnetworkpolicy) - [ADMX_MSAPolicy/IncludeMicrosoftAccount_DisableUserAuthCmdLine](./policy-csp-admx-msapolicy.md#admx-msapolicy-microsoftaccount-disableuserauth) - [ADMX_nca/CorporateResources](./policy-csp-admx-nca.md#admx-nca-corporateresources) - [ADMX_nca/CustomCommands](./policy-csp-admx-nca.md#admx-nca-customcommands) @@ -172,6 +294,33 @@ ms.date: 10/08/2020 - [ADMX_Netlogon/Netlogon_SysvolShareCompatibilityMode](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-sysvolsharecompatibilitymode) - [ADMX_Netlogon/Netlogon_TryNextClosestSite](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-trynextclosestsite) - [ADMX_Netlogon/Netlogon_UseDynamicDns](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-usedynamicdns) +- [ADMX_NetworkConnections/NC_AddRemoveComponents](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-addremovecomponents) +- [ADMX_NetworkConnections/NC_AdvancedSettings](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-advancedsettings) +- [ADMX_NetworkConnections/NC_AllowAdvancedTCPIPConfig](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-allowadvancedtcpipconfig) +- [ADMX_NetworkConnections/NC_ChangeBindState](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-changebindstate) +- [ADMX_NetworkConnections/NC_DeleteAllUserConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-deletealluserconnection) +- [ADMX_NetworkConnections/NC_DeleteConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-deleteconnection) +- [ADMX_NetworkConnections/NC_DialupPrefs](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-dialupprefs) +- [ADMX_NetworkConnections/NC_DoNotShowLocalOnlyIcon](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-donotshowlocalonlyicon) +- [ADMX_NetworkConnections/NC_EnableAdminProhibits](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-enableadminprohibits) +- [ADMX_NetworkConnections/NC_ForceTunneling](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-forcetunneling) +- [ADMX_NetworkConnections/NC_IpStateChecking](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-ipstatechecking) +- [ADMX_NetworkConnections/NC_LanChangeProperties](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-lanchangeproperties) +- [ADMX_NetworkConnections/NC_LanConnect](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-lanconnect) +- [ADMX_NetworkConnections/NC_LanProperties](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-lanproperties) +- [ADMX_NetworkConnections/NC_NewConnectionWizard](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-newconnectionwizard) +- [ADMX_NetworkConnections/NC_PersonalFirewallConfig](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-personalfirewallconfig) +- [ADMX_NetworkConnections/NC_RasAllUserProperties](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-rasalluserproperties) +- [ADMX_NetworkConnections/NC_RasChangeProperties](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-raschangeproperties) +- [ADMX_NetworkConnections/NC_RasConnect](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-rasconnect) +- [ADMX_NetworkConnections/NC_RasMyProperties](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-rasmyproperties) +- [ADMX_NetworkConnections/NC_RenameAllUserRasConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-renamealluserrasconnection) +- [ADMX_NetworkConnections/NC_RenameConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-renameconnection) +- [ADMX_NetworkConnections/NC_RenameLanConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-renamelanconnection) +- [ADMX_NetworkConnections/NC_RenameMyRasConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-renamemyrasconnection) +- [ADMX_NetworkConnections/NC_ShowSharedAccessUI](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-showsharedaccessui) +- [ADMX_NetworkConnections/NC_Statistics](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-statistics) +- [ADMX_NetworkConnections/NC_StdDomainUserSetLocation](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-stddomainusersetlocation) - [ADMX_OfflineFiles/Pol_AlwaysPinSubFolders](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-alwayspinsubfolders) - [ADMX_OfflineFiles/Pol_AssignedOfflineFiles_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-assignedofflinefiles-1) - [ADMX_OfflineFiles/Pol_AssignedOfflineFiles_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-assignedofflinefiles-2) @@ -231,6 +380,10 @@ ms.date: 10/08/2020 - [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_2](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-2) - [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_3](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-3) - [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_4](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-4) +- [ADMX_PowerShellExecutionPolicy/EnableModuleLogging](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enablemodulelogging) +- [ADMX_PowerShellExecutionPolicy/EnableScripts](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enablescripts) +- [ADMX_PowerShellExecutionPolicy/EnableTranscripting](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enabletranscripting) +- [ADMX_PowerShellExecutionPolicy/EnableUpdateHelpDefaultSourcePath](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enableupdatehelpdefaultsourcepath) - [ADMX_Reliability/EE_EnablePersistentTimeStamp](./policy-csp-admx-reliability.md#admx-reliability-ee-enablepersistenttimestamp) - [ADMX_Reliability/PCH_ReportShutdownEvents](./policy-csp-admx-reliability.md#admx-reliability-pch-reportshutdownevents) - [ADMX_Reliability/ShutdownEventTrackerStateFile](./policy-csp-admx-reliability.md#admx-reliability-shutdowneventtrackerstatefile) @@ -251,6 +404,11 @@ ms.date: 10/08/2020 - [ADMX_sdiageng/ScriptedDiagnosticsExecutionPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticsexecutionpolicy) - [ADMX_sdiageng/ScriptedDiagnosticsSecurityPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticssecuritypolicy) - [ADMX_Securitycenter/SecurityCenter_SecurityCenterInDomain](/policy-csp-admx-securitycenter.md#admx-securitycenter-securitycenter-securitycenterindomain) +- [ADMX_Sensors/DisableLocationScripting_1](./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-1) +- [ADMX_Sensors/DisableLocationScripting_2](./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-2) +- [ADMX_Sensors/DisableLocation_1](./policy-csp-admx-sensors.md#admx-sensors-disablelocation-1) +- [ADMX_Sensors/DisableSensors_1](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-1) +- [ADMX_Sensors/DisableSensors_2](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-2) - [ADMX_Servicing/Servicing](./policy-csp-admx-servicing.md#admx-servicing-servicing) - [ADMX_SharedFolders/PublishDfsRoots](./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishdfsroots) - [ADMX_SharedFolders/PublishSharedFolders](./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishsharedfolders) @@ -278,6 +436,95 @@ ms.date: 10/08/2020 - [ADMX_Snmp/SNMP_Communities](./policy-csp-admx-snmp.md#admx-snmp-snmp-communities) - [ADMX_Snmp/SNMP_PermittedManagers](./policy-csp-admx-snmp.md#admx-snmp-snmp-permittedmanagers) - [ADMX_Snmp/SNMP_Traps_Public](./policy-csp-admx-snmp.md#admx-snmp-snmp-traps-public) +- [ADMX_StartMenu/AddSearchInternetLinkInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-addsearchinternetlinkinstartmenu) +- [ADMX_StartMenu/ClearRecentDocsOnExit](./policy-csp-admx-startmenu.md#admx-startmenu-clearrecentdocsonexit) +- [ADMX_StartMenu/ClearRecentProgForNewUserInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-clearrecentprogfornewuserinstartmenu) +- [ADMX_StartMenu/ClearTilesOnExit](./policy-csp-admx-startmenu.md#admx-startmenu-cleartilesonexit) +- [ADMX_StartMenu/DesktopAppsFirstInAppsView](./policy-csp-admx-startmenu.md#admx-startmenu-desktopappsfirstinappsview) +- [ADMX_StartMenu/DisableGlobalSearchOnAppsView](./policy-csp-admx-startmenu.md#admx-startmenu-disableglobalsearchonappsview) +- [ADMX_StartMenu/ForceStartMenuLogOff](./policy-csp-admx-startmenu.md#admx-startmenu-forcestartmenulogoff) +- [ADMX_StartMenu/GoToDesktopOnSignIn](./policy-csp-admx-startmenu.md#admx-startmenu-gotodesktoponsignin) +- [ADMX_StartMenu/GreyMSIAds](./policy-csp-admx-startmenu.md#admx-startmenu-greymsiads) +- [ADMX_StartMenu/HidePowerOptions](./policy-csp-admx-startmenu.md#admx-startmenu-hidepoweroptions) +- [ADMX_StartMenu/Intellimenus](./policy-csp-admx-startmenu.md#admx-startmenu-intellimenus) +- [ADMX_StartMenu/LockTaskbar](./policy-csp-admx-startmenu.md#admx-startmenu-locktaskbar) +- [ADMX_StartMenu/MemCheckBoxInRunDlg](./policy-csp-admx-startmenu.md#admx-startmenu-memcheckboxinrundlg) +- [ADMX_StartMenu/NoAutoTrayNotify](./policy-csp-admx-startmenu.md#admx-startmenu-noautotraynotify) +- [ADMX_StartMenu/NoBalloonTip](./policy-csp-admx-startmenu.md#admx-startmenu-noballoontip) +- [ADMX_StartMenu/NoChangeStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nochangestartmenu) +- [ADMX_StartMenu/NoClose](./policy-csp-admx-startmenu.md#admx-startmenu-noclose) +- [ADMX_StartMenu/NoCommonGroups](./policy-csp-admx-startmenu.md#admx-startmenu-nocommongroups) +- [ADMX_StartMenu/NoFavoritesMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nofavoritesmenu) +- [ADMX_StartMenu/NoFind](./policy-csp-admx-startmenu.md#admx-startmenu-nofind) +- [ADMX_StartMenu/NoGamesFolderOnStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nogamesfolderonstartmenu) +- [ADMX_StartMenu/NoHelp](./policy-csp-admx-startmenu.md#admx-startmenu-nohelp) +- [ADMX_StartMenu/NoInstrumentation](./policy-csp-admx-startmenu.md#admx-startmenu-noinstrumentation) +- [ADMX_StartMenu/NoMoreProgramsList](./policy-csp-admx-startmenu.md#admx-startmenu-nomoreprogramslist) +- [ADMX_StartMenu/NoNetAndDialupConnect](./policy-csp-admx-startmenu.md#admx-startmenu-nonetanddialupconnect) +- [ADMX_StartMenu/NoPinnedPrograms](./policy-csp-admx-startmenu.md#admx-startmenu-nopinnedprograms) +- [ADMX_StartMenu/NoRecentDocsMenu](./policy-csp-admx-startmenu.md#admx-startmenu-norecentdocsmenu) +- [ADMX_StartMenu/NoResolveSearch](./policy-csp-admx-startmenu.md#admx-startmenu-noresolvesearch) +- [ADMX_StartMenu/NoResolveTrack](./policy-csp-admx-startmenu.md#admx-startmenu-noresolvetrack) +- [ADMX_StartMenu/NoRun](./policy-csp-admx-startmenu.md#admx-startmenu-norun) +- [ADMX_StartMenu/NoSMConfigurePrograms](./policy-csp-admx-startmenu.md#admx-startmenu-nosmconfigureprograms) +- [ADMX_StartMenu/NoSMMyDocuments](./policy-csp-admx-startmenu.md#admx-startmenu-nosmmydocuments) +- [ADMX_StartMenu/NoSMMyMusic](./policy-csp-admx-startmenu.md#admx-startmenu-nosmmymusic) +- [ADMX_StartMenu/NoSMMyNetworkPlaces](./policy-csp-admx-startmenu.md#admx-startmenu-nosmmynetworkplaces) +- [ADMX_StartMenu/NoSMMyPictures](./policy-csp-admx-startmenu.md#admx-startmenu-nosmmypictures) +- [ADMX_StartMenu/NoSearchCommInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearchcomminstartmenu) +- [ADMX_StartMenu/NoSearchComputerLinkInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearchcomputerlinkinstartmenu) +- [ADMX_StartMenu/NoSearchEverywhereLinkInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearcheverywherelinkinstartmenu) +- [ADMX_StartMenu/NoSearchFilesInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearchfilesinstartmenu) +- [ADMX_StartMenu/NoSearchInternetInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearchinternetinstartmenu) +- [ADMX_StartMenu/NoSearchProgramsInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearchprogramsinstartmenu) +- [ADMX_StartMenu/NoSetFolders](./policy-csp-admx-startmenu.md#admx-startmenu-nosetfolders) +- [ADMX_StartMenu/NoSetTaskbar](./policy-csp-admx-startmenu.md#admx-startmenu-nosettaskbar) +- [ADMX_StartMenu/NoStartMenuDownload](./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenudownload) +- [ADMX_StartMenu/NoStartMenuHomegroup](./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenuhomegroup) +- [ADMX_StartMenu/NoStartMenuRecordedTV](./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenurecordedtv) +- [ADMX_StartMenu/NoStartMenuSubFolders](./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenusubfolders) +- [ADMX_StartMenu/NoStartMenuVideos](./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenuvideos) +- [ADMX_StartMenu/NoStartPage](./policy-csp-admx-startmenu.md#admx-startmenu-nostartpage) +- [ADMX_StartMenu/NoTaskBarClock](./policy-csp-admx-startmenu.md#admx-startmenu-notaskbarclock) +- [ADMX_StartMenu/NoTaskGrouping](./policy-csp-admx-startmenu.md#admx-startmenu-notaskgrouping) +- [ADMX_StartMenu/NoToolbarsOnTaskbar](./policy-csp-admx-startmenu.md#admx-startmenu-notoolbarsontaskbar) +- [ADMX_StartMenu/NoTrayContextMenu](./policy-csp-admx-startmenu.md#admx-startmenu-notraycontextmenu) +- [ADMX_StartMenu/NoTrayItemsDisplay](./policy-csp-admx-startmenu.md#admx-startmenu-notrayitemsdisplay) +- [ADMX_StartMenu/NoUninstallFromStart](./policy-csp-admx-startmenu.md#admx-startmenu-nouninstallfromstart) +- [ADMX_StartMenu/NoUserFolderOnStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nouserfolderonstartmenu) +- [ADMX_StartMenu/NoUserNameOnStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nousernameonstartmenu) +- [ADMX_StartMenu/NoWindowsUpdate](./policy-csp-admx-startmenu.md#admx-startmenu-nowindowsupdate) +- [ADMX_StartMenu/PowerButtonAction](./policy-csp-admx-startmenu.md#admx-startmenu-powerbuttonaction) +- [ADMX_StartMenu/QuickLaunchEnabled](./policy-csp-admx-startmenu.md#admx-startmenu-quicklaunchenabled) +- [ADMX_StartMenu/RemoveUnDockPCButton](./policy-csp-admx-startmenu.md#admx-startmenu-removeundockpcbutton) +- [ADMX_StartMenu/ShowAppsViewOnStart](./policy-csp-admx-startmenu.md#admx-startmenu-showappsviewonstart) +- [ADMX_StartMenu/ShowRunAsDifferentUserInStart](./policy-csp-admx-startmenu.md#admx-startmenu-showrunasdifferentuserinstart) +- [ADMX_StartMenu/ShowRunInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-showruninstartmenu) +- [ADMX_StartMenu/ShowStartOnDisplayWithForegroundOnWinKey](./policy-csp-admx-startmenu.md#admx-startmenu-showstartondisplaywithforegroundonwinkey) +- [ADMX_StartMenu/StartMenuLogOff](./policy-csp-admx-startmenu.md#admx-startmenu-startmenulogoff) +- [ADMX_StartMenu/StartPinAppsWhenInstalled](./policy-csp-admx-startmenu.md#admx-startmenu-startpinappswheninstalled) +- [ADMX_Taskbar/DisableNotificationCenter](./policy-csp-admx-taskbar.md#admx-taskbar-disablenotificationcenter) +- [ADMX_Taskbar/EnableLegacyBalloonNotifications](./policy-csp-admx-taskbar.md#admx-taskbar-enablelegacyballoonnotifications) +- [ADMX_Taskbar/HideSCAHealth](./policy-csp-admx-taskbar.md#admx-taskbar-hidescahealth) +- [ADMX_Taskbar/HideSCANetwork](./policy-csp-admx-taskbar.md#admx-taskbar-hidescanetwork) +- [ADMX_Taskbar/HideSCAPower](./policy-csp-admx-taskbar.md#admx-taskbar-hidescapower) +- [ADMX_Taskbar/HideSCAVolume](./policy-csp-admx-taskbar.md#admx-taskbar-hidescavolume) +- [ADMX_Taskbar/NoBalloonFeatureAdvertisements](./policy-csp-admx-taskbar.md#admx-taskbar-noballoonfeatureadvertisements) +- [ADMX_Taskbar/NoPinningStoreToTaskbar](./policy-csp-admx-taskbar.md#admx-taskbar-nopinningstoretotaskbar) +- [ADMX_Taskbar/NoPinningToDestinations](./policy-csp-admx-taskbar.md#admx-taskbar-nopinningtodestinations) +- [ADMX_Taskbar/NoPinningToTaskbar](./policy-csp-admx-taskbar.md#admx-taskbar-nopinningtotaskbar) +- [ADMX_Taskbar/NoRemoteDestinations](./policy-csp-admx-taskbar.md#admx-taskbar-noremotedestinations) +- [ADMX_Taskbar/NoSystraySystemPromotion](./policy-csp-admx-taskbar.md#admx-taskbar-nosystraysystempromotion) +- [ADMX_Taskbar/ShowWindowsStoreAppsOnTaskbar](./policy-csp-admx-taskbar.md#admx-taskbar-showwindowsstoreappsontaskbar) +- [ADMX_Taskbar/TaskbarLockAll](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarlockall) +- [ADMX_Taskbar/TaskbarNoAddRemoveToolbar](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnoaddremovetoolbar) +- [ADMX_Taskbar/TaskbarNoDragToolbar](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnodragtoolbar) +- [ADMX_Taskbar/TaskbarNoMultimon](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnomultimon) +- [ADMX_Taskbar/TaskbarNoNotification](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnonotification) +- [ADMX_Taskbar/TaskbarNoPinnedList](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnopinnedlist) +- [ADMX_Taskbar/TaskbarNoRedock](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnoredock) +- [ADMX_Taskbar/TaskbarNoResize](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnoresize) +- [ADMX_Taskbar/TaskbarNoThumbnail](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnothumbnail) - [ADMX_tcpip/6to4_Router_Name](./policy-csp-admx-tcpip.md#admx-tcpip-6to4-router-name) - [ADMX_tcpip/6to4_Router_Name_Resolution_Interval](./policy-csp-admx-tcpip.md#admx-tcpip-6to4-router-name-resolution-interval) - [ADMX_tcpip/6to4_State](./policy-csp-admx-tcpip.md#admx-tcpip-6to4-state) @@ -434,12 +681,86 @@ ms.date: 10/08/2020 - [ADMX_W32Time/W32TIME_POLICY_CONFIGURE_NTPCLIENT](./policy-csp-admx-w32time.md#admx-w32time-policy-configure-ntpclient) - [ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPCLIENT](./policy-csp-admx-w32time.md#admx-w32time-policy-enable-ntpclient) - [ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPSERVER](./policy-csp-admx-w32time.md#admx-w32time-policy-enable-ntpserver) +- [ADMX_WCM/WCM_DisablePowerManagement](./policy-csp-admx-wcm.md#admx-wcm-wcm-disablepowermanagement) +- [ADMX_WCM/WCM_EnableSoftDisconnect](./policy-csp-admx-wcm.md#admx-wcm-wcm-enablesoftdisconnect) +- [ADMX_WCM/WCM_MinimizeConnections](./policy-csp-admx-wcm.md#admx-wcm-wcm-minimizeconnections) - [ADMX_WinCal/TurnOffWinCal_1](./policy-csp-admx-wincal.md#admx-wincal-turnoffwincal-1) - [ADMX_WinCal/TurnOffWinCal_2](./policy-csp-admx-wincal.md#admx-wincal-turnoffwincal-2) - [ADMX_WindowsAnytimeUpgrade/Disabled](./policy-csp-admx-windowsanytimeupgrade.md#admx-windowsanytimeupgrade-disabled) - [ADMX_WindowsConnectNow/WCN_DisableWcnUi_1](./policy-csp-admx-windowsconnectnow.md#admx-windowsconnectnow-wcn-disablewcnui-1) - [ADMX_WindowsConnectNow/WCN_DisableWcnUi_2](./policy-csp-admx-windowsconnectnow.md#admx-windowsconnectnow-wcn-disablewcnui-2) - [ADMX_WindowsConnectNow/WCN_EnableRegistrar](./policy-csp-admx-windowsconnectnow.md#admx-windowsconnectnow-wcn-enableregistrar) +- [ADMX_WindowsExplorer/CheckSameSourceAndTargetForFRAndDFS](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-checksamesourceandtargetforfranddfs) +- [ADMX_WindowsExplorer/ClassicShell](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-classicshell) +- [ADMX_WindowsExplorer/ConfirmFileDelete](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-confirmfiledelete) +- [ADMX_WindowsExplorer/DefaultLibrariesLocation](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-defaultlibrarieslocation) +- [ADMX_WindowsExplorer/DisableBindDirectlyToPropertySetStorage](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-disablebinddirectlytopropertysetstorage) +- [ADMX_WindowsExplorer/DisableIndexedLibraryExperience](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-disableindexedlibraryexperience) +- [ADMX_WindowsExplorer/DisableKnownFolders](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-disableknownfolders) +- [ADMX_WindowsExplorer/DisableSearchBoxSuggestions](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-disablesearchboxsuggestions) +- [ADMX_WindowsExplorer/EnableShellShortcutIconRemotePath](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-enableshellshortcuticonremotepath) +- [ADMX_WindowsExplorer/EnableSmartScreen](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-enablesmartscreen) +- [ADMX_WindowsExplorer/EnforceShellExtensionSecurity](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-enforceshellextensionsecurity) +- [ADMX_WindowsExplorer/ExplorerRibbonStartsMinimized](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-explorerribbonstartsminimized) +- [ADMX_WindowsExplorer/HideContentViewModeSnippets](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-hidecontentviewmodesnippets) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Internet](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-internet) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_InternetLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-internetlockdown) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Intranet](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-intranet) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_IntranetLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-intranetlockdown) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachine](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-localmachine) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachineLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-localmachinelockdown) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Restricted](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-restricted) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_RestrictedLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-restrictedlockdown) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Trusted](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-trusted) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_TrustedLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-trustedlockdown) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Internet](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-internet) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_InternetLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-internetlockdown) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Intranet](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-intranet) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_IntranetLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-intranetlockdown) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachine](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-localmachine) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachineLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-localmachinelockdown) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Restricted](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-restricted) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_RestrictedLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-restrictedlockdown) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Trusted](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-trusted) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_TrustedLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-trustedlockdown) +- [ADMX_WindowsExplorer/LinkResolveIgnoreLinkInfo](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-linkresolveignorelinkinfo) +- [ADMX_WindowsExplorer/MaxRecentDocs](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-maxrecentdocs) +- [ADMX_WindowsExplorer/NoBackButton](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nobackbutton) +- [ADMX_WindowsExplorer/NoCDBurning](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nocdburning) +- [ADMX_WindowsExplorer/NoCacheThumbNailPictures](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nocachethumbnailpictures) +- [ADMX_WindowsExplorer/NoChangeAnimation](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nochangeanimation) +- [ADMX_WindowsExplorer/NoChangeKeyboardNavigationIndicators](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nochangekeyboardnavigationindicators) +- [ADMX_WindowsExplorer/NoDFSTab](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nodfstab) +- [ADMX_WindowsExplorer/NoDrives](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nodrives) +- [ADMX_WindowsExplorer/NoEntireNetwork](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noentirenetwork) +- [ADMX_WindowsExplorer/NoFileMRU](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nofilemru) +- [ADMX_WindowsExplorer/NoFileMenu](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nofilemenu) +- [ADMX_WindowsExplorer/NoFolderOptions](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nofolderoptions) +- [ADMX_WindowsExplorer/NoHardwareTab](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nohardwaretab) +- [ADMX_WindowsExplorer/NoManageMyComputerVerb](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nomanagemycomputerverb) +- [ADMX_WindowsExplorer/NoMyComputerSharedDocuments](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nomycomputershareddocuments) +- [ADMX_WindowsExplorer/NoNetConnectDisconnect](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nonetconnectdisconnect) +- [ADMX_WindowsExplorer/NoNewAppAlert](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nonewappalert) +- [ADMX_WindowsExplorer/NoPlacesBar](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noplacesbar) +- [ADMX_WindowsExplorer/NoRecycleFiles](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-norecyclefiles) +- [ADMX_WindowsExplorer/NoRunAsInstallPrompt](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-norunasinstallprompt) +- [ADMX_WindowsExplorer/NoSearchInternetTryHarderButton](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nosearchinternettryharderbutton) +- [ADMX_WindowsExplorer/NoSecurityTab](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nosecuritytab) +- [ADMX_WindowsExplorer/NoShellSearchButton](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noshellsearchbutton) +- [ADMX_WindowsExplorer/NoStrCmpLogical](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nostrcmplogical) +- [ADMX_WindowsExplorer/NoViewContextMenu](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noviewcontextmenu) +- [ADMX_WindowsExplorer/NoViewOnDrive](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noviewondrive) +- [ADMX_WindowsExplorer/NoWindowsHotKeys](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nowindowshotkeys) +- [ADMX_WindowsExplorer/NoWorkgroupContents](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noworkgroupcontents) +- [ADMX_WindowsExplorer/PlacesBar](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-placesbar) +- [ADMX_WindowsExplorer/PromptRunasInstallNetPath](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-promptrunasinstallnetpath) +- [ADMX_WindowsExplorer/RecycleBinSize](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-recyclebinsize) +- [ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_1](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-shellprotocolprotectedmodetitle-1) +- [ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_2](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-shellprotocolprotectedmodetitle-2) +- [ADMX_WindowsExplorer/ShowHibernateOption](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-showhibernateoption) +- [ADMX_WindowsExplorer/ShowSleepOption](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-showsleepoption) +- [ADMX_WindowsExplorer/TryHarderPinnedLibrary](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-tryharderpinnedlibrary) +- [ADMX_WindowsExplorer/TryHarderPinnedOpenSearch](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-tryharderpinnedopensearch) - [ADMX_WindowsMediaDRM/DisableOnline](./policy-csp-admx-windowsmediadrm.md#admx-windowsmediadrm-disableonline) - [ADMX_WindowsMediaPlayer/ConfigureHTTPProxySettings](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-configurehttpproxysettings) - [ADMX_WindowsMediaPlayer/ConfigureMMSProxySettings](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-configuremmsproxysettings) @@ -462,9 +783,17 @@ ms.date: 10/08/2020 - [ADMX_WindowsMediaPlayer/PreventWMPDeskTopShortcut](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-preventwmpdesktopshortcut) - [ADMX_WindowsMediaPlayer/SkinLockDown](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-skinlockdown) - [ADMX_WindowsMediaPlayer/WindowsStreamingMediaProtocols](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-windowsstreamingmediaprotocols) +- [ADMX_WindowsStore/DisableAutoDownloadWin8](./policy-csp-admx-windowsstore.md#admx-windowsstore-disableautodownloadwin8) +- [ADMX_WindowsStore/DisableOSUpgrade_1](./policy-csp-admx-windowsstore.md#admx-windowsstore-disableosupgrade-1) +- [ADMX_WindowsStore/DisableOSUpgrade_2](./policy-csp-admx-windowsstore.md#admx-windowsstore-disableosupgrade-2) +- [ADMX_WindowsStore/RemoveWindowsStore_1](./policy-csp-admx-windowsstore.md#admx-windowsstore-removewindowsstore-1) +- [ADMX_WindowsStore/RemoveWindowsStore_2](./policy-csp-admx-windowsstore.md#admx-windowsstore-removewindowsstore-2) - [ADMX_WinInit/DisableNamedPipeShutdownPolicyDescription](./policy-csp-admx-wininit.md#admx-wininit-disablenamedpipeshutdownpolicydescription) - [ADMX_WinInit/Hiberboot](./policy-csp-admx-wininit.md#admx-wininit-hiberboot) - [ADMX_WinInit/ShutdownTimeoutHungSessionsDescription](./policy-csp-admx-wininit.md#admx-wininit-shutdowntimeouthungsessionsdescription) +- [ADMX_wlansvc/SetCost](./policy-csp-admx-wlansvc.md#admx-wlansvc-setcost) +- [ADMX_wlansvc/SetPINEnforced](./policy-csp-admx-wlansvc.md#admx-wlansvc-setpinenforced) +- [ADMX_wlansvc/SetPINPreferred](./policy-csp-admx-wlansvc.md#admx-wlansvc-setpinpreferred) - [AppRuntime/AllowMicrosoftAccountsToBeOptional](./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional) - [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient) - [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization) diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md index 739826c640..bd4bcafd21 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md @@ -50,17 +50,17 @@ ms.date: 10/08/2020 - [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength) - [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana) - [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#experience-allowmanualmdmunenrollment) -- [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) -- [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) -- [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics) -- [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#mixedreality-microphonedisabled) -- [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#mixedreality-volumebuttondisabled) -- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) -- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) -- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#power-energysaverbatterythresholdonbattery) -- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#power-energysaverbatterythresholdpluggedin) -- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery) -- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin) +- [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) 9 +- [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) 9 +- [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics) 9 +- [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#mixedreality-microphonedisabled) 9 +- [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#mixedreality-volumebuttondisabled) 9 +- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) 9 +- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) 9 +- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#power-energysaverbatterythresholdonbattery) 9 +- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#power-energysaverbatterythresholdpluggedin) 9 +- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery) 9 +- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin) 9 - [Privacy/AllowInputPersonalization](policy-csp-privacy.md#privacy-allowinputpersonalization) - [Privacy/LetAppsAccessAccountInfo](policy-csp-privacy.md#privacy-letappsaccessaccountinfo) - [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forceallowtheseapps) @@ -83,20 +83,22 @@ ms.date: 10/08/2020 - [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-forceallowtheseapps) 8 - [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-forcedenytheseapps) 8 - [Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-userincontroloftheseapps) 8 +- [RemoteLock/Lock](https://docs.microsoft.com/windows/client-management/mdm/remotelock-csp) 9 - [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation) -- [Security/AllowAddProvisioningPackage](policy-csp-security.md#security-allowaddprovisioningpackage) -- [Security/AllowRemoveProvisioningPackage](policy-csp-security.md#security-allowremoveprovisioningpackage) +- [Security/AllowAddProvisioningPackage](policy-csp-security.md#security-allowaddprovisioningpackage) 9 +- [Security/AllowRemoveProvisioningPackage](policy-csp-security.md#security-allowremoveprovisioningpackage) 9 - [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime) - [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn) +- [Settings/PageVisibilityList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-settings#settings-pagevisibilitylist) 9 - [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate) - [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline) - [System/AllowLocation](policy-csp-system.md#system-allowlocation) - [System/AllowStorageCard](policy-csp-system.md#system-allowstoragecard) - [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry) -- [TimeLanguageSettings/ConfigureTimeZone](./policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone) -- [Update/ActiveHoursEnd](./policy-csp-update.md#update-activehoursend) -- [Update/ActiveHoursMaxRange](./policy-csp-update.md#update-activehoursmaxrange) -- [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart) +- [TimeLanguageSettings/ConfigureTimeZone](./policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone) 9 +- [Update/ActiveHoursEnd](./policy-csp-update.md#update-activehoursend) 9 +- [Update/ActiveHoursMaxRange](./policy-csp-update.md#update-activehoursmaxrange) 9 +- [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart) 9 - [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate) - [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice) - [Update/BranchReadinessLevel](policy-csp-update.md#update-branchreadinesslevel) @@ -122,6 +124,7 @@ Footnotes: - 6 - Available in Windows 10, version 1903. - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. +- 9 - Available in [Windows Holographic, version 20H2](https://docs.microsoft.com/hololens/hololens-release-notes#windows-holographic-version-20h2) ## Related topics diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 475eff78fd..a1a8db3a83 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -245,6 +245,76 @@ The following diagram shows the Policy configuration service provider in tree fo +### ADMX_Bits policies + +
+
+ ADMX_Bits/BITS_DisableBranchCache +
+
+ ADMX_Bits/BITS_DisablePeercachingClient +
+
+ ADMX_Bits/BITS_DisablePeercachingServer +
+
+ ADMX_Bits/BITS_EnablePeercaching +
+
+ ADMX_Bits/BITS_MaxBandwidthServedForPeers +
+
+ ADMX_Bits/BITS_MaxBandwidthV2_Maintenance +
+
+ ADMX_Bits/BITS_MaxBandwidthV2_Work +
+
+ ADMX_Bits/BITS_MaxCacheSize +
+
+ ADMX_Bits/BITS_MaxContentAge +
+
+ ADMX_Bits/BITS_MaxDownloadTime +
+
+ ADMX_Bits/BITS_MaxFilesPerJob +
+
+ ADMX_Bits/BITS_MaxJobsPerMachine +
+
+ ADMX_Bits/BITS_MaxJobsPerUser +
+
+ ADMX_Bits/BITS_MaxRangesPerFile +
+
+ +### ADMX_CipherSuiteOrder policies + +
+
+ ADMX_CipherSuiteOrder/SSLCipherSuiteOrder +
+
+ ADMX_CipherSuiteOrder/SSLCurveOrder +
+
+ +### ADMX_COM policies + +
+
+ ADMX_COM/AppMgmt_COM_SearchForCLSID_1 +
+
+ ADMX_COM/AppMgmt_COM_SearchForCLSID_2 +
+
+ + ### ADMX_Cpls policies
@@ -551,6 +621,323 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_MMCSnapins policies + +
+
+ ADMX_MMCSnapins/MMC_ADMComputers_1 +
+
+ ADMX_MMCSnapins/MMC_ADMComputers_2 +
+
+ ADMX_MMCSnapins/MMC_ADMUsers_1 +
+
+ ADMX_MMCSnapins/MMC_ADMUsers_2 +
+
+ ADMX_MMCSnapins/MMC_ADSI +
+
+ ADMX_MMCSnapins/MMC_ActiveDirDomTrusts +
+
+ ADMX_MMCSnapins/MMC_ActiveDirSitesServices +
+
+ ADMX_MMCSnapins/MMC_ActiveDirUsersComp +
+
+ ADMX_MMCSnapins/MMC_AppleTalkRouting +
+
+ ADMX_MMCSnapins/MMC_AuthMan +
+
+ ADMX_MMCSnapins/MMC_CertAuth +
+
+ ADMX_MMCSnapins/MMC_CertAuthPolSet +
+
+ ADMX_MMCSnapins/MMC_Certs +
+
+ ADMX_MMCSnapins/MMC_CertsTemplate +
+
+ ADMX_MMCSnapins/MMC_ComponentServices +
+
+ ADMX_MMCSnapins/MMC_ComputerManagement +
+
+ ADMX_MMCSnapins/MMC_ConnectionSharingNAT +
+
+ ADMX_MMCSnapins/MMC_DCOMCFG +
+
+ ADMX_MMCSnapins/MMC_DFS +
+
+ ADMX_MMCSnapins/MMC_DHCPRelayMgmt +
+
+ ADMX_MMCSnapins/MMC_DeviceManager_1 +
+
+ ADMX_MMCSnapins/MMC_DeviceManager_2 +
+
+ ADMX_MMCSnapins/MMC_DiskDefrag +
+
+ ADMX_MMCSnapins/MMC_DiskMgmt +
+
+ ADMX_MMCSnapins/MMC_EnterprisePKI +
+
+ ADMX_MMCSnapins/MMC_EventViewer_1 +
+
+ ADMX_MMCSnapins/MMC_EventViewer_2 +
+
+ ADMX_MMCSnapins/MMC_EventViewer_3 +
+
+ ADMX_MMCSnapins/MMC_EventViewer_4 +
+
+ ADMX_MMCSnapins/MMC_FAXService +
+
+ ADMX_MMCSnapins/MMC_FailoverClusters +
+
+ ADMX_MMCSnapins/MMC_FolderRedirection_1 +
+
+ ADMX_MMCSnapins/MMC_FolderRedirection_2 +
+
+ ADMX_MMCSnapins/MMC_FrontPageExt +
+
+ ADMX_MMCSnapins/MMC_GroupPolicyManagementSnapIn +
+
+ ADMX_MMCSnapins/MMC_GroupPolicySnapIn +
+
+ ADMX_MMCSnapins/MMC_GroupPolicyTab +
+
+ ADMX_MMCSnapins/MMC_HRA +
+
+ ADMX_MMCSnapins/MMC_IAS +
+
+ ADMX_MMCSnapins/MMC_IASLogging +
+
+ ADMX_MMCSnapins/MMC_IEMaintenance_1 +
+
+ ADMX_MMCSnapins/MMC_IEMaintenance_2 +
+
+ ADMX_MMCSnapins/MMC_IGMPRouting +
+
+ ADMX_MMCSnapins/MMC_IIS +
+
+ ADMX_MMCSnapins/MMC_IPRouting +
+
+ ADMX_MMCSnapins/MMC_IPSecManage_GP +
+
+ ADMX_MMCSnapins/MMC_IPXRIPRouting +
+
+ ADMX_MMCSnapins/MMC_IPXRouting +
+
+ ADMX_MMCSnapins/MMC_IPXSAPRouting +
+
+ ADMX_MMCSnapins/MMC_IndexingService +
+
+ ADMX_MMCSnapins/MMC_IpSecManage +
+
+ ADMX_MMCSnapins/MMC_IpSecMonitor +
+
+ ADMX_MMCSnapins/MMC_LocalUsersGroups +
+
+ ADMX_MMCSnapins/MMC_LogicalMappedDrives +
+
+ ADMX_MMCSnapins/MMC_NPSUI +
+
+ ADMX_MMCSnapins/MMC_NapSnap +
+
+ ADMX_MMCSnapins/MMC_NapSnap_GP +
+
+ ADMX_MMCSnapins/MMC_Net_Framework +
+
+ ADMX_MMCSnapins/MMC_OCSP +
+
+ ADMX_MMCSnapins/MMC_OSPFRouting +
+
+ ADMX_MMCSnapins/MMC_PerfLogsAlerts +
+
+ ADMX_MMCSnapins/MMC_PublicKey +
+
+ ADMX_MMCSnapins/MMC_QoSAdmission +
+
+ ADMX_MMCSnapins/MMC_RAS_DialinUser +
+
+ ADMX_MMCSnapins/MMC_RIPRouting +
+
+ ADMX_MMCSnapins/MMC_RIS +
+
+ ADMX_MMCSnapins/MMC_RRA +
+
+ ADMX_MMCSnapins/MMC_RSM +
+
+ ADMX_MMCSnapins/MMC_RemStore +
+
+ ADMX_MMCSnapins/MMC_RemoteAccess +
+
+ ADMX_MMCSnapins/MMC_RemoteDesktop +
+
+ ADMX_MMCSnapins/MMC_ResultantSetOfPolicySnapIn +
+
+ ADMX_MMCSnapins/MMC_Routing +
+
+ ADMX_MMCSnapins/MMC_SCA +
+
+ ADMX_MMCSnapins/MMC_SMTPProtocol +
+
+ ADMX_MMCSnapins/MMC_SNMP +
+
+ ADMX_MMCSnapins/MMC_ScriptsMachine_1 +
+
+ ADMX_MMCSnapins/MMC_ScriptsMachine_2 +
+
+ ADMX_MMCSnapins/MMC_ScriptsUser_1 +
+
+ ADMX_MMCSnapins/MMC_ScriptsUser_2 +
+
+ ADMX_MMCSnapins/MMC_SecuritySettings_1 +
+
+ ADMX_MMCSnapins/MMC_SecuritySettings_2 +
+
+ ADMX_MMCSnapins/MMC_SecurityTemplates +
+
+ ADMX_MMCSnapins/MMC_SendConsoleMessage +
+
+ ADMX_MMCSnapins/MMC_ServerManager +
+
+ ADMX_MMCSnapins/MMC_ServiceDependencies +
+
+ ADMX_MMCSnapins/MMC_Services +
+
+ ADMX_MMCSnapins/MMC_SharedFolders +
+
+ ADMX_MMCSnapins/MMC_SharedFolders_Ext +
+
+ ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_1 +
+
+ ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_2 +
+
+ ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_1 +
+
+ ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_2 +
+
+ ADMX_MMCSnapins/MMC_SysInfo +
+
+ ADMX_MMCSnapins/MMC_SysProp +
+
+ ADMX_MMCSnapins/MMC_TPMManagement +
+
+ ADMX_MMCSnapins/MMC_Telephony +
+
+ ADMX_MMCSnapins/MMC_TerminalServices +
+
+ ADMX_MMCSnapins/MMC_WMI +
+
+ ADMX_MMCSnapins/MMC_WindowsFirewall +
+
+ ADMX_MMCSnapins/MMC_WindowsFirewall_GP +
+
+ ADMX_MMCSnapins/MMC_WiredNetworkPolicy +
+
+ ADMX_MMCSnapins/MMC_WirelessMon +
+
+ ADMX_MMCSnapins/MMC_WirelessNetworkPolicy +
+
+ ### ADMX_MSAPolicy policies
@@ -721,6 +1108,92 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_NetworkConnections policies + +
+
+ ADMX_NetworkConnections/NC_AddRemoveComponents +
+
+ ADMX_NetworkConnections/NC_AdvancedSettings +
+
+ ADMX_NetworkConnections/NC_AllowAdvancedTCPIPConfig +
+
+ ADMX_NetworkConnections/NC_ChangeBindState +
+
+ ADMX_NetworkConnections/NC_DeleteAllUserConnection +
+
+ ADMX_NetworkConnections/NC_DeleteConnection +
+
+ ADMX_NetworkConnections/NC_DialupPrefs +
+
+ ADMX_NetworkConnections/NC_DoNotShowLocalOnlyIcon +
+
+ ADMX_NetworkConnections/NC_EnableAdminProhibits +
+
+ ADMX_NetworkConnections/NC_ForceTunneling +
+
+ ADMX_NetworkConnections/NC_IpStateChecking +
+
+ ADMX_NetworkConnections/NC_LanChangeProperties +
+
+ ADMX_NetworkConnections/NC_LanConnect +
+
+ ADMX_NetworkConnections/NC_LanProperties +
+
+ ADMX_NetworkConnections/NC_NewConnectionWizard +
+
+ ADMX_NetworkConnections/NC_PersonalFirewallConfig +
+
+ ADMX_NetworkConnections/NC_RasAllUserProperties +
+
+ ADMX_NetworkConnections/NC_RasChangeProperties +
+
+ ADMX_NetworkConnections/NC_RasConnect +
+
+ ADMX_NetworkConnections/NC_RasMyProperties +
+
+ ADMX_NetworkConnections/NC_RenameAllUserRasConnection +
+
+ ADMX_NetworkConnections/NC_RenameConnection +
+
+ ADMX_NetworkConnections/NC_RenameLanConnection +
+
+ ADMX_NetworkConnections/NC_RenameMyRasConnection +
+
+ ADMX_NetworkConnections/NC_ShowSharedAccessUI +
+
+ ADMX_NetworkConnections/NC_Statistics +
+
+ ADMX_NetworkConnections/NC_StdDomainUserSetLocation +
+
+ ### ADMX_OfflineFiles policies
@@ -912,6 +1385,23 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_PowerShellExecutionPolicy policies + +
+
+ ADMX_PowerShellExecutionPolicy/EnableModuleLogging +
+
+ ADMX_PowerShellExecutionPolicy/EnableScripts +
+
+ ADMX_PowerShellExecutionPolicy/EnableTranscripting +
+
+ ADMX_PowerShellExecutionPolicy/EnableUpdateHelpDefaultSourcePath +
+
+ ### ADMX_Reliability policies
@@ -992,6 +1482,26 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_Sensors policies + +
+
+ ADMX_Sensors/DisableLocationScripting_1 +
+
+ ADMX_Sensors/DisableLocationScripting_2 +
+
+ ADMX_Sensors/DisableLocation_1 +
+
+ ADMX_Sensors/DisableSensors_1 +
+
+ ADMX_Sensors/DisableSensors_2 +
+
+ ### ADMX_Servicing policies
@@ -1019,7 +1529,7 @@ The following diagram shows the Policy configuration service provider in tree fo
-### ADMX_ShellCommandPromptRegEditTools policies +## ADMX_ShellCommandPromptRegEditTools policies
@@ -1089,7 +1599,7 @@ The following diagram shows the Policy configuration service provider in tree fo
-## ADMX_Snmp policies +### ADMX_Snmp policies
@@ -1103,7 +1613,284 @@ The following diagram shows the Policy configuration service provider in tree fo
-## ADMX_tcpip policies +### ADMX_StartMenu policies + +
+
+ ADMX_StartMenu/AddSearchInternetLinkInStartMenu +
+
+ ADMX_StartMenu/ClearRecentDocsOnExit +
+
+ ADMX_StartMenu/ClearRecentProgForNewUserInStartMenu +
+
+ ADMX_StartMenu/ClearTilesOnExit +
+
+ ADMX_StartMenu/DesktopAppsFirstInAppsView +
+
+ ADMX_StartMenu/DisableGlobalSearchOnAppsView +
+
+ ADMX_StartMenu/ForceStartMenuLogOff +
+
+ ADMX_StartMenu/GoToDesktopOnSignIn +
+
+ ADMX_StartMenu/GreyMSIAds +
+
+ ADMX_StartMenu/HidePowerOptions +
+
+ ADMX_StartMenu/Intellimenus +
+
+ ADMX_StartMenu/LockTaskbar +
+
+ ADMX_StartMenu/MemCheckBoxInRunDlg +
+
+ ADMX_StartMenu/NoAutoTrayNotify +
+
+ ADMX_StartMenu/NoBalloonTip +
+
+ ADMX_StartMenu/NoChangeStartMenu +
+
+ ADMX_StartMenu/NoClose +
+
+ ADMX_StartMenu/NoCommonGroups +
+
+ ADMX_StartMenu/NoFavoritesMenu +
+
+ ADMX_StartMenu/NoFind +
+
+ ADMX_StartMenu/NoGamesFolderOnStartMenu +
+
+ ADMX_StartMenu/NoHelp +
+
+ ADMX_StartMenu/NoInstrumentation +
+
+ ADMX_StartMenu/NoMoreProgramsList +
+
+ ADMX_StartMenu/NoNetAndDialupConnect +
+
+ ADMX_StartMenu/NoPinnedPrograms +
+
+ ADMX_StartMenu/NoRecentDocsMenu +
+
+ ADMX_StartMenu/NoResolveSearch +
+
+ ADMX_StartMenu/NoResolveTrack +
+
+ ADMX_StartMenu/NoRun +
+
+ ADMX_StartMenu/NoSMConfigurePrograms +
+
+ ADMX_StartMenu/NoSMMyDocuments +
+
+ ADMX_StartMenu/NoSMMyMusic +
+
+ ADMX_StartMenu/NoSMMyNetworkPlaces +
+
+ ADMX_StartMenu/NoSMMyPictures +
+
+ ADMX_StartMenu/NoSearchCommInStartMenu +
+
+ ADMX_StartMenu/NoSearchComputerLinkInStartMenu +
+
+ ADMX_StartMenu/NoSearchEverywhereLinkInStartMenu +
+
+ ADMX_StartMenu/NoSearchFilesInStartMenu +
+
+ ADMX_StartMenu/NoSearchInternetInStartMenu +
+
+ ADMX_StartMenu/NoSearchProgramsInStartMenu +
+
+ ADMX_StartMenu/NoSetFolders +
+
+ ADMX_StartMenu/NoSetTaskbar +
+
+ ADMX_StartMenu/NoStartMenuDownload +
+
+ ADMX_StartMenu/NoStartMenuHomegroup +
+
+ ADMX_StartMenu/NoStartMenuRecordedTV +
+
+ ADMX_StartMenu/NoStartMenuSubFolders +
+
+ ADMX_StartMenu/NoStartMenuVideos +
+
+ ADMX_StartMenu/NoStartPage +
+
+ ADMX_StartMenu/NoTaskBarClock +
+
+ ADMX_StartMenu/NoTaskGrouping +
+
+ ADMX_StartMenu/NoToolbarsOnTaskbar +
+
+ ADMX_StartMenu/NoTrayContextMenu +
+
+ ADMX_StartMenu/NoTrayItemsDisplay +
+
+ ADMX_StartMenu/NoUninstallFromStart +
+
+ ADMX_StartMenu/NoUserFolderOnStartMenu +
+
+ ADMX_StartMenu/NoUserNameOnStartMenu +
+
+ ADMX_StartMenu/NoWindowsUpdate +
+
+ ADMX_StartMenu/PowerButtonAction +
+
+ ADMX_StartMenu/QuickLaunchEnabled +
+
+ ADMX_StartMenu/RemoveUnDockPCButton +
+
+ ADMX_StartMenu/ShowAppsViewOnStart +
+
+ ADMX_StartMenu/ShowRunAsDifferentUserInStart +
+
+ ADMX_StartMenu/ShowRunInStartMenu +
+
+ ADMX_StartMenu/ShowStartOnDisplayWithForegroundOnWinKey +
+
+ ADMX_StartMenu/StartMenuLogOff +
+
+ ADMX_StartMenu/StartPinAppsWhenInstalled +
+
+ +### ADMX_Taskbar policies + +
+
+ ADMX_Taskbar/DisableNotificationCenter +
+
+ ADMX_Taskbar/EnableLegacyBalloonNotifications +
+
+ ADMX_Taskbar/HideSCAHealth +
+
+ ADMX_Taskbar/HideSCANetwork +
+
+ ADMX_Taskbar/HideSCAPower +
+
+ ADMX_Taskbar/HideSCAVolume +
+
+ ADMX_Taskbar/NoBalloonFeatureAdvertisements +
+
+ ADMX_Taskbar/NoPinningStoreToTaskbar +
+
+ ADMX_Taskbar/NoPinningToDestinations +
+
+ ADMX_Taskbar/NoPinningToTaskbar +
+
+ ADMX_Taskbar/NoRemoteDestinations +
+
+ ADMX_Taskbar/NoSystraySystemPromotion +
+
+ ADMX_Taskbar/ShowWindowsStoreAppsOnTaskbar +
+
+ ADMX_Taskbar/TaskbarLockAll +
+
+ ADMX_Taskbar/TaskbarNoAddRemoveToolbar +
+
+ ADMX_Taskbar/TaskbarNoDragToolbar +
+
+ ADMX_Taskbar/TaskbarNoMultimon +
+
+ ADMX_Taskbar/TaskbarNoNotification +
+
+ ADMX_Taskbar/TaskbarNoPinnedList +
+
+ ADMX_Taskbar/TaskbarNoRedock +
+
+ ADMX_Taskbar/TaskbarNoResize +
+
+ ADMX_Taskbar/TaskbarNoThumbnail +
+
+ +### ADMX_tcpip policies
@@ -1147,7 +1934,7 @@ The following diagram shows the Policy configuration service provider in tree fo
-## ADMX_Thumbnails policies +### ADMX_Thumbnails policies
@@ -1596,6 +2383,20 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_WCM policies + +
+
+ ADMX_WCM/WCM_DisablePowerManagement +
+
+ ADMX_WCM/WCM_EnableSoftDisconnect +
+
+ ADMX_WCM/WCM_MinimizeConnections +
+
+ ### ADMX_WinCal policies
@@ -1615,7 +2416,7 @@ The following diagram shows the Policy configuration service provider in tree fo
-## ADMX_WindowsConnectNow policies +### ADMX_WindowsConnectNow policies
@@ -1629,6 +2430,225 @@ The following diagram shows the Policy configuration service provider in tree fo
+ +### ADMX_WindowsExplorer policies + +
+
+ ADMX_WindowsExplorer/CheckSameSourceAndTargetForFRAndDFS +
+
+ ADMX_WindowsExplorer/ClassicShell +
+
+ ADMX_WindowsExplorer/ConfirmFileDelete +
+
+ ADMX_WindowsExplorer/DefaultLibrariesLocation +
+
+ ADMX_WindowsExplorer/DisableBindDirectlyToPropertySetStorage +
+
+ ADMX_WindowsExplorer/DisableIndexedLibraryExperience +
+
+ ADMX_WindowsExplorer/DisableKnownFolders +
+
+ ADMX_WindowsExplorer/DisableSearchBoxSuggestions +
+
+ ADMX_WindowsExplorer/EnableShellShortcutIconRemotePath +
+
+ ADMX_WindowsExplorer/EnableSmartScreen +
+
+ ADMX_WindowsExplorer/EnforceShellExtensionSecurity +
+
+ ADMX_WindowsExplorer/ExplorerRibbonStartsMinimized +
+
+ ADMX_WindowsExplorer/HideContentViewModeSnippets +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Internet +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_InternetLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Intranet +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_IntranetLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachine +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachineLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Restricted +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_RestrictedLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Trusted +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_TrustedLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Internet +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_InternetLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Intranet +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_IntranetLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachine +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachineLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Restricted +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_RestrictedLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Trusted +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_TrustedLockdown +
+
+ ADMX_WindowsExplorer/LinkResolveIgnoreLinkInfo +
+
+ ADMX_WindowsExplorer/MaxRecentDocs +
+
+ ADMX_WindowsExplorer/NoBackButton +
+
+ ADMX_WindowsExplorer/NoCDBurning +
+
+ ADMX_WindowsExplorer/NoCacheThumbNailPictures +
+
+ ADMX_WindowsExplorer/NoChangeAnimation +
+
+ ADMX_WindowsExplorer/NoChangeKeyboardNavigationIndicators +
+
+ ADMX_WindowsExplorer/NoDFSTab +
+
+ ADMX_WindowsExplorer/NoDrives +
+
+ ADMX_WindowsExplorer/NoEntireNetwork +
+
+ ADMX_WindowsExplorer/NoFileMRU +
+
+ ADMX_WindowsExplorer/NoFileMenu +
+
+ ADMX_WindowsExplorer/NoFolderOptions +
+
+ ADMX_WindowsExplorer/NoHardwareTab +
+
+ ADMX_WindowsExplorer/NoManageMyComputerVerb +
+
+ ADMX_WindowsExplorer/NoMyComputerSharedDocuments +
+
+ ADMX_WindowsExplorer/NoNetConnectDisconnect +
+
+ ADMX_WindowsExplorer/NoNewAppAlert +
+
+ ADMX_WindowsExplorer/NoPlacesBar +
+
+ ADMX_WindowsExplorer/NoRecycleFiles +
+
+ ADMX_WindowsExplorer/NoRunAsInstallPrompt +
+
+ ADMX_WindowsExplorer/NoSearchInternetTryHarderButton +
+
+ ADMX_WindowsExplorer/NoSecurityTab +
+
+ ADMX_WindowsExplorer/NoShellSearchButton +
+
+ ADMX_WindowsExplorer/NoStrCmpLogical +
+
+ ADMX_WindowsExplorer/NoViewContextMenu +
+
+ ADMX_WindowsExplorer/NoViewOnDrive +
+
+ ADMX_WindowsExplorer/NoWindowsHotKeys +
+
+ ADMX_WindowsExplorer/NoWorkgroupContents +
+
+ ADMX_WindowsExplorer/PlacesBar +
+
+ ADMX_WindowsExplorer/PromptRunasInstallNetPath +
+
+ ADMX_WindowsExplorer/RecycleBinSize +
+
+ ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_1 +
+
+ ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_2 +
+
+ ADMX_WindowsExplorer/ShowHibernateOption +
+
+ ADMX_WindowsExplorer/ShowSleepOption +
+
+ ADMX_WindowsExplorer/TryHarderPinnedLibrary +
+
+ ADMX_WindowsExplorer/TryHarderPinnedOpenSearch +
+
+ ### ADMX_WindowsMediaDRM policies
@@ -1705,6 +2725,26 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_WindowsStore policies + +
+
+ ADMX_WindowsStore/DisableAutoDownloadWin8 +
+
+ ADMX_WindowsStore/DisableOSUpgrade_1 +
+
+ ADMX_WindowsStore/DisableOSUpgrade_2 +
+
+ ADMX_WindowsStore/RemoveWindowsStore_1 +
+
+ ADMX_WindowsStore/RemoveWindowsStore_2 +
+
+ ### ADMX_WinInit policies
@@ -1719,6 +2759,20 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_wlansvc policies + +
+
+ ADMX_wlansvc/SetCost +
+
+ ADMX_wlansvc/SetPINEnforced +
+
+ ADMX_wlansvc/SetPINPreferred +
+
+ ### ApplicationDefaults policies
@@ -4104,6 +5158,14 @@ The following diagram shows the Policy configuration service provider in tree fo
+### Multitasking policies + +
+
+ Multitasking/BrowserAltTabBlowout +
+
+ ### NetworkIsolation policies
diff --git a/windows/client-management/mdm/policy-csp-admx-bits.md b/windows/client-management/mdm/policy-csp-admx-bits.md new file mode 100644 index 0000000000..b5f4b7b748 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-bits.md @@ -0,0 +1,1101 @@ +--- +title: Policy CSP - ADMX_Bits +description: Policy CSP - ADMX_Bits +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 10/20/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Bits +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_Bits policies + +
+
+ ADMX_Bits/BITS_DisableBranchCache +
+
+ ADMX_Bits/BITS_DisablePeercachingClient +
+
+ ADMX_Bits/BITS_DisablePeercachingServer +
+
+ ADMX_Bits/BITS_EnablePeercaching +
+
+ ADMX_Bits/BITS_MaxBandwidthServedForPeers +
+
+ ADMX_Bits/BITS_MaxBandwidthV2_Maintenance +
+
+ ADMX_Bits/BITS_MaxBandwidthV2_Work +
+
+ ADMX_Bits/BITS_MaxCacheSize +
+
+ ADMX_Bits/BITS_MaxContentAge +
+
+ ADMX_Bits/BITS_MaxDownloadTime +
+
+ ADMX_Bits/BITS_MaxFilesPerJob +
+
+ ADMX_Bits/BITS_MaxJobsPerMachine +
+
+ ADMX_Bits/BITS_MaxJobsPerUser +
+
+ ADMX_Bits/BITS_MaxRangesPerFile +
+
+ + +
+ + +**ADMX_Bits/BITS_DisableBranchCache** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting affects whether the BITS client is allowed to use Windows Branch Cache. If the Windows Branch Cache component is installed and enabled on a computer, BITS jobs on that computer can use Windows Branch Cache by default. + +If you enable this policy setting, the BITS client does not use Windows Branch Cache. + +If you disable or do not configure this policy setting, the BITS client uses Windows Branch Cache. + +> [!NOTE] +> This policy setting does not affect the use of Windows Branch Cache by applications other than BITS. This policy setting does not apply to BITS transfers over SMB. This setting has no effect if the computer's administrative settings for Windows Branch Cache disable its use entirely. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow the BITS client to use Windows Branch Cache* +- GP name: *BITS_DisableBranchCache* +- GP path: *Network\Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + +
+ + +**ADMX_Bits/BITS_DisablePeercachingClient** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the computer will act as a BITS peer caching client. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers). + +If you enable this policy setting, the computer will no longer use the BITS peer caching feature to download files; files will be downloaded only from the origin server. However, the computer will still make files available to its peers. + +If you disable or do not configure this policy setting, the computer attempts to download peer-enabled BITS jobs from peer computers before reverting to the origin server. + +> [!NOTE] +> This policy setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow the computer to act as a BITS Peercaching client* +- GP name: *BITS_DisablePeercachingClient* +- GP path: *Network\Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + +
+ + +**ADMX_Bits/BITS_DisablePeercachingServer** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the computer will act as a BITS peer caching server. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers). + +If you enable this policy setting, the computer will no longer cache downloaded files and offer them to its peers. However, the computer will still download files from peers. + +If you disable or do not configure this policy setting, the computer will offer downloaded and cached files to its peers. + +> [!NOTE] +> This setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow the computer to act as a BITS Peercaching server* +- GP name: *BITS_DisablePeercachingServer* +- GP path: *Network\Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + + +
+ + +**ADMX_Bits/BITS_EnablePeercaching** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines if the Background Intelligent Transfer Service (BITS) peer caching feature is enabled on a specific computer. By default, the files in a BITS job are downloaded only from the origin server specified by the job's owner. + +If BITS peer caching is enabled, BITS caches downloaded files and makes them available to other BITS peers. When transferring a download job, BITS first requests the files for the job from its peers in the same IP subnet. If none of the peers in the subnet have the requested files, BITS downloads them from the origin server. + +If you enable this policy setting, BITS downloads files from peers, caches the files, and responds to content requests from peers. Using the "Do not allow the computer to act as a BITS peer caching server" and "Do not allow the computer to act as a BITS peer caching client" policy settings, it is possible to control BITS peer caching functionality at a more detailed level. However, it should be noted that the "Allow BITS peer caching" policy setting must be enabled for the other two policy settings to have any effect. + +If you disable or do not configure this policy setting, the BITS peer caching feature will be disabled, and BITS will download files directly from the origin server. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow BITS Peercaching* +- GP name: *BITS_EnablePeercaching* +- GP path: *Network\Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + + +
+ + +**ADMX_Bits/BITS_MaxBandwidthServedForPeers** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting limits the network bandwidth that BITS uses for peer cache transfers (this setting does not affect transfers from the origin server). + +To prevent any negative impact to a computer caused by serving other peers, by default BITS will use up to 30 percent of the bandwidth of the slowest active network interface. For example, if a computer has both a 100 Mbps network card and a 56 Kbps modem, and both are active, BITS will use a maximum of 30 percent of 56 Kbps. + +You can change the default behavior of BITS, and specify a fixed maximum bandwidth that BITS will use for peer caching. + +If you enable this policy setting, you can enter a value in bits per second (bps) between 1048576 and 4294967200 to use as the maximum network bandwidth used for peer caching. + +If you disable this policy setting or do not configure it, the default value of 30 percent of the slowest active network interface will be used. + +> [!NOTE] +> This setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Limit the maximum network bandwidth used for Peercaching* +- GP name: *BITS_MaxBandwidthServedForPeers* +- GP path: *Network\Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + +
+ + +**ADMX_Bits/BITS_MaxBandwidthV2_Maintenance** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the maintenance days and hours. Maintenance schedules further limit the network bandwidth that is used for background transfers. + +If you enable this policy setting, you can define a separate set of network bandwidth limits and set up a schedule for the maintenance period. + +You can specify a limit to use for background jobs during a maintenance schedule. For example, if normal priority jobs are currently limited to 256 Kbps on a work schedule, you can further limit the network bandwidth of normal priority jobs to 0 Kbps from 8:00 A.M. to 10:00 A.M. on a maintenance schedule. + +If you disable or do not configure this policy setting, the limits defined for work or non-work schedules will be used. + +> [!NOTE] +> The bandwidth limits that are set for the maintenance period supersede any limits defined for work and other schedules. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set up a maintenance schedule to limit the maximum network bandwidth used for BITS background transfers* +- GP name: *BITS_MaxBandwidthV2_Maintenance* +- GP path: *Network\Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + + +
+ + +**ADMX_Bits/BITS_MaxBandwidthV2_Work** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the work and non-work days and hours. The work schedule is defined using a weekly calendar, which consists of days of the week and hours of the day. All hours and days that are not defined in a work schedule are considered non-work hours. + +If you enable this policy setting, you can set up a schedule for limiting network bandwidth during both work and non-work hours. After the work schedule is defined, you can set the bandwidth usage limits for each of the three BITS background priority levels: high, normal, and low. + +You can specify a limit to use for background jobs during a work schedule. For example, you can limit the network bandwidth of low priority jobs to 128 Kbps from 8:00 A.M. to 5:00 P.M. on Monday through Friday, and then set the limit to 512 Kbps for non-work hours. + +If you disable or do not configure this policy setting, BITS uses all available unused bandwidth for background job transfers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set up a work schedule to limit the maximum network bandwidth used for BITS background transfers* +- GP name: *BITS_MaxBandwidthV2_Work* +- GP path: *Network\Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + + +
+ + +**ADMX_Bits/BITS_MaxCacheSize** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting limits the maximum amount of disk space that can be used for the BITS peer cache, as a percentage of the total system disk size. BITS will add files to the peer cache and make those files available to peers until the cache content reaches the specified cache size. By default, BITS will use 1 percent of the total system disk for the peercache. + +If you enable this policy setting, you can enter the percentage of disk space to be used for the BITS peer cache. You can enter a value between 1 percent and 80 percent. + +If you disable or do not configure this policy setting, the default size of the BITS peer cache is 1 percent of the total system disk size. + +> [!NOTE] +> This policy setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Limit the BITS Peercache size* +- GP name: *BITS_MaxCacheSize* +- GP path: *Network\Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + +
+ + +**ADMX_Bits/BITS_MaxContentAge** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting limits the maximum age of files in the Background Intelligent Transfer Service (BITS) peer cache. In order to make the most efficient use of disk space, by default BITS removes any files in the peer cache that have not been accessed in the past 90 days. + +If you enable this policy setting, you can specify in days the maximum age of files in the cache. You can enter a value between 1 and 120 days. + +If you disable or do not configure this policy setting, files that have not been accessed for the past 90 days will be removed from the peer cache. + +> [!NOTE] +> This policy setting has no effect if the "Allow BITS Peercaching" policy setting is disabled or not configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Limit the age of files in the BITS Peercache* +- GP name: *BITS_MaxContentAge* +- GP path: *Network\Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + +
+ + +**ADMX_Bits/BITS_MaxDownloadTime** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting limits the amount of time that Background Intelligent Transfer Service (BITS) will take to download the files in a BITS job. + +The time limit applies only to the time that BITS is actively downloading files. When the cumulative download time exceeds this limit, the job is placed in the error state. + +By default BITS uses a maximum download time of 90 days (7,776,000 seconds). + +If you enable this policy setting, you can set the maximum job download time to a specified number of seconds. + +If you disable or do not configure this policy setting, the default value of 90 days (7,776,000 seconds) will be used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Limit the maximum BITS job download time* +- GP name: *BITS_MaxDownloadTime* +- GP path: *Network\Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + +
+ + +**ADMX_Bits/BITS_MaxFilesPerJob** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of files that a BITS job can contain. By default, a BITS job is limited to 200 files. You can use this setting to raise or lower the maximum number of files a BITS jobs can contain. + +If you enable this policy setting, BITS will limit the maximum number of files a job can contain to the specified number. + +If you disable or do not configure this policy setting, BITS will use the default value of 200 for the maximum number of files a job can contain. + +> [!NOTE] +> BITS Jobs created by services and the local administrator account do not count toward this limit. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Limit the maximum number of files allowed in a BITS job* +- GP name: *BITS_MaxFilesPerJob* +- GP path: *Network\Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + +
+ + +**ADMX_Bits/BITS_MaxJobsPerMachine** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of BITS jobs that can be created for all users of the computer. By default, BITS limits the total number of jobs that can be created on the computer to 300 jobs. You can use this policy setting to raise or lower the maximum number of user BITS jobs. + +If you enable this policy setting, BITS will limit the maximum number of BITS jobs to the specified number. + +If you disable or do not configure this policy setting, BITS will use the default BITS job limit of 300 jobs. + +> [!NOTE] +> BITS jobs created by services and the local administrator account do not count toward this limit. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Limit the maximum number of BITS jobs for this computer* +- GP name: *BITS_MaxJobsPerMachine* +- GP path: *Network\Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + +
+ + +**ADMX_Bits/BITS_MaxJobsPerUser** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of BITS jobs that can be created by a user. By default, BITS limits the total number of jobs that can be created by a user to 60 jobs. You can use this setting to raise or lower the maximum number of BITS jobs a user can create. + +If you enable this policy setting, BITS will limit the maximum number of BITS jobs a user can create to the specified number. + +If you disable or do not configure this policy setting, BITS will use the default user BITS job limit of 300 jobs. + +> [!NOTE] +> This limit must be lower than the setting specified in the "Maximum number of BITS jobs for this computer" policy setting, or 300 if the "Maximum number of BITS jobs for this computer" policy setting is not configured. BITS jobs created by services and the local administrator account do not count toward this limit. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Limit the maximum number of BITS jobs for each user* +- GP name: *BITS_MaxJobsPerUser* +- GP path: *Network\Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + +
+ + +**ADMX_Bits/BITS_MaxRangesPerFile** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of ranges that can be added to a file in a BITS job. By default, files in a BITS job are limited to 500 ranges per file. You can use this setting to raise or lower the maximum number ranges per file. + +If you enable this policy setting, BITS will limit the maximum number of ranges that can be added to a file to the specified number. + +If you disable or do not configure this policy setting, BITS will limit ranges to 500 ranges per file. + +> [!NOTE] +> BITS Jobs created by services and the local administrator account do not count toward this limit. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Limit the maximum number of ranges that can be added to the file in a BITS job* +- GP name: *BITS_MaxRangesPerFile* +- GP path: *Network\Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-networkconnections.md b/windows/client-management/mdm/policy-csp-admx-networkconnections.md new file mode 100644 index 0000000000..b2d54403e7 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-networkconnections.md @@ -0,0 +1,2199 @@ +--- +title: Policy CSP - ADMX_NetworkConnections +description: Policy CSP - ADMX_NetworkConnections +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 10/21/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_NetworkConnections + +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_NetworkConnections policies + +
+
+ ADMX_NetworkConnections/NC_AddRemoveComponents +
+
+ ADMX_NetworkConnections/NC_AdvancedSettings +
+
+ ADMX_NetworkConnections/NC_AllowAdvancedTCPIPConfig +
+
+ ADMX_NetworkConnections/NC_ChangeBindState +
+
+ ADMX_NetworkConnections/NC_DeleteAllUserConnection +
+
+ ADMX_NetworkConnections/NC_DeleteConnection +
+
+ ADMX_NetworkConnections/NC_DialupPrefs +
+
+ ADMX_NetworkConnections/NC_DoNotShowLocalOnlyIcon +
+
+ ADMX_NetworkConnections/NC_EnableAdminProhibits +
+
+ ADMX_NetworkConnections/NC_ForceTunneling +
+
+ ADMX_NetworkConnections/NC_IpStateChecking +
+
+ ADMX_NetworkConnections/NC_LanChangeProperties +
+
+ ADMX_NetworkConnections/NC_LanConnect +
+
+ ADMX_NetworkConnections/NC_LanProperties +
+
+ ADMX_NetworkConnections/NC_NewConnectionWizard +
+
+ ADMX_NetworkConnections/NC_PersonalFirewallConfig +
+
+ ADMX_NetworkConnections/NC_RasAllUserProperties +
+
+ ADMX_NetworkConnections/NC_RasChangeProperties +
+
+ ADMX_NetworkConnections/NC_RasConnect +
+
+ ADMX_NetworkConnections/NC_RasMyProperties +
+
+ ADMX_NetworkConnections/NC_RenameAllUserRasConnection +
+
+ ADMX_NetworkConnections/NC_RenameConnection +
+
+ ADMX_NetworkConnections/NC_RenameLanConnection +
+
+ ADMX_NetworkConnections/NC_RenameMyRasConnection +
+
+ ADMX_NetworkConnections/NC_ShowSharedAccessUI +
+
+ ADMX_NetworkConnections/NC_Statistics +
+
+ ADMX_NetworkConnections/NC_StdDomainUserSetLocation +
+
+ + +
+ + +**ADMX_NetworkConnections/NC_AddRemoveComponents** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether administrators can add and remove network components for a LAN or remote access connection. This setting has no effect on nonadministrators. + +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Install and Uninstall buttons for components of connections are disabled, and administrators are not permitted to access network components in the Windows Components Wizard. + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you disable this setting or do not configure it, the Install and Uninstall buttons for components of connections in the Network Connections folder are enabled. Also, administrators can gain access to network components in the Windows Components Wizard. + +The Install button opens the dialog boxes used to add network components. Clicking the Uninstall button removes the selected component in the components list (above the button). + +The Install and Uninstall buttons appear in the properties dialog box for connections. These buttons are on the General tab for LAN connections and on the Networking tab for remote access connections. + +> [!NOTE] +> When the "Prohibit access to properties of a LAN connection", "Ability to change properties of an all user remote access connection", or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the connection properties dialog box, the Install and Uninstall buttons for connections are blocked. +> +> Nonadministrators are already prohibited from adding and removing connection components, regardless of this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit adding and removing components for a LAN or remote access connection* +- GP name: *NC_AddRemoveComponents* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_AdvancedSettings** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the Advanced Settings item on the Advanced menu in Network Connections is enabled for administrators. + +The Advanced Settings item lets users view and change bindings and view and change the order in which the computer accesses connections, network providers, and print providers. + +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Advanced Settings item is disabled for administrators. + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you disable this setting or do not configure it, the Advanced Settings item is enabled for administrators. + +> [!NOTE] +> Nonadministrators are already prohibited from accessing the Advanced Settings dialog box, regardless of this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit access to the Advanced Settings item on the Advanced menu* +- GP name: *NC_AdvancedSettings* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_AllowAdvancedTCPIPConfig** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can configure advanced TCP/IP settings. + +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Advanced button on the Internet Protocol (TCP/IP) Properties dialog box is disabled for all users (including administrators). As a result, users cannot open the Advanced TCP/IP Settings Properties page and modify IP settings, such as DNS and WINS server information. + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you disable this setting, the Advanced button is enabled, and all users can open the Advanced TCP/IP Setting dialog box. + +This setting is superseded by settings that prohibit access to properties of connections or connection components. When these policies are set to deny access to the connection properties dialog box or Properties button for connection components, users cannot gain access to the Advanced button for TCP/IP configuration. + +Changing this setting from Enabled to Not Configured does not enable the Advanced button until the user logs off. + +> [!NOTE] +> Nonadministrators (excluding Network Configuration Operators) do not have permission to access TCP/IP advanced configuration for a LAN connection, regardless of this setting. + +> [!TIP] +> To open the Advanced TCP/IP Setting dialog box, in the Network Connections folder, right-click a connection icon, and click Properties. For remote access connections, click the Networking tab. In the "Components checked are used by this connection" box, click Internet Protocol (TCP/IP), click the Properties button, and then click the Advanced button. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit TCP/IP advanced configuration* +- GP name: *NC_AllowAdvancedTCPIPConfig* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_ChangeBindState** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting Determines whether administrators can enable and disable the components used by LAN connections. + +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the check boxes for enabling and disabling components are disabled. As a result, administrators cannot enable or disable the components that a connection uses. + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you disable this setting or do not configure it, the Properties dialog box for a connection includes a check box beside the name of each component that the connection uses. Selecting the check box enables the component, and clearing the check box disables the component. + +> [!NOTE] +> When the "Prohibit access to properties of a LAN connection" setting is enabled, users are blocked from accessing the check boxes for enabling and disabling the components of a LAN connection. +> +> Nonadministrators are already prohibited from enabling or disabling components for a LAN connection, regardless of this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit Enabling/Disabling components of a LAN connection* +- GP name: *NC_ChangeBindState* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_DeleteAllUserConnection** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can delete all user remote access connections. + +To create an all-user remote access connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option. + +If you enable this setting, all users can delete shared remote access connections. In addition, if your file system is NTFS, users need to have Write access to Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk to delete a shared remote access connection. + +If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), users (including administrators) cannot delete all-user remote access connections. (By default, users can still delete their private connections, but you can change the default by using the "Prohibit deletion of remote access connections" setting.) + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you do not configure this setting, only Administrators and Network Configuration Operators can delete all user remote access connections. + +When enabled, the "Prohibit deletion of remote access connections" setting takes precedence over this setting. Users (including administrators) cannot delete any remote access connections, and this setting is ignored. + +> [!NOTE] +> LAN connections are created and deleted automatically by the system when a LAN adapter is installed or removed. You cannot use the Network Connections folder to create or delete a LAN connection. +> +> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Ability to delete all user remote access connections* +- GP name: *NC_DeleteAllUserConnection* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_DeleteConnection** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can delete remote access connections. + +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), users (including administrators) cannot delete any remote access connections. This setting also disables the Delete option on the context menu for a remote access connection and on the File menu in the Network Connections folder. + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you disable this setting or do not configure it, all users can delete their private remote access connections. Private connections are those that are available only to one user. (By default, only Administrators and Network Configuration Operators can delete connections available to all users, but you can change the default by using the "Ability to delete all user remote access connections" setting.) + +When enabled, this setting takes precedence over the "Ability to delete all user remote access connections" setting. Users cannot delete any remote access connections, and the "Ability to delete all user remote access connections" setting is ignored. + +> [!NOTE] +> LAN connections are created and deleted automatically when a LAN adapter is installed or removed. You cannot use the Network Connections folder to create or delete a LAN connection. +> +> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. +> +> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit deletion of remote access connections* +- GP name: *NC_DeleteConnection* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_DialupPrefs** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the Remote Access Preferences item on the Advanced menu in Network Connections folder is enabled. + +The Remote Access Preferences item lets users create and change connections before logon and configure automatic dialing and callback features. + +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Remote Access Preferences item is disabled for all users (including administrators). + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you disable this setting or do not configure it, the Remote Access Preferences item is enabled for all users. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit access to the Remote Access Preferences item on the Advanced menu* +- GP name: *NC_DialupPrefs* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_DoNotShowLocalOnlyIcon** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether or not the "local access only" network icon will be shown. + +When enabled, the icon for Internet access will be shown in the system tray even when a user is connected to a network with local access only. + +If you disable this setting or do not configure it, the "local access only" icon will be used when a user is connected to a network with local access only. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not show the "local access only" network icon* +- GP name: *NC_DoNotShowLocalOnlyIcon* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_EnableAdminProhibits** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether settings that existed in Windows 2000 Server family will apply to Administrators. + +The set of Network Connections group settings that existed in Windows 2000 Professional also exists in Windows XP Professional. In Windows 2000 Professional, all of these settings had the ability to prohibit the use of certain features from Administrators. + +By default, Network Connections group settings in Windows XP Professional do not have the ability to prohibit the use of features from Administrators. + +If you enable this setting, the Windows XP settings that existed in Windows 2000 Professional will have the ability to prohibit Administrators from using certain features. These settings are "Ability to rename LAN connections or remote access connections available to all users", "Prohibit access to properties of components of a LAN connection", "Prohibit access to properties of components of a remote access connection", "Ability to access TCP/IP advanced configuration", "Prohibit access to the Advanced Settings Item on the Advanced Menu", "Prohibit adding and removing components for a LAN or remote access connection", "Prohibit access to properties of a LAN connection", "Prohibit Enabling/Disabling components of a LAN connection", "Ability to change properties of an all user remote access connection", "Prohibit changing properties of a private remote access connection", "Prohibit deletion of remote access connections", "Ability to delete all user remote access connections", "Prohibit connecting and disconnecting a remote access connection", "Ability to Enable/Disable a LAN connection", "Prohibit access to the New Connection Wizard", "Prohibit renaming private remote access connections", "Prohibit access to the Remote Access Preferences item on the Advanced menu", "Prohibit viewing of status for an active connection". When this setting is enabled, settings that exist in both Windows 2000 Professional and Windows XP Professional behave the same for administrators. + +If you disable this setting or do not configure it, Windows XP settings that existed in Windows 2000 will not apply to administrators. + +> [!NOTE] +> This setting is intended to be used in a situation in which the Group Policy object that these settings are being applied to contains both Windows 2000 Professional and Windows XP Professional computers, and identical Network Connections policy behavior is required between all Windows 2000 Professional and Windows XP Professional computers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable Windows 2000 Network Connections settings for Administrators* +- GP name: *NC_EnableAdminProhibits* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_ForceTunneling** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether a remote client computer routes Internet traffic through the internal network or whether the client accesses the Internet directly. + +When a remote client computer connects to an internal network using DirectAccess, it can access the Internet in two ways: through the secure tunnel that DirectAccess establishes between the computer and the internal network, or directly through the local default gateway. + +If you enable this policy setting, all traffic between a remote client computer running DirectAccess and the Internet is routed through the internal network. + +If you disable this policy setting, traffic between remote client computers running DirectAccess and the Internet is not routed through the internal network. + +If you do not configure this policy setting, traffic between remote client computers running DirectAccess and the Internet is not routed through the internal network. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Route all traffic through the internal network* +- GP name: *NC_ForceTunneling* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_IpStateChecking** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether notifications are shown to the user when a DHCP-configured connection is unable to retrieve an IP address from a DHCP server. This is often signified by the assignment of an automatic private IP address"(i.e. an IP address in the range 169.254.*.*). This indicates that a DHCP server could not be reached or the DHCP server was reached but unable to respond to the request with a valid IP address. By default, a notification is displayed providing the user with information on how the problem can be resolved. + +If you enable this policy setting, this condition will not be reported as an error to the user. + +If you disable or do not configure this policy setting, a DHCP-configured connection that has not been assigned an IP address will be reported via a notification, providing the user with information as to how the problem can be resolved. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off notifications when a connection has only limited or no connectivity* +- GP name: *NC_IpStateChecking* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_LanChangeProperties** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Administrators and Network Configuration Operators can change the properties of components used by a LAN connection. + +This setting determines whether the Properties button for components of a LAN connection is enabled. + +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties button is disabled for Administrators. Network Configuration Operators are prohibited from accessing connection components, regardless of the "Enable Network Connections settings for Administrators" setting. + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting does not apply to administrators on post-Windows 2000 computers. + +If you disable this setting or do not configure it, the Properties button is enabled for administrators and Network Configuration Operators. + +The Local Area Connection Properties dialog box includes a list of the network components that the connection uses. To view or change the properties of a component, click the name of the component, and then click the Properties button beneath the component list. + +> [!NOTE] +> Not all network components have configurable properties. For components that are not configurable, the Properties button is always disabled. +> +> When the "Prohibit access to properties of a LAN connection" setting is enabled, users are blocked from accessing the Properties button for LAN connection components. +> +> Network Configuration Operators only have permission to change TCP/IP properties. Properties for all other components are unavailable to these users. +> +> Nonadministrators are already prohibited from accessing properties of components for a LAN connection, regardless of this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit access to properties of components of a LAN connection* +- GP name: *NC_LanChangeProperties* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_LanConnect** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can enable/disable LAN connections. + +If you enable this setting, the Enable and Disable options for LAN connections are available to users (including nonadministrators). Users can enable/disable a LAN connection by double-clicking the icon representing the connection, by right-clicking it, or by using the File menu. + +If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), double-clicking the icon has no effect, and the Enable and Disable menu items are disabled for all users (including administrators). + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you do not configure this setting, only Administrators and Network Configuration Operators can enable/disable LAN connections. + +> [!NOTE] +> Administrators can still enable/disable LAN connections from Device Manager when this setting is disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Ability to Enable/Disable a LAN connection* +- GP name: *NC_LanConnect* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_LanProperties** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can change the properties of a LAN connection. + +This setting determines whether the Properties menu item is enabled, and thus, whether the Local Area Connection Properties dialog box is available to users. + +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties menu items are disabled for all users, and users cannot open the Local Area Connection Properties dialog box. + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you disable this setting or do not configure it, a Properties menu item appears when users right-click the icon representing a LAN connection. Also, when users select the connection, Properties is enabled on the File menu. + +> [!NOTE] +> This setting takes precedence over settings that manipulate the availability of features inside the Local Area Connection Properties dialog box. If this setting is enabled, nothing within the properties dialog box for a LAN connection is available to users. +> +> Nonadministrators have the right to view the properties dialog box for a connection but not to make changes, regardless of this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit access to properties of a LAN connection* +- GP name: *NC_LanProperties* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_NewConnectionWizard** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can use the New Connection Wizard, which creates new network connections. + +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Make New Connection icon does not appear in the Start Menu on in the Network Connections folder. As a result, users (including administrators) cannot start the New Connection Wizard. + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you disable this setting or do not configure it, the Make New Connection icon appears in the Start menu and in the Network Connections folder for all users. Clicking the Make New Connection icon starts the New Connection Wizard. + +> [!NOTE] +> Changing this setting from Enabled to Not Configured does not restore the Make New Connection icon until the user logs off or on. When other changes to this setting are applied, the icon does not appear or disappear in the Network Connections folder until the folder is refreshed. +> +> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit access to the New Connection Wizard* +- GP name: *NC_NewConnectionWizard* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_PersonalFirewallConfig** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prohibits use of Internet Connection Firewall on your DNS domain network. + +Determines whether users can enable the Internet Connection Firewall feature on a connection, and if the Internet Connection Firewall service can run on a computer. + +> [!IMPORTANT] +> This setting is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply. + +The Internet Connection Firewall is a stateful packet filter for home and small office users to protect them from Internet network security threats. + +If you enable this setting, Internet Connection Firewall cannot be enabled or configured by users (including administrators), and the Internet Connection Firewall service cannot run on the computer. The option to enable the Internet Connection Firewall through the Advanced tab is removed. In addition, the Internet Connection Firewall is not enabled for remote access connections created through the Make New Connection Wizard. The Network Setup Wizard is disabled. + +If you enable the "Windows Firewall: Protect all network connections" policy setting, the "Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting has no effect on computers that are running Windows Firewall, which replaces Internet Connection Firewall when you install Windows XP Service Pack 2. + +If you disable this setting or do not configure it, the Internet Connection Firewall is disabled when a LAN Connection or VPN connection is created, but users can use the Advanced tab in the connection properties to enable it. The Internet Connection Firewall is enabled by default on the connection for which Internet Connection Sharing is enabled. In addition, remote access connections created through the Make New Connection Wizard have the Internet Connection Firewall enabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit use of Internet Connection Firewall on your DNS domain network* +- GP name: *NC_PersonalFirewallConfig* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_RasAllUserProperties** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether a user can view and change the properties of remote access connections that are available to all users of the computer. + +To create an all-user remote access connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option. + +This setting determines whether the Properties menu item is enabled, and thus, whether the Remote Access Connection Properties dialog box is available to users. + +If you enable this setting, a Properties menu item appears when any user right-clicks the icon for a remote access connection. Also, when any user selects the connection, Properties appears on the File menu. + +If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties menu items are disabled, and users (including administrators) cannot open the remote access connection properties dialog box. + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you do not configure this setting, only Administrators and Network Configuration Operators can change properties of all-user remote access connections. + +> [!NOTE] +> This setting takes precedence over settings that manipulate the availability of features inside the Remote Access Connection Properties dialog box. If this setting is disabled, nothing within the properties dialog box for a remote access connection will be available to users. +> +> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Ability to change properties of an all user remote access connection* +- GP name: *NC_RasAllUserProperties* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_RasChangeProperties** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can view and change the properties of components used by a private or all-user remote access connection. + +This setting determines whether the Properties button for components used by a private or all-user remote access connection is enabled. + +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties button is disabled for all users (including administrators). + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting does not apply to administrators on post-Windows 2000 computers. + +If you disable this setting or do not configure it, the Properties button is enabled for all users. + +The Networking tab of the Remote Access Connection Properties dialog box includes a list of the network components that the connection uses. To view or change the properties of a component, click the name of the component, and then click the Properties button beneath the component list. + +> [NOTE] +> Not all network components have configurable properties. For components that are not configurable, the Properties button is always disabled. +> +> When the "Ability to change properties of an all user remote access connection" or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the Remote Access Connection Properties dialog box, the Properties button for remote access connection components is blocked. +> +> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit access to properties of components of a remote access connection* +- GP name: *NC_RasChangeProperties* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_RasConnect** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can connect and disconnect remote access connections. + +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), double-clicking the icon has no effect, and the Connect and Disconnect menu items are disabled for all users (including administrators). + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you disable this setting or do not configure it, the Connect and Disconnect options for remote access connections are available to all users. Users can connect or disconnect a remote access connection by double-clicking the icon representing the connection, by right-clicking it, or by using the File menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit connecting and disconnecting a remote access connection* +- GP name: *NC_RasConnect* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_RasMyProperties** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can view and change the properties of their private remote access connections. + +Private connections are those that are available only to one user. To create a private connection, on the Connection Availability page in the New Connection Wizard, click the "Only for myself" option. + +This setting determines whether the Properties menu item is enabled, and thus, whether the Remote Access Connection Properties dialog box for a private connection is available to users. + +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties menu items are disabled, and no users (including administrators) can open the Remote Access Connection Properties dialog box for a private connection. + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you disable this setting or do not configure it, a Properties menu item appears when any user right-clicks the icon representing a private remote access connection. Also, when any user selects the connection, Properties appears on the File menu. + +> [!NOTE] +> This setting takes precedence over settings that manipulate the availability of features in the Remote Access Connection Properties dialog box. If this setting is enabled, nothing within the properties dialog box for a remote access connection will be available to users. +> +> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit changing properties of a private remote access connection* +- GP name: *NC_RasMyProperties* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_RenameAllUserRasConnection** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether nonadministrators can rename all-user remote access connections. + +To create an all-user connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option. + +If you enable this setting, the Rename option is enabled for all-user remote access connections. Any user can rename all-user connections by clicking an icon representing the connection or by using the File menu. + +If you disable this setting, the Rename option is disabled for nonadministrators only. + +If you do not configure the setting, only Administrators and Network Configuration Operators can rename all-user remote access connections. + +> [!NOTE] +> This setting does not apply to Administrators. + +When the "Ability to rename LAN connections or remote access connections available to all users" setting is configured (set to either Enabled or Disabled), this setting does not apply. + +This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Ability to rename all user remote access connections* +- GP name: *NC_RenameAllUserRasConnection* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_RenameConnection** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting Determines whether users can rename LAN or all user remote access connections. + +If you enable this setting, the Rename option is enabled for all users. Users can rename connections by clicking the icon representing a connection or by using the File menu. + +If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Rename option for LAN and all user remote access connections is disabled for all users (including Administrators and Network Configuration Operators). + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If this setting is not configured, only Administrators and Network Configuration Operators have the right to rename LAN or all user remote access connections. + +> [!NOTE] +> When configured, this setting always takes precedence over the "Ability to rename LAN connections" and "Ability to rename all user remote access connections" settings. +> +> This setting does not prevent users from using other programs, such as Internet Explorer, to rename remote access connections. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Ability to rename LAN connections or remote access connections available to all users* +- GP name: *NC_RenameConnection* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_RenameLanConnection** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether nonadministrators can rename a LAN connection. + +If you enable this setting, the Rename option is enabled for LAN connections. Nonadministrators can rename LAN connections by clicking an icon representing the connection or by using the File menu. + +If you disable this setting, the Rename option is disabled for nonadministrators only. + +If you do not configure this setting, only Administrators and Network Configuration Operators can rename LAN connections + +> [!NOTE] +> This setting does not apply to Administrators. + +When the "Ability to rename LAN connections or remote access connections available to all users" setting is configured (set to either enabled or disabled), this setting does not apply. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Ability to rename LAN connections* +- GP name: *NC_RenameLanConnection* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_RenameMyRasConnection** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can rename their private remote access connections. + +Private connections are those that are available only to one user. To create a private connection, on the Connection Availability page in the New Connection Wizard, click the "Only for myself" option. + +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Rename option is disabled for all users (including administrators). + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you disable this setting or do not configure it, the Rename option is enabled for all users' private remote access connections. Users can rename their private connection by clicking an icon representing the connection or by using the File menu. + +> [!NOTE] +> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit renaming private remote access connections* +- GP name: *NC_RenameMyRasConnection* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_ShowSharedAccessUI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. + +ICS lets administrators configure their system as an Internet gateway for a small network and provides network services, such as name resolution and addressing through DHCP, to the local private network. + +If you enable this setting, ICS cannot be enabled or configured by administrators, and the ICS service cannot run on the computer. The Advanced tab in the Properties dialog box for a LAN or remote access connection is removed. The Internet Connection Sharing page is removed from the New Connection Wizard. The Network Setup Wizard is disabled. + +If you disable this setting or do not configure it and have two or more connections, administrators can enable ICS. The Advanced tab in the properties dialog box for a LAN or remote access connection is available. In addition, the user is presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizard. (The Network Setup Wizard is available only in Windows XP Professional.) + +By default, ICS is disabled when you create a remote access connection, but administrators can use the Advanced tab to enable it. When running the New Connection Wizard or Network Setup Wizard, administrators can choose to enable ICS. + +> [!NOTE] +> Internet Connection Sharing is only available when two or more network connections are present. + +When the "Prohibit access to properties of a LAN connection," "Ability to change properties of an all user remote access connection," or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the Connection Properties dialog box, the Advanced tab for the connection is blocked. + +Nonadministrators are already prohibited from configuring Internet Connection Sharing, regardless of this setting. + +Disabling this setting does not prevent Wireless Hosted Networking from using the ICS service for DHCP services. To prevent the ICS service from running, on the Network Permissions tab in the network's policy properties, select the "Don't use hosted networks" check box. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit use of Internet Connection Sharing on your DNS domain network* +- GP name: *NC_ShowSharedAccessUI* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_Statistics** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can view the status for an active connection. + +Connection status is available from the connection status taskbar icon or from the Status dialog box. The Status dialog box displays information about the connection and its activity. It also provides buttons to disconnect and to configure the properties of the connection. + +If you enable this setting, the connection status taskbar icon and Status dialog box are not available to users (including administrators). The Status option is disabled in the context menu for the connection and on the File menu in the Network Connections folder. Users cannot choose to show the connection icon in the taskbar from the Connection Properties dialog box. + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you disable this setting or do not configure it, the connection status taskbar icon and Status dialog box are available to all users. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit viewing of status for an active connection* +- GP name: *NC_Statistics* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_StdDomainUserSetLocation** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether to require domain users to elevate when setting a network's location. + +If you enable this policy setting, domain users must elevate when setting a network's location. + +If you disable or do not configure this policy setting, domain users can set a network's location without elevating. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Require domain users to elevate when setting a network's location* +- GP name: *NC_StdDomainUserSetLocation* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md new file mode 100644 index 0000000000..7113d20ba1 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md @@ -0,0 +1,351 @@ +--- +title: Policy CSP - ADMX_PowerShellExecutionPolicy +description: Policy CSP - ADMX_PowerShellExecutionPolicy +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 10/26/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_PowerShellExecutionPolicy +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_PowerShellExecutionPolicy policies + +
+
+ ADMX_PowerShellExecutionPolicy/EnableModuleLogging +
+
+ ADMX_PowerShellExecutionPolicy/EnableScripts +
+
+ ADMX_PowerShellExecutionPolicy/EnableTranscripting +
+
+ ADMX_PowerShellExecutionPolicy/EnableUpdateHelpDefaultSourcePath +
+
+ + +
+ + +**ADMX_PowerShellExecutionPolicy/EnableModuleLogging** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on logging for Windows PowerShell modules. + +If you enable this policy setting, pipeline execution events for members of the specified modules are recorded in the Windows PowerShell log in Event Viewer. Enabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails property of the module to True. + +If you disable this policy setting, logging of execution events is disabled for all Windows PowerShell modules. Disabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails property of the module to False. If this policy setting is not configured, the LogPipelineExecutionDetails property of a module or snap-in determines whether the execution events of a module or snap-in are logged. By default, the LogPipelineExecutionDetails property of all modules and snap-ins is set to False. + +To add modules and snap-ins to the policy setting list, click Show, and then type the module names in the list. The modules and snap-ins in the list must be installed on the computer. + +> [!NOTE] +> This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on Module Logging* +- GP name: *EnableModuleLogging* +- GP path: *Windows Components\Windows PowerShell* +- GP ADMX file name: *PowerShellExecutionPolicy.admx* + + + +
+ + +**ADMX_PowerShellExecutionPolicy/EnableScripts** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you configure the script execution policy, controlling which scripts are allowed to run. + +If you enable this policy setting, the scripts selected in the drop-down list are allowed to run. The "Allow only signed scripts" policy setting allows scripts to execute only if they are signed by a trusted publisher. + +The "Allow local scripts and remote signed scripts" policy setting allows any local scripts to run; scripts that originate from the Internet must be signed by a trusted publisher. The "Allow all scripts" policy setting allows all scripts to run. + +If you disable this policy setting, no scripts are allowed to run. + +> [!NOTE] +> This policy setting exists under both "Computer Configuration" and "User Configuration" in the Local Group Policy Editor. The "Computer Configuration" has precedence over "User Configuration." If you disable or do not configure this policy setting, it reverts to a per-machine preference setting; the default if that is not configured is "No scripts allowed." + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on Script Execution* +- GP name: *EnableScripts* +- GP path: *Windows Components\Windows PowerShell* +- GP ADMX file name: *PowerShellExecutionPolicy.admx* + + + +
+ + +**ADMX_PowerShellExecutionPolicy/EnableTranscripting** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. + +If you enable this policy setting, Windows PowerShell will enable transcripting for Windows PowerShell, the Windows PowerShell ISE, and any other applications that leverage the Windows PowerShell engine. By default, Windows PowerShell will record transcript output to each users' My Documents directory, with a file name that includes 'PowerShell_transcript', along with the computer name and time started. Enabling this policy is equivalent to calling the Start-Transcript cmdlet on each Windows PowerShell session. + +If you disable this policy setting, transcripting of PowerShell-based applications is disabled by default, although transcripting can still be enabled through the Start-Transcript cmdlet. + +If you use the OutputDirectory setting to enable transcript logging to a shared location, be sure to limit access to that directory to prevent users from viewing the transcripts of other users or computers. + +> [!NOTE] +> This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on PowerShell Transcription* +- GP name: *EnableTranscripting* +- GP path: *Windows Components\Windows PowerShell* +- GP ADMX file name: *PowerShellExecutionPolicy.admx* + + + +
+ + +**ADMX_PowerShellExecutionPolicy/EnableUpdateHelpDefaultSourcePath** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set the default value of the SourcePath parameter on the Update-Help cmdlet. + +If you enable this policy setting, the Update-Help cmdlet will use the specified value as the default value for the SourcePath parameter. This default value can be overridden by specifying a different value with the SourcePath parameter on the Update-Help cmdlet. + +If this policy setting is disabled or not configured, this policy setting does not set a default value for the SourcePath parameter of the Update-Help cmdlet. + +> [!NOTE] +> This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set the default source path for Update-Help* +- GP name: *EnableUpdateHelpDefaultSourcePath* +- GP path: *Windows Components\Windows PowerShell* +- GP ADMX file name: *PowerShellExecutionPolicy.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-sensors.md b/windows/client-management/mdm/policy-csp-admx-sensors.md new file mode 100644 index 0000000000..00ff56dafe --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-sensors.md @@ -0,0 +1,401 @@ +--- +title: Policy CSP - ADMX_Sensors +description: Policy CSP - ADMX_Sensors +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 10/22/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Sensors +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_Sensors policies + +
+
+ ADMX_Sensors/DisableLocationScripting_1 +
+
+ ADMX_Sensors/DisableLocationScripting_2 +
+
+ ADMX_Sensors/DisableLocation_1 +
+
+ ADMX_Sensors/DisableSensors_1 +
+
+ ADMX_Sensors/DisableSensors_2 +
+
+ + +
+ + +**ADMX_Sensors/DisableLocationScripting_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off scripting for the location feature. + +If you enable this policy setting, scripts for the location feature will not run. + +If you disable or do not configure this policy setting, all location scripts will run. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off location scripting* +- GP name: *DisableLocationScripting_1* +- GP path: *Windows Components\Location and Sensors* +- GP ADMX file name: *Sensors.admx* + + + +
+ + +**ADMX_Sensors/DisableLocationScripting_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off scripting for the location feature. + +If you enable this policy setting, scripts for the location feature will not run. + +If you disable or do not configure this policy setting, all location scripts will run. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off location scripting* +- GP name: *DisableLocationScripting_2* +- GP path: *Windows Components\Location and Sensors* +- GP ADMX file name: *Sensors.admx* + + + +
+ + +**ADMX_Sensors/DisableLocation_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the location feature for this computer. + +If you enable this policy setting, the location feature is turned off, and all programs on this computer are prevented from using location information from the location feature. + +If you disable or do not configure this policy setting, all programs on this computer will not be prevented from using location information from the location feature. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off location* +- GP name: *DisableLocation_1* +- GP path: *Windows Components\Location and Sensors* +- GP ADMX file name: *Sensors.admx* + + + +
+ + +**ADMX_Sensors/DisableSensors_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the sensor feature for this computer. + +If you enable this policy setting, the sensor feature is turned off, and all programs on this computer cannot use the sensor feature. + +If you disable or do not configure this policy setting, all programs on this computer can use the sensor feature. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off sensors* +- GP name: *DisableSensors_1* +- GP path: *Windows Components\Location and Sensors* +- GP ADMX file name: *Sensors.admx* + + + +
+ + +**ADMX_Sensors/DisableSensors_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the sensor feature for this computer. + +If you enable this policy setting, the sensor feature is turned off, and all programs on this computer cannot use the sensor feature. + +If you disable or do not configure this policy setting, all programs on this computer can use the sensor feature. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off sensors* +- GP name: *DisableSensors_2* +- GP path: *Windows Components\Location and Sensors* +- GP ADMX file name: *Sensors.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-startmenu.md b/windows/client-management/mdm/policy-csp-admx-startmenu.md new file mode 100644 index 0000000000..09955c429e --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-startmenu.md @@ -0,0 +1,5010 @@ +--- +title: Policy CSP - ADMX_StartMenu +description: Policy CSP - ADMX_StartMenu +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 10/20/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_StartMenu +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_StartMenu policies + +
+
+ ADMX_StartMenu/AddSearchInternetLinkInStartMenu +
+
+ ADMX_StartMenu/ClearRecentDocsOnExit +
+
+ ADMX_StartMenu/ClearRecentProgForNewUserInStartMenu +
+
+ ADMX_StartMenu/ClearTilesOnExit +
+
+ ADMX_StartMenu/DesktopAppsFirstInAppsView +
+
+ ADMX_StartMenu/DisableGlobalSearchOnAppsView +
+
+ ADMX_StartMenu/ForceStartMenuLogOff +
+
+ ADMX_StartMenu/GoToDesktopOnSignIn +
+
+ ADMX_StartMenu/GreyMSIAds +
+
+ ADMX_StartMenu/HidePowerOptions +
+
+ ADMX_StartMenu/Intellimenus +
+
+ ADMX_StartMenu/LockTaskbar +
+
+ ADMX_StartMenu/MemCheckBoxInRunDlg +
+
+ ADMX_StartMenu/NoAutoTrayNotify +
+
+ ADMX_StartMenu/NoBalloonTip +
+
+ ADMX_StartMenu/NoChangeStartMenu +
+
+ ADMX_StartMenu/NoClose +
+
+ ADMX_StartMenu/NoCommonGroups +
+
+ ADMX_StartMenu/NoFavoritesMenu +
+
+ ADMX_StartMenu/NoFind +
+
+ ADMX_StartMenu/NoGamesFolderOnStartMenu +
+
+ ADMX_StartMenu/NoHelp +
+
+ ADMX_StartMenu/NoInstrumentation +
+
+ ADMX_StartMenu/NoMoreProgramsList +
+
+ ADMX_StartMenu/NoNetAndDialupConnect +
+
+ ADMX_StartMenu/NoPinnedPrograms +
+
+ ADMX_StartMenu/NoRecentDocsMenu +
+
+ ADMX_StartMenu/NoResolveSearch +
+
+ ADMX_StartMenu/NoResolveTrack +
+
+ ADMX_StartMenu/NoRun +
+
+ ADMX_StartMenu/NoSMConfigurePrograms +
+
+ ADMX_StartMenu/NoSMMyDocuments +
+
+ ADMX_StartMenu/NoSMMyMusic +
+
+ ADMX_StartMenu/NoSMMyNetworkPlaces +
+
+ ADMX_StartMenu/NoSMMyPictures +
+
+ ADMX_StartMenu/NoSearchCommInStartMenu +
+
+ ADMX_StartMenu/NoSearchComputerLinkInStartMenu +
+
+ ADMX_StartMenu/NoSearchEverywhereLinkInStartMenu +
+
+ ADMX_StartMenu/NoSearchFilesInStartMenu +
+
+ ADMX_StartMenu/NoSearchInternetInStartMenu +
+
+ ADMX_StartMenu/NoSearchProgramsInStartMenu +
+
+ ADMX_StartMenu/NoSetFolders +
+
+ ADMX_StartMenu/NoSetTaskbar +
+
+ ADMX_StartMenu/NoStartMenuDownload +
+
+ ADMX_StartMenu/NoStartMenuHomegroup +
+
+ ADMX_StartMenu/NoStartMenuRecordedTV +
+
+ ADMX_StartMenu/NoStartMenuSubFolders +
+
+ ADMX_StartMenu/NoStartMenuVideos +
+
+ ADMX_StartMenu/NoStartPage +
+
+ ADMX_StartMenu/NoTaskBarClock +
+
+ ADMX_StartMenu/NoTaskGrouping +
+
+ ADMX_StartMenu/NoToolbarsOnTaskbar +
+
+ ADMX_StartMenu/NoTrayContextMenu +
+
+ ADMX_StartMenu/NoTrayItemsDisplay +
+
+ ADMX_StartMenu/NoUninstallFromStart +
+
+ ADMX_StartMenu/NoUserFolderOnStartMenu +
+
+ ADMX_StartMenu/NoUserNameOnStartMenu +
+
+ ADMX_StartMenu/NoWindowsUpdate +
+
+ ADMX_StartMenu/PowerButtonAction +
+
+ ADMX_StartMenu/QuickLaunchEnabled +
+
+ ADMX_StartMenu/RemoveUnDockPCButton +
+
+ ADMX_StartMenu/ShowAppsViewOnStart +
+
+ ADMX_StartMenu/ShowRunAsDifferentUserInStart +
+
+ ADMX_StartMenu/ShowRunInStartMenu +
+
+ ADMX_StartMenu/ShowStartOnDisplayWithForegroundOnWinKey +
+
+ ADMX_StartMenu/StartMenuLogOff +
+
+ ADMX_StartMenu/StartPinAppsWhenInstalled +
+
+ + +
+ + +**ADMX_StartMenu/AddSearchInternetLinkInStartMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this policy, a "Search the Internet" link is shown when the user performs a search in the start menu search box. This button launches the default browser with the search terms. + +If you disable this policy, there will not be a "Search the Internet" link when the user performs a search in the start menu search box. + +If you do not configure this policy (default), there will not be a "Search the Internet" link on the start menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Add Search Internet link to Start Menu* +- GP name: *AddSearchInternetLinkInStartMenu* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/ClearRecentDocsOnExit** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Clear history of recently opened documents on exit. + +If you enable this setting, the system deletes shortcuts to recently used document files when the user logs off. As a result, the Recent Items menu on the Start menu is always empty when the user logs on. In addition, recently and frequently used items in the Jump Lists off of programs in the Start Menu and Taskbar will be cleared when the user logs off. + +If you disable or do not configure this setting, the system retains document shortcuts, and when a user logs on, the Recent Items menu and the Jump Lists appear just as it did when the user logged off. + +> [!NOTE] +> The system saves document shortcuts in the user profile in the System-drive\Users\User-name\Recent folder. + +Also, see the "Remove Recent Items menu from Start Menu" and "Do not keep history of recently opened documents" policies in this folder. The system only uses this setting when neither of these related settings are selected. + +This setting does not clear the list of recent files that Windows programs display at the bottom of the File menu. See the "Do not keep history of recently opened documents" setting. + +This policy setting also does not hide document shortcuts displayed in the Open dialog box. See the "Hide the dropdown list of recent files" setting. + +This policy also does not clear items that the user may have pinned to the Jump Lists, or Tasks that the application has provided for their menu. See the "Do not allow pinning items in Jump Lists" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Clear history of recently opened documents on exit* +- GP name: *ClearRecentDocsOnExit* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/ClearRecentProgForNewUserInStartMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this policy setting, the recent programs list in the start menu will be blank for each new user. + +If you disable or do not configure this policy, the start menu recent programs list will be pre-populated with programs for each new user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Clear the recent programs list for new users* +- GP name: *ClearRecentProgForNewUserInStartMenu* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/ClearTilesOnExit** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this setting, the system deletes tile notifications when the user logs on. As a result, the Tiles in the start view will always show their default content when the user logs on. In addition, any cached versions of these notifications will be cleared when the user logs on. + +If you disable or do not configure this setting, the system retains notifications, and when a user logs on, the tiles appear just as they did when the user logged off, including the history of previous notifications for each tile. + +This setting does not prevent new notifications from appearing. See the "Turn off Application Notifications" setting to prevent new notifications. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Clear tile notifications during log on* +- GP name: *ClearTilesOnExit* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/DesktopAppsFirstInAppsView** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows desktop apps to be listed first in the Apps view in Start. + +If you enable this policy setting, desktop apps would be listed first when the apps are sorted by category in the Apps view. The other sorting options would continue to be available and the user could choose to change their default sorting options. + +If you disable or don't configure this policy setting, the desktop apps won't be listed first when the apps are sorted by category, and the user can configure this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *List desktop apps first in the Apps view* +- GP name: *DesktopAppsFirstInAppsView* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/DisableGlobalSearchOnAppsView** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the user from searching apps, files, settings (and the web if enabled) when the user searches from the Apps view. + +This policy setting is only applied when the Apps view is set as the default view for Start. + +If you enable this policy setting, searching from the Apps view will only search the list of installed apps. + +If you disable or don’t configure this policy setting, the user can configure this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Search just apps from the Apps view* +- GP name: *DisableGlobalSearchOnAppsView* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/ForceStartMenuLogOff** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy only applies to the classic version of the start menu and does not affect the new style start menu. + +Adds the "Log Off ``" item to the Start menu and prevents users from removing it. + +If you enable this setting, the Log Off `` item appears in the Start menu. This setting also removes the Display Logoff item from Start Menu Options. As a result, users cannot remove the Log Off `` item from the Start Menu. + +If you disable this setting or do not configure it, users can use the Display Logoff item to add and remove the Log Off item. + +This setting affects the Start menu only. It does not affect the Log Off item on the Windows Security dialog box that appears when you press Ctrl+Alt+Del. + +Note: To add or remove the Log Off item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the Start Menu Options tab, and then, in the Start Menu Settings box, click Display Logoff. + +Also, see "Remove Logoff" in User Configuration\Administrative Templates\System\Logon/Logoff. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Add Logoff to the Start Menu* +- GP name: *ForceStartMenuLogOff* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/GoToDesktopOnSignIn** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows users to go to the desktop instead of the Start screen when they sign in. + +If you enable this policy setting, users will always go to the desktop when they sign in. + +If you disable this policy setting, users will always go to the Start screen when they sign in. + +If you don’t configure this policy setting, the default setting for the user’s device will be used, and the user can choose to change it. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Go to the desktop instead of Start when signing in* +- GP name: *GoToDesktopOnSignIn* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/GreyMSIAds** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Displays Start menu shortcuts to partially installed programs in gray text. + +This setting makes it easier for users to distinguish between programs that are fully installed and those that are only partially installed. + +Partially installed programs include those that a system administrator assigns using Windows Installer and those that users have configured for full installation upon first use. + +If you disable this setting or do not configure it, all Start menu shortcuts appear as black text. + +> [!NOTE] +> Enabling this setting can make the Start menu slow to open. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Gray unavailable Windows Installer programs Start Menu shortcuts* +- GP name: *GreyMSIAds* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/HidePowerOptions** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from performing the following commands from the Windows security screen, the logon screen, and the Start menu: Shut Down, Restart, Sleep, and Hibernate. This policy setting does not prevent users from running Windows-based programs that perform these functions. + +If you enable this policy setting, the shutdown, restart, sleep, and hibernate commands are removed from the Start menu. The Power button is also removed from the Windows Security screen, which appears when you press CTRL+ALT+DELETE, and from the logon screen. + +If you disable or do not configure this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are available on the Start menu. The Power button on the Windows Security and logon screens is also available. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands* +- GP name: *HidePowerOptions* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/Intellimenus** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Disables personalized menus. + +Windows personalizes long menus by moving recently used items to the top of the menu and hiding items that have not been used recently. Users can display the hidden items by clicking an arrow to extend the menu. + +If you enable this setting, the system does not personalize menus. All menu items appear and remain in standard order. Also, this setting removes the "Use Personalized Menus" option so users do not try to change the setting while a setting is in effect. + +> [!NOTE] +> Personalized menus require user tracking. If you enable the "Turn off user tracking" setting, the system disables user tracking and personalized menus and ignores this setting. + +To Turn off personalized menus without specifying a setting, click Start, click Settings, click Taskbar and Start Menu, and then, on the General tab, clear the "Use Personalized Menus" option. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off personalized menus* +- GP name: *Intellimenus* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/LockTaskbar** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting affects the taskbar, which is used to switch between running applications. + +The taskbar includes the Start button, list of currently running tasks, and the notification area. By default, the taskbar is located at the bottom of the screen, but it can be dragged to any side of the screen. When it is locked, it cannot be moved or resized. + +If you enable this setting, it prevents the user from moving or resizing the taskbar. While the taskbar is locked, auto-hide and other taskbar options are still available in Taskbar properties. + +If you disable this setting or do not configure it, the user can configure the taskbar position. + +> [!NOTE] +> Enabling this setting also locks the QuickLaunch bar and any other toolbars that the user has on their taskbar. The toolbar's position is locked, and the user cannot show and hide various toolbars using the taskbar context menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Lock the Taskbar* +- GP name: *LockTaskbar* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/MemCheckBoxInRunDlg** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting lets users run a 16-bit program in a dedicated (not shared) Virtual DOS Machine (VDM) process. + +All DOS and 16-bit programs run on Windows 2000 Professional and Windows XP Professional in the Windows Virtual DOS Machine program. VDM simulates a 16-bit environment, complete with the DLLs required by 16-bit programs. By default, all 16-bit programs run as threads in a single, shared VDM process. As such, they share the memory space allocated to the VDM process and cannot run simultaneously. + +Enabling this setting adds a check box to the Run dialog box, giving users the option of running a 16-bit program in its own dedicated NTVDM process. The additional check box is enabled only when a user enters a 16-bit program in the Run dialog box. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Add "Run in Separate Memory Space" check box to Run dialog box* +- GP name: *MemCheckBoxInRunDlg* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoAutoTrayNotify** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting affects the notification area, also called the "system tray." + +The notification area is located in the task bar, generally at the bottom of the screen, and it includes the clock and current notifications. This setting determines whether the items are always expanded or always collapsed. By default, notifications are collapsed. The notification cleanup << icon can be referred to as the "notification chevron." + +If you enable this setting, the system notification area expands to show all of the notifications that use this area. + +If you disable this setting, the system notification area will always collapse notifications. + +If you do not configure it, the user can choose if they want notifications collapsed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off notification area cleanup* +- GP name: *NoAutoTrayNotify* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoBalloonTip** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Hides pop-up text on the Start menu and in the notification area. + +When you hold the cursor over an item on the Start menu or in the notification area, the system displays pop-up text providing additional information about the object. + +If you enable this setting, some of this pop-up text is not displayed. The pop-up text affected by this setting includes "Click here to begin" on the Start button, "Where have all my programs gone" on the Start menu, and "Where have my icons gone" in the notification area. + +If you disable this setting or do not configure it, all pop-up text is displayed on the Start menu and in the notification area. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Balloon Tips on Start Menu items* +- GP name: *NoBalloonTip* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoChangeStartMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from changing their Start screen layout. + +If you enable this setting, you will prevent a user from selecting an app, resizing a tile, pinning/unpinning a tile or a secondary tile, entering the customize mode and rearranging tiles within Start and Apps. + +If you disable or do not configure this setting, you will allow a user to select an app, resize a tile, pin/unpin a tile or a secondary tile, enter the customize mode and rearrange tiles within Start and Apps. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent users from customizing their Start Screen* +- GP name: *NoChangeStartMenu* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoClose** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from performing the following commands from the Start menu or Windows Security screen: Shut Down, Restart, Sleep, and Hibernate. This policy setting does not prevent users from running Windows-based programs that perform these functions. + +If you enable this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are removed from the Start menu. The Power button is also removed from the Windows Security screen, which appears when you press CTRL+ALT+DELETE. + +If you disable or do not configure this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are available on the Start menu. The Power button on the Windows Security screen is also available. + +> [!NOTE] +> Third-party programs certified as compatible with Microsoft Windows Vista, Windows XP SP2, Windows XP SP1, Windows XP, or Windows 2000 Professional are required to support this policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands* +- GP name: *NoClose* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoCommonGroups** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Removes items in the All Users profile from the Programs menu on the Start menu. + +By default, the Programs menu contains items from the All Users profile and items from the user's profile. If you enable this setting, only items in the user's profile appear in the Programs menu. + +To see the Program menu items in the All Users profile, on the system drive, go to ProgramData\Microsoft\Windows\Start Menu\Programs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove common program groups from Start Menu* +- GP name: *NoCommonGroups* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoFavoritesMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from adding the Favorites menu to the Start menu or classic Start menu. + +If you enable this setting, the Display Favorites item does not appear in the Advanced Start menu options box. + +If you disable or do not configure this setting, the Display Favorite item is available. + +> [!NOTE] +> The Favorities menu does not appear on the Start menu by default. To display the Favorites menu, right-click Start, click Properties, and then click Customize. If you are using Start menu, click the Advanced tab, and then, under Start menu items, click the Favorites menu. If you are using the classic Start menu, click Display Favorites under Advanced Start menu options. +> +> The items that appear in the Favorites menu when you install Windows are preconfigured by the system to appeal to most users. However, users can add and remove items from this menu, and system administrators can create a customized Favorites menu for a user group. +> +> This setting only affects the Start menu. The Favorites item still appears in File Explorer and in Internet Explorer. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Favorites menu from Start Menu* +- GP name: *NoFavoritesMenu* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoFind** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Search link from the Start menu, and disables some File Explorer search elements. Note that this does not remove the search box from the new style Start menu. + +If you enable this policy setting, the Search item is removed from the Start menu and from the context menu that appears when you right-click the Start menu. Also, the system does not respond when users press the Application key (the key with the Windows logo)+ F. + +Note: Enabling this policy setting also prevents the user from using the F3 key. + +In File Explorer, the Search item still appears on the Standard buttons toolbar, but the system does not respond when the user presses Ctrl+F. Also, Search does not appear in the context menu when you right-click an icon representing a drive or a folder. + +This policy setting affects the specified user interface elements only. It does not affect Internet Explorer and does not prevent the user from using other methods to search. + +If you disable or do not configure this policy setting, the Search link is available from the Start menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Search link from Start Menu* +- GP name: *NoFind* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoGamesFolderOnStartMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this policy the start menu will not show a link to the Games folder. + +If you disable or do not configure this policy, the start menu will show a link to the Games folder, unless the user chooses to remove it in the start menu control panel. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Games link from Start Menu* +- GP name: *NoGamesFolderOnStartMenu* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoHelp** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Help command from the Start menu. + +If you enable this policy setting, the Help command is removed from the Start menu. + +If you disable or do not configure this policy setting, the Help command is available from the Start menu. + +This policy setting only affects the Start menu. It does not remove the Help menu from File Explorer and does not prevent users from running Help. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Help menu from Start Menu* +- GP name: *NoHelp* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoInstrumentation** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off user tracking. + +If you enable this policy setting, the system does not track the programs that the user runs, and does not display frequently used programs in the Start Menu. + +If you disable or do not configure this policy setting, the system tracks the programs that the user runs. The system uses this information to customize Windows features, such as showing frequently used programs in the Start Menu. + +Also, see these related policy settings: "Remove frequent programs liist from the Start Menu" and "Turn off personalized menus". + +This policy setting does not prevent users from pinning programs to the Start Menu or Taskbar. See the "Remove pinned programs list from the Start Menu" and "Do not allow pinning programs to the Taskbar" policy settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off user tracking* +- GP name: *NoInstrumentation* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoMoreProgramsList** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this setting, the Start Menu will either collapse or remove the all apps list from the Start menu. + +Selecting "Collapse" will not display the app list next to the pinned tiles in Start. An "All apps" button will be displayed on Start to open the all apps list. This is equivalent to setting the "Show app list in Start" in Settings to Off. + +Selecting "Collapse and disable setting" will do the same as the collapse option and disable the "Show app list in Start menu" in Settings, so users cannot turn it to On. + +Selecting "Remove and disable setting" will remove the all apps list from Start and disable the "Show app list in Start menu" in Settings, so users cannot turn it to On. Select this option for compatibility with earlier versions of Windows. + +If you disable or do not configure this setting, the all apps list will be visible by default, and the user can change "Show app list in Start" in Settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove All Programs list from the Start menu* +- GP name: *NoMoreProgramsList* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoNetAndDialupConnect** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove Network Connections from the Start Menu. + +If you enable this policy setting, users are prevented from running Network Connections. + +Enabling this policy setting prevents the Network Connections folder from opening. This policy setting also removes Network Connections from Settings on the Start menu. + +Network Connections still appears in Control Panel and in File Explorer, but if users try to start it, a message appears explaining that a setting prevents the action. + +If you disable or do not configure this policy setting, Network Connections is available from the Start Menu. + +Also, see the "Disable programs on Settings menu" and "Disable Control Panel" policy settings and the policy settings in the Network Connections folder (Computer Configuration and User Configuration\Administrative Templates\Network\Network Connections). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Network Connections from Start Menu* +- GP name: *NoNetAndDialupConnect* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoPinnedPrograms** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this setting, the "Pinned Programs" list is removed from the Start menu. Users cannot pin programs to the Start menu. + +In Windows XP and Windows Vista, the Internet and email checkboxes are removed from the 'Customize Start Menu' dialog. + +If you disable this setting or do not configure it, the "Pinned Programs" list remains on the Start menu. Users can pin and unpin programs in the Start Menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove pinned programs list from the Start Menu* +- GP name: *NoPinnedPrograms* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoRecentDocsMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Removes the Recent Items menu from the Start menu. Removes the Documents menu from the classic Start menu. + +The Recent Items menu contains links to the non-program files that users have most recently opened. It appears so that users can easily reopen their documents. + +If you enable this setting, the system saves document shortcuts but does not display the Recent Items menu in the Start Menu, and users cannot turn the menu on. + +If you later disable the setting, so that the Recent Items menu appears in the Start Menu, the document shortcuts saved before the setting was enabled and while it was in effect appear in the Recent Items menu. + +When the setting is disabled, the Recent Items menu appears in the Start Menu, and users cannot remove it. + +If the setting is not configured, users can turn the Recent Items menu on and off. + +> [!NOTE] +> This setting does not prevent Windows programs from displaying shortcuts to recently opened documents. See the "Do not keep history of recently opened documents" setting. + +This setting also does not hide document shortcuts displayed in the Open dialog box. See the "Hide the dropdown list of recent files" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Recent Items menu from Start Menu* +- GP name: *NoRecentDocsMenu* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoResolveSearch** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the system from conducting a comprehensive search of the target drive to resolve a shortcut. + +If you enable this policy setting, the system does not conduct the final drive search. It just displays a message explaining that the file is not found. + +If you disable or do not configure this policy setting, by default, when the system cannot find the target file for a shortcut (.lnk), it searches all paths associated with the shortcut. If the target file is located on an NTFS partition, the system then uses the target's file ID to find a path. If the resulting path is not correct, it conducts a comprehensive search of the target drive in an attempt to find the file. + +> [!NOTE] +> This policy setting only applies to target files on NTFS partitions. FAT partitions do not have this ID tracking and search capability. + +Also, see the "Do not track Shell shortcuts during roaming" and the "Do not use the tracking-based method when resolving shell shortcuts" policy settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not use the search-based method when resolving shell shortcuts* +- GP name: *NoResolveSearch* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoResolveTrack** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the system from using NTFS tracking features to resolve a shortcut. + +If you enable this policy setting, the system does not try to locate the file by using its file ID. It skips this step and begins a comprehensive search of the drive specified in the target path. + +If you disable or do not configure this policy setting, by default, when the system cannot find the target file for a shortcut (.lnk), it searches all paths associated with the shortcut. If the target file is located on an NTFS partition, the system then uses the target's file ID to find a path. If the resulting path is not correct, it conducts a comprehensive search of the target drive in an attempt to find the file. + +> [!NOTE] +> This policy setting only applies to target files on NTFS partitions. FAT partitions do not have this ID tracking and search capability. + +Also, see the "Do not track Shell shortcuts during roaming" and the "Do not use the search-based method when resolving shell shortcuts" policy settings. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not use the tracking-based method when resolving shell shortcuts* +- GP name: *NoResolveTrack* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoRun** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Allows you to remove the Run command from the Start menu, Internet Explorer, and Task Manager. + +If you enable this setting, the following changes occur: + +1. The Run command is removed from the Start menu. + +2. The New Task (Run) command is removed from Task Manager. + +3. The user will be blocked from entering the following into the Internet Explorer Address Bar: + + - A UNC path: `\\\` + + - Accessing local drives: e.g., C: + + - Accessing local folders: e.g., `\` + +Also, users with extended keyboards will no longer be able to display the Run dialog box by pressing the Application key (the key with the Windows logo) + R. + +If you disable or do not configure this setting, users will be able to access the Run command in the Start menu and in Task Manager and use the Internet Explorer Address Bar. + +> [!NOTE] +> This setting affects the specified interface only. It does not prevent users from using other methods to run programs. +> +> It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Run menu from Start Menu* +- GP name: *NoRun* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoSMConfigurePrograms** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Default Programs link from the Start menu. + +If you enable this policy setting, the Default Programs link is removed from the Start menu. + +Clicking the Default Programs link from the Start menu opens the Default Programs control panel and provides administrators the ability to specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. + +If you disable or do not configure this policy setting, the Default Programs link is available from the Start menu. + +> [!NOTE] +> This policy setting does not prevent the Set Default Programs for This Computer option from appearing in the Default Programs control panel. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Default Programs link from the Start menu.* +- GP name: *NoSMConfigurePrograms* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoSMMyDocuments** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Documents icon from the Start menu and its submenus. + +If you enable this policy setting, the Documents icon is removed from the Start menu and its submenus. Enabling this policy setting only removes the icon. It does not prevent the user from using other methods to gain access to the contents of the Documents folder. + +> [!NOTE] +> To make changes to this policy setting effective, you must log off and then log on. + +If you disable or do not configure this policy setting, he Documents icon is available from the Start menu. + +Also, see the "Remove Documents icon on the desktop" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Documents icon from Start Menu* +- GP name: *NoSMMyDocuments* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoSMMyMusic** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Music icon from Start Menu. + +If you enable this policy setting, the Music icon is no longer available from Start Menu. + +If you disable or do not configure this policy setting, the Music icon is available from Start Menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Music icon from Start Menu* +- GP name: *NoSMMyMusic* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoSMMyNetworkPlaces** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build.This policy setting allows you to remove the Network icon from Start Menu. + +If you enable this policy setting, the Network icon is no longer available from Start Menu. + +If you disable or do not configure this policy setting, the Network icon is available from Start Menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Network icon from Start Menu* +- GP name: *NoSMMyNetworkPlaces* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoSMMyPictures** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Pictures icon from Start Menu. + +If you enable this policy setting, the Pictures icon is no longer available from Start Menu. + +If you disable or do not configure this policy setting, the Pictures icon is available from Start Menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Pictures icon from Start Menu* +- GP name: *NoSMMyPictures* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoSearchCommInStartMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this policy the start menu search box will not search for communications. + +If you disable or do not configure this policy, the start menu will search for communications, unless the user chooses not to in the start menu control panel. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not search communications* +- GP name: *NoSearchCommInStartMenu* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoSearchComputerLinkInStartMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this policy, the "See all results" link will not be shown when the user performs a search in the start menu search box. + +If you disable or do not configure this policy, the "See all results" link will be shown when the user performs a search in the start menu search box. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Search Computer link* +- GP name: *NoSearchComputerLinkInStartMenu* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoSearchEverywhereLinkInStartMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in the start menu search box. + +If you disable or do not configure this policy, a "See more results" link will be shown when the user performs a search in the start menu search box. If a 3rd party protocol handler is installed, a "Search Everywhere" link will be shown instead of the "See more results" link. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove See More Results / Search Everywhere link* +- GP name: *NoSearchEverywhereLinkInStartMenu* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoSearchFilesInStartMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this policy setting the Start menu search box will not search for files. + +If you disable or do not configure this policy setting, the Start menu will search for files, unless the user chooses not to do so directly in Control Panel. If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in the start menu search box. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not search for files* +- GP name: *NoSearchFilesInStartMenu* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoSearchInternetInStartMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this policy the start menu search box will not search for internet history or favorites. + +If you disable or do not configure this policy, the start menu will search for for internet history or favorites, unless the user chooses not to in the start menu control panel. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not search Internet* +- GP name: *NoSearchInternetInStartMenu* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoSearchProgramsInStartMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this policy setting the Start menu search box will not search for programs or Control Panel items. + +If you disable or do not configure this policy setting, the Start menu search box will search for programs and Control Panel items, unless the user chooses not to do so directly in Control Panel. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not search programs and Control Panel items* +- GP name: *NoSearchProgramsInStartMenu* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoSetFolders** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove programs on Settings menu. + +If you enable this policy setting, the Control Panel, Printers, and Network and Connection folders are removed from Settings on the Start menu, and from Computer and File Explorer. It also prevents the programs represented by these folders (such as Control.exe) from running. + +However, users can still start Control Panel items by using other methods, such as right-clicking the desktop to start Display or right-clicking Computer to start System. + +If you disable or do not configure this policy setting, the Control Panel, Printers, and Network and Connection folders from Settings are available on the Start menu, and from Computer and File Explorer. + +Also, see the "Disable Control Panel," "Disable Display in Control Panel," and "Remove Network Connections from Start Menu" policy settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove programs on Settings menu* +- GP name: *NoSetFolders* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoSetTaskbar** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent changes to Taskbar and Start Menu Settings. + +If you enable this policy setting, The user will be prevented from opening the Taskbar Properties dialog box. + +If the user right-clicks the taskbar and then clicks Properties, a message appears explaining that a setting prevents the action. + +If you disable or do not configure this policy setting, the Taskbar and Start Menu items are available from Settings on the Start menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changes to Taskbar and Start Menu Settings* +- GP name: *NoSetTaskbar* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoStartMenuDownload** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Downloads link from the Start Menu. + +If you enable this policy setting, the Start Menu does not show a link to the Downloads folder. + +If you disable or do not configure this policy setting, the Downloads link is available from the Start Menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Downloads link from Start Menu* +- GP name: *NoStartMenuDownload* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoStartMenuHomegroup** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this policy the Start menu will not show a link to Homegroup. It also removes the homegroup item from the Start Menu options. As a result, users cannot add the homegroup link to the Start Menu. + +If you disable or do not configure this policy, users can use the Start Menu options to add or remove the homegroup link from the Start Menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Homegroup link from Start Menu* +- GP name: *NoStartMenuHomegroup* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoStartMenuRecordedTV** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Recorded TV link from the Start Menu. + +If you enable this policy setting, the Start Menu does not show a link to the Recorded TV library. + +If you disable or do not configure this policy setting, the Recorded TV link is available from the Start Menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Recorded TV link from Start Menu* +- GP name: *NoStartMenuRecordedTV* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoStartMenuSubFolders** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Hides all folders on the user-specific (top) section of the Start menu. Other items appear, but folders are hidden. + +This setting is designed for use with redirected folders. Redirected folders appear on the main (bottom) section of the Start menu. However, the original, user-specific version of the folder still appears on the top section of the Start menu. Because the appearance of two folders with the same name might confuse users, you can use this setting to hide user-specific folders. + +Note that this setting hides all user-specific folders, not just those associated with redirected folders. + +If you enable this setting, no folders appear on the top section of the Start menu. If users add folders to the Start Menu directory in their user profiles, the folders appear in the directory but not on the Start menu. + +If you disable this setting or do not configured it, Windows 2000 Professional and Windows XP Professional display folders on both sections of the Start menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove user's folders from the Start Menu* +- GP name: *NoStartMenuSubFolders* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoStartMenuVideos** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Videos link from the Start Menu. + +If you enable this policy setting, the Start Menu does not show a link to the Videos library. + +If you disable or do not configure this policy setting, the Videos link is available from the Start Menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Videos link from Start Menu* +- GP name: *NoStartMenuVideos* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoStartPage** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting affects the presentation of the Start menu. + +The classic Start menu in Windows 2000 Professional allows users to begin common tasks, while the new Start menu consolidates common items onto one menu. When the classic Start menu is used, the following icons are placed on the desktop: Documents, Pictures, Music, Computer, and Network. The new Start menu starts them directly. + +If you enable this setting, the Start menu displays the classic Start menu in the Windows 2000 style and displays the standard desktop icons. + +If you disable this setting, the Start menu only displays in the new style, meaning the desktop icons are now on the Start page. + +If you do not configure this setting, the default is the new style, and the user can change the view. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Force classic Start Menu* +- GP name: *NoStartPage* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoTaskBarClock** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents the clock in the system notification area from being displayed. + +If you enable this setting, the clock will not be displayed in the system notification area. + +If you disable or do not configure this setting, the default behavior of the clock appearing in the notification area will occur. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Clock from the system notification area* +- GP name: *NoTaskBarClock* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoTaskGrouping** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting affects the taskbar buttons used to switch between running programs. + +Taskbar grouping consolidates similar applications when there is no room on the taskbar. It kicks in when the user's taskbar is full. + +If you enable this setting, it prevents the taskbar from grouping items that share the same program name. By default, this setting is always enabled. + +If you disable or do not configure it, items on the taskbar that share the same program are grouped together. The users have the option to disable grouping if they choose. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent grouping of taskbar items* +- GP name: *NoTaskGrouping* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoToolbarsOnTaskbar** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting affects the taskbar. + +The taskbar includes the Start button, buttons for currently running tasks, custom toolbars, the notification area, and the system clock. Toolbars include Quick Launch, Address, Links, Desktop, and other custom toolbars created by the user or by an application. + +If this setting is enabled, the taskbar does not display any custom toolbars, and the user cannot add any custom toolbars to the taskbar. Moreover, the "Toolbars" menu command and submenu are removed from the context menu. The taskbar displays only the Start button, taskbar buttons, the notification area, and the system clock. + +If this setting is disabled or is not configured, the taskbar displays all toolbars. Users can add or remove custom toolbars, and the "Toolbars" command appears in the context menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not display any custom toolbars in the taskbar* +- GP name: *NoToolbarsOnTaskbar* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoTrayContextMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove access to the context menus for the taskbar. + +If you enable this policy setting, the menus that appear when you right-click the taskbar and items on the taskbar are hidden, such as the Start button, the clock, and the taskbar buttons. + +If you disable or do not configure this policy setting, the context menus for the taskbar are available. + +This policy setting does not prevent users from using other methods to issue the commands that appear on these menus. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove access to the context menus for the taskbar* +- GP name: *NoTrayContextMenu* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoTrayItemsDisplay** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting affects the notification area (previously called the "system tray") on the taskbar. + +The notification area is located at the far right end of the task bar and includes the icons for current notifications and the system clock. + +If this setting is enabled, the user’s entire notification area, including the notification icons, is hidden. The taskbar displays only the Start button, taskbar buttons, custom toolbars (if any), and the system clock. + +If this setting is disabled or is not configured, the notification area is shown in the user's taskbar. + +> [!NOTE] +> Enabling this setting overrides the "Turn off notification area cleanup" setting, because if the notification area is hidden, there is no need to clean up the icons. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide the notification area* +- GP name: *NoTrayItemsDisplay* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoUninstallFromStart** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this setting, users cannot uninstall apps from Start. + +If you disable this setting or do not configure it, users can access the uninstall command from Start. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent users from uninstalling applications from Start* +- GP name: *NoUninstallFromStart* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoUserFolderOnStartMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this policy the start menu will not show a link to the user's storage folder. + +If you disable or do not configure this policy, the start menu will display a link, unless the user chooses to remove it in the start menu control panel. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove user folder link from Start Menu* +- GP name: *NoUserFolderOnStartMenu* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoUserNameOnStartMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the user name label from the Start Menu in Windows XP and Windows Server 2003. + +If you enable this policy setting, the user name label is removed from the Start Menu in Windows XP and Windows Server 2003. + +To remove the user name folder on Windows Vista, set the "Remove user folder link from Start Menu" policy setting. + +If you disable or do not configure this policy setting, the user name label appears on the Start Menu in Windows XP and Windows Server 2003. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove user name from Start Menu* +- GP name: *NoUserNameOnStartMenu* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoWindowsUpdate** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove links and access to Windows Update. + +If you enable this policy setting, users are prevented from connecting to the Windows Update Web site. + +Enabling this policy setting blocks user access to the Windows Update Web site at https://windowsupdate.microsoft.com. Also, the policy setting removes the Windows Update hyperlink from the Start menu and from the Tools menu in Internet Explorer. + +Windows Update, the online extension of Windows, offers software updates to keep a user’s system up-to-date. The Windows Update Product Catalog determines any system files, security fixes, and Microsoft updates that users need and shows the newest versions available for download. + +If you disable or do not configure this policy setting, the Windows Update hyperlink is available from the Start menu and from the Tools menu in Internet Explorer. + +Also, see the "Hide the "Add programs from Microsoft" option" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove links and access to Windows Update* +- GP name: *NoWindowsUpdate* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/PowerButtonAction** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Set the default action of the power button on the Start menu. + +If you enable this setting, the Start Menu will set the power button to the chosen action, and not let the user change this action. + +If you set the button to either Sleep or Hibernate, and that state is not supported on a computer, then the button will fall back to Shut Down. + +If you disable or do not configure this setting, the Start Menu power button will be set to Shut Down by default, and the user can change this setting to another action. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Change Start Menu power button* +- GP name: *PowerButtonAction* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/QuickLaunchEnabled** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the QuickLaunch bar is displayed in the Taskbar. + +If you enable this policy setting, the QuickLaunch bar will be visible and cannot be turned off. + +If you disable this policy setting, the QuickLaunch bar will be hidden and cannot be turned on. + +If you do not configure this policy setting, then users will be able to turn the QuickLaunch bar on and off. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Show QuickLaunch on Taskbar* +- GP name: *QuickLaunchEnabled* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/RemoveUnDockPCButton** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this setting, the "Undock PC" button is removed from the simple Start Menu, and your PC cannot be undocked. + +If you disable this setting or do not configure it, the "Undock PC" button remains on the simple Start menu, and your PC can be undocked. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove the "Undock PC" button from the Start Menu* +- GP name: *RemoveUnDockPCButton* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/ShowAppsViewOnStart** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows the Apps view to be opened by default when the user goes to Start. + +If you enable this policy setting, the Apps view will appear whenever the user goes to Start. Users will still be able to switch between the Apps view and the Start screen. + +If you disable or don’t configure this policy setting, the Start screen will appear by default whenever the user goes to Start, and the user will be able to switch between the Apps view and the Start screen. Also, the user will be able to configure this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Show the Apps view automatically when the user goes to Start* +- GP name: *ShowAppsViewOnStart* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/ShowRunAsDifferentUserInStart** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting shows or hides the "Run as different user" command on the Start application bar. + +If you enable this setting, users can access the "Run as different user" command from Start for applications which support this functionality. + +If you disable this setting or do not configure it, users cannot access the "Run as different user" command from Start for any applications. + +> [!NOTE] +> This setting does not prevent users from using other methods, such as the shift right-click menu on application's jumplists in the taskbar to issue the "Run as different user" command. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Show "Run as different user" command on Start* +- GP name: *ShowRunAsDifferentUserInStart* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/ShowRunInStartMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this setting, the Run command is added to the Start menu. + +If you disable or do not configure this setting, the Run command is not visible on the Start menu by default, but it can be added from the Taskbar and Start menu properties. + +If the Remove Run link from Start Menu policy is set, the Add the Run command to the Start menu policy has no effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Add the Run command to the Start Menu* +- GP name: *ShowRunInStartMenu* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/ShowStartOnDisplayWithForegroundOnWinKey** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows the Start screen to appear on the display the user is using when they press the Windows logo key. This setting only applies to users who are using multiple displays. + +If you enable this policy setting, the Start screen will appear on the display the user is using when they press the Windows logo key. + +If you disable or don't configure this policy setting, the Start screen will always appear on the main display when the user presses the Windows logo key. Users will still be able to open Start on other displays by pressing the Start button on that display. Also, the user will be able to configure this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Show Start on the display the user is using when they press the Windows logo key* +- GP name: *ShowStartOnDisplayWithForegroundOnWinKey* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/StartMenuLogOff** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to removes the "Log Off ``" item from the Start menu and prevents users from restoring it. + +If you enable this policy setting, the Log Off `` item does not appear in the Start menu. This policy setting also removes the Display Logoff item from Start Menu Options. As a result, users cannot restore the Log Off `` item to the Start Menu. + +If you disable or do not configure this policy setting, users can use the Display Logoff item to add and remove the Log Off item. + +This policy setting affects the Start menu only. It does not affect the Log Off item on the Windows Security dialog box that appears when you press Ctrl+Alt+Del, and it does not prevent users from using other methods to log off. + +Tip: To add or remove the Log Off item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the Start Menu Options tab and, in the Start Menu Settings box, click Display Logoff. + +See also: "Remove Logoff" policy setting in User Configuration\Administrative Templates\System\Logon/Logoff. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Logoff on the Start Menu* +- GP name: *StartMenuLogOff* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/StartPinAppsWhenInstalled** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows pinning apps to Start by default, when they are included by AppID on the list. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Pin Apps to Start when installed* +- GP name: *StartPinAppsWhenInstalled* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-taskbar.md b/windows/client-management/mdm/policy-csp-admx-taskbar.md new file mode 100644 index 0000000000..d7177153a7 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-taskbar.md @@ -0,0 +1,1663 @@ +--- +title: Policy CSP - ADMX_Taskbar +description: Policy CSP - ADMX_Taskbar +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 10/26/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Taskbar +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_Taskbar policies + +
+
+ ADMX_Taskbar/DisableNotificationCenter +
+
+ ADMX_Taskbar/EnableLegacyBalloonNotifications +
+
+ ADMX_Taskbar/HideSCAHealth +
+
+ ADMX_Taskbar/HideSCANetwork +
+
+ ADMX_Taskbar/HideSCAPower +
+
+ ADMX_Taskbar/HideSCAVolume +
+
+ ADMX_Taskbar/NoBalloonFeatureAdvertisements +
+
+ ADMX_Taskbar/NoPinningStoreToTaskbar +
+
+ ADMX_Taskbar/NoPinningToDestinations +
+
+ ADMX_Taskbar/NoPinningToTaskbar +
+
+ ADMX_Taskbar/NoRemoteDestinations +
+
+ ADMX_Taskbar/NoSystraySystemPromotion +
+
+ ADMX_Taskbar/ShowWindowsStoreAppsOnTaskbar +
+
+ ADMX_Taskbar/TaskbarLockAll +
+
+ ADMX_Taskbar/TaskbarNoAddRemoveToolbar +
+
+ ADMX_Taskbar/TaskbarNoDragToolbar +
+
+ ADMX_Taskbar/TaskbarNoMultimon +
+
+ ADMX_Taskbar/TaskbarNoNotification +
+
+ ADMX_Taskbar/TaskbarNoPinnedList +
+
+ ADMX_Taskbar/TaskbarNoRedock +
+
+ ADMX_Taskbar/TaskbarNoResize +
+
+ ADMX_Taskbar/TaskbarNoThumbnail +
+
+ + +
+ + +**ADMX_Taskbar/DisableNotificationCenter** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting removes Notifications and Action Center from the notification area on the taskbar. + +The notification area is located at the far right end of the taskbar and includes icons for current notifications and the system clock. + +If this setting is enabled, Notifications and Action Center is not displayed in the notification area. The user will be able to read notifications when they appear, but they won’t be able to review any notifications they miss. + +If you disable or do not configure this policy setting, Notification and Security and Maintenance will be displayed on the taskbar. + +A reboot is required for this policy setting to take effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Notifications and Action Center* +- GP name: *DisableNotificationCenter* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ + +**ADMX_Taskbar/EnableLegacyBalloonNotifications** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy disables the functionality that converts balloons to toast notifications. + +If you enable this policy setting, system and application notifications will render as balloons instead of toast notifications. + +Enable this policy setting if a specific app or system component that uses balloon notifications has compatibility issues with toast notifications. + +If you disable or don’t configure this policy setting, all notifications will appear as toast notifications. + +A reboot is required for this policy setting to take effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable showing balloon notifications as toasts.* +- GP name: *EnableLegacyBalloonNotifications* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ + +**ADMX_Taskbar/HideSCAHealth** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove Security and Maintenance from the system control area. + +If you enable this policy setting, the Security and Maintenance icon is not displayed in the system notification area. + +If you disable or do not configure this policy setting, the Security and Maintenance icon is displayed in the system notification area. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove the Security and Maintenance icon* +- GP name: *HideSCAHealth* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ + +**ADMX_Taskbar/HideSCANetwork** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the networking icon from the system control area. + +If you enable this policy setting, the networking icon is not displayed in the system notification area. + +If you disable or do not configure this policy setting, the networking icon is displayed in the system notification area. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove the networking icon* +- GP name: *HideSCANetwork* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ + +**ADMX_Taskbar/HideSCAPower** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the battery meter from the system control area. + +If you enable this policy setting, the battery meter is not displayed in the system notification area. + +If you disable or do not configure this policy setting, the battery meter is displayed in the system notification area. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove the battery meter* +- GP name: *HideSCAPower* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ + +**ADMX_Taskbar/HideSCAVolume** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the volume control icon from the system control area. + +If you enable this policy setting, the volume control icon is not displayed in the system notification area. + +If you disable or do not configure this policy setting, the volume control icon is displayed in the system notification area. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove the volume control icon* +- GP name: *HideSCAVolume* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ + +**ADMX_Taskbar/NoBalloonFeatureAdvertisements** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off feature advertisement balloon notifications. + +If you enable this policy setting, certain notification balloons that are marked as feature advertisements are not shown. + +If you disable do not configure this policy setting, feature advertisement balloons are shown. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off feature advertisement balloon notifications* +- GP name: *NoBalloonFeatureAdvertisements* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ + +**ADMX_Taskbar/NoPinningStoreToTaskbar** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control pinning the Store app to the Taskbar. + +If you enable this policy setting, users cannot pin the Store app to the Taskbar. If the Store app is already pinned to the Taskbar, it will be removed from the Taskbar on next login. + +If you disable or do not configure this policy setting, users can pin the Store app to the Taskbar. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow pinning Store app to the Taskbar* +- GP name: *NoPinningStoreToTaskbar* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ + +**ADMX_Taskbar/NoPinningToDestinations** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control pinning items in Jump Lists. + +If you enable this policy setting, users cannot pin files, folders, websites, or other items to their Jump Lists in the Start Menu and Taskbar. Users also cannot unpin existing items pinned to their Jump Lists. Existing items already pinned to their Jump Lists will continue to show. + +If you disable or do not configure this policy setting, users can pin files, folders, websites, and other items to a program's Jump List so that the items is always present in this menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow pinning items in Jump Lists* +- GP name: *NoPinningToDestinations* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ + +**ADMX_Taskbar/NoPinningToTaskbar** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control pinning programs to the Taskbar. + +If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. + +If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow pinning programs to the Taskbar* +- GP name: *NoPinningToTaskbar* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ +
+ + +**ADMX_Taskbar/NoRemoteDestinations** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control displaying or tracking items in Jump Lists from remote locations. + +The Start Menu and Taskbar display Jump Lists off of programs. These menus include files, folders, websites and other relevant items for that program. This helps users more easily reopen their most important documents and other tasks. + +If you enable this policy setting, the Start Menu and Taskbar only track the files that the user opens locally on this computer. Files that the user opens over the network from remote computers are not tracked or shown in the Jump Lists. Use this setting to reduce network traffic, particularly over slow network connections. + +If you disable or do not configure this policy setting, all files that the user opens appear in the menus, including files located remotely on another computer. Note: This setting does not prevent Windows from displaying remote files that the user has explicitly pinned to the Jump Lists. See the "Do not allow pinning items in Jump Lists" policy setting. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not display or track items in Jump Lists from remote locations* +- GP name: *NoRemoteDestinations* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ +
+ + +**ADMX_Taskbar/NoSystraySystemPromotion** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off automatic promotion of notification icons to the taskbar. + +If you enable this policy setting, newly added notification icons are not temporarily promoted to the Taskbar. Users can still configure icons to be shown or hidden in the Notification Control Panel. + +If you disable or do not configure this policy setting, newly added notification icons are temporarily promoted to the Taskbar. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off automatic promotion of notification icons to the taskbar* +- GP name: *NoSystraySystemPromotion* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ +
+ + +**ADMX_Taskbar/ShowWindowsStoreAppsOnTaskbar** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows users to see Windows Store apps on the taskbar. + +If you enable this policy setting, users will see Windows Store apps on the taskbar. + +If you disable this policy setting, users won’t see Windows Store apps on the taskbar. + +If you don’t configure this policy setting, the default setting for the user’s device will be used, and the user can choose to change it. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Show Windows Store apps on the taskbar* +- GP name: *ShowWindowsStoreAppsOnTaskbar* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ +
+ + +**ADMX_Taskbar/TaskbarLockAll** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to lock all taskbar settings. + +If you enable this policy setting, the user cannot access the taskbar control panel. The user is also unable to resize, move or rearrange toolbars on their taskbar. + +If you disable or do not configure this policy setting, the user will be able to set any taskbar setting that is not prevented by another policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Lock all taskbar settings* +- GP name: *TaskbarLockAll* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ +
+ + +**ADMX_Taskbar/TaskbarNoAddRemoveToolbar** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from adding or removing toolbars. + +If you enable this policy setting, the user is not allowed to add or remove any toolbars to the taskbar. Applications are not able to add toolbars either. + +If you disable or do not configure this policy setting, the users and applications are able to add toolbars to the taskbar. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent users from adding or removing toolbars* +- GP name: *TaskbarNoAddRemoveToolbar* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ +
+ + +**ADMX_Taskbar/TaskbarNoDragToolbar** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from rearranging toolbars. + +If you enable this policy setting, users are not able to drag or drop toolbars to the taskbar. + +If you disable or do not configure this policy setting, users are able to rearrange the toolbars on the taskbar. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent users from rearranging toolbars* +- GP name: *TaskbarNoDragToolbar* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ +
+ + +**ADMX_Taskbar/TaskbarNoMultimon** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent taskbars from being displayed on more than one monitor. + +If you enable this policy setting, users are not able to show taskbars on more than one display. The multiple display section is not enabled in the taskbar properties dialog. + +If you disable or do not configure this policy setting, users can show taskbars on more than one display. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow taskbars on more than one display* +- GP name: *TaskbarNoMultimon* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ +
+ + +**ADMX_Taskbar/TaskbarNoNotification** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off all notification balloons. + +If you enable this policy setting, no notification balloons are shown to the user. + +If you disable or do not configure this policy setting, notification balloons are shown to the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off all balloon notifications* +- GP name: *TaskbarNoNotification* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ +
+ + +**ADMX_Taskbar/TaskbarNoPinnedList** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove pinned programs from the taskbar. + +If you enable this policy setting, pinned programs are prevented from being shown on the Taskbar. Users cannot pin programs to the Taskbar. + +If you disable or do not configure this policy setting, users can pin programs so that the program shortcuts stay on the Taskbar. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove pinned programs from the Taskbar* +- GP name: *TaskbarNoPinnedList* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ +
+ + +**ADMX_Taskbar/TaskbarNoRedock** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from moving taskbar to another screen dock location. + +If you enable this policy setting, users are not able to drag their taskbar to another area of the monitor(s). + +If you disable or do not configure this policy setting, users are able to drag their taskbar to another area of the monitor unless prevented by another policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent users from moving taskbar to another screen dock location* +- GP name: *TaskbarNoRedock* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ +
+ + +**ADMX_Taskbar/TaskbarNoResize** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from resizing the taskbar. + +If you enable this policy setting, users are not be able to resize their taskbar. + +If you disable or do not configure this policy setting, users are able to resize their taskbar unless prevented by another setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent users from resizing the taskbar* +- GP name: *TaskbarNoResize* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ +
+ + +**ADMX_Taskbar/TaskbarNoThumbnail** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off taskbar thumbnails. + +If you enable this policy setting, the taskbar thumbnails are not displayed and the system uses standard text for the tooltips. + +If you disable or do not configure this policy setting, the taskbar thumbnails are displayed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off taskbar thumbnails* +- GP name: *TaskbarNoThumbnail* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-wcm.md b/windows/client-management/mdm/policy-csp-admx-wcm.md new file mode 100644 index 0000000000..0590f12265 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-wcm.md @@ -0,0 +1,272 @@ +--- +title: Policy CSP - ADMX_WCM +description: Policy CSP - ADMX_WCM +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 10/22/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_WCM +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_WCM policies + +
+
+ ADMX_WCM/WCM_DisablePowerManagement +
+
+ ADMX_WCM/WCM_EnableSoftDisconnect +
+
+ ADMX_WCM/WCM_MinimizeConnections +
+
+ + +
+ + +**ADMX_WCM/WCM_DisablePowerManagement** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that power management is disabled when the machine enters connected standby mode. + +If this policy setting is enabled, Windows Connection Manager does not manage adapter radios to reduce power consumption when the machine enters connected standby mode. + +If this policy setting is not configured or is disabled, power management is enabled when the machine enters connected standby mode. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable power management in connected standby mode* +- GP name: *WCM_DisablePowerManagement* +- GP path: *Network\Windows Connection Manager* +- GP ADMX file name: *WCM.admx* + + + +
+ + +**ADMX_WCM/WCM_EnableSoftDisconnect** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows will soft-disconnect a computer from a network. + +If this policy setting is enabled or not configured, Windows will soft-disconnect a computer from a network when it determines that the computer should no longer be connected to a network. + +If this policy setting is disabled, Windows will disconnect a computer from a network immediately when it determines that the computer should no longer be connected to a network. + +When soft disconnect is enabled: + +- When Windows decides that the computer should no longer be connected to a network, it waits for traffic to settle on that network. The existing TCP session will continue uninterrupted. +- Windows then checks the traffic level on the network periodically. If the traffic level is above a certain threshold, no further action is taken. The computer stays connected to the network and continues to use it. For example, if the network connection is currently being used to download files from the Internet, the files will continue to be downloaded using that network connection. +- When the network traffic drops below this threshold, the computer will be disconnected from the network. Apps that keep a network connection active even when they’re not actively using it (for example, email apps) might lose their connection. If this happens, these apps should re-establish their connection over a different network. + +This policy setting depends on other group policy settings. For example, if 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is disabled, Windows will not disconnect from any networks. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable Windows to soft-disconnect a computer from a network* +- GP name: *WCM_EnableSoftDisconnect* +- GP path: *Network\Windows Connection Manager* +- GP ADMX file name: *WCM.admx* + + + +
+ + +**ADMX_WCM/WCM_MinimizeConnections** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines if a computer can have multiple connections to the internet or to a Windows domain. If multiple connections are allowed, it then determines how network traffic will be routed. + +If this policy setting is set to 0, a computer can have simultaneous connections to the internet, to a Windows domain, or to both. Internet traffic can be routed over any connection - including a cellular connection and any metered network. This was previously the Disabled state for this policy setting. This option was first available in Windows 8. + +If this policy setting is set to 1, any new automatic internet connection is blocked when the computer has at least one active internet connection to a preferred type of network. Here's the order of preference (from most preferred to least preferred): Ethernet, WLAN, then cellular. Ethernet is always preferred when connected. Users can still manually connect to any network. This was previously the Enabled state for this policy setting. This option was first available in Windows 8. + +If this policy setting is set to 2, the behavior is similar to 1. However, if a cellular data connection is available, it will always stay connected for services that require a cellular connection. When the user is connected to a WLAN or Ethernet connection, no internet traffic will be routed over the cellular connection. This option was first available in Windows 10 (Version 1703). + +If this policy setting is set to 3, the behavior is similar to 2. However, if there's an Ethernet connection, Windows won't allow users to connect to a WLAN manually. A WLAN can only be connected (automatically or manually) when there's no Ethernet connection. + +This policy setting is related to the "Enable Windows to soft-disconnect a computer from a network" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Minimize the number of simultaneous connections to the Internet or a Windows Domain* +- GP name: *WCM_MinimizeConnections* +- GP path: *Network\Windows Connection Manager* +- GP ADMX file name: *WCM.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md new file mode 100644 index 0000000000..c293e80086 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md @@ -0,0 +1,5367 @@ +--- +title: Policy CSP - ADMX_WindowsExplorer +description: Policy CSP - ADMX_WindowsExplorer +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 10/29/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_WindowsExplorer +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + + +## ADMX_WindowsExplorer policies + +
+
+ ADMX_WindowsExplorer/CheckSameSourceAndTargetForFRAndDFS +
+
+ ADMX_WindowsExplorer/ClassicShell +
+
+ ADMX_WindowsExplorer/ConfirmFileDelete +
+
+ ADMX_WindowsExplorer/DefaultLibrariesLocation +
+
+ ADMX_WindowsExplorer/DisableBindDirectlyToPropertySetStorage +
+
+ ADMX_WindowsExplorer/DisableIndexedLibraryExperience +
+
+ ADMX_WindowsExplorer/DisableKnownFolders +
+
+ ADMX_WindowsExplorer/DisableSearchBoxSuggestions +
+
+ ADMX_WindowsExplorer/EnableShellShortcutIconRemotePath +
+
+ ADMX_WindowsExplorer/EnableSmartScreen +
+
+ ADMX_WindowsExplorer/EnforceShellExtensionSecurity +
+
+ ADMX_WindowsExplorer/ExplorerRibbonStartsMinimized +
+
+ ADMX_WindowsExplorer/HideContentViewModeSnippets +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Internet +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_InternetLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Intranet +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_IntranetLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachine +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachineLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Restricted +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_RestrictedLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Trusted +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_TrustedLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Internet +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_InternetLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Intranet +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_IntranetLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachine +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachineLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Restricted +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_RestrictedLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Trusted +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_TrustedLockdown +
+
+ ADMX_WindowsExplorer/LinkResolveIgnoreLinkInfo +
+
+ ADMX_WindowsExplorer/MaxRecentDocs +
+
+ ADMX_WindowsExplorer/NoBackButton +
+
+ ADMX_WindowsExplorer/NoCDBurning +
+
+ ADMX_WindowsExplorer/NoCacheThumbNailPictures +
+
+ ADMX_WindowsExplorer/NoChangeAnimation +
+
+ ADMX_WindowsExplorer/NoChangeKeyboardNavigationIndicators +
+
+ ADMX_WindowsExplorer/NoDFSTab +
+
+ ADMX_WindowsExplorer/NoDrives +
+
+ ADMX_WindowsExplorer/NoEntireNetwork +
+
+ ADMX_WindowsExplorer/NoFileMRU +
+
+ ADMX_WindowsExplorer/NoFileMenu +
+
+ ADMX_WindowsExplorer/NoFolderOptions +
+
+ ADMX_WindowsExplorer/NoHardwareTab +
+
+ ADMX_WindowsExplorer/NoManageMyComputerVerb +
+
+ ADMX_WindowsExplorer/NoMyComputerSharedDocuments +
+
+ ADMX_WindowsExplorer/NoNetConnectDisconnect +
+
+ ADMX_WindowsExplorer/NoNewAppAlert +
+
+ ADMX_WindowsExplorer/NoPlacesBar +
+
+ ADMX_WindowsExplorer/NoRecycleFiles +
+
+ ADMX_WindowsExplorer/NoRunAsInstallPrompt +
+
+ ADMX_WindowsExplorer/NoSearchInternetTryHarderButton +
+
+ ADMX_WindowsExplorer/NoSecurityTab +
+
+ ADMX_WindowsExplorer/NoShellSearchButton +
+
+ ADMX_WindowsExplorer/NoStrCmpLogical +
+
+ ADMX_WindowsExplorer/NoViewContextMenu +
+
+ ADMX_WindowsExplorer/NoViewOnDrive +
+
+ ADMX_WindowsExplorer/NoWindowsHotKeys +
+
+ ADMX_WindowsExplorer/NoWorkgroupContents +
+
+ ADMX_WindowsExplorer/PlacesBar +
+
+ ADMX_WindowsExplorer/PromptRunasInstallNetPath +
+
+ ADMX_WindowsExplorer/RecycleBinSize +
+
+ ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_1 +
+
+ ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_2 +
+
+ ADMX_WindowsExplorer/ShowHibernateOption +
+
+ ADMX_WindowsExplorer/ShowSleepOption +
+
+ ADMX_WindowsExplorer/TryHarderPinnedLibrary +
+
+ ADMX_WindowsExplorer/TryHarderPinnedOpenSearch +
+
+ + +
+ + +**ADMX_WindowsExplorer/CheckSameSourceAndTargetForFRAndDFS** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent data loss when you change the target location for Folder Redirection, and the new and old targets point to the same network share, but have different network paths. + +If you enable this policy setting, Folder Redirection creates a temporary file in the old location in order to verify that new and old locations point to the same network share. If both new and old locations point to the same share, the target path is updated and files are not copied or deleted. The temporary file is deleted. + +If you disable or do not configure this policy setting, Folder Redirection does not create a temporary file and functions as if both new and old locations point to different shares when their network paths are different. + +> [!NOTE] +> If the paths point to different network shares, this policy setting is not required. If the paths point to the same network share, any data contained in the redirected folders is deleted if this policy setting is not enabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Verify old and new Folder Redirection targets point to the same share before redirecting* +- GP name: *CheckSameSourceAndTargetForFRAndDFS* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + + +
+ + +**ADMX_WindowsExplorer/ClassicShell** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting allows an administrator to revert specific Windows Shell behavior to classic Shell behavior. + +If you enable this setting, users cannot configure their system to open items by single-clicking (such as in Mouse in Control Panel). As a result, the user interface looks and operates like the interface for Windows NT 4.0, and users cannot restore the new features. + +Enabling this policy will also turn off the preview pane and set the folder options for File Explorer to Use classic folders view and disable the users ability to change these options. + +If you disable or not configure this policy, the default File Explorer behavior is applied to the user. + +> [!NOTE] +> In operating systems earlier than Windows Vista, enabling this policy will also disable the Active Desktop and Web view. This setting will also take precedence over the "Enable Active Desktop" setting. If both policies are enabled, Active Desktop is disabled. Also, see the "Disable Active Desktop" setting in User Configuration\Administrative Templates\Desktop\Active Desktop and the "Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon" setting in User Configuration\Administrative Templates\Windows Components\File Explorer. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on Classic Shell* +- GP name: *ClassicShell* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/ConfirmFileDelete** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Allows you to have File Explorer display a confirmation dialog whenever a file is deleted or moved to the Recycle Bin. + +If you enable this setting, a confirmation dialog is displayed when a file is deleted or moved to the Recycle Bin by the user. + +If you disable or do not configure this setting, the default behavior of not displaying a confirmation dialog occurs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Display confirmation dialog when deleting files* +- GP name: *ConfirmFileDelete* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/DefaultLibrariesLocation** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify a location where all default Library definition files for users/machines reside. + +If you enable this policy setting, administrators can specify a path where all default Library definition files for users reside. The user will not be allowed to make changes to these Libraries from the UI. On every logon, the policy settings are verified and Libraries for the user are updated or changed according to the path defined. + +If you disable or do not configure this policy setting, no changes are made to the location of the default Library definition files. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Location where all default Library definition files for users/machines reside.* +- GP name: *DefaultLibrariesLocation* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/DisableBindDirectlyToPropertySetStorage** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Changes the behavior of IShellFolder::BindToObject for IID_IPropertySetStorage to not bind directly to the IPropertySetStorage implementation, and to include the intermediate layers provided by the Property System. + +This behavior is consistent with Windows Vista's behavior in this scenario. + +This disables access to user-defined properties, and properties stored in NTFS secondary streams. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable binding directly to IPropertySetStorage without intermediate layers.* +- GP name: *DisableBindDirectlyToPropertySetStorage* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/DisableIndexedLibraryExperience** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Windows Libraries features that need indexed file metadata to function properly. + +If you enable this policy, some Windows Libraries features will be turned off to better handle included folders that have been redirected to non-indexed network locations. + +Setting this policy will: + +- Disable all Arrangement views except for "By Folder" +- Disable all Search filter suggestions other than "Date Modified" and "Size" +- Disable view of file content snippets in Content mode when search results are returned +- Disable ability to stack in the Context menu and Column headers +- Exclude Libraries from the scope of Start search This policy will not enable users to add unsupported locations to Libraries + +If you enable this policy, Windows Libraries features that rely on indexed file data will be disabled. + +If you disable or do not configure this policy, all default Windows Libraries features will be enabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Windows Libraries features that rely on indexed file data* +- GP name: *DisableIndexedLibraryExperience* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + + +
+ + +**ADMX_WindowsExplorer/DisableKnownFolders** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify a list of known folders that should be disabled. + +Disabling a known folder will prevent the underlying file or directory from being created via the known folder API. If the folder exists before the policy is applied, the folder must be manually deleted since the policy only blocks the creation of the folder. + +You can specify a known folder using its known folder id or using its canonical name. For example, the Sample Videos known folder can be disabled by specifying {440fcffd-a92b-4739-ae1a-d4a54907c53f} or SampleVideos. + +> [!NOTE] +> Disabling a known folder can introduce application compatibility issues in applications that depend on the existence of the known folder. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable Known Folders* +- GP name: *DisableKnownFolders* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/DisableSearchBoxSuggestions** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Disables suggesting recent queries for the Search Box and prevents entries into the Search Box from being stored in the registry for future references. + +File Explorer shows suggestion pop-ups as users type into the Search Box. + +These suggestions are based on their past entries into the Search Box. + +> [!NOTE] +> If you enable this policy, File Explorer will not show suggestion pop-ups as users type into the Search Box, and it will not store Search Box entries into the registry for future references. If the user types a property, values that match this property will be shown but no data will be saved in the registry or re-shown on subsequent uses of the search box. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off display of recent search entries in the File Explorer search box* +- GP name: *DisableSearchBoxSuggestions* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + + +
+ + +**ADMX_WindowsExplorer/EnableShellShortcutIconRemotePath** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether remote paths can be used for file shortcut (.lnk file) icons. + +If you enable this policy setting, file shortcut icons are allowed to be obtained from remote paths. + +If you disable or do not configure this policy setting, file shortcut icons that use remote paths are prevented from being displayed. + +> [!NOTE] +> Allowing the use of remote paths in file shortcut icons can expose users’ computers to security risks. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow the use of remote paths in file shortcut icons* +- GP name: *EnableShellShortcutIconRemotePath* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + + +
+ + +**ADMX_WindowsExplorer/EnableSmartScreen** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy allows you to turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that do not appear to be suspicious. + +Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. + +If you enable this policy, SmartScreen will be turned on for all users. Its behavior can be controlled by the following options: + +- Warn and prevent bypass +- Warn + +If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs will not present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app. If you enable this policy with the "Warn" option, SmartScreen's dialogs will warn the user that the app appears suspicious, but will permit the user to disregard the warning and run the app anyway. SmartScreen will not warn the user again for that app if the user tells SmartScreen to run the app. + +If you disable this policy, SmartScreen will be turned off for all users. Users will not be warned if they try to run suspicious apps from the Internet. + +If you do not configure this policy, SmartScreen will be enabled by default, but users may change their settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Windows Defender SmartScreen* +- GP name: *EnableSmartScreen* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/EnforceShellExtensionSecurity** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting is designed to ensure that shell extensions can operate on a per-user basis. + +If you enable this setting, Windows is directed to only run those shell extensions that have either been approved by an administrator or that will not impact other users of the machine. A shell extension only runs if there is an entry in at least one of the following locations in registry. + +For shell extensions that have been approved by the administrator and are available to all users of the computer, there must be an entry at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved. + +For shell extensions to run on a per-user basis, there must be an entry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow only per user or approved shell extensions* +- GP name: *EnforceShellExtensionSecurity* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/ExplorerRibbonStartsMinimized** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether the ribbon appears minimized or in full when new File Explorer windows are opened. + +If you enable this policy setting, you can set how the ribbon appears the first time users open File Explorer and whenever they open new windows. + +If you disable or do not configure this policy setting, users can choose how the ribbon appears when they open new windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Start File Explorer with ribbon minimized* +- GP name: *ExplorerRibbonStartsMinimized* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/HideContentViewModeSnippets** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off the display of snippets in Content view mode. + +If you enable this policy setting, File Explorer will not display snippets in Content view mode. + +If you disable or do not configure this policy setting, File Explorer shows snippets in Content view mode by default. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off the display of snippets in Content view mode* +- GP name: *HideContentViewModeSnippets* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Internet** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. + +If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +Changes to this setting may not be applied until the user logs off from Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* +- GP name: *IZ_Policy_OpenSearchPreview_Internet* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_InternetLockdown** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. + +If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +Changes to this setting may not be applied until the user logs off from Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow OpenSearch queries in File Explorer* +- GP name: *IZ_Policy_OpenSearchPreview_InternetLockdown* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Intranet** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. + +If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +Changes to this setting may not be applied until the user logs off from Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* +- GP name: *IZ_Policy_OpenSearchPreview_Intranet* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_IntranetLockdown** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. + +If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +Changes to this setting may not be applied until the user logs off from Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* +- GP name: *IZ_Policy_OpenSearchPreview_IntranetLockdown* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachine** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. + +If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +Changes to this setting may not be applied until the user logs off from Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* +- GP name: *IZ_Policy_OpenSearchPreview_LocalMachine* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachineLockdown** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. + +If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +Changes to this setting may not be applied until the user logs off from Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* +- GP name: *IZ_Policy_OpenSearchPreview_LocalMachineLockdown* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Restricted** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. + +If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you do not configure this policy setting, users cannot preview items or get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +Changes to this setting may not be applied until the user logs off from Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* +- GP name: *IZ_Policy_OpenSearchPreview_Restricted* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_RestrictedLockdown** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. + +If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you do not configure this policy setting, users cannot preview items or get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +Changes to this setting may not be applied until the user logs off from Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* +- GP name: *IZ_Policy_OpenSearchPreview_RestrictedLockdown* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Trusted** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. + +If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +Changes to this setting may not be applied until the user logs off from Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* +- GP name: *IZ_Policy_OpenSearchPreview_Trusted* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_TrustedLockdown** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. + +If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +Changes to this setting may not be applied until the user logs off from Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* +- GP name: *IZ_Policy_OpenSearchPreview_TrustedLockdown* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Internet** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. + +If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + +If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. + +If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow OpenSearch queries in File Explorer* +- GP name: *IZ_Policy_OpenSearchQuery_Internet* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_InternetLockdown** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. + +If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + +If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. + +If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow OpenSearch queries in File Explorer* +- GP name: *IZ_Policy_OpenSearchQuery_InternetLockdown* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Intranet** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. + +If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + +If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. + +If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow OpenSearch queries in File Explorer* +- GP name: *IZ_Policy_OpenSearchQuery_Intranet* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_IntranetLockdown** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. + +If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + +If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. + +If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow OpenSearch queries in File Explorer* +- GP name: *IZ_Policy_OpenSearchQuery_IntranetLockdown* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachine** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. + +If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + +If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. + +If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow OpenSearch queries in File Explorer* +- GP name: *IZ_Policy_OpenSearchQuery_LocalMachine* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachineLockdown** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. + +If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + +If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. + +If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow OpenSearch queries in File Explorer* +- GP name: *IZ_Policy_OpenSearchQuery_LocalMachineLockdown* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Restricted** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. + +If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + +If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. + +If you do not configure this policy setting, users cannot perform OpenSearch queries in this zone using Search Connectors. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow OpenSearch queries in File Explorer* +- GP name: *IZ_Policy_OpenSearchQuery_Restricted* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_RestrictedLockdown** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. + +If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + +If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. + +If you do not configure this policy setting, users cannot perform OpenSearch queries in this zone using Search Connectors. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow OpenSearch queries in File Explorer* +- GP name: *IZ_Policy_OpenSearchQuery_RestrictedLockdown* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Trusted** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. + +If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + +If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. + +If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow OpenSearch queries in File Explorer* +- GP name: *IZ_Policy_OpenSearchQuery_Trusted* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_TrustedLockdown** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. + +If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + +If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. + +If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow OpenSearch queries in File Explorer* +- GP name: *IZ_Policy_OpenSearchQuery_TrustedLockdown* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/LinkResolveIgnoreLinkInfo** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows traces shortcuts back to their sources when it cannot find the target on the user's system. + +Shortcut files typically include an absolute path to the original target file as well as the relative path to the current target file. When the system cannot find the file in the current target path, then, by default, it searches for the target in the original path. If the shortcut has been copied to a different computer, the original path might lead to a network computer, including external resources, such as an Internet server. + +If you enable this policy setting, Windows only searches the current target path. It does not search for the original path even when it cannot find the target file in the current target path. + +If you disable or do not configure this policy setting, Windows searches for the original path when it cannot find the target file in the current target path. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not track Shell shortcuts during roaming* +- GP name: *LinkResolveIgnoreLinkInfo* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/MaxRecentDocs** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set the maximum number of shortcuts the system can display in the Recent Items menu on the Start menu. The Recent Items menu contains shortcuts to the nonprogram files the user has most recently opened. + +If you enable this policy setting, the system displays the number of shortcuts specified by the policy setting. + +If you disable or do not configure this policy setting, by default, the system displays shortcuts to the 10 most recently opened documents. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Maximum number of recent documents* +- GP name: *MaxRecentDocs* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoBackButton** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Hide the Back button in the Open dialog box. This policy setting lets you remove new features added in Microsoft Windows 2000 Professional, so the Open dialog box appears as it did in Windows NT 4.0 and earlier. This policy setting affects only programs that use the standard Open dialog box provided to developers of Windows programs. + +If you enable this policy setting, the Back button is removed from the standard Open dialog box. + +If you disable or do not configure this policy setting, the Back button is displayed for any standard Open dialog box. To see an example of the standard Open dialog box, start Notepad and, on the File menu, click Open. + +> [!NOTE] +> In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. Also, third-party applications with Windows 2000 or later certification to are required to adhere to this policy setting. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide the common dialog back button* +- GP name: *NoBackButton* +- GP path: *Windows Components\File Explorer\Common Open File Dialog* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoCDBurning** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove CD Burning features. File Explorer allows you to create and modify re-writable CDs if you have a CD writer connected to your PC. + +If you enable this policy setting, all features in the File Explorer that allow you to use your CD writer are removed. + +If you disable or do not configure this policy setting, users are able to use the File Explorer CD burning features. + +> [!NOTE] +> This policy setting does not prevent users from using third-party applications to create or modify CDs using a CD writer. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove CD Burning features* +- GP name: *NoCDBurning* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoCacheThumbNailPictures** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off caching of thumbnail pictures. + +If you enable this policy setting, thumbnail views are not cached. + +If you disable or do not configure this policy setting, thumbnail views are cached. + +> [!NOTE] +> For shared corporate workstations or computers where security is a top concern, you should enable this policy setting to turn off the thumbnail view cache, because the thumbnail cache can be read by everyone. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off caching of thumbnail pictures* +- GP name: *NoCacheThumbNailPictures* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoChangeAnimation** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from enabling or disabling minor animations in the operating system for the movement of windows, menus, and lists. + +If you enable this policy setting, the "Use transition effects for menus and tooltips" option in Display in Control Panel is disabled, and cannot be toggled by users. + +Effects, such as animation, are designed to enhance the user's experience but might be confusing or distracting to some users. + +If you disable or do not configure this policy setting, users are allowed to turn on or off these minor system animations using the "Use transition effects for menus and tooltips" option in Display in Control Panel. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove UI to change menu animation setting* +- GP name: *NoChangeAnimation* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoChangeKeyboardNavigationIndicators** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Disables the "Hide keyboard navigation indicators until I use the ALT key" option in Display in Control Panel. When this Display Properties option is selected, the underlining that indicates a keyboard shortcut character (hot key) does not appear on menus until you press ALT. + +Effects, such as transitory underlines, are designed to enhance the user's experience but might be confusing or distracting to some users. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove UI to change keyboard navigation indicator setting* +- GP name: *NoChangeKeyboardNavigationIndicators* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoDFSTab** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the DFS tab from File Explorer. + +If you enable this policy setting, the DFS (Distributed File System) tab is removed from File Explorer and from other programs that use the File Explorer browser, such as My Computer. As a result, users cannot use this tab to view or change the properties of the DFS shares available from their computer. This policy setting does not prevent users from using other methods to configure DFS. + +If you disable or do not configure this policy setting, the DFS tab is available. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove DFS tab* +- GP name: *NoDFSTab* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoDrives** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to hide these specified drives in My Computer. + +This policy setting allows you to remove the icons representing selected hard drives from My Computer and File Explorer. Also, the drive letters representing the selected drives do not appear in the standard Open dialog box. + +If you enable this policy setting, select a drive or combination of drives in the drop-down list. + +> [!NOTE] +> This policy setting removes the drive icons. Users can still gain access to drive contents by using other methods, such as by typing the path to a directory on the drive in the Map Network Drive dialog box, in the Run dialog box, or in a command window. Also, this policy setting does not prevent users from using programs to access these drives or their contents. And, it does not prevent users from using the Disk Management snap-in to view and change drive characteristics. + +If you disable or do not configure this policy setting, all drives are displayed, or select the "Do not restrict drives" option in the drop-down list. Also, see the "Prevent access to drives from My Computer" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide these specified drives in My Computer* +- GP name: *NoDrives* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoEntireNetwork** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Removes all computers outside of the user's workgroup or local domain from lists of network resources in File Explorer and Network Locations. + +If you enable this setting, the system removes the Entire Network option and the icons representing networked computers from Network Locations and from the browser associated with the Map Network Drive option. + +This setting does not prevent users from viewing or connecting to computers in their workgroup or domain. It also does not prevent users from connecting to remote computers by other commonly used methods, such as by typing the share name in the Run dialog box or the Map Network Drive dialog box. + +To remove computers in the user's workgroup or domain from lists of network resources, use the "No Computers Near Me in Network Locations" setting. + +> [!NOTE] +> It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *No Entire Network in Network Locations* +- GP name: *NoEntireNetwork* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoFileMRU** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Removes the list of most recently used files from the Open dialog box. + +If you disable this setting or do not configure it, the "File name" field includes a drop-down list of recently used files. If you enable this setting, the "File name" field is a simple text box. Users must browse directories to find a file or type a file name in the text box. + +This setting, and others in this folder, lets you remove new features added in Windows 2000 Professional, so that the Open dialog box looks like it did in Windows NT 4.0 and earlier. These policies only affect programs that use the standard Open dialog box provided to developers of Windows programs. + +To see an example of the standard Open dialog box, start WordPad and, on the File menu, click Open. + +> [!NOTE] +> In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide the dropdown list of recent files* +- GP name: *NoFileMRU* +- GP path: *Windows Components\File Explorer\Common Open File Dialog* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoFileMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Removes the File menu from My Computer and File Explorer. + +This setting does not prevent users from using other methods to perform tasks available on the File menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove File menu from File Explorer* +- GP name: *NoFileMenu* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoFolderOptions** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from accessing Folder Options through the View tab on the ribbon in File Explorer. + +Folder Options allows users to change the way files and folders open, what appears in the navigation pane, and other advanced view settings. + +If you enable this policy setting, users will receive an error message if they tap or click the Options button or choose the Change folder and search options command, and they will not be able to open Folder Options. + +If you disable or do not configure this policy setting, users can open Folder Options from the View tab on the ribbon. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon* +- GP name: *NoFolderOptions* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoHardwareTab** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Removes the Hardware tab. This setting removes the Hardware tab from Mouse, Keyboard, and Sounds and Audio Devices in Control Panel. It also removes the Hardware tab from the Properties dialog box for all local drives, including hard drives, floppy disk drives, and CD-ROM drives. As a result, users cannot use the Hardware tab to view or change the device list or device properties, or use the Troubleshoot button to resolve problems with the device. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Hardware tab* +- GP name: *NoHardwareTab* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoManageMyComputerVerb** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Removes the Manage item from the File Explorer context menu. This context menu appears when you right-click File Explorer or My Computer. + +The Manage item opens Computer Management (Compmgmt.msc), a console tool that includes many of the primary Windows 2000 administrative tools, such as Event Viewer, Device Manager, and Disk Management. You must be an administrator to use many of the features of these tools. + +This setting does not remove the Computer Management item from the Start menu (Start, Programs, Administrative Tools, Computer Management), nor does it prevent users from using other methods to start Computer Management. + +> [!TIP] +> To hide all context menus, use the "Remove File Explorer's default context menu" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hides the Manage item on the File Explorer context menu* +- GP name: *NoManageMyComputerVerb* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoMyComputerSharedDocuments** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Shared Documents folder from My Computer. When a Windows client is in a workgroup, a Shared Documents icon appears in the File Explorer Web view under "Other Places" and also under "Files Stored on This Computer" in My Computer. Using this policy setting, you can choose not to have these items displayed. + +If you enable this policy setting, the Shared Documents folder is not displayed in the Web view or in My Computer. + +If you disable or do not configure this policy setting, the Shared Documents folder is displayed in Web view and also in My Computer when the client is part of a workgroup. + +> [!NOTE] +> The ability to remove the Shared Documents folder via Group Policy is only available on Windows XP Professional. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Shared Documents from My Computer* +- GP name: *NoMyComputerSharedDocuments* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoNetConnectDisconnect** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from using File Explorer or Network Locations to map or disconnect network drives. + +If you enable this setting, the system removes the Map Network Drive and Disconnect Network Drive commands from the toolbar and Tools menus in File Explorer and Network Locations and from menus that appear when you right-click the File Explorer or Network Locations icons. + +This setting does not prevent users from connecting to another computer by typing the name of a shared folder in the Run dialog box. + +> [!NOTE] +> This setting was documented incorrectly on the Explain tab in Group Policy for Windows 2000. The Explain tab states incorrectly that this setting prevents users from connecting and disconnecting drives. +> +> It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove "Map Network Drive" and "Disconnect Network Drive"* +- GP name: *NoNetConnectDisconnect* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoNewAppAlert** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy removes the end-user notification for new application associations. These associations are based on file types (e.g. *.txt) or protocols (e.g. http:). + +If this group policy is enabled, no notifications will be shown. If the group policy is not configured or disabled, notifications will be shown to the end user if a new application has been installed that can handle the file type or protocol association that was invoked. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not show the 'new application installed' notification* +- GP name: *NoNewAppAlert* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoPlacesBar** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Removes the shortcut bar from the Open dialog box. This setting, and others in this folder, lets you remove new features added in Windows 2000 Professional, so that the Open dialog box looks like it did in Windows NT 4.0 and earlier. These policies only affect programs that use the standard Open dialog box provided to developers of Windows programs. + +To see an example of the standard Open dialog box, start WordPad and, on the File menu, click Open. + +> [!NOTE] +> In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide the common dialog places bar* +- GP name: *NoPlacesBar* +- GP path: *Windows Components\File Explorer\Common Open File Dialog* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoRecycleFiles** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. When a file or folder is deleted in File Explorer, a copy of the file or folder is placed in the Recycle Bin. Using this setting, you can change this behavior. + +If you enable this setting, files and folders that are deleted using File Explorer will not be placed in the Recycle Bin and will therefore be permanently deleted. + +If you disable or do not configure this setting, files and folders deleted using File Explorer will be placed in the Recycle Bin. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not move deleted files to the Recycle Bin* +- GP name: *NoRecycleFiles* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoRunAsInstallPrompt** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from submitting alternate logon credentials to install a program. + +This setting suppresses the "Install Program As Other User" dialog box for local and network installations. This dialog box, which prompts the current user for the user name and password of an administrator, appears when users who are not administrators try to install programs locally on their computers. This setting allows administrators who have logged on as regular users to install programs without logging off and logging on again using their administrator credentials. + +Many programs can be installed only by an administrator. If you enable this setting and a user does not have sufficient permissions to install a program, the installation continues with the current user's logon credentials. As a result, the installation might fail, or it might complete but not include all features. Or, it might appear to complete successfully, but the installed program might not operate correctly. + +If you disable this setting or do not configure it, the "Install Program As Other User" dialog box appears whenever users install programs locally on the computer. + +By default, users are not prompted for alternate logon credentials when installing programs from a network share. If enabled, this setting overrides the "Request credentials for network installations" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not request alternate credentials* +- GP name: *NoRunAsInstallPrompt* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoSearchInternetTryHarderButton** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this policy, the "Internet" "Search again" link will not be shown when the user performs a search in the Explorer window. + +If you disable this policy, there will be an "Internet" "Search again" link when the user performs a search in the Explorer window. This button launches a search in the default browser with the search terms. + +If you do not configure this policy (default), there will be an "Internet" link when the user performs a search in the Explorer window. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove the Search the Internet "Search again" link* +- GP name: *NoSearchInternetTryHarderButton* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoSecurityTab** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Removes the Security tab from File Explorer. + +If you enable this setting, users opening the Properties dialog box for all file system objects, including folders, files, shortcuts, and drives, will not be able to access the Security tab. As a result, users will be able to neither change the security settings nor view a list of all users that have access to the resource in question. + +If you disable or do not configure this setting, users will be able to access the security tab. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Security tab* +- GP name: *NoSecurityTab* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoShellSearchButton** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Search button from the File Explorer toolbar. If you enable this policy setting, the Search button is removed from the Standard Buttons toolbar that appears in File Explorer and other programs that use the File Explorer window, such as My Computer and Network Locations. Enabling this policy setting does not remove the Search button or affect any search features of Internet browser windows, such as the Internet Explorer window. + +If you disable or do not configure this policy setting, the Search button is available from the File Explorer toolbar. + +This policy setting does not affect the Search items on the File Explorer context menu or on the Start menu. To remove Search from the Start menu, use the "Remove Search menu from Start menu" policy setting (in User Configuration\Administrative Templates\Start Menu and Taskbar). To hide all context menus, use the "Remove File Explorer's default context menu" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Search button from File Explorer* +- GP name: *NoShellSearchButton* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoStrCmpLogical** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to have file names sorted literally (as in Windows 2000 and earlier) rather than in numerical order. + +If you enable this policy setting, File Explorer will sort file names by each digit in a file name (for example, 111 < 22 < 3). + +If you disable or do not configure this policy setting, File Explorer will sort file names by increasing number value (for example, 3 < 22 < 111). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off numerical sorting in File Explorer* +- GP name: *NoStrCmpLogical* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoViewContextMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Removes shortcut menus from the desktop and File Explorer. Shortcut menus appear when you right-click an item. + +If you enable this setting, menus do not appear when you right-click the desktop or when you right-click the items in File Explorer. This setting does not prevent users from using other methods to issue commands available on the shortcut menus. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove File Explorer's default context menu* +- GP name: *NoViewContextMenu* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoViewOnDrive** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from using My Computer to gain access to the content of selected drives. + +If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives. + +To use this setting, select a drive or combination of drives from the drop-down list. To allow access to all drive directories, disable this setting or select the "Do not restrict drives" option from the drop-down list. + +> [!NOTE] +> The icons representing the specified drives still appear in My Computer, but if users double-click the icons, a message appears explaining that a setting prevents the action. +> +> Also, this setting does not prevent users from using programs to access local and network drives. And, it does not prevent them from using the Disk Management snap-in to view and change drive characteristics. Also, see the "Hide these specified drives in My Computer" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent access to drives from My Computer* +- GP name: *NoViewOnDrive* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoWindowsHotKeys** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Turn off Windows Key hotkeys. Keyboards with a Windows key provide users with shortcuts to common shell features. For example, pressing the keyboard sequence Windows+R opens the Run dialog box; pressing Windows+E starts File Explorer. + +By using this setting, you can disable these Windows Key hotkeys. + +If you enable this setting, the Windows Key hotkeys are unavailable. + +If you disable or do not configure this setting, the Windows Key hotkeys are available. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Windows Key hotkeys* +- GP name: *NoWindowsHotKeys* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoWorkgroupContents** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove computers in the user's workgroup and domain from lists of network resources in File Explorer and Network Locations. + +If you enable this policy setting, the system removes the "Computers Near Me" option and the icons representing nearby computers from Network Locations. This policy setting also removes these icons from the Map Network Drive browser. + +If you disable or do not configure this policy setting, computers in the user's workgroup and domain appear in lists of network resources in File Explorer and Network Locations. + +This policy setting does not prevent users from connecting to computers in their workgroup or domain by other commonly used methods, such as typing the share name in the Run dialog box or the Map Network Drive dialog box. + +To remove network computers from lists of network resources, use the "No Entire Network in Network Locations" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *No Computers Near Me in Network Locations* +- GP name: *NoWorkgroupContents* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/PlacesBar** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Configures the list of items displayed in the Places Bar in the Windows File/Open dialog. If enable this setting you can specify from 1 to 5 items to be displayed in the Places Bar. + +The valid items you may display in the Places Bar are: + +1. Shortcuts to a local folders -- (example: `C:\Windows`) +2. Shortcuts to remote folders -- (`\\server\share`) +3. FTP folders +4. web folders +5. Common Shell folders. + +The list of Common Shell Folders that may be specified: + +Desktop, Recent Places, Documents, Pictures, Music, Recently Changed, Attachments and Saved Searches. + +If you disable or do not configure this setting the default list of items will be displayed in the Places Bar. + +> [!NOTE] +> In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Items displayed in Places Bar* +- GP name: *PlacesBar* +- GP path: *Windows Components\File Explorer\Common Open File Dialog* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/PromptRunasInstallNetPath** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prompts users for alternate logon credentials during network-based installations. + +This setting displays the "Install Program As Other User" dialog box even when a program is being installed from files on a network computer across a local area network connection. + +If you disable this setting or do not configure it, this dialog box appears only when users are installing programs from local media. + +The "Install Program as Other User" dialog box prompts the current user for the user name and password of an administrator. This setting allows administrators who have logged on as regular users to install programs without logging off and logging on again using their administrator credentials. + +If the dialog box does not appear, the installation proceeds with the current user's permissions. If these permissions are not sufficient, the installation might fail, or it might complete but not include all features. Or, it might appear to complete successfully, but the installed program might not operate correctly. + +> [!NOTE] +> If it is enabled, the "Do not request alternate credentials" setting takes precedence over this setting. When that setting is enabled, users are not prompted for alternate logon credentials on any installation. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Request credentials for network installations* +- GP name: *PromptRunasInstallNetPath* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/RecycleBinSize** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Limits the percentage of a volume's disk space that can be used to store deleted files. + +If you enable this setting, the user has a maximum amount of disk space that may be used for the Recycle Bin on their workstation. + +If you disable or do not configure this setting, users can change the total amount of disk space used by the Recycle Bin. + +> [!NOTE] +> This setting is applied to all volumes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Maximum allowed Recycle Bin size* +- GP name: *RecycleBinSize* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. + +If you enable this policy setting the protocol is fully enabled, allowing the opening of folders and files. + +If you disable this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. + +If you do not configure this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off shell protocol protected mode* +- GP name: *ShellProtocolProtectedModeTitle_1* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. + +If you enable this policy setting the protocol is fully enabled, allowing the opening of folders and files. + +If you disable this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. + +If you do not configure this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off shell protocol protected mode* +- GP name: *ShellProtocolProtectedModeTitle_2* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/ShowHibernateOption** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Shows or hides hibernate from the power options menu. + +If you enable this policy setting, the hibernate option will be shown in the Power Options menu (as long as it is supported by the machine's hardware). + +If you disable this policy setting, the hibernate option will never be shown in the Power Options menu. + +If you do not configure this policy setting, users will be able to choose whether they want hibernate to show through the Power Options Control Panel. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Show hibernate in the power options menu* +- GP name: *ShowHibernateOption* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/ShowSleepOption** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Shows or hides sleep from the power options menu. + +If you enable this policy setting, the sleep option will be shown in the Power Options menu (as long as it is supported by the machine's hardware). + +If you disable this policy setting, the sleep option will never be shown in the Power Options menu. + +If you do not configure this policy setting, users will be able to choose whether they want sleep to show through the Power Options Control Panel. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Show sleep in the power options menu* +- GP name: *ShowSleepOption* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/TryHarderPinnedLibrary** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows up to five Libraries or Search Connectors to be pinned to the "Search again" links and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. To add a Library or Search Connector link, specify the path of the .Library-ms or .searchConnector-ms file in the "Location" text box (for example, "C:\sampleLibrary.Library-ms" for the Documents library, or "C:\sampleSearchConnector.searchConnector-ms" for a Search Connector). The pinned link will only work if this path is valid and the location contains the specified .Library-ms or .searchConnector-ms file. + +You can add up to five additional links to the "Search again" links at the bottom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links. + +The first several links will also be pinned to the Start menu. A total of four links can be included on the Start menu. The "See more results" link will be pinned first by default, unless it is disabled via Group Policy. The "Search the Internet" link is pinned second, if it is pinned via Group Policy (though this link is disabled by default). If a custom Internet search link is pinned using the "Custom Internet search provider" Group Policy, this link will be pinned third on the Start menu. The remaining link(s) will be shared between pinned Search Connectors/Libraries and pinned Internet/intranet search links. Search Connector/Library links take precedence over Internet/intranet search links. + +If you enable this policy setting, the specified Libraries or Search Connectors will appear in the "Search again" links and the Start menu links. + +If you disable or do not configure this policy setting, no Libraries or Search Connectors will appear in the "Search again" links or the Start menu links. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Pin Libraries or Search Connectors to the "Search again" links and the Start menu* +- GP name: *TryHarderPinnedLibrary* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/TryHarderPinnedOpenSearch** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to add Internet or intranet sites to the "Search again" links located at the bottom of search results in File Explorer and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. The Internet search site will be searched with the text in the search box. To add an Internet search site, specify the URL of the search site in OpenSearch format with {searchTerms} for the query string (for example, http://www.example.com/results.aspx?q={searchTerms}). + +You can add up to five additional links to the "Search again" links at the bottom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links. + +The first several links will also be pinned to the Start menu. A total of four links can be pinned on the Start menu. The "See more results" link will be pinned first by default, unless it is disabled via Group Policy. The "Search the Internet" link is pinned second, if it is pinned via Group Policy (though this link is disabled by default). If a custom Internet search link is pinned using the "Custom Internet search provider" Group Policy, this link will be pinned third on the Start menu. The remaining link(s) will be shared between pinned Internet/intranet links and pinned Search Connectors/Libraries. Search Connector/Library links take precedence over Internet/intranet search links. + +If you enable this policy setting, the specified Internet sites will appear in the "Search again" links and the Start menu links. + +If you disable or do not configure this policy setting, no custom Internet search sites will be added to the "Search again" links or the Start menu links. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Pin Internet search sites to the "Search again" links and the Start menu* +- GP name: *TryHarderPinnedOpenSearch* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-windowsstore.md b/windows/client-management/mdm/policy-csp-admx-windowsstore.md new file mode 100644 index 0000000000..7be8a731e7 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-windowsstore.md @@ -0,0 +1,409 @@ +--- +title: Policy CSP - ADMX_WindowsStore +description: Policy CSP - ADMX_WindowsStore +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 10/26/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_WindowsStore +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_WindowsStore policies + +
+
+ ADMX_WindowsStore/DisableAutoDownloadWin8 +
+
+ ADMX_WindowsStore/DisableOSUpgrade_1 +
+
+ ADMX_WindowsStore/DisableOSUpgrade_2 +
+
+ ADMX_WindowsStore/RemoveWindowsStore_1 +
+
+ ADMX_WindowsStore/RemoveWindowsStore_2 +
+
+ + +
+ + +**ADMX_WindowsStore/DisableAutoDownloadWin8** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting enables or disables the automatic download of app updates on PCs running Windows 8. + +If you enable this setting, the automatic download of app updates is turned off. If you disable this setting, the automatic download of app updates is turned on. + +If you don't configure this setting, the automatic download of app updates is determined by a registry setting that the user can change using Settings in the Windows Store. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Automatic Download of updates on Win8 machines* +- GP name: *DisableAutoDownloadWin8* +- GP path: *Windows Components\Store* +- GP ADMX file name: *WindowsStore.admx* + + + +
+ +
+ + +**ADMX_WindowsStore/DisableOSUpgrade_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting enables or disables the Store offer to update to the latest version of Windows. + +If you enable this setting, the Store application will not offer updates to the latest version of Windows. + +If you disable or do not configure this setting the Store application will offer updates to the latest version of Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off the offer to update to the latest version of Windows* +- GP name: *DisableOSUpgrade_1* +- GP path: *Windows Components\Store* +- GP ADMX file name: *WindowsStore.admx* + + + +
+ +
+ + +**ADMX_WindowsStore/DisableOSUpgrade_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting enables or disables the Store offer to update to the latest version of Windows. + +If you enable this setting, the Store application will not offer updates to the latest version of Windows. + +If you disable or do not configure this setting the Store application will offer updates to the latest version of Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off the offer to update to the latest version of Windows* +- GP name: *DisableOSUpgrade_2* +- GP path: *Windows Components\Store* +- GP ADMX file name: *WindowsStore.admx* + + + +
+ +
+ + +**ADMX_WindowsStore/RemoveWindowsStore_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies or allows access to the Store application. + +If you enable this setting, access to the Store application is denied. Access to the Store is required for installing app updates. + +If you disable or don't configure this setting, access to the Store application is allowed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off the Store application* +- GP name: *RemoveWindowsStore_1* +- GP path: *Windows Components\Store* +- GP ADMX file name: *WindowsStore.admx* + + + +
+ +
+ + +**ADMX_WindowsStore/RemoveWindowsStore_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting denies or allows access to the Store application. + +If you enable this setting, access to the Store application is denied. Access to the Store is required for installing app updates. + +If you disable or don't configure this setting, access to the Store application is allowed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off the Store application* +- GP name: *RemoveWindowsStore_2* +- GP path: *Windows Components\Store* +- GP ADMX file name: *WindowsStore.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-wlansvc.md b/windows/client-management/mdm/policy-csp-admx-wlansvc.md new file mode 100644 index 0000000000..0ca862b038 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-wlansvc.md @@ -0,0 +1,260 @@ +--- +title: Policy CSP - ADMX_wlansvc +description: Policy CSP - ADMX_wlansvc +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 10/27/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_wlansvc +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_wlansvc policies + +
+
+ ADMX_wlansvc/SetCost +
+
+ ADMX_wlansvc/SetPINEnforced +
+
+ ADMX_wlansvc/SetPINPreferred +
+
+ + +
+ + +**ADMX_wlansvc/SetCost** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the cost of Wireless LAN (WLAN) connections on the local machine. + +If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all WLAN connections on the local machine: + +- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. +- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit. +- Variable: This connection is costed on a per byte basis. If this policy setting is disabled or is not configured, the cost of Wireless LAN connections is Unrestricted by default. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set Cost* +- GP name: *IncludeCmdLine* +- GP path: *Network\WLAN Service\WLAN Media Cost* +- GP ADMX file name: *wlansvc.admx* + + + +
+ + +**ADMX_wlansvc/SetPINEnforced** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy applies to Wireless Display connections. This policy means that the use of a PIN for pairing to Wireless Display devices is required rather than optional. + +Conversely it means that Push Button is NOT allowed. + +If this policy setting is disabled or is not configured, by default Push Button pairing is allowed (but not necessarily preferred). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Require PIN pairing* +- GP name: *SetPINEnforced* +- GP path: *Network\Wireless Display* +- GP ADMX file name: *wlansvc.admx* + + + +
+ + +**ADMX_wlansvc/SetPINPreferred** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy applies to Wireless Display connections. This policy changes the preference order of the pairing methods. + +When enabled, it makes the connections to prefer a PIN for pairing to Wireless Display devices over the Push Button pairing method. + +If this policy setting is disabled or is not configured, by default Push Button pairing is preferred (if allowed by other policies). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prefer PIN pairing* +- GP name: *SetPINPreferred* +- GP path: *Network\Wireless Display* +- GP ADMX file name: *wlansvc.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index 647fa545a2..7809027bc7 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -286,7 +286,7 @@ The following list shows the supported values: Allows users to turn on/off device discovery UX. -When set to 0 , the projection pane is disabled. The Win+P and Win+K shortcut keys will not work on. +When set to 0, the projection pane is disabled. The Win+P and Win+K shortcut keys will not work on. Most restricted value is 0. @@ -416,7 +416,7 @@ The following list shows the supported values: -Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory joined and MDM enrolled (e.g. auto-enrolled), then disabling the MDM unenrollment has no effect. +Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory joined and MDM enrolled (e.g., auto-enrolled), then disabling the MDM unenrollment has no effect. > [!NOTE] > The MDM server can always remotely delete the account. @@ -510,7 +510,7 @@ Allows or disallows all Windows sync settings on the device. For information abo The following list shows the supported values: -- 0 – Sync settings is not allowed. +- 0 – Sync settings are not allowed. - 1 (default) – Sync settings allowed. @@ -569,7 +569,8 @@ Added in Windows 10, version 1703. This policy allows you to prevent Windows fro Diagnostic data can include browser, app and feature usage, depending on the "Diagnostic and usage data" setting value. -> **Note** This setting does not control Cortana cutomized experiences because there are separate policies to configure it. +> [!NOTE] +> This setting does not control Cortana cutomized experiences because there are separate policies to configure it. Most restricted value is 0. @@ -1156,6 +1157,74 @@ The following list shows the supported values: + +**Experience/DisableCloudOptimizedContent** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecheck mark9
Procheck mark9
Businesscheck mark9
Enterprisecheck mark9
Educationcheck mark9
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting lets you turn off cloud optimized content in all Windows experiences. + +If you enable this policy setting, Windows experiences that use the cloud optimized content client component will present the default fallback content. + +If you disable or do not configure this policy setting, Windows experiences will be able to use cloud optimized content. + + + +ADMX Info: +- GP English name: *Turn off cloud optimized content* +- GP name: *DisableCloudOptimizedContent* +- GP path: *Windows Components/Cloud Content* +- GP ADMX file name: *CloudContent.admx* + + + +The following list shows the supported values: + +- 0 (default) – Disabled. +- 1 – Enabled. + + + +
@@ -1573,6 +1642,7 @@ Footnotes: - 6 - Available in Windows 10, version 1903. - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. +- 9 - Available in Windows 10, version 20H2. diff --git a/windows/client-management/mdm/policy-csp-multitasking.md b/windows/client-management/mdm/policy-csp-multitasking.md new file mode 100644 index 0000000000..fd1e3372e8 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-multitasking.md @@ -0,0 +1,131 @@ +--- +title: Policy CSP - Multitasking +description: Policy CSP - Multitasking +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.localizationpriority: medium +ms.date: 10/30/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - Multitasking + +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## Multitasking policies + +
+
+ Multitasking/BrowserAltTabBlowout +
+
+ + +
+ + +**Multitasking/BrowserAltTabBlowout** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark9
Businesscheck mark9
Enterprisecheck mark9
Educationcheck mark9
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + +> [!Warning] +> This policy is currently in preview mode only and will be supported in future releases. It may be used for testing purposes, but should not be used in a production environment at this time. + +This policy controls the inclusion of Edge tabs into Alt+Tab. + +Enabling this policy restricts the number of Edge tabs that are allowed to appear in the Alt+Tab switcher. Alt+Tab can be configured to show all open Edge tabs, only the 5 most recent tabs, only the 3 most recent tabs, or no tabs. Setting the policy to no tabs configures the Alt+Tab switcher to show app windows only, which is the classic Alt+Tab behavior. + +This policy only applies to the Alt+Tab switcher. When the policy is not enabled, the feature respects the user's setting in the Settings app. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure the inclusion of Edge tabs into Alt-Tab* +- GP name: *BrowserAltTabBlowout* +- GP path: *Windows Components/Multitasking* +- GP ADMX file name: *Multitasking.admx* + + + + +The following list shows the supported values: + +- 1 - Open windows and all tabs in Edge. +- 2 - Open windows and 5 most recent tabs in Edge. +- 3 - Open windows and 3 most recent tabs in Edge. +- 4 - Open windows only. + + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. +- 9 - Available in Windows 10, version 20H2. + + + diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md index 762c801e6c..8f43acb2ab 100644 --- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md +++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md @@ -78,6 +78,9 @@ If you enable this policy setting, built-in system services hosted in svchost.ex This includes a policy requiring all binaries loaded in these processes to be signed by Microsoft, as well as a policy disallowing dynamically-generated code. +> [!IMPORTANT] +> Enabling this policy could cause compatibility issues with third-party software that uses svchost.exe processes (for example, third-party antivirus software). + If you disable or do not configure this policy setting, the stricter security settings will not be applied. @@ -122,4 +125,3 @@ Footnotes: - 8 - Available in Windows 10, version 2004. - diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 5403dbf610..df70a21a7c 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 10/21/2020 +ms.date: 11/03/2020 ms.reviewer: manager: dansimp --- @@ -461,11 +461,6 @@ Enables the IT admin to manage automatic update behavior to scan, download, and Supported operations are Get and Replace. - -> [!IMPORTANT] -> This option should be used only for systems under regulatory compliance, as you will not get security updates as well. - - If the policy is not configured, end-users get the default behavior (Auto install and restart). @@ -488,6 +483,11 @@ The following list shows the supported values: - 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only. - 5 – Turn off automatic updates. + +> [!IMPORTANT] +> This option should be used only for systems under regulatory compliance, as you will not get security updates as well. + + diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index df12efd32b..b6f2c4f536 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -75,6 +75,9 @@ Here are examples of data fields. The encoded 0xF000 is the standard delimiter/s If you use Intune custom profiles to assign UserRights policies, you must use the CDATA tag (``) to wrap the data fields. You can specify one or more user groups within the CDATA tag by using 0xF000 as the delimiter/separator. +> [!NOTE] +> There is currently a reporting issue in the Microsoft Endpoint Manager (MEM) console which results in the setting reporting back a 'Remediation failed' (0x87d1fde8) error, even when the setting is successfully applied. To verify whether the setting has applied successfully, check the local Windows 10 device: Event Viewer>Applications and Services LogsWindows>DeviceManagement-Enterprise-Diagnostics-Provider>Admin>Event ID 814. This issue is the result of the use of the CDATA tags, which are neccesary when more than a single entry is required. If there is only a single entry, the CDATA tags can be omitted - which will resolve the reporting false positive. + > [!NOTE] > `` is the entity encoding of 0xF000. @@ -84,6 +87,18 @@ For example, the following syntax grants user rights to Authenticated Users and ``` +For example, the following syntax grants user rights to two specific users from Contoso, user1 and user2: + +```xml + +``` + +For example, the following syntax grants user rights to a specific user or group, by using the Security Identifier (SID) of the account or group: + +```xml + +``` +
diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index 27c1aceaf0..0ed48a5776 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md @@ -10,7 +10,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 06/03/2020 +ms.date: 10/28/2020 --- # Policy DDF file @@ -20,6 +20,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Policy* You can view various Policy DDF files by clicking the following links: +- [View the Policy DDF file for Windows 10, version 20H2](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_20H2.xml) - [View the Policy DDF file for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_2004.xml) - [View the Policy DDF file for Windows 10, version 1903](https://download.microsoft.com/download/0/C/D/0CD61812-8B9C-4846-AC4A-1545BFD201EE/PolicyDDF_all_1903.xml) - [View the Policy DDF file for Windows 10, version 1809](https://download.microsoft.com/download/7/3/5/735B8537-82F4-4CD1-B059-93984F9FAAC5/Policy_DDF_all_1809.xml) @@ -32,7 +33,7 @@ You can view various Policy DDF files by clicking the following links: You can download DDF files for various CSPs from [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is the DDF for Windows 10, version 2004. +The XML below is the DDF for Windows 10, version 20H2. ```xml @@ -8713,6 +8714,52 @@ Related policy: + + Multitasking + + + + + + + + + + + + + + + + + + + + + BrowserAltTabBlowout + + + + + + + + Configures the inclusion of Edge tabs into Alt-Tab. + + + + + + + + + + + text/plain + + + + Notifications @@ -18919,6 +18966,55 @@ Related policy: + + Multitasking + + + + + + + + + + + + + + + + + + + BrowserAltTabBlowout + + + + + 1 + Configures the inclusion of Edge tabs into Alt-Tab. + + + + + + + + + + + text/plain + + + phone + multitasking.admx + AltTabFilterDropdown + multitasking~AT~WindowsComponents~MULTITASKING + MultiTaskingAltTabFilter + LastWrite + + + Notifications @@ -29757,6 +29853,30 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + DisableCloudOptimizedContent + + + + + + + + This policy controls Windows experiences that use the cloud optimized content client component. If you enable this policy, they will present only default content. If you disable or do not configure this policy, they will be able to use cloud provided content. + + + + + + + + + + + text/plain + + + DoNotShowFeedbackNotifications @@ -38353,6 +38473,60 @@ The options are: + + LocalUsersAndGroups + + + + + + + + + + + + + + + + + + + + + Configure + + + + + + + + This Setting allows an administrator to manage local groups on a Device. + Possible settings: + 1. Update Group Membership: Update a group and add and/or remove members though the 'U' action. + When using Update, existing group members that are not specified in the policy remain untouched. + 2. Replace Group Membership: Restrict a group by replacing group membership through the 'R' action. + When using Replace, existing group membership is replaced by the list of members specified in + the add member section. This option works in the same way as a Restricted Group and any group + members that are not specified in the policy are removed. + Caution: If the same group is configured with both Replace and Update, then Replace will win. + + + + + + + + + + + text/plain + + + + LockDown @@ -38563,6 +38737,148 @@ The options are: + + MixedReality + + + + + + + + + + + + + + + + + + + + + AADGroupMembershipCacheValidityInDays + + + + + + + + + + + + + + + + + + + text/plain + + + + + BrightnessButtonDisabled + + + + + + + + + + + + + + + + + + + text/plain + + + + + FallbackDiagnostics + + + + + + + + + + + + + + + + + + + text/plain + + + + + MicrophoneDisabled + + + + + + + + + + + + + + + + + + + text/plain + + + + + VolumeButtonDisabled + + + + + + + + + + + + + + + + + + + text/plain + + + + MSSecurityGuide @@ -47384,6 +47700,30 @@ If you disable or do not configure this policy setting, the wake setting as spec + + DisableWUfBSafeguards + + + + + + + + + + + + + + + + + + + text/plain + + + EngagedRestartDeadline @@ -48152,6 +48492,30 @@ If you disable or do not configure this policy setting, the wake setting as spec + + SetProxyBehaviorForUpdateDetection + + + + + + + + + + + + + + + + + + + text/plain + + + TargetReleaseVersion @@ -61298,6 +61662,33 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor LowestValueMostSecure + + DisableCloudOptimizedContent + + + + + 0 + This policy controls Windows experiences that use the cloud optimized content client component. If you enable this policy, they will present only default content. If you disable or do not configure this policy, they will be able to use cloud provided content. + + + + + + + + + + + text/plain + + + CloudContent.admx + CloudContent~AT~WindowsComponents~CloudContent + DisableCloudOptimizedContent + HighestValueMostSecure + + DoNotShowFeedbackNotifications @@ -70811,6 +71202,116 @@ The options are: + + LocalUsersAndGroups + + + + + + + + + + + + + + + + + + + Configure + + + + + + This Setting allows an administrator to manage local groups on a Device. + Possible settings: + 1. Update Group Membership: Update a group and add and/or remove members though the 'U' action. + When using Update, existing group members that are not specified in the policy remain untouched. + 2. Replace Group Membership: Restrict a group by replacing group membership through the 'R' action. + When using Replace, existing group membership is replaced by the list of members specified in + the add member section. This option works in the same way as a Restricted Group and any group + members that are not specified in the policy are removed. + Caution: If the same group is configured with both Replace and Update, then Replace will win. + + + + + + + + + + + text/plain + + phone + LastWrite + + + + + + + + + + + + Group Configuration Action + + + + + + + + Group Member to Add + + + + + + + + Group Member to Remove + + + + + + + + Group property to configure + + + + + + + + + + + + + + + + Local Group Configuration + + + + + + + + + LockDown @@ -71027,6 +71528,146 @@ The options are: + + MixedReality + + + + + + + + + + + + + + + + + + + AADGroupMembershipCacheValidityInDays + + + + + 0 + + + + + + + + + + + + text/plain + + + LastWrite + + + + BrightnessButtonDisabled + + + + + 0 + + + + + + + + + + + + text/plain + + + HighestValueMostSecure + + + + FallbackDiagnostics + + + + + 2 + + + + + + + + + + + + text/plain + + + LastWrite + + + + MicrophoneDisabled + + + + + 0 + + + + + + + + + + + + text/plain + + + HighestValueMostSecure + + + + VolumeButtonDisabled + + + + + 0 + + + + + + + + + + + + text/plain + + + HighestValueMostSecure + + + MSSecurityGuide @@ -80733,6 +81374,30 @@ If you disable or do not configure this policy setting, the wake setting as spec LastWrite + + DisableWUfBSafeguards + + + + + 0 + + + + + + + + + + + + text/plain + + + LastWrite + + EngagedRestartDeadline @@ -81607,6 +82272,34 @@ If you disable or do not configure this policy setting, the wake setting as spec LastWrite + + SetProxyBehaviorForUpdateDetection + + + + + 0 + + + + + + + + + + + + text/plain + + + WindowsUpdate.admx + SetProxyBehaviorForUpdateDetection + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + CorpWuURL + LastWrite + + TargetReleaseVersion diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index 330dddba01..2b8f5d0334 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -239,7 +239,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format

The data type is boolean. Supported operation is Get and Replace. **InBoxApps/Welcome/CurrentBackgroundPath** -

Background image for the welcome screen. To set this, specify a https URL to a PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image. +

Background image for the welcome screen. To set this, specify an https URL to a PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image.

The data type is string. Supported operation is Get and Replace. @@ -333,7 +333,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format 0 -Never timeout +Never time out 1 1 minute @@ -385,7 +385,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format 0 -Never timeout +Never time out 1 1 minute (default) @@ -437,7 +437,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format 0 -Never timeout +Never time out 1 1 minute @@ -474,6 +474,16 @@ The following diagram shows the SurfaceHub CSP management objects in tree format

The data type is integer. Supported operation is Get and Replace. +**Properties/SleepMode** +

Added in Windows 10, version 20H2. Specifies the type of sleep mode for the Surface Hub. + +

Valid values: + +- 0 - Connected Standby (default) +- 1 - Hibernate + +

The data type is integer. Supported operation is Get and Replace. + **Properties/AllowSessionResume**

Added in Windows 10, version 1703. Specifies whether to allow the ability to resume a session when the session times out. diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 5f3d865cbd..0325decbfc 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -52,7 +52,7 @@ Supported operations include Get, Add, and Delete. Optional node. List of applications set to trigger the VPN. If any of these apps are launched and the VPN profile is currently the active profile, this VPN profile will be triggered to connect. **VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId -A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers. +A sequential integer identifier that allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers. Supported operations include Get, Add, Replace, and Delete. @@ -132,7 +132,7 @@ Returns the namespace type. This value can be one of the following: Value type is chr. Supported operation is Get. **VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/DnsServers** -List of comma separated DNS Server IP addresses to use for the namespace. +List of comma-separated DNS Server IP addresses to use for the namespace. Value type is chr. Supported operations include Get, Add, Replace, and Delete. @@ -202,7 +202,7 @@ Numeric value from 0-255 representing the IP protocol to allow. For example, TCP Value type is int. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/LocalPortRanges** -A list of comma separated values specifying local port ranges to allow. For example, `100-120, 200, 300-320`. +A list of comma-separated values specifying local port ranges to allow. For example, `100-120, 200, 300-320`. > [!NOTE] > Ports are only valid when the protocol is set to TCP=6 or UDP=17. @@ -210,7 +210,7 @@ A list of comma separated values specifying local port ranges to allow. For exam Value type is chr. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/RemotePortRanges** -A list of comma separated values specifying remote port ranges to allow. For example, `100-120, 200, 300-320`. +A list of comma-separated values specifying remote port ranges to allow. For example, `100-120, 200, 300-320`. > [!NOTE] > Ports are only valid when the protocol is set to TCP=6 or UDP=17. @@ -218,12 +218,12 @@ A list of comma separated values specifying remote port ranges to allow. For exa Value type is chr. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/LocalAddressRanges** -A list of comma separated values specifying local IP address ranges to allow. +A list of comma-separated values specifying local IP address ranges to allow. Value type is chr. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/RemoteAddressRanges** -A list of comma separated values specifying remote IP address ranges to allow. +A list of comma-separated values specifying remote IP address ranges to allow. Value type is chr. Supported operations include Get, Add, Replace, and Delete. @@ -241,9 +241,9 @@ Value type is chr. Supported operations include Get, Add, Replace, and Delete. Added in Windows 10, version 2004. Specifies the traffic direction to apply this policy to. Default is Outbound. The value can be one of the following: - Outbound - The rule applies to all outbound traffic -- nbound - The rule applies to all inbound traffic +- Inbound - The rule applies to all inbound traffic -If no inbound filter is provided, then by default all unsolicated inbound traffic will be blocked. +If no inbound filter is provided, then by default all unsolicited inbound traffic will be blocked. Value type is chr. Supported operations include Get, Add, Replace, and Delete. @@ -327,7 +327,7 @@ Valid values: - True = Register the connection's addresses in DNS. **VPNv2/**ProfileName**/DnsSuffix** -Optional. Specifies one or more comma separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. +Optional. Specifies one or more comma-separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. Value type is chr. Supported operations include Get, Add, Replace, and Delete. @@ -345,7 +345,10 @@ Added in Windows 10, version 1607. The XML schema for provisioning all the fiel Value type is chr. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/Proxy** -A collection of configuration objects to enable a post-connect proxy support for VPN. The proxy defined for this profile is applied when this profile is active and connected. +A collection of configuration objects to enable a post-connect proxy support for VPN Force Tunnel connections. The proxy defined for this profile is applied when this profile is active and connected. + +> [!NOTE] +> VPN proxy settings are used only on Force Tunnel connections. On Split Tunnel connections, the general proxy settings are used. **VPNv2/**ProfileName**/Proxy/Manual** Optional node containing the manual server settings. @@ -436,7 +439,7 @@ Required for native profiles. Public or routable IP address or DNS name for the The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. -You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com. +You can make a list of server by making a list of server names (with optional friendly names) separated by commas. For example, server1.example.com,server2.example.com. Value type is chr. Supported operations include Get, Add, Replace, and Delete. @@ -1329,4 +1332,3 @@ Servers - diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md index 0bdc744338..bdb67e2528 100644 --- a/windows/client-management/troubleshoot-inaccessible-boot-device.md +++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md @@ -1,6 +1,6 @@ --- title: Advanced advice for Stop error 7B, Inaccessible_Boot_Device -description: Learn how to troubleshoot Stop error 7B or Inaccessible_Boot_Device. This error may occur after some changes are made to the computer, +description: Learn how to troubleshoot Stop error 7B or Inaccessible_Boot_Device. This error might occur after some changes are made to the computer, ms.prod: w10 ms.mktglfcycl: ms.sitesec: library @@ -15,27 +15,27 @@ manager: dansimp # Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device -This article provides steps to troubleshoot **Stop error 7B: Inaccessible_Boot_Device**. This error may occur after some changes are made to the computer, or immediately after you deploy Windows on the computer. +This article provides steps to troubleshoot **Stop error 7B: Inaccessible_Boot_Device**. This error might occur after some changes are made to the computer, or immediately after you deploy Windows on the computer. ## Causes of the Inaccessible_Boot_Device Stop error -Any one of the following factors may cause the stop error: +Any one of the following factors might cause the stop error: -* Missing, corrupted, or misbehaving filter drivers that are related to the storage stack +* Missing, corrupted, or misbehaving filter drivers that are related to the storage stack -* File system corruption +* File system corruption -* Changes to the storage controller mode or settings in the BIOS +* Changes to the storage controller mode or settings in the BIOS -* Using a different storage controller than the one that was used when Windows was installed +* Using a different storage controller than the one that was used when Windows was installed -* Moving the hard disk to a different computer that has a different controller +* Moving the hard disk to a different computer that has a different controller -* A faulty motherboard or storage controller, or faulty hardware +* A faulty motherboard or storage controller, or faulty hardware -* In unusual cases: the failure of the TrustedInstaller service to commit newly installed updates because of Component Based Store corruptions +* In unusual cases, the failure of the TrustedInstaller service to commit newly installed updates is because of component-based store corruptions -* Corrupted files in the **Boot** partition (for example, corruption in the volume that is labeled **SYSTEM** when you run the `diskpart` > `list vol` command) +* Corrupted files in the **Boot** partition (for example, corruption in the volume that's labeled **SYSTEM** when you run the `diskpart` > `list vol` command) ## Troubleshoot this error @@ -43,9 +43,9 @@ Start the computer in [Windows Recovery Mode (WinRE)](https://docs.microsoft.com 1. Start the system by using [the installation media for the installed version of Windows](https://support.microsoft.com/help/15088). -2. On the **Install Windows** screen, select **Next** > **Repair your computer** . +2. On the **Install Windows** screen, select **Next** > **Repair your computer**. -3. On the **System Recovery Options** screen, select **Next** > **Command Prompt** . +3. On the **System Recovery Options** screen, select **Next** > **Command Prompt**. ### Verify that the boot disk is connected and accessible @@ -55,7 +55,7 @@ Start the computer in [Windows Recovery Mode (WinRE)](https://docs.microsoft.com A list of the physical disks that are attached to the computer should be displayed and resemble the following display: -``` +```console Disk ### Status Size Free Dyn Gpt -------- ------------- ------- ------- --- --- @@ -65,7 +65,7 @@ A list of the physical disks that are attached to the computer should be display If the computer uses a Unified Extensible Firmware Interface (UEFI) startup interface, there will be an asterisk () in the **GPT* column. -If the computer uses a basic input/output system (BIOS) interface, there will not be an asterisk in the **Dyn** column. +If the computer uses a basic input/output system (BIOS) interface, there won't be an asterisk in the **Dyn** column. #### Step 2 @@ -73,7 +73,7 @@ If the `list disk` command lists the OS disks correctly, run the `list vol` comm `list vol` generates an output that resembles the following display: -``` +```console Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- @@ -86,7 +86,7 @@ If the `list disk` command lists the OS disks correctly, run the `list vol` comm ``` >[!NOTE] ->If the disk that contains the OS is not listed in the output, you will have to engage the OEM or virtualization manufacturer. +>If the disk that contains the OS isn't listed in the output, you'll have to engage the OEM or virtualization manufacturer. ### Verify the integrity of Boot Configuration Database @@ -94,57 +94,57 @@ Check whether the Boot Configuration Database (BCD) has all the correct entries. To verify the BCD entries: -1. Examine the **Windows Boot Manager** section that has the **{bootmgr}** identifier. Make sure that the **device** and **path** entries point to the correct device and boot loader file. +1. Examine the **Windows Boot Manager** section that has the **{bootmgr}** identifier. Make sure that the **device** and **path** entries point to the correct device and boot loader file. - An example output if the computer is UEFI-based: + If the computer is UEFI-based, here's example output: - ``` + ```cmd device partition=\Device\HarddiskVolume2 path \EFI\Microsoft\Boot\bootmgfw.efi ``` - An example output if the machine is BIOS based: - ``` + If the machine is BIOS-based, here's example output: + ```cmd Device partition=C: ``` >[!NOTE] - >This output may not contain a path. + >This output might not contain a path. -2. In the **Windows Boot Loader** that has the **{default}** identifier, make sure that **device**, **path**, **osdevice**, and **systemroot** point to the correct device or partition, winload file, OS partition or device, and OS folder. +2. In the **Windows Boot Loader** that has the **{default}** identifier, make sure that **device**, **path**, **osdevice**, and **systemroot** point to the correct device or partition, winload file, OS partition or device, and OS folder. > [!NOTE] - > If the computer is UEFI-based, the filepath value specified in the **path** parameter of **{bootmgr}** and **{default}** will contain an **.efi** extension. + > If the computer is UEFI-based, the file path value that's specified in the **path** parameter of **{bootmgr}** and **{default}** contains an **.efi** extension. ![bcdedit](images/screenshot1.png) -If any of the information is wrong or missing, we recommend that you create a backup of the BCD store. To do this, run `bcdedit /export C:\temp\bcdbackup`. This command creates a backup in **C:\\temp\\** that is named **bcdbackup** . To restore the backup, run `bcdedit /import C:\temp\bcdbackup`. This command overwrites all BCD settings by using the settings in **bcdbackup** . +If any of the information is wrong or missing, we recommend that you create a backup of the BCD store. To do this, run `bcdedit /export C:\temp\bcdbackup`. This command creates a backup in **C:\\temp\\** that's named **bcdbackup**. To restore the backup, run `bcdedit /import C:\temp\bcdbackup`. This command overwrites all BCD settings by using the settings in **bcdbackup**. -After the backup is completed, run the following command to make the changes: +After the backup completes, run the following command to make the changes: 

bcdedit /set *{identifier}* option value
-For example, if the device under {default} is wrong or missing, run the following command to set it: `bcdedit /set {default} device partition=C:` +For example, if the device under {default} is wrong or missing, run this command to set it: `bcdedit /set {default} device partition=C:` - If you want to re-create the BCD completely, or if you get a message that states that "**The boot configuration data store could not be opened. The system could not find the file specified,** " run `bootrec /rebuildbcd`. + If you want to completely re-create the BCD, or if you get a message that states that "**The boot configuration data store could not be opened. The system could not find the file specified,** " run `bootrec /rebuildbcd`. -If the BCD has the correct entries, check whether the **winload** and **bootmgr** entries exist in the correct location per the path that is specified in the **bcdedit** command. By default, **bootmgr** in the BIOS partition will be in the root of the **SYSTEM** partition. To see the file, run `Attrib -s -h -r`. +If the BCD has the correct entries, check whether the **winload** and **bootmgr** entries exist in the correct location, which is in the specified path in the **bcdedit** command. By default, **bootmgr** in the BIOS partition is in the root of the **SYSTEM** partition. To see the file, run `Attrib -s -h -r`. If the files are missing, and you want to rebuild the boot files, follow these steps: -1. Copy all the contents under the **SYSTEM** partition to another location. Alternatively, you can use the command prompt to navigate to the OS drive, create a new folder, and then copy all the files and folders from the **SYSTEM** volume, as follows: +1. Copy all the contents under the **SYSTEM** partition to another location. Alternatively, you can use the command prompt to navigate to the OS drive, create a new folder, and then copy all the files and folders from the **SYSTEM** volume, like shown here: -``` -D:\> Mkdir BootBackup -R:\> Copy *.* D:\BootBackup -``` + ```cmd + D:\> Mkdir BootBackup + R:\> Copy *.* D:\BootBackup + ``` -2. If you are using Windows 10, or if you are troubleshooting by using a Windows 10 ISO at the Windows Pre-Installation Environment command prompt, you can use the **bcdboot** command to re-create the boot files, as follows: +2. If you're using Windows 10, or if you're troubleshooting by using a Windows 10 ISO at the Windows Pre-Installation Environment command prompt, you can use the **bcdboot** command to re-create the boot files, like shown here: ```cmd Bcdboot <**OSDrive* >:\windows /s <**SYSTEMdrive* >: /f ALL ``` - For example: if we assign the `` (WinRE drive) the letter R and the `` is the letter D, this command would be the following: + For example, if we assign the `` (WinRE drive) the letter R and the `` is the letter D, the following is the command that we would use: ```cmd Bcdboot D:\windows /s R: /f ALL @@ -153,13 +153,13 @@ R:\> Copy *.* D:\BootBackup >[!NOTE] >The **ALL** part of the **bcdboot** command writes all the boot files (both UEFI and BIOS) to their respective locations. -If you do not have a Windows 10 ISO, you must format the partition and copy **bootmgr** from another working computer that has a similar Windows build. To do this, follow these steps: +If you don't have a Windows 10 ISO, format the partition and copy **bootmgr** from another working computer that has a similar Windows build. To do this, follow these steps: -1. Start **Notepad** . +1. Start **Notepad**. 2. Press Ctrl+O. -3. Navigate to the system partition (in this example, it is R). +3. Navigate to the system partition (in this example, it's R). 4. Right-click the partition, and then format it. @@ -171,7 +171,7 @@ Run the following command to verify the Windows update installation and dates: Dism /Image:: /Get-packages ``` -After you run this command, you will see the **Install pending** and **Uninstall Pending** packages: +After you run this command, you'll see the **Install pending** and **Uninstall Pending** packages: ![Dism output](images/pendingupdate.png) @@ -179,27 +179,27 @@ After you run this command, you will see the **Install pending** and **Uninstall ![Dism output](images/revertpending.png) -2. Navigate to ***OSdriveLetter* :\Windows\WinSxS** , and then check whether the **pending.xml** file exists. If it does, rename it to **pending.xml.old**. +2. Navigate to ***OSdriveLetter*:\Windows\WinSxS**, and then check whether the **pending.xml** file exists. If it does, rename it to **pending.xml.old**. -3. To revert the registry changes, type **regedit** at the command prompt to open **Registry Editor**. +3. To revert the registry changes, type **regedit** at the command prompt to open **Registry Editor**. 4. Select **HKEY_LOCAL_MACHINE**, and then go to **File** > **Load Hive**. -5. Navigate to **OSdriveLetter:\Windows\System32\config**, select the file that is named **COMPONENT** (with no extension), and then select **Open**. When you are prompted, enter the name **OfflineComponentHive** for the new hive +5. Navigate to ***OSdriveLetter*:\Windows\System32\config**, select the file that's named **COMPONENT** (with no extension), and then select **Open**. When you're prompted, enter the name **OfflineComponentHive** for the new hive. ![Load Hive](images/loadhive.png) 6. Expand **HKEY_LOCAL_MACHINE\OfflineComponentHive**, and check whether the **PendingXmlIdentifier** key exists. Create a backup of the **OfflineComponentHive** key, and then delete the **PendingXmlIdentifier** key. -7. Unload the hive. To do this, highlight **OfflineComponentHive**, and then select **File** > **Unload hive**. +7. Unload the hive. To do this, highlight **OfflineComponentHive**, and then select **File** > **Unload hive**. ![Unload Hive](images/unloadhive.png)![Unload Hive](images/unloadhive1.png) -8. Select **HKEY_LOCAL_MACHINE**, go to **File** > **Load Hive**, navigate to ***OSdriveLetter* :\Windows\System32\config**, select the file that is named **SYSTEM** (with no extension), and then select **Open** . When you are prompted, enter the name **OfflineSystemHive** for the new hive. +8. Select **HKEY_LOCAL_MACHINE**, go to **File** > **Load Hive**, navigate to ***OSdriveLetter*:\Windows\System32\config**, select the file that's named **SYSTEM** (with no extension), and then select **Open**. When you're prompted, enter the name **OfflineSystemHive** for the new hive. 9. Expand **HKEY_LOCAL_MACHINE\OfflineSystemHive**, and then select the **Select** key. Check the data for the **Default** value. -10. If the data in **HKEY_LOCAL_MACHINE\OfflineSystemHive\Select\Default** is **1** , expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet001**. If it is **2**, expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet002**, and so on. +10. If the data in **HKEY_LOCAL_MACHINE\OfflineSystemHive\Select\Default** is **1**, expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet001**. If it's **2**, expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet002**, and so on. 11. Expand **Control\Session Manager**. Check whether the **PendingFileRenameOperations** key exists. If it does, back up the **SessionManager** key, and then delete the **PendingFileRenameOperations** key. @@ -207,7 +207,7 @@ After you run this command, you will see the **Install pending** and **Uninstall #### Check services -1. Follow steps 1-10 in the "Troubleshooting if this issue occurs after an Windows Update installation" section. (Step 11 does not apply to this procedure.) +1. Follow steps 1-10 in the "Troubleshooting if this issue occurs after a Windows Update installation" section. (Step 11 doesn't apply to this procedure.) 2. Expand **Services**. @@ -225,9 +225,9 @@ After you run this command, you will see the **Install pending** and **Uninstall * VOLUME -If these keys exist, check each one to make sure that it has a value that is named **Start** and that it is set to **0**. If not, set the value to **0**. +If these keys exist, check each one to make sure that it has a value that's named **Start**, and that it's set to **0**. If it's not, set the value to **0**. -If any of these keys do not exist, you can try to replace the current registry hive by using the hive from **RegBack**. To do this, run the following commands: +If any of these keys don't exist, you can try to replace the current registry hive by using the hive from **RegBack**. To do this, run the following commands: ```cmd cd OSdrive:\Windows\System32\config @@ -237,7 +237,7 @@ copy OSdrive:\Windows\System32\config\RegBack\SYSTEM OSdrive:\Windows\System32\c #### Check upper and lower filter drivers -Check whether there are any non-Microsoft upper and lower filter drivers on the computer and that they do not exist on another, similar working computer. if they do exist, remove the upper and lower filter drivers: +Check whether there are any non-Microsoft upper and lower filter drivers on the computer and that they don't exist on another, similar working computer. If they do exist, remove the upper and lower filter drivers: 1. Expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet001\Control**. @@ -245,8 +245,8 @@ Check whether there are any non-Microsoft upper and lower filter drivers on the >[!NOTE] >These filters are mainly related to storage. After you expand the **Control** key in the registry, you can search for **UpperFilters** and **LowerFilters**. - - The following are some of the different registry entries in which you may find these filter drivers. These entries are located under **ControlSet** and are designated as **Default** : + + You might find these filter drivers in some of the following registry entries. These entries are under **ControlSet** and are designated as **Default**: \Control\Class\\{4D36E96A-E325-11CE-BFC1-08002BE10318} @@ -258,19 +258,19 @@ Check whether there are any non-Microsoft upper and lower filter drivers on the ![Registry](images/controlset.png) -If an **UpperFilters** or **LowerFilters** entry is non-standard (for example, it is not a Windows default filter driver, such as PartMgr), remove the entry by double-clicking it in the right pane, and then deleting only that value. +If an **UpperFilters** or **LowerFilters** entry is non-standard (for example, it's not a Windows default filter driver, such as PartMgr), remove the entry. To remove it, double-click it in the right pane, and then delete only that value. >[!NOTE] >There could be multiple entries. -The reason that these entries may affect us is because there may be an entry in the **Services** branch that has a START type set to 0 or 1 (indicating that it is loaded at the Boot or Automatic part of the boot process). Also, either the file that is referred to is missing or corrupted, or it may be named differently than what is listed in the entry. +These entries might affect us because there might be an entry in the **Services** branch that has a START type set to 0 or 1, which means that it's loaded at the Boot or Automatic part of the boot process. Also, either the file that's referred to is missing or corrupted, or it might be named differently than what's listed in the entry. >[!NOTE] ->If there actually is a service that is set to **0** or **1** that corresponds to an **UpperFilters** or **LowerFilters** entry, setting the service to disabled in the **Services** registry (as discussed in steps 2 and 3 of the Check services section) without removing the **Filter Driver** entry causes the computer to crash and generate a 0x7b Stop error. +>If there's a service that's set to **0** or **1** that corresponds to an **UpperFilters** or **LowerFilters** entry, setting the service to disabled in the **Services** registry (as discussed in steps 2 and 3 of the Check services section) without removing the **Filter Driver** entry causes the computer to crash and generate a 0x7b Stop error. ### Running SFC and Chkdsk - If the computer still does not start, you can try to run a **chkdisk** process on the system drive, and also run System File Checker. To do this, run the following commands at a WinRE command prompt: + If the computer still doesn't start, you can try to run a **chkdisk** process on the system drive, and then also run System File Checker. To do this, run the following commands at a WinRE command prompt: * `chkdsk /f /r OsDrive:` diff --git a/windows/client-management/troubleshoot-tcpip-connectivity.md b/windows/client-management/troubleshoot-tcpip-connectivity.md index 0d4f00510a..77e524634d 100644 --- a/windows/client-management/troubleshoot-tcpip-connectivity.md +++ b/windows/client-management/troubleshoot-tcpip-connectivity.md @@ -14,27 +14,33 @@ manager: dansimp # Troubleshoot TCP/IP connectivity -You might come across connectivity errors on the application end or timeout errors. Most common scenarios would include application connectivity to a database server, SQL timeout errors, BizTalk application timeout errors, Remote Desktop Protocol (RDP) failures, file share access failures, or general connectivity. +You might come across connectivity errors on the application end or timeout errors. The following are the most common scenarios: +- Application connectivity to a database server +- SQL timeout errors +- BizTalk application timeout errors +- Remote Desktop Protocol (RDP) failures +- File share access failures +- General connectivity -When you suspect that the issue is on the network, you collect a network trace. The network trace would then be filtered. During troubleshooting connectivity errors, you might come across TCP reset in a network capture which could indicate a network issue. +When you suspect that the issue is on the network, you collect a network trace. The network trace would then be filtered. During troubleshooting connectivity errors, you might come across TCP reset in a network capture that could indicate a network issue. -* TCP is defined as connection-oriented and reliable protocol. One of the ways in which TCP ensures this is through the handshake process. Establishing a TCP session would begin with a 3-way handshake, followed by data transfer, and then a 4-way closure. The 4-way closure where both sender and receiver agree on closing the session is termed as *graceful closure*. After the 4-way closure, the server will allow 4 minutes of time (default), during which any pending packets on the network are to be processed, this is the TIME_WAIT state. Once the TIME_WAIT state is done, all the resources allocated for this connection are released. +* TCP is defined as connection-oriented and reliable protocol. One of the ways in which TCP ensures reliability is through the handshake process. Establishing a TCP session would begin with a three-way handshake, followed by data transfer, and then a four-way closure. The four-way closure where both sender and receiver agree on closing the session is termed as *graceful closure*. After the 4-way closure, the server will allow 4 minutes of time (default), during which any pending packets on the network are to be processed, this is the TIME_WAIT state. After the TIME_WAIT state completes, all the resources allocated for this connection are released. -* TCP reset is an abrupt closure of the session which causes the resources allocated to the connection to be immediately released and all other information about the connection is erased. +* TCP reset is an abrupt closure of the session; it causes the resources allocated to the connection to be immediately released and all other information about the connection is erased. * TCP reset is identified by the RESET flag in the TCP header set to `1`. -A network trace on the source and the destination which will help you determine the flow of the traffic and see at what point the failure is observed. +A network trace on the source and the destination helps you to determine the flow of the traffic and see at what point the failure is observed. The following sections describe some of the scenarios when you will see a RESET. ## Packet drops -When one TCP peer is sending out TCP packets for which there is no response received from the other end, the TCP peer would end up re-transmitting the data and when there is no response received, it would end the session by sending an ACK RESET( meaning, application acknowledges whatever data exchanged so far, but due to packet drop closing the connection). +When one TCP peer is sending out TCP packets for which there is no response received from the other end, the TCP peer would end up retransmitting the data and when there is no response received, it would end the session by sending an ACK RESET (this means that the application acknowledges whatever data is exchanged so far, but because of packet drop, the connection is closed). The simultaneous network traces on source and destination will help you verify this behavior where on the source side you would see the packets being retransmitted and on the destination none of these packets are seen. This would mean, the network device between the source and destination is dropping the packets. -If the initial TCP handshake is failing because of packet drops then you would see that the TCP SYN packet is retransmitted only 3 times. +If the initial TCP handshake is failing because of packet drops, then you would see that the TCP SYN packet is retransmitted only three times. Source side connecting on port 445: @@ -44,7 +50,7 @@ Destination side: applying the same filter, you do not see any packets. ![Screenshot of frame summary with filter in Network Monitor](images/tcp-ts-7.png) -For the rest of the data, TCP will retransmit the packets 5 times. +For the rest of the data, TCP will retransmit the packets five times. **Source 192.168.1.62 side trace:** @@ -58,16 +64,16 @@ If you are seeing that the SYN packets are reaching the destination, but the des ## Incorrect parameter in the TCP header -You see this behavior when the packets are modified in the network by middle devices and TCP on the receiving end is unable to accept the packet, such as the sequence number being modified, or packets being re-played by middle device by changing the sequence number. Again, the simultaneous network trace on the source and destination will be able to tell you if any of the TCP headers are modified. Start by comparing the source trace and destination trace, you will be able to notice if there is a change in the packets itself or if any new packets are reaching the destination on behalf of the source. +You see this behavior when the packets are modified in the network by middle devices and TCP on the receiving end is unable to accept the packet, such as the sequence number being modified, or packets being replayed by middle device by changing the sequence number. Again, the simultaneous network trace on the source and destination will be able to tell you if any of the TCP headers are modified. Start by comparing the source trace and destination trace, you will be able to notice if there is a change in the packets itself or if any new packets are reaching the destination on behalf of the source. -In this case, you will again need help from the network team to identify any such device which is modifying packets or re-playing packets to the destination. The most common ones are RiverBed devices or WAN accelerators. +In this case, you'll again need help from the network team to identify any device that's modifying packets or replaying packets to the destination. The most common ones are RiverBed devices or WAN accelerators. ## Application side reset When you have identified that the resets are not due to retransmits or incorrect parameter or packets being modified with the help of network trace, then you have narrowed it down to application level reset. -The application resets are the ones where you see the Acknowledgement flag set to `1` along with the reset flag. This would mean that the server is acknowledging the receipt of the packet but for some reason it will not accept the connection. This is when the application that received the packet did not like something it received. +The application resets are the ones where you see the Acknowledgment flag set to `1` along with the reset flag. This would mean that the server is acknowledging the receipt of the packet but for some reason it will not accept the connection. This is when the application that received the packet did not like something it received. In the below screenshots, you see that the packets seen on the source and the destination are the same without any modification or any drops, but you see an explicit reset sent by the destination to the source. @@ -83,7 +89,7 @@ You also see an ACK+RST flag packet in a case when the TCP establishment packet ![Screenshot of packet flag](images/tcp-ts-11.png) -The application which is causing the reset (identified by port numbers) should be investigated to understand what is causing it to reset the connection. +The application that's causing the reset (identified by port numbers) should be investigated to understand what is causing it to reset the connection. >[!Note] >The above information is about resets from a TCP standpoint and not UDP. UDP is a connectionless protocol and the packets are sent unreliably. You would not see retransmission or resets when using UDP as a transport protocol. However, UDP makes use of ICMP as a error reporting protocol. When you have the UDP packet sent out on a port and the destination does not have port listed, you will see the destination sending out **ICMP Destination host unreachable: Port unreachable** message immediately after the UDP packet @@ -96,7 +102,7 @@ The application which is causing the reset (identified by port numbers) should b ``` -During the course of troubleshooting connectivity issue, you might also see in the network trace that a machine receives packets but does not respond to. In such cases, there could be a drop at the server level. You should enable firewall auditing on the machine to understand if the local firewall is dropping the packet. +During the course of troubleshooting connectivity issue, you might also see in the network trace that a machine receives packets but does not respond to. In such cases, there could be a drop at the server level. To understand whether the local firewall is dropping the packet, enable the firewall auditing on the machine. ``` auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable @@ -106,6 +112,6 @@ You can then review the Security event logs to see for a packet drop on a partic ![Screenshot of Event Properties](images/tcp-ts-12.png) -Now, run the command `netsh wfp show state`, this will generate a wfpstate.xml file. Once you open this file and filter for the ID you find in the above event (2944008), you will be able to see a firewall rule name associated with this ID which is blocking the connection. +Now, run the command `netsh wfp show state`, this will generate a wfpstate.xml file. After you open this file and filter for the ID that you find in the above event (2944008), you'll be able to see a firewall rule name that's associated with this ID that's blocking the connection. ![Screenshot of wfpstate.xml file](images/tcp-ts-13.png) diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md index cd8da63e37..d4e6253873 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md @@ -20,7 +20,7 @@ manager: dansimp Cortana will respond with the information from Bing. -:::image type="content" source="../screenshot5.png" alt-text="Screenshot: Cortana showing current time in Hyderbad"::: +:::image type="content" source="../screenshot5.png" alt-text="Screenshot: Cortana showing current time in Hyderabad"::: >[!NOTE] >This scenario requires Bing Answers to be enabled. To learn more, see [Set up and configure the Bing Answers feature](https://docs.microsoft.com/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10#set-up-and-configure-the-bing-answers-feature). \ No newline at end of file diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json index ea2a557e39..662747f3a4 100644 --- a/windows/configuration/docfx.json +++ b/windows/configuration/docfx.json @@ -32,6 +32,7 @@ "externalReference": [], "globalMetadata": { "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.technology": "windows", "audience": "ITPro", "ms.topic": "article", diff --git a/windows/configuration/kiosk-mdm-bridge.md b/windows/configuration/kiosk-mdm-bridge.md index 51eeccc08b..ff85a3537a 100644 --- a/windows/configuration/kiosk-mdm-bridge.md +++ b/windows/configuration/kiosk-mdm-bridge.md @@ -1,6 +1,6 @@ --- title: Use MDM Bridge WMI Provider to create a Windows 10 kiosk (Windows 10) -description: Environments that use Windows Management Instrumentation (WMI)can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. +description: Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC ms.reviewer: manager: dansimp @@ -22,9 +22,9 @@ ms.topic: article - Windows 10 Pro, Enterprise, and Education -Environments that use [Windows Management Instrumentation (WMI)](https://msdn.microsoft.com/library/aa394582.aspx) can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the MDM_AssignedAccess class. See [PowerShell Scripting with WMI Bridge Provider](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/using-powershell-scripting-with-the-wmi-bridge-provider) for more details about using a PowerShell script to configure AssignedAccess. +Environments that use [Windows Management Instrumentation (WMI)](https://msdn.microsoft.com/library/aa394582.aspx) can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the MDM_AssignedAccess class. For more information about using a PowerShell script to configure AssignedAccess, see [PowerShell Scripting with WMI Bridge Provider](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). -Here’s an example to set AssignedAccess configuration: +Here's an example to set AssignedAccess configuration: 1. Download the [psexec tool](https://technet.microsoft.com/sysinternals/bb897553.aspx). 2. Run `psexec.exe -i -s cmd.exe`. diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md index f09e5ee991..c0eb573c32 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md @@ -255,7 +255,7 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom ``` ## [Preview] Global Profile Sample XML -Global Profile is currently supported in Windows 10 Insider Preview (20H1 builds). Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lock down mode, or used as mitigation when a profile cannot be determined for an user. +Global Profile is currently supported in Windows 10 Insider Preview (20H1 builds). Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lockdown mode, or used as mitigation when a profile cannot be determined for a user. This sample demonstrates that only a global profile is used, no active user configured. Global profile will be applied when every non-admin account logs in ```xml @@ -309,7 +309,7 @@ This sample demonstrates that only a global profile is used, no active user conf ``` -Below sample shows dedicated profile and global profile mixed usage, aauser would use one profile, everyone else that's non-admin will use another profile. +Below sample shows dedicated profile and global profile mixed usage, a user would use one profile, everyone else that's non-admin will use another profile. ```xml @@ -889,7 +889,7 @@ Schema for Windows 10 Insider Preview (19H2, 20H1 builds) ``` -To authorize a compatible configuration XML that includes elements and attributes from Windows 10, version 1809 or newer, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the auto-launch feature which is added in Windows 10, version 1809, use the following sample. Notice an alias r1809 is given to the 201810 namespace for Windows 10, version 1809, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. +To authorize a compatible configuration XML that includes elements and attributes from Windows 10, version 1809 or newer, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the autolaunch feature that was added in Windows 10, version 1809, use the following sample. Notice an alias r1809 is given to the 201810 namespace for Windows 10, version 1809, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. ```xml [!NOTE] >You cannot stop this automatic service when machine is running (C:\windows\system32\svchost.exe -k DcomLaunch -p). @@ -179,17 +180,17 @@ Events for both PDC and Background Tasks Infrastructure Service will be recorded **Cause**: There was a change in the All Apps list between Windows 10, versions 1511 and 1607. These changes mean the original Group Policy and corresponding registry key no longer apply. -**Resolution**: This issue was resolved in the June 2017 updates. Please update Windows 10, version 1607 to the latest cumulative or feature updates. +**Resolution**: This issue was resolved in the June 2017 updates. Update Windows 10, version 1607, to the latest cumulative or feature updates. >[!NOTE] >When the Group Policy is enabled, the desired behavior also needs to be selected. By default, it is set to **None**. -### Symptom: Application tiles like Alarm, Calculator, and Edge are missing from Start Menu and the Settings app fails to open on Windows 10, version 1709 when a local user profile is deleted +### Symptom: Application tiles like Alarm, Calculator, and Edge are missing from Start menu and the Settings app fails to open on Windows 10, version 1709 when a local user profile is deleted ![Screenshots that show download icons on app tiles and missing app tiles](images/start-ts-2.png) -**Cause**: This is a known issue where the first-time logon experience is not detected and does not trigger the install of some Apps. +**Cause**: This issue is known. The first-time sign-in experience is not detected and does not trigger the install of some apps. **Resolution**: This issue has been fixed for Windows 10, version 1709 in [KB 4089848](https://support.microsoft.com/help/4089848) March 22, 2018—KB4089848 (OS Build 16299.334) @@ -202,17 +203,17 @@ Events for both PDC and Background Tasks Infrastructure Service will be recorded - Event ID 22 is logged when the xml is malformed, meaning the specified file simply isn’t valid xml. - When editing the xml file, it should be saved in UTF-8 format. -- Unexpected information: This occurs when possibly trying to add a tile via unexpected or undocumented method. +- Unexpected information: This occurs when possibly trying to add a tile via an unexpected or undocumented method. - **Event ID: 64** is logged when the xml is valid but has unexpected values. - For example: The following error occurred while parsing a layout xml file: The attribute 'LayoutCustomizationRestrictiontype' on the element '{http://schemas.microsoft.com/Start/2014/LayoutModification}DefaultLayoutOverride' is not defined in the DTD/Schema. XML files can and should be tested locally on a Hyper-V or other virtual machine before deployment or application by Group Policy -### Symptom: Start menu no longer works after a PC is refreshed using F12 during start up +### Symptom: Start menu no longer works after a PC is refreshed using F12 during startup -**Description**: If a user is having problems with a PC, is can be refreshed, reset, or restored. Refreshing the PC is a beneficial option because it maintains personal files and settings. When users have trouble starting the PC, "Change PC settings" in Settings is not accessible. So, to access the System Refresh, users may use the F12 key at start up. Refreshing the PC finishes, but Start Menu is not accessible. +**Description**: If a user is having problems with a PC, it can be refreshed, reset, or restored. Refreshing the PC is a beneficial option because it maintains personal files and settings. When users have trouble starting the PC, "Change PC settings" in Settings is not accessible. So, to access the System Refresh, users may use the F12 key at startup. Refreshing the PC finishes, but Start Menu is not accessible. -**Cause**: This is a known issue and has been resolved in a cumulative update released August 30th 2018. +**Cause**: This issue is known and was resolved in a cumulative update released August 30, 2018. **Resolution**: Install corrective updates; a fix is included in the [September 11, 2018-KB4457142 release](https://support.microsoft.com/help/4457142). @@ -232,7 +233,7 @@ Specifically, behaviors include - Applications (apps or icons) pinned to the start menu are missing. - Entire tile window disappears. - The start button fails to respond. -- If a new roaming user is created, the first logon appears normal, but on subsequent logons, tiles are missing. +- If a new roaming user is created, the first sign-in appears normal, but on subsequent sign-ins, tiles are missing. ![Example of a working layout](images/start-ts-3.png) @@ -261,12 +262,12 @@ After the upgrade the user pinned tiles are missing: ![Example of Start screen with previously pinned tiles missing](images/start-ts-6.png) -Additionally, users may see blank tiles if logon was attempted without network connectivity. +Additionally, users may see blank tiles if sign-in was attempted without network connectivity. ![Example of blank tiles](images/start-ts-7.png) -**Resolution**: This is fixed in [October 2017 update](https://support.microsoft.com/en-us/help/4041676). +**Resolution**: This issue was fixed in the [October 2017 update](https://support.microsoft.com/en-us/help/4041676). ### Symptom: Tiles are missing after upgrade from Windows 10, version 1607 to version 1709 for users with Roaming User Profiles (RUP) enabled and managed Start Menu layout with partial lockdown @@ -278,13 +279,13 @@ Additionally, users may see blank tiles if logon was attempted without network c ### Symptom: Start Menu issues with Tile Data Layer corruption -**Cause**: Windows 10, version 1507 through the release of version 1607 uses a database for the Tile image information. This is called the Tile Data Layer database (The feature was deprecated in [Windows 10 1703](https://support.microsoft.com/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update)). +**Cause**: Windows 10, version 1507 through the release of version 1607 uses a database for the Tile image information. This is called the Tile Data Layer database. (The feature was deprecated in [Windows 10 1703](https://support.microsoft.com/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update).) **Resolution** There are steps you can take to fix the icons, first is to confirm that is the issue that needs to be addressed. -1. The App or Apps work fine when you click on the tiles. +1. The App or Apps work fine when you select the tiles. 2. The tiles are blank, have a generic placeholder icon, have the wrong or strange title information. -3. The app is missing, but listed as installed via Powershell and works if you launch via URI. +3. The app is missing, but listed as installed via PowerShell and works if you launch via URI. - Example: `windows-feedback://` 4. In some cases, Start can be blank, and Action Center and Cortana do not launch. @@ -301,9 +302,9 @@ Although a reboot is not required, it may help clear up any residual issues afte ### Symptoms: Start Menu and Apps cannot start after upgrade to Windows 10 version 1809 when Symantec Endpoint Protection is installed -**Description** Start Menu, Search and Apps do not start after you upgrade a Windows 7-based computer that has Symantec Endpoint Protection installed to Windows 10 version 1809. +**Description**: Start menu, Search, and Apps do not start after you upgrade a computer running Windows 7 that has Symantec Endpoint Protection installed to Windows 10 version 1809. -**Cause** This occurs because of a failure to load sysfer.dll. During upgrade, the setup process does not set the privilege group "All Application Packages" on sysfer.dll and other Symantec modules. +**Cause**: This problem occurs because of a failure to load sysfer.dll. During upgrade, the setup process does not set the privilege group "All Application Packages" on sysfer.dll and other Symantec modules. **Resolution** This issue was fixed by the Windows Cumulative Update that were released on December 5, 2018—KB4469342 (OS Build 17763.168). @@ -321,7 +322,7 @@ If you have already encountered this issue, use one of the following two options 4. Confirm that **All Application Packages** group is missing. -5. Click **Edit**, and then click **Add** to add the group. +5. Select **Edit**, and then select **Add** to add the group. 6. Test Start and other Apps. diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md index e665d37ba5..a6c45ca8c1 100644 --- a/windows/configuration/stop-employees-from-using-microsoft-store.md +++ b/windows/configuration/stop-employees-from-using-microsoft-store.md @@ -32,7 +32,6 @@ IT pros can configure access to Microsoft Store for client computers in their or ## Options to configure access to Microsoft Store - You can use these tools to configure access to Microsoft Store: AppLocker or Group Policy. For Windows 10, this is only supported on Windows 10 Enterprise edition. ## Block Microsoft Store using AppLocker @@ -64,6 +63,20 @@ For more information on AppLocker, see [What is AppLocker?](/windows/device-secu 8. Optional: On **Exceptions**, specify conditions by which to exclude files from being affected by the rule. This allows you to add exceptions based on the same rule reference and rule scope as you set before. Click **Next**. +## Block Microsoft Store using configuration service provider + +Applies to: Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education + +If you have Windows 10 devices in your organization that are managed using a mobile device management (MDM) system, such as Microsoft Intune, you can block access to Microsoft Store app using the following configuration service providers (CSPs): + +- [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) +- [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) + +For more information, see [Configure an MDM provider](https://docs.microsoft.com/microsoft-store/configure-mdm-provider-microsoft-store-for-business). + +For more information on the rules available via AppLocker on the different supported operating systems, see [Operating system requirements](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker#operating-system-requirements). + + ## Block Microsoft Store using Group Policy @@ -87,12 +100,12 @@ You can also use Group Policy to manage access to Microsoft Store. > [!Important] > Enabling **Turn off the Store application** policy turns off app updates from Microsoft Store. -## Block Microsoft Store using management tool +## Block Microsoft Store on Windows 10 Mobile Applies to: Windows 10 Mobile -If you have mobile devices in your organization that you upgraded from earlier versions of Windows Phone 8 to Windows 10 Mobile, existing policies created using the Windows Phone 8.1 configuration service providers (CSP) with your MDM tool will continue to work on Windows 10 Mobile. If you are starting with Windows 10 Mobile, we recommend using [AppLocker](#block-store-applocker) to manage access to Microsoft Store app. +If you have mobile devices in your organization that you upgraded from earlier versions of Windows Phone 8 to Windows 10 Mobile, existing policies created using the Windows Phone 8.1 CSPs with your MDM tool will continue to work on Windows 10 Mobile. If you are starting with Windows 10 Mobile, we recommend using [AppLocker](#block-store-applocker) to manage access to Microsoft Store app. When your MDM tool supports Microsoft Store for Business, the MDM can use these CSPs to block Microsoft Store app: diff --git a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md index 375f826703..f953320ab4 100644 --- a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md +++ b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md @@ -24,7 +24,7 @@ As an administrator of User Experience Virtualization (UE-V), you can restore ap ## Restore Settings in UE-V when a User Adopts a New Device -To restore settings when a user adopts a new device, you can put a settings location template in **backup** or **roam (default)** profile using the Set-UevTemplateProfile PowerShell cmdlet. This lets computer settings sync to the new computer, in addition to user settings. Templates assigned to the backup profile are backed up for that device and configured on a per-device basis. To backup settings for a template, use the following cmdlet in Windows PowerShell: +To restore settings when a user adopts a new device, you can put a settings location template in a **backup** or **roam (default)** profile using the Set-UevTemplateProfile PowerShell cmdlet. This setup lets computer settings sync to the new computer, in addition to user settings. Templates assigned to the backup profile are backed up for that device and configured on a per-device basis. To back up settings for a template, use the following cmdlet in Windows PowerShell: ```powershell Set-UevTemplateProfile -ID -Profile @@ -50,7 +50,7 @@ As part of the Backup/Restore feature, UE-V added **last known good (LKG)** to t ### How to Backup/Restore Templates with UE-V -These are the key backup and restore components of UE-V: +Here are the key backup and restore components of UE-V: - Template profiles @@ -74,7 +74,7 @@ All templates are included in the roaming profile when registered unless otherwi Templates can be added to the Backup Profile with PowerShell or WMI using the Set-UevTemplateProfile cmdlet. Templates in the Backup Profile back up these settings to the Settings Storage Location in a special Device name directory. Specified settings are backed up to this location. -Templates designated BackupOnly include settings specific to that device that should not be synchronized unless explicitly restored. These settings are stored in the same device-specific settings package location on the settings storage location as the Backedup Settings. These templates have a special identifier embedded in the template that specifies they should be part of this profile. +Templates designated BackupOnly include settings specific to that device that shouldn't be synchronized unless explicitly restored. These settings are stored in the same device-specific settings package location on the settings storage location as the Backedup Settings. These templates have a special identifier embedded in the template that specifies they should be part of this profile. **Settings packages location within the Settings Storage Location template** @@ -90,10 +90,10 @@ Restoring a user’s device restores the currently registered Template’s setti - **Automatic restore** - If the user’s UE-V settings storage path, domain, and Computer name match the current user then all of the settings for that user are synchronized, with only the latest settings applied. If a user logs on to a new device for the first time and these criteria are met, the settings data is applied to that device. + If the user’s UE-V settings storage path, domain, and Computer name match the current user then all of the settings for that user are synchronized, with only the latest settings applied. If a user signs in to a new device for the first time and these criteria are met, the settings data is applied to that device. **Note** - Accessibility and Windows Desktop settings require the user to re-logon to Windows to be applied. + Accessibility and Windows Desktop settings require the user to sign in again to Windows to be applied. @@ -104,7 +104,7 @@ Restoring a user’s device restores the currently registered Template’s setti ## Restore Application and Windows Settings to Original State -WMI and Windows PowerShell commands let you restore application and Windows settings to the settings values that were on the computer the first time that the application started after the UE-V service was enabled. This restoring action is performed on a per-application or Windows settings basis. The settings are restored the next time that the application runs, or the settings are restored when the user logs on to the operating system. +WMI and Windows PowerShell commands let you restore application and Windows settings to the settings values that were on the computer the first time that the application started after the UE-V service was enabled. This restoring action is performed on a per-application or Windows settings basis. The settings are restored the next time that the application runs, or the settings are restored when the user signs in to the operating system. **To restore application settings and Windows settings with Windows PowerShell for UE-V** diff --git a/windows/configuration/ue-v/uev-release-notes-1607.md b/windows/configuration/ue-v/uev-release-notes-1607.md index 663afd38eb..7c5805ff7d 100644 --- a/windows/configuration/ue-v/uev-release-notes-1607.md +++ b/windows/configuration/ue-v/uev-release-notes-1607.md @@ -37,7 +37,7 @@ Administrators can still define which user-customized application settings can s ### Upgrading from UE-V 1.0 to the in-box version of UE-V is blocked -Version 1.0 of UE-V used Offline Files (Client Side Caching) for settings synchronization and pinned the UE-V sync folder to be available when the network was offline, however, this technology was removed in UE-V 2.x. As a result, UE-V 1.0 users are blocked from upgrading to UE-V for Windows 10, version 1607. +Version 1.0 of UE-V used Offline Files (Client-Side Caching) for settings synchronization and pinned the UE-V sync folder to be available when the network was offline, however, this technology was removed in UE-V 2.x. As a result, UE-V 1.0 users are blocked from upgrading to UE-V for Windows 10, version 1607. WORKAROUND: Remove the UE-V 1.0 sync folder from the Offline Files configuration and then upgrade to the in-box version of UE-V for Windows, version 1607 release. @@ -55,13 +55,13 @@ WORKAROUND: To resolve this problem, run the application by selecting one of the ### Unpredictable results when both Office 2010 and Office 2013 are installed on the same device -When a user has both Office 2010 and Office 2013 installed, any common settings between the two versions of Office are roamed by UE-V. This could cause the Office 2010 package size to be quite large or result in unpredictable conflicts with 2013, particularly if Office 365 is used. +When a user has both Office 2010 and Office 2013 installed, any common settings between the two versions of Office are roamed by UE-V. This could cause the Office 2010 package size to be large or result in unpredictable conflicts with 2013, particularly if Office 365 is used. WORKAROUND: Install only one version of Office or limit which settings are synchronized by UE-V. -### Uninstall and re-install of Windows 8 applications reverts settings to initial state +### Uninstallation and reinstallation of Windows 8 applications reverts settings to initial state -While using UE-V settings synchronization for a Windows 8 application, if the user uninstalls the application and then reinstalls the application, the application’s settings revert to their default values. This happens because the uninstall removes the local (cached) copy of the application’s settings but does not remove the local UE-V settings package. When the application is reinstalled and launched, UE-V gather the application settings that were reset to the application defaults and then uploads the default settings to the central storage location. Other computers running the application then download the default settings. This behavior is identical to the behavior of desktop applications. +While using UE-V settings synchronization for a Windows 8 application, if the user uninstalls the application and then reinstalls the application, the application’s settings revert to their default values. This result happens because the uninstall removes the local (cached) copy of the application’s settings but does not remove the local UE-V settings package. When the application is reinstalled and launched, UE-V gathers the application settings that were reset to the application defaults and then uploads the default settings to the central storage location. Other computers running the application then download the default settings. This behavior is identical to the behavior of desktop applications. WORKAROUND: None. @@ -85,7 +85,7 @@ WORKAROUND: Use folder redirection or some other technology to ensure that any f ### Long Settings Storage Paths could cause an error -Keep settings storage paths as short as possible. Long paths could prevent resolution or synchronization. UE-V uses the Settings storage path as part of the calculated path to store settings. That path is calculated in the following way: settings storage path + “settingspackages” + package dir (template ID) + package name (template ID) + .pkgx. If that calculated path exceeds 260 characters, package storage will fail and generate the following error message in the UE-V operational event log: +Keep settings storage paths as short as possible. Long paths could prevent resolution or synchronization. UE-V uses the Settings storage path as part of the calculated path to store settings. That path is calculated in the following way: settings storage path + "settingspackages" + package dir (template ID) + package name (template ID) + .pkgx. If that calculated path exceeds 260 characters, package storage will fail and generate the following error message in the UE-V operational event log: \[boost::filesystem::copy\_file: The system cannot find the path specified\] @@ -95,7 +95,7 @@ WORKAROUND: None. ### Some operating system settings only roam between like operating system versions -Operating system settings for Narrator and currency characters specific to the locale (i.e. language and regional settings) will only roam across like operating system versions of Windows. For example, currency characters will not roam between Windows 7 and Windows 8. +Operating system settings for Narrator and currency characters specific to the locale (that is, language and regional settings) will only roam across like operating system versions of Windows. For example, currency characters will not roam between Windows 7 and Windows 8. WORKAROUND: None diff --git a/windows/configuration/wcd/wcd-accounts.md b/windows/configuration/wcd/wcd-accounts.md index 6a6265ee5a..d39c37513b 100644 --- a/windows/configuration/wcd/wcd-accounts.md +++ b/windows/configuration/wcd/wcd-accounts.md @@ -45,7 +45,7 @@ Specifies the settings you can configure when joining a device to a domain, incl | --- | --- | --- | | Account | string | Account to use to join computer to domain | | AccountOU | Enter the full path for the organizational unit. For example: OU=testOU,DC=domain,DC=Domain,DC=com. | Name of organizational unit for the computer account | -| ComputerName | Specify a unique name for the domain-joined computers using %RAND:x%, where x is an integer less than 15 digits long, or using %SERIAL% characters in the name.

ComputerName is a string with a maximum length of 15 bytes of content:

- ComputerName can use ASCII characters (1 byte each) and/or multi-byte characters such as Kanji, so long as you do not exceed 15 bytes of content.

- ComputerName cannot use spaces or any of the following characters: \{ | \} ~ \[ \\ \] ^ ' : ; < = > ? @ ! " \# $ % ` \( \) + / . , \* &, or contain any spaces.

- ComputerName cannot use some non-standard characters, such as emoji.

Computer names that cannot be validated through the DnsValidateName function cannot be used, for example, computer names that only contain numbers (0-9). For more information, see the [DnsValidateName function](https://go.microsoft.com/fwlink/?LinkId=257040). | Specifies the name of the Windows device (computer name on PCs) | +| ComputerName | Specify a unique name for the domain-joined computers using %RAND:x%, where x is an integer that includes fewer than 15 digits, or using %SERIAL% characters in the name.

ComputerName is a string with a maximum length of 15 bytes of content:

- ComputerName can use ASCII characters (1 byte each) and/or multi-byte characters such as Kanji, so long as you do not exceed 15 bytes of content.

- ComputerName cannot use spaces or any of the following characters: \{ | \} ~ \[ \\ \] ^ ' : ; < = > ? @ ! " \# $ % ` \( \) + / . , \* &, or contain any spaces.

- ComputerName cannot use some non-standard characters, such as emoji.

Computer names that cannot be validated through the DnsValidateName function cannot be used, for example, computer names that only contain numbers (0-9). For more information, see the [DnsValidateName function](https://go.microsoft.com/fwlink/?LinkId=257040). | Specifies the name of the Windows device (computer name on PCs) | | DomainName | string (cannot be empty) | Specify the name of the domain that the device will join | | Password | string (cannot be empty) | Corresponds to the password of the user account that's authorized to join the computer account to the domain. | @@ -56,6 +56,6 @@ Use these settings to add local user accounts to the device. | Setting | Value | Description | | --- | --- | --- | | UserName | string (cannot be empty) | Specify a name for the local user account | -| HomeDir | string (cannot be ampty) | Specify the path of the home directory for the user | +| HomeDir | string (cannot be empty) | Specify the path of the home directory for the user | | Password | string (cannot be empty) | Specify the password for the user account | | UserGroup | string (cannot be empty) | Specify the local user group for the user | diff --git a/windows/configuration/wcd/wcd-maps.md b/windows/configuration/wcd/wcd-maps.md index d50b2c93ed..c8d1a683fb 100644 --- a/windows/configuration/wcd/wcd-maps.md +++ b/windows/configuration/wcd/wcd-maps.md @@ -27,7 +27,7 @@ Use for settings related to Maps. ## ChinaVariantWin10 -Use **ChinaVariantWin10** to specify that the Windows device is intended to ship in China. When set to **True**, maps approved by the State Bureau of Surveying and Mapping in China are used, which are obtained from a server located in China. +Use **ChinaVariantWin10** to specify that the Windows device is intended to ship in China. When set to **True**, maps approved by the State Bureau of Surveying and Mapping in China are used. These maps are obtained from a server located in China. This customization may result in different maps, servers, or other configuration changes on the device. @@ -38,7 +38,7 @@ Use to store map data on an SD card. Map data is used by the Maps application and the map control for third-party applications. This data can be store on an SD card, which provides the advantage of saving internal memory space for user data and allows the user to download more offline map data. Microsoft recommends enabling the **UseExternalStorage** setting on devices that have less than 8 GB of user storage and an SD card slot. -You can use **UseExternalStorage** whether or not you include an SD card with preloaded map data on the phone. If set to **True**, the OS only allows the user to download offline maps when an SD card is present. If an SD card is not present, users can still view and cache maps, but they will not be able to download a region of offline maps until an SD card is inserted. +You can use **UseExternalStorage** whether or not you include an SD card with preloaded map data on the phone. If set to **True**, the OS only allows the user to download offline maps when an SD card is present. If no SD card is present, users can view and cache maps, but they can't download a region of offline maps until an SD card is inserted. If set to **False**, map data will always be stored on the internal data partition of the device. @@ -47,4 +47,4 @@ If set to **False**, map data will always be stored on the internal data partiti ## UseSmallerCache -Do not use. +Don't use this setting. diff --git a/windows/configuration/wcd/wcd-personalization.md b/windows/configuration/wcd/wcd-personalization.md index c452d22dbc..2bd33a11a5 100644 --- a/windows/configuration/wcd/wcd-personalization.md +++ b/windows/configuration/wcd/wcd-personalization.md @@ -27,20 +27,20 @@ Use to configure settings to personalize a PC. ## DeployDesktopImage -Deploy a jpg, jpeg or png image to the device to be used as desktop image. If you have a local file and want to embed it into the package being deployed, you configure this setting and [DesktopImageUrl](#desktopimageurl). +Deploy a .jpg, .jpeg, or .png image to the device to be used as a desktop image. If you have a local file and want to embed it into the package being deployed, you configure this setting and [DesktopImageUrl](#desktopimageurl). When using **DeployDesktopImage** and [DeployLockScreenImageFile](#deploylockscreenimage, the file names need to be different. ## DeployLockScreenImage -Deploy a jpg, jpeg or png image to the device to be used as lock screen image. If you have a local file and want to embed it into the package being deployed, you configure this setting and [LockScreenImageUrl](#lockscreenimageurl). +Deploy a .jpg, .jpeg, or .png image to the device to be used as lock screen image. If you have a local file and want to embed it into the package being deployed, you configure this setting and [LockScreenImageUrl](#lockscreenimageurl). When using [DeployDesktopImage](#deploydesktopimage) and **DeployLockScreenImageFile**, the file names need to be different. ## DesktopImageUrl -Specify a jpg, jpeg or png image to be used as desktop image. This setting can take a http or https url to a remote image to be downloaded or a file url to a local image. If you have a local file and want to embed it into the package being deployed, you also set [DeployDesktopImage](#deploydesktopimage). +Specify a .jpg, .jpeg, or .png image to be used as desktop image. This setting can take an HTTP or HTTPS URL to a remote image to be downloaded or a file URL to a local image. If you have a local file and want to embed it into the package being deployed, you also set [DeployDesktopImage](#deploydesktopimage). ## LockScreenImageUrl -Specify a jpg, jpeg or png image to be used as Lock Screen Image. This setting can take a http or https Url to a remote image to be downloaded or a file Url to an existing local image. If you have a local file and want to embed it into the package being deployed, you also set [DeployLockScreenImage](#deploylockscreenimage). +Specify a .jpg, .jpeg, or .png image to be used as Lock Screen Image. This setting can take an HTTP or HTTPS URL to a remote image to be downloaded or a file URL to an existing local image. If you have a local file and want to embed it into the package being deployed, you also set [DeployLockScreenImage](#deploylockscreenimage). diff --git a/windows/deployment/add-store-apps-to-image.md b/windows/deployment/add-store-apps-to-image.md index 68f85b8215..4a6d000511 100644 --- a/windows/deployment/add-store-apps-to-image.md +++ b/windows/deployment/add-store-apps-to-image.md @@ -1,6 +1,6 @@ --- title: Add Microsoft Store for Business applications to a Windows 10 image -description: This topic describes how to add Microsoft Store for Business applications to a Windows 10 image. +description: This article describes the correct way to add Microsoft Store for Business applications to a Windows 10 image. keywords: upgrade, update, windows, windows 10, deploy, store, image, wim ms.prod: w10 ms.mktglfcycl: deploy @@ -13,6 +13,7 @@ ms.author: greglin ms.reviewer: manager: laurawi ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Add Microsoft Store for Business applications to a Windows 10 image diff --git a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md index 834b94f381..fcbd35b410 100644 --- a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md +++ b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md @@ -13,6 +13,7 @@ ms.reviewer: manager: laurawi ms.author: greglin ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Configure a PXE server to load Windows PE @@ -21,8 +22,6 @@ ms.topic: article - Windows 10 -## Summary - This walkthrough describes how to configure a PXE server to load Windows PE by booting a client computer from the network. Using the Windows PE tools and a Windows 10 image file, you can install Windows 10 from the network. ## Prerequisites diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md index c28a60db3e..b541debb81 100644 --- a/windows/deployment/deploy-m365.md +++ b/windows/deployment/deploy-m365.md @@ -14,6 +14,7 @@ audience: itpro author: greg-lindsay ms.topic: article ms.collection: M365-modern-desktop +ms.custom: seo-marvel-apr2020 --- # Deploy Windows 10 with Microsoft 365 diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index 519ec80cf3..f73558bd91 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -13,6 +13,7 @@ ms.pagetype: deploy audience: itpro author: greg-lindsay ms.topic: article +ms.custom: seo-marvel-apr2020 --- # What's new in Windows 10 deployment @@ -83,7 +84,7 @@ The following Delivery Optimization policies are removed in the Windows 10, vers - [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. - **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. - **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again. -- **Improved update notifications**: When there’s an update requiring you to restart your device, you’ll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar. +- **Improved update notifications**: When there's an update requiring you to restart your device, you'll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar. - **Intelligent active hours**: To further enhance active hours, users will now have the option to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns. - **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions. diff --git a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md index 1fd47c5505..5d44f0af26 100644 --- a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md @@ -1,5 +1,5 @@ --- -title: Add a Windows 10 operating system image using Configuration Manager (Windows 10) +title: Add a Windows 10 operating system image using Configuration Manager description: Operating system images are typically the production image used for deployment throughout the organization. ms.assetid: 77f769cc-1a47-4f36-8082-201cd77b8d3b ms.reviewer: @@ -13,6 +13,7 @@ ms.sitesec: library audience: itpro author: greg-lindsay ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Add a Windows 10 operating system image using Configuration Manager diff --git a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md index e8896d30de..85dcbc3828 100644 --- a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md @@ -1,5 +1,5 @@ --- -title: Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager (Windows 10) +title: Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager description: Learn how to configure the Windows Preinstallation Environment (Windows PE) to include required network and storage drivers. ms.assetid: 97b3ea46-28d9-407e-8c42-ded2e45e8d5c ms.reviewer: @@ -13,6 +13,7 @@ ms.sitesec: library audience: itpro author: greg-lindsay ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager @@ -51,10 +52,10 @@ On **CM01**: 6. In the popup window that appears, click **Yes** to automatically update the distribution point. 7. Click **Next**, wait for the image to be updated, and then click **Close**. - ![Add drivers to Windows PE](../images/fig21-add-drivers1.png "Add drivers to Windows PE")
- ![Add drivers to Windows PE](../images/fig21-add-drivers2.png "Add drivers to Windows PE")
- ![Add drivers to Windows PE](../images/fig21-add-drivers3.png "Add drivers to Windows PE")
- ![Add drivers to Windows PE](../images/fig21-add-drivers4.png "Add drivers to Windows PE") + ![Add drivers to Windows PE step 1](../images/fig21-add-drivers1.png)
+ ![Add drivers to Windows PE step 2](../images/fig21-add-drivers2.png)
+ ![Add drivers to Windows PE step 3](../images/fig21-add-drivers3.png)
+ ![Add drivers to Windows PE step 4](../images/fig21-add-drivers4.png) Add drivers to Windows PE @@ -64,7 +65,7 @@ This section illustrates how to add drivers for Windows 10 using the HP EliteBoo For the purposes of this section, we assume that you have downloaded the Windows 10 drivers for the HP EliteBook 8560w model and copied them to the **D:\Sources$\OSD\DriverSources\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w** folder on CM01. -![Drivers](../images/cm01-drivers-windows.png) +![Drivers in Windows](../images/cm01-drivers-windows.png) Driver folder structure on CM01 diff --git a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md index 5ff94676d8..e4d235f852 100644 --- a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md @@ -1,6 +1,6 @@ --- title: Create a custom Windows PE boot image with Configuration Manager (Windows 10) -description: In Microsoft Endpoint Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. +description: Learn how to create custom Windows Preinstallation Environment (Windows PE) boot images in Microsoft Endpoint Configuration Manager. ms.assetid: b9e96974-324d-4fa4-b0ce-33cfc49c4809 ms.reviewer: manager: laurawi @@ -13,6 +13,7 @@ ms.sitesec: library audience: itpro author: greg-lindsay ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Create a custom Windows PE boot image with Configuration Manager @@ -71,8 +72,8 @@ On **CM01**: 8. In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard. 9. Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Do not continue until you can see that the boot image is distributed. Look for the line that reads **STATMSG: ID=2301**. You also can monitor Content Status in the Configuration Manager Console at **\Monitoring\Overview\Distribution Status\Content Status\Zero Touch WinPE x64**. See the following examples: - ![Content status for the Zero Touch WinPE x64 boot image](../images/fig16-contentstatus1.png "Content status for the Zero Touch WinPE x64 boot image")
- ![Content status for the Zero Touch WinPE x64 boot image](../images/fig16-contentstatus2.png "Content status for the Zero Touch WinPE x64 boot image") + ![Content status for the Zero Touch WinPE x64 boot image step 1](../images/fig16-contentstatus1.png)
+ ![Content status for the Zero Touch WinPE x64 boot image step 2](../images/fig16-contentstatus2.png) Content status for the Zero Touch WinPE x64 boot image @@ -81,8 +82,8 @@ On **CM01**: 12. Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for this text: **Expanding PS100009 to D:\\RemoteInstall\\SMSImages**. 13. Review the **D:\\RemoteInstall\\SMSImages** folder. You should see three folders containing boot images. Two are from the default boot images, and the third folder (PS100009) is from your new boot image with DaRT. See the examples below: - ![PS100009-1](../images/ps100009-1.png)
- ![PS100009-2](../images/ps100009-2.png) + ![PS100009 step 1](../images/ps100009-1.png)
+ ![PS100009 step 2](../images/ps100009-2.png) >Note: Depending on your infrastructure and the number of packages and boot images present, the Image ID might be a different number than PS100009. diff --git a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md index b3c301d048..87bed1dd16 100644 --- a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md @@ -1,6 +1,6 @@ --- title: Finalize operating system configuration for Windows 10 deployment -description: Follow this walk-through to finalize the configuration of your Windows 10 operating deployment. +description: This article provides a walk-through to finalize the configuration of your Windows 10 operating deployment. ms.assetid: 38b55fa8-e717-4689-bd43-8348751d493e ms.reviewer: manager: laurawi @@ -13,6 +13,7 @@ ms.sitesec: library audience: itpro author: greg-lindsay ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Finalize the operating system configuration for Windows 10 deployment with Configuration Manager diff --git a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md index ca87d2d6b3..4dd8344c5b 100644 --- a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md @@ -1,5 +1,5 @@ --- -title: Prepare for Zero Touch Installation of Windows 10 with Configuration Manager (Windows 10) +title: Prepare for Zero Touch Installation of Windows 10 with Configuration Manager description: Learn how to prepare a Zero Touch Installation of Windows 10 with Configuration Manager, by integrating Configuration Manager with Microsoft Deployment Toolkit. ms.assetid: 06e3a221-31ef-47a5-b4da-3b927cb50d08 ms.reviewer: @@ -13,6 +13,7 @@ ms.sitesec: library audience: itpro author: greg-lindsay ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Prepare for Zero Touch Installation of Windows 10 with Configuration Manager @@ -240,7 +241,7 @@ On **CM01**: 2. Right-click **PS1 - Primary Site 1**, point to **Configure Site Components**, and then select **Software Distribution**. 3. On the **Network Access Account** tab, select **Specify the account that accesses network locations** and add the *New Account* **CONTOSO\\CM\_NAA** as the Network Access account (password: pass@word1). Use the new **Verify** option to verify that the account can connect to the **\\\\DC01\\sysvol** network share. -![figure 12](../images/mdt-06-fig12.png) +![figure 11](../images/mdt-06-fig12.png) Test the connection for the Network Access account. diff --git a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md index 24ea36579b..7ff3078c04 100644 --- a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -1,5 +1,5 @@ --- -title: Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10) +title: Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager description: Learn how to use Configuration Manager and Microsoft Deployment Toolkit (MDT) to refresh a Windows 7 SP1 client with Windows 10. ms.assetid: 57c81667-1019-4711-b3de-15ae9c5387c7 ms.reviewer: @@ -13,6 +13,7 @@ ms.sitesec: library audience: itpro author: greg-lindsay ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager @@ -57,9 +58,9 @@ On **PC0003**: 1. Open the Configuration Manager control panel (control smscfgrc). 2. On the **Site** tab, click **Configure Settings**, then click **Find Site**. -3. Verify that Configuration Manager has successfullyl found a site to manage this client is displayed. See the following example. +3. Verify that Configuration Manager has successfully found a site to manage this client is displayed. See the following example. -![pc0003a](../images/pc0003a.png) +![Found a site to manage this client](../images/pc0003a.png) ## Create a device collection and add the PC0003 computer @@ -123,16 +124,16 @@ On **PC0003**: 2. In the **Software Center** warning dialog box, click **Install Operating System**. 3. The client computer will run the Configuration Manager task sequence, boot into Windows PE, and install the new OS and applications. See the following examples: -![pc0003b](../images/pc0003b.png)
-![pc0003c](../images/pc0003c.png)
-![pc0003d](../images/pc0003d.png)
-![pc0003e](../images/pc0003e.png)
-![pc0003f](../images/pc0003f.png)
-![pc0003g](../images/pc0003g.png)
-![pc0003h](../images/pc0003h.png)
-![pc0003i](../images/pc0003i.png)
-![pc0003j](../images/pc0003j.png)
-![pc0003k](../images/pc0003k.png) +![Task sequence example 1](../images/pc0003b.png)
+![Task sequence example 2](../images/pc0003c.png)
+![Task sequence example 3](../images/pc0003d.png)
+![Task sequence example 4](../images/pc0003e.png)
+![Task sequence example 5](../images/pc0003f.png)
+![Task sequence example 6](../images/pc0003g.png)
+![Task sequence example 7](../images/pc0003h.png)
+![Task sequence example 8](../images/pc0003i.png)
+![Task sequence example 9](../images/pc0003j.png)
+![Task sequence example 10](../images/pc0003k.png) Next, see [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md). diff --git a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md index b2ef8ff138..4c98f861cf 100644 --- a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -1,5 +1,5 @@ --- -title: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10) +title: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager description: In this topic, you will learn how to replacing a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager. ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36 ms.reviewer: @@ -13,6 +13,7 @@ ms.sitesec: library audience: itpro author: greg-lindsay ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager @@ -159,7 +160,7 @@ On **PC0004**: 4. Confirm you want to upgrade the operating system on this computer by clicking **Install** again. 5. Allow the Replace Task Sequence to complete. The PC0004 computer will gather user data, boot into Windows PE and gather more data, then boot back to the full OS. The entire process should only take a few minutes. -![pc0004b](../images/pc0004b.png) +![Task sequence example](../images/pc0004b.png) Capturing the user state @@ -190,15 +191,15 @@ On **PC0006**: When the process is complete, you will have a new Windows 10 computer in your domain with user data and settings restored. See the following examples: -![pc0006a](../images/pc0006a.png)
-![pc0006b](../images/pc0006b.png)
-![pc0006c](../images/pc0006c.png)
-![pc0006d](../images/pc0006d.png)
-![pc0006e](../images/pc0006e.png)
-![pc0006f](../images/pc0006f.png)
-![pc0006g](../images/pc0006g.png)
-![pc0006h](../images/pc0006h.png)
-![pc0006i](../images/pc0006i.png) +![User data and setting restored example 1](../images/pc0006a.png)
+![User data and setting restored example 2](../images/pc0006b.png)
+![User data and setting restored example 3](../images/pc0006c.png)
+![User data and setting restored example 4](../images/pc0006d.png)
+![User data and setting restored example 5](../images/pc0006e.png)
+![User data and setting restored example 6](../images/pc0006f.png)
+![User data and setting restored example 7](../images/pc0006g.png)
+![User data and setting restored example 8](../images/pc0006h.png)
+![User data and setting restored example 9](../images/pc0006i.png) Next, see [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade-to-windows-10-with-configuraton-manager.md). diff --git a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md index 553be3b239..46a0b5ee09 100644 --- a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md +++ b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md @@ -1,6 +1,6 @@ --- title: Perform in-place upgrade to Windows 10 via Configuration Manager -description: In-place upgrades make upgrading Windows 7, Windows 8, and Windows 8.1 to Windows 10 easy -- you can even automate the whole process with a Microsoft Endpoint Configuration Manager task sequence. +description: Learn how to perform an in-place upgrade to Windows 10 by automating the process with a Microsoft Endpoint Configuration Manager task sequence. ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878 ms.reviewer: manager: laurawi @@ -12,6 +12,7 @@ ms.mktglfcycl: deploy audience: itpro author: greg-lindsay ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Perform an in-place upgrade to Windows 10 using Configuration Manager @@ -126,13 +127,13 @@ On **PC0004**: 4. Confirm you want to upgrade the operating system on this computer by clicking **Install** again. 5. Allow the Upgrade Task Sequence to complete. The PC0004 computer will download the install.wim file, perform an in-place upgrade, and install your added applications. See the following examples: -![pc0004-a](../images/pc0004-a.png)
-![pc0004-b](../images/pc0004-b.png)
-![pc0004-c](../images/pc0004-c.png)
-![pc0004-d](../images/pc0004-d.png)
-![pc0004-e](../images/pc0004-e.png)
-![pc0004-f](../images/pc0004-f.png)
-![pc0004-g](../images/pc0004-g.png) +![Upgrade task sequence example 1](../images/pc0004-a.png)
+![Upgrade task sequence example 2](../images/pc0004-b.png)
+![Upgrade task sequence example 3](../images/pc0004-c.png)
+![Upgrade task sequence example 4](../images/pc0004-d.png)
+![Upgrade task sequence example 5](../images/pc0004-e.png)
+![Upgrade task sequence example 6](../images/pc0004-f.png)
+![Upgrade task sequence example 7](../images/pc0004-g.png) In-place upgrade with Configuration Manager diff --git a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md index 1f16c8febd..84daf20005 100644 --- a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md +++ b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md @@ -1,6 +1,7 @@ --- title: Replace a Windows 7 computer with a Windows 10 computer (Windows 10) -description: Learn how to replace a Windows 7 device with a Windows 10 device. Although the process is similar to performing a refresh, you'll need to backup data externally +description: In this article, you will learn how to replace a Windows 7 device with a Windows 10 device. +ms.custom: seo-marvel-apr2020 ms.assetid: acf091c9-f8f4-4131-9845-625691c09a2a ms.reviewer: manager: laurawi diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md index 4872285d93..231b73680a 100644 --- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md +++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md @@ -4,7 +4,7 @@ ms.assetid: 386e6713-5c20-4d2a-a220-a38d94671a38 ms.reviewer: manager: laurawi ms.author: greglin -description: +description: Learn how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. keywords: disk, encryption, TPM, configure, secure, script ms.prod: w10 ms.mktglfcycl: deploy @@ -14,6 +14,7 @@ ms.pagetype: mdt audience: itpro author: greg-lindsay ms.topic: article +ms.custom: seo-marvel-mar2020 --- # Set up MDT for BitLocker diff --git a/windows/deployment/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md index e0be07468b..90d0dc48d1 100644 --- a/windows/deployment/deploy-windows-to-go.md +++ b/windows/deployment/deploy-windows-to-go.md @@ -14,6 +14,7 @@ ms.sitesec: library ms.pagetype: mobility audience: itpro ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Deploy Windows To Go in your organization @@ -113,7 +114,7 @@ The following Windows PowerShell cmdlet or cmdlets perform the same function as $Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot } - #Clear the disk. This will delete any data on the disk. (and will fail if the disk is not yet initialized. If that happens, simply continue with ‘New-Partition…) Validate that this is the correct disk that you want to completely erase. + #Clear the disk. This will delete any data on the disk. (and will fail if the disk is not yet initialized. If that happens, simply continue with 'New-Partition…) Validate that this is the correct disk that you want to completely erase. # # To skip the confirmation prompt, append –confirm:$False Clear-Disk –InputObject $Disk[0] -RemoveData @@ -161,7 +162,7 @@ W:\Windows\System32\bcdboot W:\Windows /f ALL /s S: ``` ~~~ -5. Apply SAN policy—OFFLINE\_INTERNAL - “4” to prevent the operating system from automatically bringing online any internally connected disk. This is done by creating and saving a **san\_policy.xml** file on the disk. The following example illustrates this step: +5. Apply SAN policy—OFFLINE\_INTERNAL - "4" to prevent the operating system from automatically bringing online any internally connected disk. This is done by creating and saving a **san\_policy.xml** file on the disk. The following example illustrates this step: ``` @@ -291,7 +292,7 @@ Making sure that Windows To Go workspaces are effective when used off premises i - A domain-joined computer running Windows 8 or later and is configured as a Windows To Go host computer -- A Windows To Go drive that hasn’t been booted or joined to the domain using unattend settings. +- A Windows To Go drive that hasn't been booted or joined to the domain using unattend settings. - A domain user account with rights to add computer accounts to the domain and is a member of the Administrator group on the Windows To Go host computer @@ -319,7 +320,7 @@ Making sure that Windows To Go workspaces are effective when used off premises i $Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot } - #Clear the disk. This will delete any data on the disk. (and will fail if the disk is not yet initialized. If that happens, simply continue with ‘New-Partition…) Validate that this is the correct disk that you want to completely erase. + #Clear the disk. This will delete any data on the disk. (and will fail if the disk is not yet initialized. If that happens, simply continue with 'New-Partition…) Validate that this is the correct disk that you want to completely erase. # # To skip the confirmation prompt, append –confirm:$False Clear-Disk –InputObject $Disk[0] -RemoveData @@ -414,7 +415,7 @@ dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /ind >[!NOTE] >Depending on your DirectAccess configuration you might be asked to insert your smart card to log on to the domain. -You should now be able to access your organization’s network resources and work from your Windows To Go workspace as you would normally work from your standard desktop computer on premises. +You should now be able to access your organization's network resources and work from your Windows To Go workspace as you would normally work from your standard desktop computer on premises. ### Enable BitLocker protection for your Windows To Go drive @@ -467,7 +468,7 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot $Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot } - #Clear the disk. This will delete any data on the disk. (and will fail if the disk is not yet initialized. If that happens, simply continue with ‘New-Partition…) Validate that this is the correct disk that you want to completely erase. + #Clear the disk. This will delete any data on the disk. (and will fail if the disk is not yet initialized. If that happens, simply continue with 'New-Partition…) Validate that this is the correct disk that you want to completely erase. # # To skip the confirmation prompt, append –confirm:$False Clear-Disk –InputObject $Disk[0] -RemoveData @@ -576,17 +577,17 @@ The sample script creates an unattend file that streamlines the deployment proce * To run this sample script you must open a Windows PowerShell session as an administrator from a domain-joined computer using an account that has permission to create domain accounts. -* Using offline domain join is required by this script, since the script does not create a local administrator user account. However, domain membership will automatically put “Domain admins” into the local administrators group. Review your domain policies. If you are using DirectAccess you will need to modify the djoin.exe command to include the `policynames` and potentially the `certtemplate` parameters. +* Using offline domain join is required by this script, since the script does not create a local administrator user account. However, domain membership will automatically put "Domain admins" into the local administrators group. Review your domain policies. If you are using DirectAccess you will need to modify the djoin.exe command to include the `policynames` and potentially the `certtemplate` parameters. * The script needs to use drive letters, so you can only provision half as many drives as you have free drive letters. #### To run the advanced deployment sample script -1. Copy entire the code sample titled “Windows To Go multiple drive provisioning sample script” into a PowerShell script (.ps1) file. +1. Copy entire the code sample titled "Windows To Go multiple drive provisioning sample script" into a PowerShell script (.ps1) file. 2. Make the modifications necessary for it to be appropriate to your deployment and save the file. -3. Configure the PowerShell execution policy. By default PowerShell’s execution policy is set to Restricted; that means that scripts won’t run until you have explicitly given them permission to. To configure PowerShell’s execution policy to allow the script to run, use the following command from an elevated PowerShell prompt: +3. Configure the PowerShell execution policy. By default PowerShell's execution policy is set to Restricted; that means that scripts won't run until you have explicitly given them permission to. To configure PowerShell's execution policy to allow the script to run, use the following command from an elevated PowerShell prompt: ``` Set-ExecutionPolicy RemoteSigned diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md index 5afc9307e1..ecf21c9ffc 100644 --- a/windows/deployment/deploy.md +++ b/windows/deployment/deploy.md @@ -13,6 +13,7 @@ ms.sitesec: library ms.localizationpriority: medium audience: itpro ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Deploy Windows 10 diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json index d90a888be9..bc71e70299 100644 --- a/windows/deployment/docfx.json +++ b/windows/deployment/docfx.json @@ -35,6 +35,7 @@ "externalReference": [], "globalMetadata": { "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.technology": "windows", "audience": "ITPro", "ms.topic": "article", diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index 94f57a06d9..4551b08e4a 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md @@ -15,6 +15,7 @@ manager: laurawi ms.audience: itpro ms.localizationpriority: medium ms.topic: article +ms.custom: seo-marvel-apr2020 --- # MBR2GPT.EXE @@ -22,8 +23,6 @@ ms.topic: article **Applies to** - Windows 10 -## Summary - **MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **/allowFullOS** option. >MBR2GPT.EXE is located in the **Windows\\System32** directory on a computer running Windows 10 version 1703 (also known as the Creator's Update) or later. diff --git a/windows/deployment/planning/compatibility-administrator-users-guide.md b/windows/deployment/planning/compatibility-administrator-users-guide.md index afbb20379c..30dcd0de23 100644 --- a/windows/deployment/planning/compatibility-administrator-users-guide.md +++ b/windows/deployment/planning/compatibility-administrator-users-guide.md @@ -4,7 +4,7 @@ ms.assetid: 0ce05f66-9009-4739-a789-60f3ce380e76 ms.reviewer: manager: laurawi ms.author: greglin -description: +description: The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows. ms.prod: w10 ms.mktglfcycl: plan ms.pagetype: appcompat @@ -12,6 +12,7 @@ ms.sitesec: library audience: itpro author: greg-lindsay ms.topic: article +ms.custom: seo-marvel-mar2020 --- # Compatibility Administrator User's Guide diff --git a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md index 162ad2c153..18f52b5803 100644 --- a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md +++ b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md @@ -4,7 +4,7 @@ ms.assetid: fdfbf02f-c4c4-4739-a400-782204fd3c6c ms.reviewer: manager: laurawi ms.author: greglin -description: +description: Learn about deploying your compatibility fixes as part of an application-installation package or through a centralized compatibility-fix database. ms.prod: w10 ms.mktglfcycl: plan ms.pagetype: appcompat @@ -13,6 +13,7 @@ audience: itpro author: greg-lindsay ms.date: 04/19/2017 ms.topic: article +ms.custom: seo-marvel-mar2020 --- # Compatibility Fix Database Management Strategies and Deployment @@ -88,7 +89,7 @@ This approach tends to work best for organizations that have a well-developed de ### Merging Centralized Compatibility-Fix Databases -If you decide to use the centralized compatibility-fix database deployment strategy, you can merge any of your individual compatibility-fix databases. This enables you to create a single custom compatibility-fix database that can be used to search for and determine whether Windows® should apply a fix to a specific executable (.exe) file. We recommend merging your databases based on the following process. +If you decide to use the centralized compatibility-fix database deployment strategy, you can merge any of your individual compatibility-fix databases. This enables you to create a single custom compatibility-fix database that can be used to search for and determine whether Windows® should apply a fix to a specific executable (.exe) file. We recommend merging your databases based on the following process. **To merge your custom-compatibility databases** @@ -113,7 +114,7 @@ If you decide to use the centralized compatibility-fix database deployment strat Deploying your custom compatibility-fix database into your organization requires you to perform the following actions: -1. Store your custom compatibility-fix database (.sdb file) in a location that is accessible to all of your organization’s computers. +1. Store your custom compatibility-fix database (.sdb file) in a location that is accessible to all of your organization's computers. 2. Use the Sdbinst.exe command-line tool to install the custom compatibility-fix database locally. @@ -124,7 +125,7 @@ In order to meet the two requirements above, we recommend that you use one of th You can package your .sdb file and a custom deployment script into an .msi file, and then deploy the .msi file into your organization. > [!IMPORTANT] - > You must ensure that you mark your custom script so that it does not impersonate the calling user. For example, if you use Microsoft® Visual Basic® Scripting Edition (VBScript), the custom action type would be: + > You must ensure that you mark your custom script so that it does not impersonate the calling user. For example, if you use Microsoft® Visual Basic® Scripting Edition (VBScript), the custom action type would be: >`msidbCustomActionTypeVBScript + msidbCustomActionTypeInScript + msidbCustomActionTypeNoImpersonate = 0x0006 + 0x0400 + 0x0800 = 0x0C06 = 3078 decimal)` diff --git a/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md b/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md index aa63171e92..504dc52a3c 100644 --- a/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md +++ b/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md @@ -1,5 +1,5 @@ --- -title: Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista (Windows 10) +title: Compatibility Fixes for Windows 10, Windows 8, Windows 7, & Windows Vista description: Find compatibility fixes for all Windows operating systems that have been released from Windows Vista through Windows 10. ms.assetid: cd51c824-557f-462a-83bb-54b0771b7dff ms.reviewer: @@ -13,6 +13,7 @@ audience: itpro author: greg-lindsay ms.date: 04/19/2017 ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista @@ -75,7 +76,7 @@ The following table lists the known compatibility fixes for all Windows operatin

BIOSRead

-

This problem is indicated when an application cannot access the Device\PhysicalMemory object beyond the kernel-mode drivers, on any of the Windows Server® 2003 operating systems.

+

This problem is indicated when an application cannot access the Device\PhysicalMemory object beyond the kernel-mode drivers, on any of the Windows Server® 2003 operating systems.

The fix enables OEM executable (.exe) files to use the GetSystemFirmwareTable function instead of the NtOpenSection function when the BIOS is queried for the \Device\Physical memory information..

@@ -92,7 +93,7 @@ The following table lists the known compatibility fixes for all Windows operatin

ChangeFolderPathToXPStyle

This fix is required when an application cannot return shell folder paths when it uses the SHGetFolder API.

-

The fix intercepts the SHGetFolder path request to the common appdata file path and returns the Windows® XP-style file path instead of the Windows Vista-style file path.

+

The fix intercepts the SHGetFolder path request to the common appdata file path and returns the Windows® XP-style file path instead of the Windows Vista-style file path.

ClearLastErrorStatusonIntializeCriticalSection

@@ -188,7 +189,7 @@ The following table lists the known compatibility fixes for all Windows operatin

DirectXVersionLie

-

This problem occurs when an application fails because it does not find the correct version number for DirectX®.

+

This problem occurs when an application fails because it does not find the correct version number for DirectX®.

The fix modifies the DXDIAGN GetProp function call to return the correct DirectX version.

You can control this fix further by typing the following command at the command prompt:

MAJORVERSION.MINORVERSION.LETTER

@@ -456,7 +457,7 @@ The following table lists the known compatibility fixes for all Windows operatin

IgnoreMSOXMLMF

The problem is indicated by an error message that states that the operating system cannot locate the MSVCR80D.DLL file.

-

The fix ignores the registered MSOXMLMF.DLL object, which Microsoft® Office 2007 loads into the operating system any time that you load an XML file, and then it fails the CoGetClassObject for its CLSID. This compatibility fix will just ignore the registered MSOXMLMF and fail the CoGetClassObject for its CLSID.

+

The fix ignores the registered MSOXMLMF.DLL object, which Microsoft® Office 2007 loads into the operating system any time that you load an XML file, and then it fails the CoGetClassObject for its CLSID. This compatibility fix will just ignore the registered MSOXMLMF and fail the CoGetClassObject for its CLSID.

IgnoreSetROP2

diff --git a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md index 13c1aa16fd..1c9e4706d1 100644 --- a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md +++ b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md @@ -13,6 +13,7 @@ ms.sitesec: library audience: itpro author: greg-lindsay ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Deployment considerations for Windows To Go @@ -51,7 +52,7 @@ When a Windows To Go workspace is first used at the workplace, the Windows To Go ![initial boot off-premises](images/wtg-first-boot-home.gif) -When the Windows To Go workspace is going to be used first on an off-premises computer, such as one at the employee’s home, then the IT professional preparing the Windows To Go drives should configure the drive to be able to connect to organizational resources and to maintain the security of the workspace. In this situation, the Windows To Go workspace needs to be configured for offline domain join and BitLocker needs to be enabled before the workspace has been initialized. +When the Windows To Go workspace is going to be used first on an off-premises computer, such as one at the employee's home, then the IT professional preparing the Windows To Go drives should configure the drive to be able to connect to organizational resources and to maintain the security of the workspace. In this situation, the Windows To Go workspace needs to be configured for offline domain join and BitLocker needs to be enabled before the workspace has been initialized. > [!TIP] > Applying BitLocker Drive Encryption to the drives before provisioning is a much faster process than encrypting the drives after data has already been stored on them due to a new feature called used-disk space only encryption. For more information, see [What's New in BitLocker](https://go.microsoft.com/fwlink/p/?LinkId=619076). diff --git a/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md b/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md index 565b9b6833..6b42e09fe7 100644 --- a/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md +++ b/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md @@ -1,5 +1,5 @@ --- -title: Enabling and Disabling Compatibility Fixes in Compatibility Administrator (Windows 10) +title: Enabling and Disabling Compatibility Fixes in Compatibility Administrator description: You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes. ms.assetid: 6bd4a7c5-0ed9-4a35-948c-c438aa4d6cb6 ms.reviewer: @@ -12,6 +12,7 @@ ms.sitesec: library audience: itpro author: greg-lindsay ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Enabling and Disabling Compatibility Fixes in Compatibility Administrator diff --git a/windows/deployment/planning/features-lifecycle.md b/windows/deployment/planning/features-lifecycle.md index 0f635b9f80..9469d47cb7 100644 --- a/windows/deployment/planning/features-lifecycle.md +++ b/windows/deployment/planning/features-lifecycle.md @@ -10,6 +10,7 @@ author: greg-lindsay manager: laurawi ms.author: greglin ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Windows 10 features lifecycle @@ -21,7 +22,7 @@ Each release of Windows 10 contains many new and improved features. Occasionally The following topic lists features that are no longer being developed. These features might be removed in a future release. -[Windows 10 features we’re no longer developing](windows-10-deprecated-features.md) +[Windows 10 features we're no longer developing](windows-10-deprecated-features.md) ## Features removed diff --git a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md index c896c72fde..8ab327afb4 100644 --- a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md +++ b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md @@ -13,6 +13,7 @@ ms.sitesec: library audience: itpro author: greg-lindsay ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Prepare your organization for Windows To Go @@ -25,7 +26,7 @@ ms.topic: article > [!IMPORTANT] > Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. -The following information is provided to help you plan and design a new deployment of a Windows To Go in your production environment. It provides answers to the “what”, “why”, and “when” questions an IT professional might have when planning to deploy Windows To Go. +The following information is provided to help you plan and design a new deployment of a Windows To Go in your production environment. It provides answers to the "what", "why", and "when" questions an IT professional might have when planning to deploy Windows To Go. ## What is Windows To Go? @@ -51,16 +52,16 @@ The following scenarios are examples of situations in which Windows To Go worksp - **Continuance of operations (COO).** In this scenario, selected employees receive a USB drive with a Windows To Go workspace, which includes all of the applications that the employees use at work. The employees can keep the device at home, in a briefcase, or wherever they want to store it until needed. When the users boot their home computer from the USB drive, it will create a corporate desktop experience so that they can quickly start working. On the very first boot, the employee sees that Windows is installing devices; after that one time, the Windows To Go drive boots like a normal computer. If they have enterprise network access, employees can use a virtual private network (VPN) connection or DirectAccess to access corporate resources. If the enterprise network is available, the Windows To Go workspace will automatically be updated using your standard client management processes. -- **Contractors and temporary workers.** In this situation, an enterprise IT pro or manager would distribute the Windows To Go drive directly to the worker where they can be assisted with any necessary additional user education needs or address any possible compatibility issues. While the worker is on assignment, they can boot their computer exclusively from the Windows To Go drive and run all applications in that environment until the end of the assignment when the device is returned. No installation of software is required on the worker’s personal computer. +- **Contractors and temporary workers.** In this situation, an enterprise IT pro or manager would distribute the Windows To Go drive directly to the worker where they can be assisted with any necessary additional user education needs or address any possible compatibility issues. While the worker is on assignment, they can boot their computer exclusively from the Windows To Go drive and run all applications in that environment until the end of the assignment when the device is returned. No installation of software is required on the worker's personal computer. - **Managed free seating.** The employee is issued a Windows To Go drive that is then used with the host computer assigned to that employee for a given session (this could be a vehicle, workspace, or standalone laptop). When the employee leaves the session, the next time they return they use the same USB flash drive but use a different host computer. -- **Work from home.** In this situation, the Windows To Go drive can be provisioned for employees using various methods including Microsoft Endpoint Configuration Manager or other deployment tools and then distributed to employees. The employee is instructed to boot the Windows To Go drive initially at work, which caches the employee’s credentials on the Windows To Go workspace and allows the initial data synchronization between the enterprise network and the Windows To Go workspace. The user can then bring the Windows To Go drive home where it can be used with their home computer, with or without enterprise network connectivity. +- **Work from home.** In this situation, the Windows To Go drive can be provisioned for employees using various methods including Microsoft Endpoint Configuration Manager or other deployment tools and then distributed to employees. The employee is instructed to boot the Windows To Go drive initially at work, which caches the employee's credentials on the Windows To Go workspace and allows the initial data synchronization between the enterprise network and the Windows To Go workspace. The user can then bring the Windows To Go drive home where it can be used with their home computer, with or without enterprise network connectivity. - **Travel lightly.** In this situation you have employees who are moving from site to site, but who always will have access to a compatible host computer on site. Using Windows To Go workspaces allows them to travel without the need to pack their PC. > [!NOTE] -> If the employee wants to work offline for the majority of the time, but still maintain the ability to use the drive on the enterprise network, they should be informed of how often the Windows To Go workspace needs to be connected to the enterprise network. Doing so will ensure that the drive retains its access privileges and the workspace’s computer object is not potentially deleted from Active Directory Domain Services (AD DS). +> If the employee wants to work offline for the majority of the time, but still maintain the ability to use the drive on the enterprise network, they should be informed of how often the Windows To Go workspace needs to be connected to the enterprise network. Doing so will ensure that the drive retains its access privileges and the workspace's computer object is not potentially deleted from Active Directory Domain Services (AD DS). @@ -76,7 +77,7 @@ Windows To Go uses volume activation. You can use either Active Directory-based Microsoft software, such as Microsoft Office, distributed to a Windows To Go workspace must also be activated. Office deployment is fully supported on Windows To Go. Please note, due to the retail subscription activation method associated with Microsoft 365 Apps for enterprise, Microsoft 365 Apps for enterprise subscribers are provided volume licensing activation rights for Office Professional Plus 2013 MSI for local installation on the Windows To Go drive. This is available to organizations who purchase Microsoft 365 Apps for enterprise or Office 365 Enterprise SKUs containing Microsoft 365 Apps for enterprise via volume licensing channels. For more information about activating Microsoft Office, see [Volume activation methods in Office 2013](https://go.microsoft.com/fwlink/p/?LinkId=618922). -You should investigate other software manufacturer’s licensing requirements to ensure they are compatible with roaming usage before deploying them to a Windows To Go workspace. +You should investigate other software manufacturer's licensing requirements to ensure they are compatible with roaming usage before deploying them to a Windows To Go workspace. > [!NOTE] > Using Multiple Activation Key (MAK) activation is not a supported activation method for Windows To Go as each different PC-host would require separate activation. MAK activation should not be used for activating Windows, Office, or any other application on a Windows To Go drive. @@ -102,7 +103,7 @@ If you configure Windows To Go drives for scenarios where drives may remain unus ## User account and data management -People use computers to work with data and consume content - that is their core function. The data must be stored and retrievable for it to be useful. When users are working in a Windows To Go workspace, they need to have the ability to get to the data that they work with and to keep it accessible when the workspace is not being used. For this reason we recommend that you use folder redirection and offline files to redirect the path of local folders (such as the Documents folder) to a network location, while caching the contents locally for increased speed and availability. We also recommend that you use roaming user profiles to synchronize user specific settings so that users receive the same operating system and application settings when using their Windows To Go workspace and their desktop computer. When a user signs in using a domain account that is set up with a file share as the profile path, the user’s profile is downloaded to the local computer and merged with the local profile (if present). When the user logs off the computer, the local copy of their profile, including any changes, is merged with the server copy of the profile. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](https://go.microsoft.com/fwlink/p/?LinkId=618924). +People use computers to work with data and consume content - that is their core function. The data must be stored and retrievable for it to be useful. When users are working in a Windows To Go workspace, they need to have the ability to get to the data that they work with and to keep it accessible when the workspace is not being used. For this reason we recommend that you use folder redirection and offline files to redirect the path of local folders (such as the Documents folder) to a network location, while caching the contents locally for increased speed and availability. We also recommend that you use roaming user profiles to synchronize user specific settings so that users receive the same operating system and application settings when using their Windows To Go workspace and their desktop computer. When a user signs in using a domain account that is set up with a file share as the profile path, the user's profile is downloaded to the local computer and merged with the local profile (if present). When the user logs off the computer, the local copy of their profile, including any changes, is merged with the server copy of the profile. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](https://go.microsoft.com/fwlink/p/?LinkId=618924). Windows To Go is fully integrated with your Microsoft account. Setting synchronization is accomplished by connecting a Microsoft account to a user account. Windows To Go devices fully support this feature and can be managed by Group Policy so that the customization and configurations you prefer will be applied to your Windows To Go workspace. diff --git a/windows/deployment/planning/sua-users-guide.md b/windows/deployment/planning/sua-users-guide.md index 56143ee843..2d34aa8326 100644 --- a/windows/deployment/planning/sua-users-guide.md +++ b/windows/deployment/planning/sua-users-guide.md @@ -1,6 +1,7 @@ --- title: SUA User's Guide (Windows 10) -description: Standard User Analyzer (SUA) can test your apps and monitor API calls to detect compatibility issues related to Windows' User Account Control (UAC) feature. +description: Learn how to use Standard User Analyzer (SUA). SUA can test your apps and monitor API calls to detect compatibility issues related to the Windows User Account Control (UAC) feature. +ms.custom: seo-marvel-apr2020 ms.assetid: ea525c25-b557-4ed4-b042-3e4d0e543e10 ms.reviewer: manager: laurawi @@ -67,4 +68,3 @@ You can use SUA in either of the following ways: - diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md index 18d1d96008..fa4f088b49 100644 --- a/windows/deployment/planning/windows-10-deprecated-features.md +++ b/windows/deployment/planning/windows-10-deprecated-features.md @@ -28,7 +28,6 @@ The features described below are no longer being actively developed, and might b | ----------- | --------------------- | ---- | | Microsoft Edge | The legacy version of Microsoft Edge is no longer being developed.| 2004 | | Companion Device Framework | The [Companion Device Framework](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-companion-device-framework) is no longer under active development.| 2004 | -| Microsoft Edge | The legacy version of Microsoft Edge is no longer being developed.| 2004 | | Dynamic Disks | The [Dynamic Disks](https://docs.microsoft.com/windows/win32/fileio/basic-and-dynamic-disks#dynamic-disks) feature is no longer being developed. This feature will be fully replaced by [Storage Spaces](https://docs.microsoft.com/windows-server/storage/storage-spaces/overview) in a future release.| 2004 | | Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 | | My People / People in the Shell | My People is no longer being developed. It may be removed in a future update. | 1909 | diff --git a/windows/deployment/planning/windows-10-removed-features.md b/windows/deployment/planning/windows-10-removed-features.md index 427f15beab..edeeaeec27 100644 --- a/windows/deployment/planning/windows-10-removed-features.md +++ b/windows/deployment/planning/windows-10-removed-features.md @@ -10,6 +10,7 @@ author: greg-lindsay ms.author: greglin manager: laurawi ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Features and functionality removed in Windows 10 @@ -44,7 +45,7 @@ The following features and functionalities have been removed from the installed |Future updates through [Windows Embedded Developer Update](https://docs.microsoft.com/previous-versions/windows/embedded/ff770079\(v=winembedded.60\)) for Windows Embedded Standard 7-SP1 (WES7-SP1) and Windows Embedded Standard 8 (WES8)|We’re no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). [Learn how](https://techcommunity.microsoft.com/t5/Windows-Embedded/Change-to-the-Windows-Embedded-Developer-Update/ba-p/285704) to get updates from the catalog.| 1809 | |Groove Music Pass|[We ended the Groove streaming music service and music track sales through the Microsoft Store in 2017](https://support.microsoft.com/help/4046109/groove-music-and-spotify-faq). The Groove app is being updated to reflect this change. You can still use Groove Music to play the music on your PC. You can use Spotify or other music services to stream music on Windows 10, or to buy music to own.| 1803 | |People - Suggestions will no longer include unsaved contacts for non-Microsoft accounts|Manually save the contact details for people you send mail to or get mail from.| 1803 | -|Language control in the Control Panel| Use the Settings app to change your language settings.| 1803 | +|Language control in the Control Panel| Use the Settings app to change your language settings.| 1803 | |HomeGroup|We are removing [HomeGroup](https://support.microsoft.com/help/17145) but not your ability to share printers, files, and folders.

When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.

Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10:
- [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10)
- [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) | 1803 | |**Connect to suggested open hotspots** option in Wi-Fi settings |We previously [disabled the **Connect to suggested open hotspots** option](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) and are now removing it from the Wi-Fi settings page. You can manually connect to free wireless hotspots with **Network & Internet** settings, from the taskbar or Control Panel, or by using Wi-Fi Settings (for mobile devices).| 1803 | |XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer.

However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.| 1803 | diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md index 2a8889f1ab..f0c41844f7 100644 --- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md +++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md @@ -49,13 +49,13 @@ The following list identifies some commonly asked questions about Windows To Go. - [How do I make my computer boot from USB?](#wtf-faq-startup) -- [Why isn’t my computer booting from USB?](#wtg-faq-noboot) +- [Why isn't my computer booting from USB?](#wtg-faq-noboot) - [What happens if I remove my Windows To Go drive while it is running?](#wtg-faq-surprise) - [Can I use BitLocker to protect my Windows To Go drive?](#wtg-faq-bitlocker) -- [Why can’t I enable BitLocker from Windows To Go Creator?](#wtg-faq-blfail) +- [Why can't I enable BitLocker from Windows To Go Creator?](#wtg-faq-blfail) - [What power states does Windows To Go support?](#wtg-faq-power) @@ -63,11 +63,11 @@ The following list identifies some commonly asked questions about Windows To Go. - [Does Windows To Go support crash dump analysis?](#wtg-faq-crashdump) -- [Do “Windows To Go Startup Options” work with dual boot computers?](#wtg-faq-dualboot) +- [Do "Windows To Go Startup Options" work with dual boot computers?](#wtg-faq-dualboot) -- [I plugged my Windows To Go drive into a running computer and I can’t see the partitions on the drive. Why not?](#wtg-faq-diskpart) +- [I plugged my Windows To Go drive into a running computer and I can't see the partitions on the drive. Why not?](#wtg-faq-diskpart) -- [I’m booted into Windows To Go, but I can’t browse to the internal hard drive of the host computer. Why not?](#wtg-faq-san4) +- [I'm booted into Windows To Go, but I can't browse to the internal hard drive of the host computer. Why not?](#wtg-faq-san4) - [Why does my Windows To Go drive have an MBR disk format with a FAT32 system partition?](#wtg-faq-fatmbr) @@ -95,17 +95,17 @@ The following list identifies some commonly asked questions about Windows To Go. - [How is Windows To Go licensed?](#wtg-faq-lic) -- [Does Windows Recovery Environment work with Windows To Go? What’s the guidance for recovering a Windows To Go drive?](#wtg-faq-recovery) +- [Does Windows Recovery Environment work with Windows To Go? What's the guidance for recovering a Windows To Go drive?](#wtg-faq-recovery) -- [Why won’t Windows To Go work on a computer running Windows XP or Windows Vista?](#wtg-faq-oldos) +- [Why won't Windows To Go work on a computer running Windows XP or Windows Vista?](#wtg-faq-oldos) - [Why does the operating system on the host computer matter?](#wtg-faq-oldos2) - [My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go?](#wtg-faq-blreckey) -- [I decided to stop using a drive for Windows To Go and reformatted it – why doesn’t it have a drive letter assigned and how can I fix it?](#wtg-faq-reformat) +- [I decided to stop using a drive for Windows To Go and reformatted it – why doesn't it have a drive letter assigned and how can I fix it?](#wtg-faq-reformat) -- [Why do I keep on getting the message “Installing devices…” when I boot Windows To Go?](#bkmk-roamconflict) +- [Why do I keep on getting the message "Installing devices…" when I boot Windows To Go?](#bkmk-roamconflict) - [How do I upgrade the operating system on my Windows To Go drive?](#bkmk-upgradewtg) @@ -188,7 +188,7 @@ In the **Windows To Go Startup Options** dialog box select **Yes** and then clic If the host computer is running an earlier version of the Windows operating system need to configure the computer to boot from USB manually. -To do this, early during boot time (usually when you see the manufacturer’s logo), enter your firmware/BIOS setup. (This method to enter firmware/BIOS setup differs with different computer manufacturers, but is usually entered by pressing one of the function keys, such as F12, F2, F1, Esc, and so forth. You should check the manufacturer’s site to be sure if you do not know which key to use to enter firmware setup.) +To do this, early during boot time (usually when you see the manufacturer's logo), enter your firmware/BIOS setup. (This method to enter firmware/BIOS setup differs with different computer manufacturers, but is usually entered by pressing one of the function keys, such as F12, F2, F1, Esc, and so forth. You should check the manufacturer's site to be sure if you do not know which key to use to enter firmware setup.) After you have entered firmware setup, make sure that boot from USB is enabled. Then change the boot order to boot from USB drives first. @@ -201,14 +201,14 @@ Configuring a computer to boot from USB will cause your computer to attempt to b -## Why isn’t my computer booting from USB? +## Why isn't my computer booting from USB? Computers certified for Windows 7 and later are required to have support for USB boot. Check to see if any of the following items apply to your situation: 1. Ensure that your computer has the latest BIOS installed and the BIOS is configured to boot from a USB device. -2. Ensure that the Windows To Go drive is connected directly to a USB port on the computer. Many computers don’t support booting from a device connected to a USB 3 PCI add-on card or external USB hubs. +2. Ensure that the Windows To Go drive is connected directly to a USB port on the computer. Many computers don't support booting from a device connected to a USB 3 PCI add-on card or external USB hubs. 3. If the computer is not booting from a USB 3.0 port, try to boot from a USB 2.0 port. @@ -229,7 +229,7 @@ You should never remove your Windows To Go drive when your workspace is running. Yes. In Windows 8 and later, BitLocker has added support for using a password to protect operating system drives. This means that you can use a password to secure your Windows To Go workspace and you will be prompted to enter this password every time you use the Windows To Go workspace. -## Why can’t I enable BitLocker from Windows To Go Creator? +## Why can't I enable BitLocker from Windows To Go Creator? Several different Group Policies control the use of BitLocker on your organizations computers. These policies are located in the **Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** folder of the local Group Policy editor. The folder contains three sub-folders for fixed, operating system and removable data drive types. @@ -265,27 +265,27 @@ When a Windows To Go workspace is hibernated, it will only successfully resume o Yes. Windows 8 and later support crash dump stack analysis for both USB 2.0 and 3.0. -## Do “Windows To Go Startup Options” work with dual boot computers? +## Do "Windows To Go Startup Options" work with dual boot computers? -Yes, if both operating systems are running the Windows 8 operating system. Enabling “Windows To Go Startup Options” should cause the computer to boot from the Windows To Go workspace when the drive is plugged in before the computer is turned on. +Yes, if both operating systems are running the Windows 8 operating system. Enabling "Windows To Go Startup Options" should cause the computer to boot from the Windows To Go workspace when the drive is plugged in before the computer is turned on. If you have configured a dual boot computer with a Windows operating system and another operating system it might work occasionally and fail occasionally. Using this configuration is unsupported. -## I plugged my Windows To Go drive into a running computer and I can’t see the partitions on the drive. Why not? +## I plugged my Windows To Go drive into a running computer and I can't see the partitions on the drive. Why not? -Windows To Go Creator and the recommended deployment steps for Windows To Go set the NO\_DEFAULT\_DRIVE\_LETTER flag on the Windows To Go drive. This flag prevents Windows from automatically assigning drive letters to the partitions on the Windows To Go drive. That’s why you can’t see the partitions on the drive when you plug your Windows To Go drive into a running computer. This helps prevent accidental data leakage between the Windows To Go drive and the host computer. If you really need to access the files on the Windows To Go drive from a running computer, you can use diskmgmt.msc or diskpart to assign a drive letter. +Windows To Go Creator and the recommended deployment steps for Windows To Go set the NO\_DEFAULT\_DRIVE\_LETTER flag on the Windows To Go drive. This flag prevents Windows from automatically assigning drive letters to the partitions on the Windows To Go drive. That's why you can't see the partitions on the drive when you plug your Windows To Go drive into a running computer. This helps prevent accidental data leakage between the Windows To Go drive and the host computer. If you really need to access the files on the Windows To Go drive from a running computer, you can use diskmgmt.msc or diskpart to assign a drive letter. **Warning**   It is strongly recommended that you do not plug your Windows To Go drive into a running computer. If the computer is compromised, your Windows To Go workspace can also be compromised. -## I’m booted into Windows To Go, but I can’t browse to the internal hard drive of the host computer. Why not? +## I'm booted into Windows To Go, but I can't browse to the internal hard drive of the host computer. Why not? -Windows To Go Creator and the recommended deployment steps for Windows To Go set SAN Policy 4 on Windows To Go drive. This policy prevents Windows from automatically mounting internal disk drives. That’s why you can’t see the internal hard drives of the host computer when you are booted into Windows To Go. This is done to prevent accidental data leakage between Windows To Go and the host system. This policy also prevents potential corruption on the host drives or data loss if the host operating system is in a hibernation state. If you really need to access the files on the internal hard drive, you can use diskmgmt.msc to mount the internal drive. +Windows To Go Creator and the recommended deployment steps for Windows To Go set SAN Policy 4 on Windows To Go drive. This policy prevents Windows from automatically mounting internal disk drives. That's why you can't see the internal hard drives of the host computer when you are booted into Windows To Go. This is done to prevent accidental data leakage between Windows To Go and the host system. This policy also prevents potential corruption on the host drives or data loss if the host operating system is in a hibernation state. If you really need to access the files on the internal hard drive, you can use diskmgmt.msc to mount the internal drive. **Warning**   It is strongly recommended that you do not mount internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 or later operating system, mounting the drive will lead to loss of hibernation state and therefor user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. @@ -340,7 +340,7 @@ If you are using a USB 3.0 port and a Windows To Go certified device, there shou ## If I lose my Windows To Go drive, will my data be safe? -Yes! If you enable BitLocker on your Windows To Go drive, all your data will be encrypted and protected and a malicious user will not be able to access your data without your password. If you don’t enable BitLocker, your data will be vulnerable if you lose your Windows To Go drive. +Yes! If you enable BitLocker on your Windows To Go drive, all your data will be encrypted and protected and a malicious user will not be able to access your data without your password. If you don't enable BitLocker, your data will be vulnerable if you lose your Windows To Go drive. ## Can I boot Windows To Go on a Mac? @@ -361,12 +361,12 @@ For more information, see the MSDN article on the [Win32\_OperatingSystem class] Windows To Go allows organization to support the use of privately owned PCs at the home or office with more secure access to their organizational resources. With Windows To Go use rights under [Software Assurance](https://go.microsoft.com/fwlink/p/?LinkId=619062), an employee will be able to use Windows To Go on any company PC licensed with Software Assurance as well as from their home PC. -## Does Windows Recovery Environment work with Windows To Go? What’s the guidance for recovering a Windows To Go drive? +## Does Windows Recovery Environment work with Windows To Go? What's the guidance for recovering a Windows To Go drive? No, use of Windows Recovery Environment is not supported on Windows To Go. It is recommended that you implement user state virtualization technologies like Folder Redirection to centralize and back up user data in the data center. If any corruption occurs on a Windows To Go drive, you should re-provision the workspace. -## Why won’t Windows To Go work on a computer running Windows XP or Windows Vista? +## Why won't Windows To Go work on a computer running Windows XP or Windows Vista? Actually it might. If you have purchased a computer certified for Windows 7 or later and then installed an older operating system, Windows To Go will boot and run as expected as long as you have configured the firmware to boot from USB. However, if the computer was certified for Windows XP or Windows Vista, it might not meet the hardware requirements for Windows To Go to run. Typically computers certified for Windows Vista and earlier operating systems have less memory, less processing power, reduced video rendering, and slower USB ports. @@ -374,7 +374,7 @@ Actually it might. If you have purchased a computer certified for Windows 7 or ## Why does the operating system on the host computer matter? -It doesn’t other than to help visually identify if the PC has compatible hardware. For a PC to be certified for Windows 7 or later it had to support booting from USB. If a computer cannot boot from USB there is no way that it can be used with Windows To Go. The Windows To Go workspace is a full Windows 10 environment, so all of the hardware requirements of Windows 10 with respect to processing speed, memory usage, and graphics rendering need to be supported to be assured that it will work as expected. +It doesn't other than to help visually identify if the PC has compatible hardware. For a PC to be certified for Windows 7 or later it had to support booting from USB. If a computer cannot boot from USB there is no way that it can be used with Windows To Go. The Windows To Go workspace is a full Windows 10 environment, so all of the hardware requirements of Windows 10 with respect to processing speed, memory usage, and graphics rendering need to be supported to be assured that it will work as expected. ## My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go? @@ -406,10 +406,10 @@ The host computer will now be able to be booted from a USB drive without trigger -## I decided to stop using a drive for Windows To Go and reformatted it – why doesn’t it have a drive letter assigned and how can I fix it? +## I decided to stop using a drive for Windows To Go and reformatted it – why doesn't it have a drive letter assigned and how can I fix it? -Reformatting the drive erases the data on the drive, but doesn’t reconfigure the volume attributes. When a drive is provisioned for use as a Windows To Go drive the NODEFAULTDRIVELETTER attribute is set on the volume. To remove this attribute, use the following steps: +Reformatting the drive erases the data on the drive, but doesn't reconfigure the volume attributes. When a drive is provisioned for use as a Windows To Go drive the NODEFAULTDRIVELETTER attribute is set on the volume. To remove this attribute, use the following steps: 1. Open a command prompt with full administrator permissions. @@ -424,14 +424,14 @@ Reformatting the drive erases the data on the drive, but doesn’t reconfigure t 4. After selecting the disk, run the `clean` command to remove all data, formatting, and initialization information from the drive. -## Why do I keep on getting the message “Installing devices…” when I boot Windows To Go? +## Why do I keep on getting the message "Installing devices…" when I boot Windows To Go? One of the challenges involved in moving the Windows To Go drive between PCs while seamlessly booting Windows with access to all of their applications and data is that for Windows to be fully functional, specific drivers need to be installed for the hardware in each machine that runs Windows. Windows 8 or later has a process called respecialize which will identify new drivers that need to be loaded for the new PC and disable drivers which are not present on the new configuration. In general this feature is reliable and efficient when roaming between PCs of widely varying hardware configurations. -In certain cases, third party drivers for different hardware models or versions can reuse device ID’s, driver file names, registry keys (or any other operating system constructs which do not support side-by-side storage) for similar hardware. For example, Touchpad drivers on different laptops often reuse the same device ID’s, and video cards from the same manufacturer may often reuse service names. Windows handles these situations by marking the non-present device node with a flag that indicates the existing driver needs to be reinstalled before continuing to install the new driver. +In certain cases, third party drivers for different hardware models or versions can reuse device ID's, driver file names, registry keys (or any other operating system constructs which do not support side-by-side storage) for similar hardware. For example, Touchpad drivers on different laptops often reuse the same device ID's, and video cards from the same manufacturer may often reuse service names. Windows handles these situations by marking the non-present device node with a flag that indicates the existing driver needs to be reinstalled before continuing to install the new driver. -This process will occur on any boot that a new driver is found and a driver conflict is detected. In some cases that will result in a respecialize progress message “Installing devices…” displaying every time that a Windows to Go drive is roamed between two PCs which require conflicting drivers. +This process will occur on any boot that a new driver is found and a driver conflict is detected. In some cases that will result in a respecialize progress message "Installing devices…" displaying every time that a Windows to Go drive is roamed between two PCs which require conflicting drivers. ## How do I upgrade the operating system on my Windows To Go drive? diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md index 37b3315a1d..ea76222dde 100644 --- a/windows/deployment/s-mode.md +++ b/windows/deployment/s-mode.md @@ -14,6 +14,7 @@ author: greg-lindsay ms.author: greglin audience: itpro ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Windows 10 in S mode - What is it? @@ -57,4 +58,4 @@ The [MSIX Packaging Tool](https://docs.microsoft.com/windows/application-managem - [Consumer applications for S mode](https://www.microsoft.com/windows/s-mode) - [S mode devices](https://www.microsoft.com/en-us/windows/view-all-devices) - [Windows Defender Application Control deployment guide](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) -- [Windows Defender Advanced Threat Protection](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) +- [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) diff --git a/windows/deployment/update/PSFxWhitepaper.md b/windows/deployment/update/PSFxWhitepaper.md index 8f73fcdfd0..4a6d9ab0f1 100644 --- a/windows/deployment/update/PSFxWhitepaper.md +++ b/windows/deployment/update/PSFxWhitepaper.md @@ -12,6 +12,7 @@ ms.author: jaimeo ms.reviewer: manager: laurawi ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Windows Updates using forward and reverse differentials @@ -37,8 +38,6 @@ The following general terms apply throughout this document: - *Revision*: Minor releases in between the major version releases, such as KB4464330 (Windows 10 Build 17763.55) - *Baseless Patch Storage Files (Baseless PSF)*: Patch storage files that contain full binaries or files -## Introduction - In this paper, we introduce a new technique that can produce compact software updates optimized for any origin/destination revision pair. It does this by calculating forward the differential of a changed file from the base version and diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md index 97f6eb21e1..4a1087d274 100644 --- a/windows/deployment/update/WIP4Biz-intro.md +++ b/windows/deployment/update/WIP4Biz-intro.md @@ -1,7 +1,8 @@ --- title: Introduction to the Windows Insider Program for Business -description: Introduction to the Windows Insider Program for Business and why IT Pros should join +description: In this article, you'll learn about the Windows Insider Program for Business and why IT Pros should join. keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, WiP4Biz, enterprise, rings, flight +ms.custom: seo-marvel-apr2020 ms.prod: w10 ms.mktglfcycl: manage audience: itpro diff --git a/windows/deployment/update/feature-update-conclusion.md b/windows/deployment/update/feature-update-conclusion.md index a23c157317..d8206d5491 100644 --- a/windows/deployment/update/feature-update-conclusion.md +++ b/windows/deployment/update/feature-update-conclusion.md @@ -12,6 +12,7 @@ ms.reviewer: manager: laurawi ms.collection: M365-modern-desktop ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Conclusion diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index 2df56fa684..c586284056 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md +++ b/windows/deployment/update/feature-update-maintenance-window.md @@ -11,6 +11,7 @@ ms.reviewer: manager: laurawi ms.collection: M365-modern-desktop ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Deploy feature updates during maintenance windows @@ -33,7 +34,7 @@ Use the following information to deploy feature updates during a maintenance win ### Step 2: Review computer restart device settings -If you’re not suppressing computer restarts and the feature update will be installed when no users are present, consider deploying a custom client settings policy to your feature update target collection to shorten the settings below or consider the total duration of these settings when defining your maintenance window duration. +If you're not suppressing computer restarts and the feature update will be installed when no users are present, consider deploying a custom client settings policy to your feature update target collection to shorten the settings below or consider the total duration of these settings when defining your maintenance window duration. For example, by default, 90 minutes will be honored before the system is rebooted after the feature update install. If users will not be impacted by the user logoff or restart, there is no need to wait a full 90 minutes before rebooting the computer. If a delay and notification is needed, ensure that the maintenance window takes this into account along with the total time needed to install the feature update. @@ -50,7 +51,7 @@ Use **Peer Cache** to help manage deployment of content to clients in remote loc ### Step 4: Override the default Windows setup priority (Windows 10, version 1709 and later) -If you’re deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted. +If you're deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted. %systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini diff --git a/windows/deployment/update/feature-update-mission-critical.md b/windows/deployment/update/feature-update-mission-critical.md index 69b91b9184..a36563477b 100644 --- a/windows/deployment/update/feature-update-mission-critical.md +++ b/windows/deployment/update/feature-update-mission-critical.md @@ -12,13 +12,14 @@ ms.reviewer: manager: laurawi ms.collection: M365-modern-desktop ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Best practices and recommendations for deploying Windows 10 Feature updates to mission critical devices **Applies to**: Windows 10 -Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren’t the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the Microsoft Endpoint Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates. +Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren't the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the Microsoft Endpoint Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates. For simplicity, we will outline the steps to deploy a feature update manually. If you prefer an automated approach, see [Manage Windows as a service using Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/manage-windows-as-a-service). diff --git a/windows/deployment/update/feature-update-user-install.md b/windows/deployment/update/feature-update-user-install.md index 254703b4dc..70dcc6a516 100644 --- a/windows/deployment/update/feature-update-user-install.md +++ b/windows/deployment/update/feature-update-user-install.md @@ -12,6 +12,7 @@ ms.reviewer: manager: laurawi ms.collection: M365-modern-desktop ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Deploy feature updates for user-initiated installations (during a fixed service window) @@ -29,7 +30,7 @@ Use **Peer Cache** to help manage deployment of content to clients in remote loc ### Step 2: Override the default Windows setup priority (Windows 10, version 1709 and later) -If you’re deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted. +If you're deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted. %systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini diff --git a/windows/deployment/update/fod-and-lang-packs.md b/windows/deployment/update/fod-and-lang-packs.md index d125672d4a..98579c7905 100644 --- a/windows/deployment/update/fod-and-lang-packs.md +++ b/windows/deployment/update/fod-and-lang-packs.md @@ -1,9 +1,8 @@ --- -title: Windows 10 - How to make FoD and language packs available when you're using WSUS or Configuration Manager -description: Learn how to make FoD and language packs available when you're using WSUS or Configuration Manager +title: Make FoD and language packs available for WSUS/Configuration Manager +description: Learn how to make FoD and language packs available when you're using WSUS/Configuration Manager. ms.prod: w10 ms.mktglfcycl: manage - ms.pagetype: article ms.author: jaimeo audience: itpro @@ -13,6 +12,7 @@ ms.date: 03/13/2019 ms.reviewer: manager: laurawi ms.topic: article +ms.custom: seo-marvel-apr2020 --- # How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager @@ -20,11 +20,11 @@ ms.topic: article As of Windows 10 version 1709, you can't use Windows Server Update Services (WSUS) to host [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FODs) locally. Starting with Windows 10 version 1803, language packs can no longer be hosted on WSUS. -The **Specify settings for optional component installation and component repair** policy, located under `Computer Configuration\Administrative Templates\System` in the Group Policy Editor, can be used to specify alternate ways to acquire FOD packages, language packages, and content for corruption repair. However, it’s important to note this policy only allows specifying one alternate location and behaves differently across OS versions. +The **Specify settings for optional component installation and component repair** policy, located under `Computer Configuration\Administrative Templates\System` in the Group Policy Editor, can be used to specify alternate ways to acquire FOD packages, language packages, and content for corruption repair. However, it's important to note this policy only allows specifying one alternate location and behaves differently across OS versions. In Windows 10 version 1709 and 1803, changing the **Specify settings for optional component installation and component repair** policy to download content from Windows Update enables acquisition of FOD packages while also enabling corruption repair. Specifying a network location works for either, depending on the content is found at that location. Changing this policy on these OS versions does not influence how language packs are acquired. -In Windows 10 version 1809 and beyond, changing the **Specify settings for optional component installation and component repair** policy also influences how language packs are acquired, however language packs can only be acquired directly from Windows Update. It’s currently not possible to acquire them from a network share. Specifying a network location works for FOD packages or corruption repair, depending on the content at that location. +In Windows 10 version 1809 and beyond, changing the **Specify settings for optional component installation and component repair** policy also influences how language packs are acquired, however language packs can only be acquired directly from Windows Update. It's currently not possible to acquire them from a network share. Specifying a network location works for FOD packages or corruption repair, depending on the content at that location. For all OS versions, changing the **Specify settings for optional component installation and component repair** policy does not affect how OS updates are distributed. They continue to come from WSUS, Configuration Manager, or other sources as you have scheduled them, even while optional content is sourced from Windows Update or a network location. diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md index e427a2f861..6bab8477a5 100644 --- a/windows/deployment/update/how-windows-update-works.md +++ b/windows/deployment/update/how-windows-update-works.md @@ -1,6 +1,6 @@ --- title: How Windows Update works -description: Learn how Windows Update works, including architecture and troubleshooting. +description: In this article, learn about the process Windows Update uses to download and install updates on a Windows 10 devices. ms.prod: w10 ms.mktglfcycl: audience: itpro @@ -12,6 +12,7 @@ ms.reviewer: manager: laurawi ms.collection: M365-modern-desktop ms.topic: article +ms.custom: seo-marvel-apr2020 --- # How does Windows Update work? @@ -45,7 +46,7 @@ The Windows Update workflow has four core areas of functionality: ## How updating works -During the updating process, the Windows Update Orchestrator operates in the background to scan, download, and install updates. It does this automatically, according to your settings, and in a silent manner that doesn’t disrupt your computer usage. +During the updating process, the Windows Update Orchestrator operates in the background to scan, download, and install updates. It does this automatically, according to your settings, and in a silent manner that doesn't disrupt your computer usage. ## Scanning updates ![Windows Update scanning step](images/update-scan-step.png) @@ -127,7 +128,7 @@ Common update failure is caused due to network issues. To find the root of the i Once the Windows Update Orchestrator determines which updates apply to your computer, it will begin downloading the updates, if you have selected the option to automatically download updates. It does this in the background without interrupting your normal use of the computer. -To ensure that your other downloads aren’t affected or slowed down because updates are downloading, Windows Update uses the Delivery Optimization (DO) technology which downloads updates and reduces bandwidth consumption. +To ensure that your other downloads aren't affected or slowed down because updates are downloading, Windows Update uses the Delivery Optimization technology which downloads updates and reduces bandwidth consumption. For more information see [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md index 232fb2748c..8997b5e4f9 100644 --- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md +++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md @@ -11,6 +11,7 @@ author: jaimeo ms.reviewer: manager: laurawi keywords: insider, trial, enterprise, lab, corporation, test +ms.custom: seo-marvel-apr2020 --- # Olympia Corp @@ -21,7 +22,7 @@ Windows Insider Lab for Enterprise is intended for Windows Insiders who want to As an Olympia user, you will have an opportunity to: -- Use various enterprise features like Windows Information Protection (WIP), Advanced Threat Protection (ATP), windows Defender Application Guard (WDAG), and Application Virtualization (APP-V). +- Use various enterprise features like Windows Information Protection (WIP), Microsoft Defender for Office 365, Windows Defender Application Guard (WDAG), and Application Virtualization (APP-V). - Learn how Microsoft is preparing for GDPR, as well as enabling enterprise customers to prepare for their own readiness. - Validate and test pre-release software in your environment. - Provide feedback. @@ -60,7 +61,7 @@ This is the Bring Your Own Device (BYOD) method--your device will receive Olympi 3. Click **Connect** and enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**. - ![Set up a work or school account](images/1-3.png) + ![Entering account information when setting up a work or school account](images/1-3.png) 4. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password. @@ -96,10 +97,10 @@ This is the Bring Your Own Device (BYOD) method--your device will receive Olympi ![Settings -> Accounts](images/1-1.png) 2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**. - + 3. Click **Connect**, then click **Join this device to Azure Active Directory**. - ![Update your password](images/2-3.png) + ![Joining device to Azure AD]](images/2-3.png) 4. Enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**. @@ -110,7 +111,7 @@ This is the Bring Your Own Device (BYOD) method--your device will receive Olympi > [!NOTE] > Passwords should contain 8-16 characters, including at least one special character or number. - ![Update your password](images/2-5.png) + ![Entering temporary password](images/2-5.png) 6. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**. diff --git a/windows/deployment/update/prepare-deploy-windows.md b/windows/deployment/update/prepare-deploy-windows.md index 53b1f289ec..19c0a83aa5 100644 --- a/windows/deployment/update/prepare-deploy-windows.md +++ b/windows/deployment/update/prepare-deploy-windows.md @@ -41,13 +41,13 @@ Your infrastructure probably includes many different components and tools. You You should also look at your organization’s environment’s configuration and outline how you’ll implement any necessary changes previously identified in the plan phase to support the update. Consider what you’ll need to do for the various settings and policies that currently underpin the environment. For example: -- Implement new draft security guidance. New versions of Windows can include new features that improve your environment’s security. Your security teams will want to make appropriate changes to security related configurations. +- Implement new draft security guidance. New versions of Windows can include new features that improve your environment’s security. Your security teams will want to make appropriate changes to security-related configurations. - Update security baselines. Security teams understand the relevant security baselines and will have to work to make sure all baselines fit into whatever guidance they have to adhere to. However, your configuration will consist of many different settings and policies. It’s important to only apply changes where they are necessary, and where you gain a clear improvement. Otherwise, your environment might face issues that will slow down the update process. You want to ensure your environment isn’t affected adversely because of changes you make. For example: -1. Review new security settings. Your security team will review the new security settings, to understand how they can best be set to facilitate the update, and to also investigate the potential effects they might have on your environment. +1. Review new security settings. Your security team will review the new security settings to understand how they can best be set to facilitate the update, and to also investigate the potential effects they might have on your environment. 2. Review security baselines for changes. Security teams will also review all the necessary security baselines, to ensure the changes can be implemented, and ensure your environment remains compliant. @@ -98,7 +98,24 @@ You can check these services manually by using Services.msc, or by using PowerSh ### Network configuration -Ensure that devices can reach necessary Windows Update endpoints through the firewall. +Ensure that devices can reach necessary Windows Update endpoints through the firewall. For example, for Windows 10, version 2004, the following protocols must be able to reach these respective endpoints: + + +|Protocol |Endpoint URL | +|---------|---------| +|TLS 1.2 | `*.prod.do.dsp.mp.microsoft.com` | +|HTTP | `emdl.ws.microsoft.com` | +|HTTP | `*.dl.delivery.mp.microsoft.com` | +|HTTP | `*.windowsupdate.com` | +|HTTPS | `*.delivery.mp.microsoft.com` | +|TLS 1.2 | `*.update.microsoft.com` | +|TLS 1.2 | `tsfe.trafficshaping.dsp.mp.microsoft.com` | + +> [!NOTE] +> Be sure not to use HTTPS for those endpoints that specify HTTP, and vice versa. The connection will fail. + +The specific endpoints can vary between Windows 10 versions. See, for example, [Windows 10 2004 Enterprise connection endpoints](https://docs.microsoft.com/windows/privacy/manage-windows-2004-endpoints). Similar articles for other Windows 10 versions are available in the table of contents nearby. + ### Optimize download bandwidth Set up [Delivery Optimization](waas-delivery-optimization.md) for peer network sharing or Microsoft Connected Cache. diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md index e5a1395289..e2b6404d14 100644 --- a/windows/deployment/update/servicing-stack-updates.md +++ b/windows/deployment/update/servicing-stack-updates.md @@ -1,6 +1,6 @@ --- title: Servicing stack updates (Windows 10) -description: Servicing stack updates improve the code that installs the other updates. +description: In this article, learn how servicing stack updates improve the code that installs the other updates. ms.prod: w10 ms.mktglfcycl: manage audience: itpro @@ -12,6 +12,7 @@ ms.reviewer: manager: laurawi ms.collection: M365-modern-desktop ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Servicing stack updates diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md index 1fa0437e08..b56a569d4c 100644 --- a/windows/deployment/update/update-compliance-delivery-optimization.md +++ b/windows/deployment/update/update-compliance-delivery-optimization.md @@ -13,6 +13,7 @@ keywords: oms, operations management suite, optimization, downloads, updates, lo ms.localizationpriority: medium ms.collection: M365-analytics ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Delivery Optimization in Update Compliance @@ -41,5 +42,5 @@ The table breaks down the number of bytes from each download source into specifi The download sources that could be included are: - LAN Bytes: Bytes downloaded from LAN Peers which are other devices on the same local network -- Group Bytes: Bytes downloaded from Group Peers which are other devices that belong to the same Group (available when the “Group” download mode is used) +- Group Bytes: Bytes downloaded from Group Peers which are other devices that belong to the same Group (available when the "Group" download mode is used) - HTTP Bytes: Non-peer bytes. The HTTP download source can be Microsoft Servers, Windows Update Servers, a WSUS server or an SCCM Distribution Point for Express Updates. diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md index 4cc53cea88..12924ab50f 100644 --- a/windows/deployment/update/update-compliance-feature-update-status.md +++ b/windows/deployment/update/update-compliance-feature-update-status.md @@ -12,6 +12,7 @@ author: jaimeo ms.author: jaimeo ms.collection: M365-analytics ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Feature Update Status diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index 58bd854855..14008cd234 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md @@ -13,6 +13,7 @@ ms.author: jaimeo ms.localizationpriority: medium ms.collection: M365-analytics ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Monitor Windows Updates with Update Compliance diff --git a/windows/deployment/update/update-compliance-need-attention.md b/windows/deployment/update/update-compliance-need-attention.md index 3032c95790..6a441b08d7 100644 --- a/windows/deployment/update/update-compliance-need-attention.md +++ b/windows/deployment/update/update-compliance-need-attention.md @@ -1,7 +1,7 @@ --- title: Update Compliance - Need Attention! report manager: laurawi -description: Learn how the Needs attention! section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance. +description: Learn how the Need attention! section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance. ms.mktglfcycl: deploy ms.pagetype: deploy audience: itpro diff --git a/windows/deployment/update/update-compliance-security-update-status.md b/windows/deployment/update/update-compliance-security-update-status.md index 5396a3f77c..085e47d153 100644 --- a/windows/deployment/update/update-compliance-security-update-status.md +++ b/windows/deployment/update/update-compliance-security-update-status.md @@ -10,6 +10,7 @@ author: jaimeo ms.author: jaimeo ms.collection: M365-analytics ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Security Update Status diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md index d9207fdefb..92ae610fc5 100644 --- a/windows/deployment/update/update-compliance-using.md +++ b/windows/deployment/update/update-compliance-using.md @@ -2,7 +2,7 @@ title: Using Update Compliance (Windows 10) ms.reviewer: manager: laurawi -description: Learn how to use Update Compliance to monitor your device's Windows updates and Microsoft Defender Antivirus status. +description: Learn how to use Update Compliance to monitor your device's Windows updates. keywords: oms, operations management suite, wdav, updates, upgrades, antivirus, antimalware, signature, log analytics ms.prod: w10 ms.mktglfcycl: deploy @@ -13,6 +13,7 @@ ms.author: jaimeo ms.localizationpriority: medium ms.collection: M365-analytics ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Use Update Compliance diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md index 6bb0bf7519..f85076eabc 100644 --- a/windows/deployment/update/waas-branchcache.md +++ b/windows/deployment/update/waas-branchcache.md @@ -1,6 +1,6 @@ --- title: Configure BranchCache for Windows 10 updates (Windows 10) -description: Use BranchCache to optimize network bandwidth during update deployment. +description: In this article, learn how to use BranchCache to optimize network bandwidth during update deployment. ms.prod: w10 ms.mktglfcycl: manage author: jaimeo @@ -9,6 +9,7 @@ ms.author: jaimeo ms.reviewer: manager: laurawi ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Configure BranchCache for Windows 10 updates @@ -20,7 +21,7 @@ ms.topic: article > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager can use BranchCache to optimize network bandwidth during update deployment, and it’s easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode. +BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager can use BranchCache to optimize network bandwidth during update deployment, and it's easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode. - Distributed Cache mode operates like the [Delivery Optimization](waas-delivery-optimization.md) feature in Windows 10: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file. @@ -33,7 +34,7 @@ For detailed information about how Distributed Cache mode and Hosted Cache mode ## Configure clients for BranchCache -Whether you use BranchCache with Configuration Manager or WSUS, each client that uses BranchCache must be configured to do so. You typically make your configurations through Group Policy. For step-by-step instructions on how to use Group Policy to configure BranchCache for Windows clients, see [Client Configuration](https://technet.microsoft.com/library/dd637820%28v=ws.10%29.aspx) in the [BranchCache Early Adopter’s Guide](https://technet.microsoft.com/library/dd637762(v=ws.10).aspx). +Whether you use BranchCache with Configuration Manager or WSUS, each client that uses BranchCache must be configured to do so. You typically make your configurations through Group Policy. For step-by-step instructions on how to use Group Policy to configure BranchCache for Windows clients, see [Client Configuration](https://technet.microsoft.com/library/dd637820%28v=ws.10%29.aspx) in the [BranchCache Early Adopter's Guide](https://technet.microsoft.com/library/dd637762(v=ws.10).aspx). In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows 10, simply set the Delivery Optimization mode to Bypass to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode. diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index b101477546..d65d59a04d 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -2,17 +2,17 @@ title: Delivery Optimization reference ms.reviewer: manager: laurawi -description: Reference of all Delivery Optimization settings and descriptions of same +description: This article provides a summary of references and descriptions for all of the Delivery Optimization settings. keywords: oms, operations management suite, wdav, updates, downloads, log analytics ms.prod: w10 ms.mktglfcycl: deploy - audience: itpro author: jaimeo ms.localizationpriority: medium ms.author: jaimeo ms.collection: M365-modern-desktop ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Delivery Optimization reference @@ -111,7 +111,7 @@ Download mode dictates which download sources clients are allowed to use when do | --- | --- | | HTTP Only (0) | This setting disables peer-to-peer caching but still allows Delivery Optimization to download content over HTTP from the download's original source. This mode uses additional metadata provided by the Delivery Optimization cloud services for a peerless reliable and efficient download experience. | | LAN (1 – Default) | This default operating mode for Delivery Optimization enables peer sharing on the same network. The Delivery Optimization cloud service finds other clients that connect to the Internet using the same public IP as the target client. These clients then attempts to connect to other peers on the same network by using their private subnet IP.| -| Group (2) | When group mode is set, the group is automatically selected based on the device’s Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and AD DS sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. | +| Group (2) | When group mode is set, the group is automatically selected based on the device's Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and AD DS sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. | | Internet (3) | Enable Internet peer sources for Delivery Optimization. | | Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. | |Bypass (100) | Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using Configuration Manager. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **0** or **99**. | @@ -156,7 +156,7 @@ This setting specifies the required minimum disk size (capacity in GB) for the d ### Max Cache Age -In environments configured for Delivery Optimization, you might want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client device. The default Max Cache Age value is 259,200 seconds (3 days). Alternatively, organizations might choose to set this value to “0” which means “unlimited” to avoid peers re-downloading content. When “Unlimited” value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed). +In environments configured for Delivery Optimization, you might want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client device. The default Max Cache Age value is 259,200 seconds (3 days). Alternatively, organizations might choose to set this value to "0" which means "unlimited" to avoid peers re-downloading content. When "Unlimited" value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed). ### Max Cache Size @@ -188,7 +188,7 @@ This setting specifies the maximum download bandwidth that Delivery Optimization ### Max Upload Bandwidth -This setting allows you to limit the amount of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). The default setting is 0, or “unlimited” which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate. +This setting allows you to limit the amount of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). The default setting is 0, or "unlimited" which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate. ### Set Business Hours to Limit Background Download Bandwidth Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. @@ -247,9 +247,9 @@ This policy allows you to specify how your client(s) can discover Delivery Optim - 1 = DHCP Option 235. - 2 = DHCP Option 235 Force. -with either option, the client will query DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if set. +With either option, the client will query DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if set. -Set this policy to designate one or more Delivery Optimization in Network Cache servers through a custom DHCP Option. You can add one or more value either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas. +Set this policy to designate one or more Delivery Optimization in Network Cache servers through a custom DHCP Option. Specify the custom DHCP option on your server as *text* type. You can add one or more values as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address with commas. > [!NOTE] > If you format the DHCP Option ID incorrectly, the client will fall back to the Cache Server Hostname policy value if that value has been set. diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md index 9cc82a5183..6e19c5ba6a 100644 --- a/windows/deployment/update/waas-delivery-optimization-setup.md +++ b/windows/deployment/update/waas-delivery-optimization-setup.md @@ -2,7 +2,7 @@ title: Set up Delivery Optimization ms.reviewer: manager: laurawi -description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10 +description: In this article, learn how to set up Delivery Optimization, a new peer-to-peer distribution method in Windows 10. keywords: oms, operations management suite, wdav, updates, downloads, log analytics ms.prod: w10 ms.mktglfcycl: deploy @@ -12,6 +12,7 @@ ms.localizationpriority: medium ms.author: jaimeo ms.collection: M365-modern-desktop ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Set up Delivery Optimization for Windows 10 updates @@ -50,7 +51,7 @@ Quick-reference table: ### Hybrid WAN scenario -For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group is the authenticated domain or Active Directory site. If your domain-based group is too wide, or your Active Directory sites aren’t aligned with your site network topology, then you should consider additional options for dynamically creating groups, for example by using the GroupIDSrc parameter. +For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group is the authenticated domain or Active Directory site. If your domain-based group is too wide, or your Active Directory sites aren't aligned with your site network topology, then you should consider additional options for dynamically creating groups, for example by using the GroupIDSrc parameter. @@ -103,7 +104,7 @@ To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** ## Monitor Delivery Optimization -[//]: # (How to tell if it’s working? What values are reasonable; which are not? If not, which way to adjust and how? -- check PercentPeerCaching for files > minimum >= 50%) +[//]: # (How to tell if it's working? What values are reasonable; which are not? If not, which way to adjust and how? -- check PercentPeerCaching for files > minimum >= 50%) ### Windows PowerShell cmdlets diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index d6edc9cf57..a50997dbcc 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -1,7 +1,7 @@ --- title: Delivery Optimization for Windows 10 updates manager: laurawi -description: Delivery Optimization is a peer-to-peer distribution method in Windows 10 +description: This article provides information about Delivery Optimization, a peer-to-peer distribution method in Windows 10. keywords: oms, operations management suite, wdav, updates, downloads, log analytics ms.prod: w10 ms.mktglfcycl: deploy @@ -13,6 +13,7 @@ ms.collection: - M365-modern-desktop - m365initiative-coredeploy ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Delivery Optimization for Windows 10 updates @@ -120,7 +121,7 @@ For complete list of every possible Delivery Optimization setting, see [Delivery ## How Microsoft uses Delivery Optimization -At Microsoft, to help ensure that ongoing deployments weren’t affecting our network and taking away bandwidth for other services, Microsoft IT used a couple of different bandwidth management strategies. Delivery Optimization, peer-to-peer caching enabled through Group Policy, was piloted and then deployed to all managed devices using Group Policy. Based on recommendations from the Delivery Optimization team, we used the "group" configuration to limit sharing of content to only the devices that are members of the same Active Directory domain. The content is cached for 24 hours. More than 76 percent of content came from peer devices versus the Internet. +At Microsoft, to help ensure that ongoing deployments weren't affecting our network and taking away bandwidth for other services, Microsoft IT used a couple of different bandwidth management strategies. Delivery Optimization, peer-to-peer caching enabled through Group Policy, was piloted and then deployed to all managed devices using Group Policy. Based on recommendations from the Delivery Optimization team, we used the "group" configuration to limit sharing of content to only the devices that are members of the same Active Directory domain. The content is cached for 24 hours. More than 76 percent of content came from peer devices versus the Internet. For more details, check out the [Adopting Windows as a Service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft) technical case study. @@ -188,7 +189,7 @@ This section summarizes common problems and some solutions to try. ### If you don't see any bytes from peers -If you don’t see any bytes coming from peers the cause might be one of the following issues: +If you don't see any bytes coming from peers the cause might be one of the following issues: - Clients aren’t able to reach the Delivery Optimization cloud services. - The cloud service doesn’t see other peers on the network. diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index 95321b1013..d1f41bc2bd 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md @@ -2,13 +2,14 @@ title: Windows Update for Business (Windows 10) ms.reviewer: manager: laurawi -description: Windows Update for Business lets you manage when devices received updates from Windows Update. +description: Learn how Windows Update for Business lets you manage when devices receive updates from Windows Update. ms.prod: w10 ms.mktglfcycl: manage author: jaimeo ms.localizationpriority: medium ms.author: jaimeo ms.topic: article +ms.custom: seo-marvel-apr2020 --- # What is Windows Update for Business? @@ -187,16 +188,16 @@ The branch readiness level enables administrators to specify which channel of fe - Windows Insider Release Preview - Semi-annual Channel for released updates -Prior to Windows 10, version 1903, there are two channels for released updates: Semi-annual Channel and Semi-annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-annual Channel. All deferral days will be calculated against a release’s Semi-annual Channel release date. To see release dates, visit [Windows Release Information](https://docs.microsoft.com/windows/release-information/). You can set the branch readiness level by using the **Select when Preview Builds and Feature Updates are Received** policy. In order to use this to manage pre-release builds, first enable preview builds by using the **Manage preview Builds** policy. +Prior to Windows 10, version 1903, there are two channels for released updates: Semi-annual Channel and Semi-annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-annual Channel. All deferral days will be calculated against a release's Semi-annual Channel release date. To see release dates, visit [Windows Release Information](https://docs.microsoft.com/windows/release-information/). You can set the branch readiness level by using the **Select when Preview Builds and Feature Updates are Received** policy. In order to use this to manage pre-release builds, first enable preview builds by using the **Manage preview Builds** policy. ### Recommendations For the best experience with Windows Update, follow these guidelines: -- Use devices for at least 6 hours per month, including at least 2 hours of continuous use. -- Keep devices regularly charged. Plugging in devices overnight enables them to automatically update outside of active hours. -- Make sure that devices have at least 10 GB of free space. -- Give devices unobstructed access to the Windows Update service. +- Use devices for at least 6 hours per month, including at least 2 hours of continuous use. +- Keep devices regularly charged. Plugging in devices overnight enables them to automatically update outside of active hours. +- Make sure that devices have at least 10 GB of free space. +- Give devices unobstructed access to the Windows Update service. ## Monitor Windows Updates by using Update Compliance diff --git a/windows/deployment/update/waas-morenews.md b/windows/deployment/update/waas-morenews.md index 377895abf7..0617e20b00 100644 --- a/windows/deployment/update/waas-morenews.md +++ b/windows/deployment/update/waas-morenews.md @@ -1,5 +1,6 @@ --- title: Windows as a service news & resources +description: The latest news for Windows as a service with resources to help you learn more about them. ms.prod: w10 ms.topic: article ms.manager: elizapo @@ -17,8 +18,8 @@ Here's more news about [Windows as a service](windows-as-a-service.md):
  • Windows 10 Enterprise vs. Windows 10 Pro: Modern management considerations for your organization - June 25, 2019
  • Updating Windows 10, version 1903 using Configuration Manager or WSUS - May 23, 2019
    • -
  • What’s new in Windows Update for Business in Windows 10, version 1903 - May 21, 2019
    • -
  • What’s new for IT pros in Windows 10, version 1903 - May 21, 2019
    • +
  • What's new in Windows Update for Business in Windows 10, version 1903 - May 21, 2019
    • +
  • What's new for IT pros in Windows 10, version 1903 - May 21, 2019
  • How to get the Windows 10 May 2019 Update - May 21, 2019
  • The benefits of Windows 10 Dynamic Update - April 17, 2019
  • Improving the Windows 10 update experience with control, quality and transparency - April 4, 2019
    • diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md index 0031ab8ee0..4f59f66eec 100644 --- a/windows/deployment/update/waas-restart.md +++ b/windows/deployment/update/waas-restart.md @@ -3,13 +3,14 @@ title: Manage device restarts after updates (Windows 10) description: Use Group Policy settings, mobile device management (MDM) or Registry to configure when devices will restart after a Windows 10 update is installed. ms.prod: w10 ms.mktglfcycl: deploy - author: jaimeo ms.localizationpriority: medium ms.author: jaimeo ms.reviewer: manager: laurawi ms.topic: article +ms.custom: +- seo-marvel-apr2020 --- # Manage device restarts after updates diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md index 703e8f93bf..24625947f6 100644 --- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md @@ -3,13 +3,14 @@ title: Assign devices to servicing channels for Windows 10 updates (Windows 10) description: Learn how to assign devices to servicing channels for Windows 10 updates locally, by using Group Policy, and by using MDM . ms.prod: w10 ms.mktglfcycl: deploy - author: jaimeo ms.localizationpriority: medium ms.author: jaimeo ms.reviewer: manager: laurawi ms.topic: article +ms.custom: +- seo-marvel-apr2020 --- # Assign devices to servicing channels for Windows 10 updates diff --git a/windows/deployment/update/waas-servicing-differences.md b/windows/deployment/update/waas-servicing-differences.md index 81e33643c9..e185b2eb5a 100644 --- a/windows/deployment/update/waas-servicing-differences.md +++ b/windows/deployment/update/waas-servicing-differences.md @@ -2,7 +2,7 @@ title: Servicing differences between Windows 10 and older operating systems ms.reviewer: manager: laurawi -description: Learn the differences between servicing Windows 10 and servicing older operating systems. +description: In this article, learn the differences between servicing Windows 10 and servicing older operating systems. keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools ms.prod: w10 ms.mktglfcycl: manage @@ -12,6 +12,7 @@ ms.audience: itpro author: jaimeo ms.topic: article ms.collection: M365-modern-desktop +ms.custom: seo-marvel-apr2020 --- # Understanding the differences between servicing Windows 10-era and legacy Windows operating systems @@ -31,7 +32,7 @@ Prior to Windows 10, all updates to operating system (OS) components were publis As a result, each environment within the global Windows ecosystem that had only a subset of security and non-security fixes installed had a different set of binaries and behaviors than those that consistently installed every available update as tested by Microsoft. -This resulted in a fragmented ecosystem that created diverse challenges in predictively testing interoperability, resulting in high update failure rates - which were subsequently mitigated by customers removing individual updates that were causing issues. Each customer that selectively removed individual updates amplified this fragmentation by creating more diverse environment permutations across the ecosystem. As an IT Administrator once quipped, "If you’ve seen one Windows 7 PC, you have seen one Windows 7 PC," suggesting no consistency or predictability across more than 250M commercial devices at the time. +This resulted in a fragmented ecosystem that created diverse challenges in predictively testing interoperability, resulting in high update failure rates - which were subsequently mitigated by customers removing individual updates that were causing issues. Each customer that selectively removed individual updates amplified this fragmentation by creating more diverse environment permutations across the ecosystem. As an IT Administrator once quipped, "If you've seen one Windows 7 PC, you have seen one Windows 7 PC," suggesting no consistency or predictability across more than 250M commercial devices at the time. ## Windows 10 – Next generation Windows 10 provided an opportunity to end the era of infinite fragmentation. With Windows 10 and the Windows as a service model, updates came rolled together in the "latest cumulative update" (LCU) packages for both client and server. Every new update published includes all changes from previous updates, as well as new fixes. Since Windows client and server share the same code base, these LCUs allow the same update to be installed on the same client and server OS family, further reducing fragmentation. @@ -64,12 +65,12 @@ While Windows 10 updates could have been controlled as cumulative from "Day 1," Customers saw the LCU model used for Windows 10 as having packages that were too large and represented too much of a change for legacy operating systems, so a different model was implemented. Windows instead offered one cumulative package (Monthly Rollup) and one individual package (Security Only) for all legacy operating systems. -The Monthly Rollup includes new non-security (if appropriate), security updates, Internet Explorer (IE) updates, and all updates from the previous month similar to the Windows 10 model. The Security-only package includes only new security updates for the month. This means that any security updates from any previous month are not included in current month’s Security-Only Package. If a Security-Only update is missed, it is missed. Those updates will not appear in a future Security-Only update. Additionally, a cumulative package is offered for IE, which can be tested and installed separately, reducing the total update package size. The IE cumulative update includes both security and non-security fixes following the same model as Windows 10. +The Monthly Rollup includes new non-security (if appropriate), security updates, Internet Explorer (IE) updates, and all updates from the previous month similar to the Windows 10 model. The Security-only package includes only new security updates for the month. This means that any security updates from any previous month are not included in current month's Security-Only Package. If a Security-Only update is missed, it is missed. Those updates will not appear in a future Security-Only update. Additionally, a cumulative package is offered for IE, which can be tested and installed separately, reducing the total update package size. The IE cumulative update includes both security and non-security fixes following the same model as Windows 10. ![Legacy OS security-only update model](images/security-only-update.png) *Figure 2.0 - Legacy OS security-only update model* -Moving to the cumulative model for legacy OS versions continues to improve predictability of update quality. The Windows legacy environments which have fully updated machines with Monthly Rollups are running the same baseline against which all legacy OS version updates are tested. These include all of the updates (security and non-security) prior to and after October 2016. Many customer environments do not have all updates prior to this change installed, which leaves some continued fragmentation in the ecosystem. Further, customers who are installing Security-Only Updates and potentially doing so inconsistently are also more fragmented than Microsoft’s test environments for legacy OS version. This remaining fragmentation results in issues like those seen when the September 2016 Servicing Stack Update (SSU) was needed for smooth installation of the August 2018 security update. These environments did not have the SSU applied previously. +Moving to the cumulative model for legacy OS versions continues to improve predictability of update quality. The Windows legacy environments which have fully updated machines with Monthly Rollups are running the same baseline against which all legacy OS version updates are tested. These include all of the updates (security and non-security) prior to and after October 2016. Many customer environments do not have all updates prior to this change installed, which leaves some continued fragmentation in the ecosystem. Further, customers who are installing Security-Only Updates and potentially doing so inconsistently are also more fragmented than Microsoft's test environments for legacy OS version. This remaining fragmentation results in issues like those seen when the September 2016 Servicing Stack Update (SSU) was needed for smooth installation of the August 2018 security update. These environments did not have the SSU applied previously. ### Points to consider - Windows 7 and Windows 8 legacy operating system updates [moved from individual to cumulative in October 2016](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/More-on-Windows-7-and-Windows-8-1-servicing-changes/ba-p/166783). Devices with updates missing prior to that point are still missing those updates, as they were not included in the subsequent cumulative packages. @@ -83,7 +84,7 @@ Moving to the cumulative model for legacy OS versions continues to improve predi - For [Windows Server 2008 SP2](https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/), cumulative updates began in October 2018, and follow the same model as Windows 7. Updates for IE9 are included in those packages, as the last supported version of Internet Explorer for that Legacy OS version. ## Public preview releases -Lastly, the cumulative update model directly impacts the public Preview releases offered in the 3rd and/or 4th weeks of the month. Update Tuesday, also referred to as the "B" week release occurs on the second Tuesday of the month. It is always a required security update across all operating systems. In addition to this monthly release, Windows also releases non-security update "previews" targeting the 3rd (C) and the 4th (D) weeks of the month. These preview releases include that month’s B-release plus a set of non-security updates for testing and validation as a cumulative package. We recommend IT Administrators uses the C/D previews to test the update in their environments. Any issues identified with the updates in the C/D releases are identified and then fixed or removed, prior to being rolled up in to the next month’s B release package together with new security updates. Security-only Packages are not part of the C/D preview program. +Lastly, the cumulative update model directly impacts the public Preview releases offered in the 3rd and/or 4th weeks of the month. Update Tuesday, also referred to as the "B" week release occurs on the second Tuesday of the month. It is always a required security update across all operating systems. In addition to this monthly release, Windows also releases non-security update "previews" targeting the 3rd (C) and the 4th (D) weeks of the month. These preview releases include that month's B-release plus a set of non-security updates for testing and validation as a cumulative package. We recommend IT Administrators uses the C/D previews to test the update in their environments. Any issues identified with the updates in the C/D releases are identified and then fixed or removed, prior to being rolled up in to the next month's B release package together with new security updates. Security-only Packages are not part of the C/D preview program. > [!NOTE] > Only preview updates for the most recent release of Windows 10 are published to Windows Server Update Services (WSUS). For customers using the WSUS channel, and products such as Microsoft Endpoint Configuration Manager that rely on it, will not see preview updates for older versions of Windows 10. @@ -102,9 +103,9 @@ All of these updates are cumulative and build on each other for Windows 10. This *Figure 3.0 - Preview releases within the Windows 10 LCU model* ## Previews vs. on-demand releases -In 2018, we experienced incidents which required urgent remediation that didn’t map to the monthly update release cadence. These incidents were situations that required an immediate fix to an Update Tuesday release. While Windows engineering worked aggressively to respond within a week of the B-release, these "on-demand" releases created confusion with the C Preview releases. +In 2018, we experienced incidents which required urgent remediation that didn't map to the monthly update release cadence. These incidents were situations that required an immediate fix to an Update Tuesday release. While Windows engineering worked aggressively to respond within a week of the B-release, these "on-demand" releases created confusion with the C Preview releases. -As a general policy, if a Security-Only package has a regression, which is defined as an unintentional error in the code of an update, then the fix for that regression will be added to the next month’s Security-Only Update. The fix for that regression may also be offered as part an On-Demand release and will be rolled into the next Monthly Update. (Note: Exceptions do exist to this policy, based on timing.) +As a general policy, if a Security-Only package has a regression, which is defined as an unintentional error in the code of an update, then the fix for that regression will be added to the next month's Security-Only Update. The fix for that regression may also be offered as part an On-Demand release and will be rolled into the next Monthly Update. (Note: Exceptions do exist to this policy, based on timing.) ### Point to consider - When Windows identifies an issue with a Update Tuesday release, engineering teams work to remediate or fix the issue as quickly as possible. The outcome is often a new update which may be released at any time, including during the 3rd or 4th week of the month. Such updates are independent of the regularly scheduled "C" and "D" update previews. These updates are created on-demand to remediate a customer impacting issue. In most cases they are qualified as a "non-security" update, and do not require a system reboot. diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md index 323e565a06..9e013f0b94 100644 --- a/windows/deployment/update/waas-wu-settings.md +++ b/windows/deployment/update/waas-wu-settings.md @@ -1,6 +1,6 @@ --- title: Manage additional Windows Update settings (Windows 10) -description: Additional settings to control the behavior of Windows Update (WU) in Windows 10 +description: In this article, learn about additional settings to control the behavior of Windows Update in Windows 10. ms.prod: w10 ms.mktglfcycl: deploy audience: itpro @@ -10,6 +10,7 @@ author: jaimeo ms.reviewer: manager: laurawi ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Manage additional Windows Update settings @@ -61,7 +62,7 @@ This setting lets you specify a server on your network to function as an interna To use this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify Intranet Microsoft update service location**. You must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update Agent to download updates from an alternate download server instead of the intranet update service. -If the setting is set to **Enabled**, the Automatic Updates client connects to the specified intranet Microsoft update service (or alternate download server), instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization don’t have to go through a firewall to get updates, and it gives you the opportunity to test updates after deploying them. +If the setting is set to **Enabled**, the Automatic Updates client connects to the specified intranet Microsoft update service (or alternate download server), instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization don't have to go through a firewall to get updates, and it gives you the opportunity to test updates after deploying them. If the setting is set to **Disabled** or **Not Configured**, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. The alternate download server configures the Windows Update Agent to download files from an alternative download server instead of the intranet update service. @@ -86,9 +87,9 @@ If the setting is set to **Enabled**, Windows will check for available updates a If the setting is set to **Disabled** or **Not Configured**, Windows will check for available updates at the default interval of 22 hours. >[!NOTE] ->The “Specify intranet Microsoft update service location” setting must be enabled for this policy to have effect. +>The "Specify intranet Microsoft update service location" setting must be enabled for this policy to have effect. > ->If the “Configure Automatic Updates” policy is disabled, this policy has no effect. +>If the "Configure Automatic Updates" policy is disabled, this policy has no effect. To configure this policy with MDM, use [DetectionFrequency](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-detectionfrequency). @@ -116,7 +117,7 @@ If the setting is set to **Disabled** or **Not Configured**, no target group inf If the intranet Microsoft update service supports multiple target groups, this policy can specify multiple group names separated by semicolons. Otherwise, a single group must be specified. >[!NOTE] ->This policy applies only when the intranet Microsoft update service the device is directed to is configured to support client-side targeting. If the “Specify intranet Microsoft update service location” policy is disabled or not configured, this policy has no effect. +>This policy applies only when the intranet Microsoft update service the device is directed to is configured to support client-side targeting. If the "Specify intranet Microsoft update service location" policy is disabled or not configured, this policy has no effect. ### Allow signed updates from an intranet Microsoft update service location @@ -124,7 +125,7 @@ This policy setting allows you to manage whether Automatic Updates accepts updat To configure this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows update\Allow signed updates from an intranet Microsoft update service location**. -If you enable this policy setting, Automatic Updates accepts updates received through an intranet Microsoft update service location, as specified by [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location), if they are signed by a certificate found in the “Trusted Publishers” certificate store of the local computer. +If you enable this policy setting, Automatic Updates accepts updates received through an intranet Microsoft update service location, as specified by [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location), if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. If you disable or do not configure this policy setting, updates from an intranet Microsoft update service location must be signed by Microsoft. >[!NOTE] diff --git a/windows/deployment/update/waas-wufb-intune.md b/windows/deployment/update/waas-wufb-intune.md index 92ee39c436..412541f1fd 100644 --- a/windows/deployment/update/waas-wufb-intune.md +++ b/windows/deployment/update/waas-wufb-intune.md @@ -1,6 +1,6 @@ --- title: Walkthrough use Intune to configure Windows Update for Business (Windows 10) -description: Configure Windows Update for Business settings using Microsoft Intune. +description: In this article, learn how to configure Windows Update for Business settings using Microsoft Intune. ms.prod: w10 ms.mktglfcycl: manage audience: itpro @@ -29,7 +29,7 @@ author: jaimeo > >In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. -You can use Intune to configure Windows Update for Business even if you don’t have on-premises infrastructure when you use Intune in conjunction with Azure AD. Before configuring Windows Update for Business, consider a [deployment strategy](waas-servicing-strategy-windows-10-updates.md) for updates and feature updates in your environment. +You can use Intune to configure Windows Update for Business even if you don't have on-premises infrastructure when you use Intune in conjunction with Azure AD. Before configuring Windows Update for Business, consider a [deployment strategy](waas-servicing-strategy-windows-10-updates.md) for updates and feature updates in your environment. Windows Update for Business in Windows 10 version 1511 allows you to delay quality updates up to 4 weeks and feature updates up to an additional 8 months after Microsoft releases builds to the Current Branch for Business (CBB) servicing branch. In Windows 10 version 1607 and later, you can delay quality updates for up to 30 days and feature updates up to an additional 180 days after the release of either a Current Branch (CB) or CBB build. @@ -42,7 +42,7 @@ To use Intune to manage quality and feature updates in your environment, you mus In this example, you use two security groups to manage your updates: **Ring 4 Broad business users** and **Ring 5 Broad business users #2** from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md). -- The **Ring 4 Broad business users** group contains PCs of IT members who test the updates as soon as they’re released for Windows clients in the Current Branch for Business (CBB) servicing branch. This phase typically occurs after testing on Current Branch (CB) devices. +- The **Ring 4 Broad business users** group contains PCs of IT members who test the updates as soon as they're released for Windows clients in the Current Branch for Business (CBB) servicing branch. This phase typically occurs after testing on Current Branch (CB) devices. - The **Ring 5 Broad business users #2** group consists of the first line-of-business (LOB) users, who consume quality updates after 1 week and feature updates 1 month after the CBB release. >[!NOTE] @@ -69,9 +69,9 @@ In this example, you use two security groups to manage your updates: **Ring 4 Br >[!NOTE] >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax. - ![Settings for this policy](images/waas-wufb-intune-step7a.png) + ![Settings for the RequireDeferUpgrade policy](images/waas-wufb-intune-step7a.png) -8. For this deployment ring, you’re required to enable only CBB, so click **Save Policy**. +8. For this deployment ring, you're required to enable only CBB, so click **Save Policy**. 9. In the **Deploy Policy: Windows Update for Business – CBB1** dialog box, click **Yes**. @@ -156,7 +156,7 @@ In this example, you use three security groups from Table 1 in [Build deployment >[!NOTE] >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax. - ![Settings for this policy](images/waas-wufb-intune-cb2a.png) + ![Settings for the BranchReadinessLevel policy](images/waas-wufb-intune-cb2a.png) 8. Because the **Ring 2 Pilot Business Users** deployment ring receives the CB feature updates after 28 days, in the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting. @@ -164,7 +164,7 @@ In this example, you use three security groups from Table 1 in [Build deployment 10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**. 11. In the **Value** box, type **28**, and then click **OK**. - ![Settings for this policy](images/waas-wufb-intune-step11a.png) + ![Settings for the DeferFeatureUpdatesPeriodInDays policy step 11](images/waas-wufb-intune-step11a.png) 9. Click **Save Policy**. @@ -175,7 +175,7 @@ In this example, you use three security groups from Table 1 in [Build deployment 10. In the **Manage Deployment: Windows Update for Business – CB2** dialog box, select the **Ring 2 Pilot Business Users** group, click **Add**, and then click **OK**. -You have now configured the **Ring 2 Pilot Business Users** deployment ring to enable CB feature update deferment for 14 days. Now, you must configure **Ring 4 Broad business users** to receive CBB features updates as soon as they’re available. +You have now configured the **Ring 2 Pilot Business Users** deployment ring to enable CB feature update deferment for 14 days. Now, you must configure **Ring 4 Broad business users** to receive CBB features updates as soon as they're available. ### Configure Ring 4 Broad business users policy @@ -205,7 +205,7 @@ You have now configured the **Ring 2 Pilot Business Users** deployment ring to e 11. In the **Value** box, type **0**, and then click **OK**. - ![Settings for this policy](images/waas-wufb-intune-cbb1a.png) + ![Settings for the DeferFeatureUpdatesPeriodInDays policy for broad business](images/waas-wufb-intune-cbb1a.png) 12. Click **Save Policy**. @@ -216,7 +216,7 @@ You have now configured the **Ring 2 Pilot Business Users** deployment ring to e 14. In the **Manage Deployment: Windows Update for Business – CBB1** dialog box, select the **Ring 4 Broad business users** group, click **Add**, and then click **OK**. -You have now configured the **Ring 4 Broad business users** deployment ring to receive CBB feature updates as soon as they’re available. Finally, configure **Ring 5 Broad business users #2** to accommodate a 7-day delay for quality updates and a 14-day delay for feature updates. +You have now configured the **Ring 4 Broad business users** deployment ring to receive CBB feature updates as soon as they're available. Finally, configure **Ring 5 Broad business users #2** to accommodate a 7-day delay for quality updates and a 14-day delay for feature updates. ### Configure Ring 5 Broad business users \#2 policy @@ -255,7 +255,7 @@ You have now configured the **Ring 4 Broad business users** deployment ring to r 15. In the **Value** box, type **14**, and then click **OK**. - ![Settings for this policy](images/waas-wufb-intune-cbb2a.png) + ![Settings for the DeferFeatureUpdatesPeriodInDays policy](images/waas-wufb-intune-cbb2a.png) 16. Click **Save Policy**. diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md index 471073ea8f..fa6a49c1a0 100644 --- a/windows/deployment/update/windows-update-error-reference.md +++ b/windows/deployment/update/windows-update-error-reference.md @@ -12,6 +12,7 @@ ms.date: 09/18/2018 ms.reviewer: manager: laurawi ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Windows Update error codes by component diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md index e3d4342c33..11dff0bce0 100644 --- a/windows/deployment/update/windows-update-errors.md +++ b/windows/deployment/update/windows-update-errors.md @@ -1,6 +1,6 @@ --- title: Windows Update common errors and mitigation -description: Learn about some common issues you might experience with Windows Update +description: In this article, learn about some common issues you might experience with Windows Update, as well as steps to resolve them. ms.prod: w10 ms.mktglfcycl: audience: itpro @@ -11,6 +11,7 @@ ms.date: 09/18/2018 ms.reviewer: manager: laurawi ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Windows Update common errors and mitigation diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md index 68d6b72b20..1e40aac62e 100644 --- a/windows/deployment/update/windows-update-logs.md +++ b/windows/deployment/update/windows-update-logs.md @@ -11,6 +11,7 @@ ms.date: 09/18/2018 ms.reviewer: manager: laurawi ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Windows Update log files @@ -28,7 +29,7 @@ The following table describes the log files created by Windows Update. |CBS.log|%systemroot%\Logs\CBS|This logs provides insight on the update installation part in the servicing stack.|To troubleshoot the issues related to WU installation.| ## Generating WindowsUpdate.log -To merge and convert WU trace files (.etl files) into a single readable WindowsUpdate.log file, see [Get-WindowsUpdateLog](https://docs.microsoft.com/powershell/module/windowsupdate/get-windowsupdatelog?view=win10-ps). +To merge and convert WU trace files (.etl files) into a single readable WindowsUpdate.log file, see [Get-WindowsUpdateLog](https://docs.microsoft.com/powershell/module/windowsupdate/get-windowsupdatelog?view=win10-ps&preserve-view=tru). >[!NOTE] >When you run the **Get-WindowsUpdateLog** cmdlet, an copy of WindowsUpdate.log file is created as a static log file. It does not update as the old WindowsUpate.log unless you run **Get-WindowsUpdateLog** again. @@ -64,7 +65,7 @@ The WU engine has different component names. The following are some of the most - IdleTimer - Tracking active calls, stopping a service >[!NOTE] ->Many component log messages are invaluable if you are looking for problems in that specific area. However, they can be useless if you don't filter to exclude irrelevant components so that you can focus on what’s important. +>Many component log messages are invaluable if you are looking for problems in that specific area. However, they can be useless if you don't filter to exclude irrelevant components so that you can focus on what's important. ### Windows Update log structure The Windows update log structure is separated into four main identities: @@ -112,7 +113,7 @@ Search for and identify the components that are associated with the IDs. Differe #### Update identifiers ##### Update ID and revision number -There are different identifiers for the same update in different contexts. It’s important to know the identifier schemes. +There are different identifiers for the same update in different contexts. It's important to know the identifier schemes. - Update ID: A GUID (indicated in the previous screen shot) that's assigned to a given update at publication time - Revision number: A number incremented every time that a given update (that has a given update ID) is modified and republished on a service - Revision numbers are reused from one update to another (not a unique identifier). @@ -121,8 +122,8 @@ There are different identifiers for the same update in different contexts. It’ ##### Revision ID -- A Revision ID (do no confuse this with “revision number”) is a serial number that's issued when an update is initially published or revised on a given service. -- An existing update that’s revised keeps the same update ID (GUID), has its revision number incremented (for example, from 100 to 101), but gets a completely new revision ID that is not related to the previous ID. +- A Revision ID (do no confuse this with "revision number") is a serial number that's issued when an update is initially published or revised on a given service. +- An existing update that's revised keeps the same update ID (GUID), has its revision number incremented (for example, from 100 to 101), but gets a completely new revision ID that is not related to the previous ID. - Revision IDs are unique on a given update source, but not across multiple sources. - The same update revision may have completely different revision IDs on WU and WSUS. - The same revision ID may represent different updates on WU and WSUS. @@ -131,7 +132,7 @@ There are different identifiers for the same update in different contexts. It’ - Local ID is a serial number issued when an update is received from a service by a given WU client - Usually seen in debug logs, especially involving the local cache for update info (Datastore) - Different client PCs will assign different Local IDs to the same update -- You can find the local IDs that a client is using by getting the client’s %WINDIR%\SoftwareDistribution\Datastore\Datastore.edb file +- You can find the local IDs that a client is using by getting the client's %WINDIR%\SoftwareDistribution\Datastore\Datastore.edb file ##### Inconsistent terminology - Sometimes the logs use terms inconsistently. For example, the InstalledNonLeafUpdateIDs list actually contains revision IDs, not update IDs. diff --git a/windows/deployment/update/windows-update-overview.md b/windows/deployment/update/windows-update-overview.md index d96f16274f..9706a55a92 100644 --- a/windows/deployment/update/windows-update-overview.md +++ b/windows/deployment/update/windows-update-overview.md @@ -27,6 +27,7 @@ Use the following information to get started with Windows Update: - Learn how to [troubleshoot Windows Update](windows-update-troubleshooting.md) - Review [common Windows Update errors](windows-update-errors.md) and check out the [error code reference](windows-update-error-reference.md) - Review [other resources](windows-update-resources.md) to help you use Windows Update +- Review [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog) section of Microsoft Blogs. ## Unified Update Platform (UUP) architecture To understand the changes to the Windows Update architecture that UUP introduces let's start with some new key terms. diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md index 81138d6e5b..32a55ed102 100644 --- a/windows/deployment/update/windows-update-troubleshooting.md +++ b/windows/deployment/update/windows-update-troubleshooting.md @@ -10,6 +10,7 @@ author: jaimeo ms.reviewer: manager: laurawi ms.topic: article +ms.custom: seo-marvel-apr2020 --- # Windows Update troubleshooting @@ -20,7 +21,7 @@ If you run into problems when using Windows Update, start with the following ste 1. Run the built-in Windows Update troubleshooter to fix common issues. Navigate to **Settings > Update & Security > Troubleshoot > Windows Update**. -2. Install the most recent Servicing Stack Update (SSU) that matches your version of Windows from the Microsoft Update Catalog. See [Servicing stack updates](servicing-stack-updates.md) for more details on SSU. +2. Install the most recent Servicing Stack Update (SSU) that matches your version of Windows from the Microsoft Update Catalog. See [Servicing stack updates](servicing-stack-updates.md) for more details on servicing stack updates. 3. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system: @@ -40,8 +41,8 @@ Advanced users can also refer to the [log](windows-update-logs.md) generated by You might encounter the following scenarios when using Windows Update. -## Why am I offered an older update/upgrade? -The update that is offered to a device depends on several factors. Some of the most common attributes include the following: +## Why am I offered an older update? +The update that is offered to a device depends on several factors. The following are some of the most common attributes: - OS Build - OS Branch @@ -49,20 +50,20 @@ The update that is offered to a device depends on several factors. Some of the m - OS Architecture - Device update management configuration -If the update you're offered isn't the most current available, it might be because your device is being managed by a WSUS server, and you're being offered the updates available on that server. It's also possible, if your device is part of a Windows as a Service deployment ring, that your admin is intentionally slowing the rollout of updates. Since the WaaS rollout is slow and measured to begin with, all devices will not receive the update on the same day. +If the update you're offered isn't the most current available, it might be because your device is being managed by a WSUS server, and you're being offered the updates available on that server. It's also possible, if your device is part of a deployment group, that your admin is intentionally slowing the rollout of updates. Since the deployment is slow and measured to begin with, all devices will not receive the update on the same day. ## My device is frozen at scan. Why? -The Settings UI is talking to the Update Orchestrator service which in turn is talking to Windows Update service. If these services stop unexpectedly then you might see this behavior. In such cases, do the following: +The Settings UI communicates with the Update Orchestrator service which in turn communicates with to Windows Update service. If these services stop unexpectedly, then you might see this behavior. In such cases, follow these steps: 1. Close the Settings app and reopen it. -2. Launch Services.msc and check if the following services are running: +2. Start Services.msc and check if the following services are running: - Update State Orchestrator - Windows Update ## Feature updates are not being offered while other updates are -Devices running Windows 10, version 1709 through Windows 10, version 1803 that are [configured to update from Windows Update](#BKMK_DCAT) (including Windows Update for Business scenarios) are able to install servicing and definition updates but are never offered feature updates. +Devices running Windows 10, version 1709 through Windows 10, version 1803 that are [configured to update from Windows Update](#BKMK_DCAT) (including Windows Update for Business) are able to install servicing and definition updates but are never offered feature updates. Checking the WindowsUpdate.log reveals the following error: ```console @@ -94,12 +95,12 @@ The 0x80070426 error code translates to: ERROR_SERVICE_NOT_ACTIVE - # The service has not been started. ``` -Microsoft Account Sign In Assistant (MSA or wlidsvc) is the service in question. The DCAT Flighting service (ServiceId: 855E8A7C-ECB4-4CA3-B045-1DFA50104289) relies on the Microsoft Account Sign In Assistant (MSA) to get the Global Device ID for the device. Without the MSA service running, the global device ID will not be generated and sent by the client and the search for feature updates never completes successfully. +Microsoft Account Sign In Assistant (MSA or wlidsvc) is the service in question. The DCAT Flighting service (ServiceId: 855E8A7C-ECB4-4CA3-B045-1DFA50104289) relies on MSA to get the global device ID for the device. Without the MSA service running, the global device ID won't be generated and sent by the client and the search for feature updates never completes successfully. -In order to solve this issue, we need to reset the MSA service to the default StartType of manual. +To resolve this issue, reset the MSA service to the default StartType of "manual." ## Issues related to HTTP/Proxy -Windows Update uses WinHttp with Partial Range requests (RFC 7233) to download updates and applications from Windows Update servers or on-premises WSUS servers. Because of this proxy servers configured on the network must support HTTP RANGE requests. If a proxy was configured in Internet Explorer (User level) but not in WinHTTP (System level), connections to Windows Update will fail. +Windows Update uses WinHttp with Partial Range requests (RFC 7233) to download updates and applications from Windows Update servers or on-premises WSUS servers. Therefore proxy servers on the network must support HTTP RANGE requests. If a proxy was configured in Internet Explorer (User level) but not in WinHTTP (System level), connections to Windows Update will fail. To fix this issue, configure a proxy in WinHTTP by using the following netsh command: @@ -112,14 +113,13 @@ netsh winhttp set proxy ProxyServerName:PortNumber If downloads through a proxy server fail with a 0x80d05001 DO_E_HTTP_BLOCKSIZE_MISMATCH error, or if you notice high CPU usage while updates are downloading, check the proxy configuration to permit HTTP RANGE requests to run. -You may choose to apply a rule to permit HTTP RANGE requests for the following URLs: +You might choose to apply a rule to permit HTTP RANGE requests for the following URLs: -*.download.windowsupdate.com -*.dl.delivery.mp.microsoft.com -*.delivery.mp.microsoft.com -*.emdl.ws.microsoft.com +`*.download.windowsupdate.com` +`*.dl.delivery.mp.microsoft.com` +`*.delivery.mp.microsoft.com` -If you cannot permit RANGE requests, keep in mind that this means you are downloading more content than needed in updates (as delta patching will not work). +If you can't allow RANGE requests, you'll be downloading more content than needed in updates (as delta patching will not work). ## The update is not applicable to your computer @@ -127,13 +127,13 @@ The most common reasons for this error are described in the following table: |Cause|Explanation|Resolution| |-----|-----------|----------| -|Update is superseded|As updates for a component are released, the updated component will supersede an older component that is already on the system. When this occurs, the previous update is marked as superseded. If the update that you're trying to install already has a newer version of the payload on your system, you may encounter this error message.|Check that the package that you are installing contains newer versions of the binaries. Or, check that the package is superseded by another new package. | +|Update is superseded|As updates for a component are released, the updated component will supersede an older component that is already on the system. When this occurs, the previous update is marked as superseded. If the update that you're trying to install already has a newer version of the payload on your system, you might receive this error message.|Check that the package that you are installing contains newer versions of the binaries. Or, check that the package is superseded by another new package. | |Update is already installed|If the update that you're trying to install was previously installed, for example, by another update that carried the same payload, you may encounter this error message.|Verify that the package that you are trying to install was not previously installed.| |Wrong update for architecture|Updates are published by CPU architecture. If the update that you're trying to install does not match the architecture for your CPU, you may encounter this error message. |Verify that the package that you're trying to install matches the Windows version that you are using. The Windows version information can be found in the "Applies To" section of the article for each update. For example, Windows Server 2012-only updates cannot be installed on Windows Server 2012 R2-based computers.
    Also, verify that the package that you are installing matches the processor architecture of the Windows version that you are using. For example, an x86-based update cannot be installed on x64-based installations of Windows. | -|Missing prerequisite update|Some updates require a prerequisite update before they can be applied to a system. If you are missing a prerequisite update, you may encounter this error message. For example, KB 2919355 must be installed on Windows 8.1 and Windows Server 2012 R2 computers before many of the updates that were released after April 2014 can be installed.|Check the related articles about the package in the Microsoft Knowledge Base (KB) to make sure that you have the prerequisite updates installed. For example, if you encounter the error message on Windows 8.1 or Windows Server 2012 R2, you may have to install the April 2014 update 2919355 as a prerequisite and one or more pre-requisite servicing updates (KB 2919442 and KB 3173424).
    Note: To determine if these prerequisite updates are installed, run the following PowerShell command:
    get-hotfix KB3173424,KB2919355,KB2919442
    If the updates are installed, the command will return the installed date in the "InstalledOn" section of the output. +|Missing prerequisite update|Some updates require a prerequisite update before they can be applied to a system. If you are missing a prerequisite update, you may encounter this error message. For example, KB 2919355 must be installed on Windows 8.1 and Windows Server 2012 R2 computers before many of the updates that were released after April 2014 can be installed.|Check the related articles about the package in the Microsoft Knowledge Base (KB) to make sure that you have the prerequisite updates installed. For example, if you encounter the error message on Windows 8.1 or Windows Server 2012 R2, you may have to install the April 2014 update 2919355 as a prerequisite and one or more pre-requisite servicing updates (KB 2919442 and KB 3173424).
    To determine if these prerequisite updates are installed, run the following PowerShell command:
    `get-hotfix KB3173424,KB2919355, KB2919442`.
    If the updates are installed, the command will return the installed date in the `InstalledOn` section of the output. ## Issues related to firewall configuration -Error that may be seen in the WU logs: +Error that you might see in Windows Update logs: ```console DownloadManager Error 0x800706d9 occurred while downloading update; notifying dependent calls. ``` @@ -149,33 +149,34 @@ DownloadManager [0]12F4.1FE8::09/29/2017-13:45:08.530 [agent]DO job {C6E2F6DC-5B Go to Services.msc and ensure that Windows Firewall Service is enabled. Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft. For more information, see [I need to disable Windows Firewall](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc766337(v=ws.10)). ## Issues arising from configuration of conflicting policies -Windows Update provides a wide range configuration policies to control the behavior of WU service in a managed environment. While these policies let you configure the settings at a granular level, misconfiguration or setting conflicting polices may lead to unexpected behaviors. +Windows Update provides a wide range configuration policy to control the behavior of the Windows Update service in a managed environment. While these policies let you configure the settings at a granular level, misconfiguration or setting conflicting policies may lead to unexpected behaviors. See [How to configure automatic updates by using Group Policy or registry settings](https://support.microsoft.com/help/328010/how-to-configure-automatic-updates-by-using-group-policy-or-registry-s) for more information. ## Device cannot access update files -Check that your device can access these Windows Update endpoints: -- `http://windowsupdate.microsoft.com` -- `http://*.windowsupdate.microsoft.com` -- `https://*.windowsupdate.microsoft.com` -- `http://*.update.microsoft.com` -- `https://*.update.microsoft.com` -- `http://*.windowsupdate.com` -- `http://download.windowsupdate.com` -- `https://download.microsoft.com` -- `http://*.download.windowsupdate.com` -- `http://wustat.windows.com` -- `http://ntservicepack.microsoft.com` -- `https://*.prod.do.dsp.mp.microsoft.com` -- `http://*.dl.delivery.mp.microsoft.com` -- `https://*.delivery.mp.microsoft.com` -- `https://tsfe.trafficshaping.dsp.mp.microsoft.com` - - Allow these endpoints for future use. +Ensure that devices can reach necessary Windows Update endpoints through the firewall. For example, for Windows 10, version 2004, the following protocols must be able to reach these respective endpoints: + + +|Protocol |Endpoint URL | +|---------|---------| +|TLS 1.2 | `*.prod.do.dsp.mp.microsoft.com` | +|HTTP | `emdl.ws.microsoft.com` | +|HTTP | `*.dl.delivery.mp.microsoft.com` | +|HTTP | `*.windowsupdate.com` | +|HTTPS | `*.delivery.mp.microsoft.com` | +|TLS 1.2 | `*.update.microsoft.com` | +|TLS 1.2 | `tsfe.trafficshaping.dsp.mp.microsoft.com` | + +> [!NOTE] +> Be sure not to use HTTPS for those endpoints that specify HTTP, and vice versa. The connection will fail. + +The specific endpoints can vary between Windows 10 versions. See, for example, [Windows 10 2004 Enterprise connection endpoints](https://docs.microsoft.com/windows/privacy/manage-windows-2004-endpoints). Similar articles for other Windows 10 versions are available in the table of contents nearby. + ## Updates aren't downloading from the intranet endpoint (WSUS or Configuration Manager) -Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps: +Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps: + 1. Start Windows PowerShell as an administrator. 2. Run \$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager". 3. Run \$MUSM.Services. @@ -191,14 +192,14 @@ Check the output for the Name and OffersWindowsUPdates parameters, which you can |- Name: Windows Update
    - OffersWindowsUpdates: True|- The source is Windows Update.
    - The client is configured to receive updates from Windows Update Online.| ## You have a bad setup in the environment -If we look at the GPO being set through registry, the system is configured to use WSUS to download updates: +In this example, per the Group Policy set through registry, the system is configured to use WSUS to download updates (note the second line): ```console HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU] -"UseWUServer"=dword:00000001 ===================================> it says use WSUS server. +"UseWUServer"=dword:00000001 ``` -From the WU logs: +From Windows Update logs: ```console 2018-08-06 09:33:31:085 480 1118 Agent ** START ** Agent: Finding updates [CallerId = OperationalInsight Id = 49] 2018-08-06 09:33:31:085 480 1118 Agent ********* @@ -214,7 +215,7 @@ From the WU logs: In the above log snippet, we see that the Criteria = "IsHidden = 0 AND DeploymentAction=*". "*" means there is nothing specified from the server. So, the scan happens but there is no direction to download or install to the agent. So it just scans the update and provides the results. -Now if you look at the below logs, the Automatic update runs the scan and finds no update approved for it. So it reports there are 0 updates to install or download. This is due to bad setup or configuration in the environment. The WSUS side should approve the patches for WU so that it fetches the updates and installs it on the specified time according to the policy. Since this scenario doesn't include Configuration Manager, there's no way to install unapproved updates. And that is the problem you are facing. You expect that the scan should be done by the operational insight agent and automatically trigger download and install but that won’t happen here. +Now if you look at the below logs, the Automatic update runs the scan and finds no update approved for it. So it reports there are no updates to install or download. This is due to an incorrect configuration. The WSUS side should approve the updates for Windows Update so that it fetches the updates and installs them at the specified time according to the policy. Since this scenario doesn't include Configuration Manager, there's no way to install unapproved updates. You're expecting the operational insight agent to do the scan and automatically trigger the download and installation but that won’t happen with this configuration. ```console 2018-08-06 10:58:45:992 480 5d8 Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57] diff --git a/windows/deployment/update/wufb-basics.md b/windows/deployment/update/wufb-basics.md index 0c8f5c32db..041169807e 100644 --- a/windows/deployment/update/wufb-basics.md +++ b/windows/deployment/update/wufb-basics.md @@ -1,12 +1,13 @@ --- title: Configure the Basic group policy for Windows Update for Business -description: Learn how to get started using the Basic GPO in Windows Update for Business. +description: In this article, you will learn how to configure the basic group policy for Windows Update for Business. +ms.custom: seo-marvel-apr2020 ms.prod: w10 ms.mktglfcycl: manage audience: itpro itproauthor: jaimeo author: jaimeo -ms.localizationprioauthor: jaimeo +ms.localizationpriority: medium ms.audience: itpro ms.reviewer: manager: laurawi diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md index 67b6e07ec0..1fb426d25f 100644 --- a/windows/deployment/update/wufb-compliancedeadlines.md +++ b/windows/deployment/update/wufb-compliancedeadlines.md @@ -1,6 +1,7 @@ --- title: Enforce compliance deadlines with policies in Windows Update for Business (Windows 10) -description: Learn how to enforce compliance deadlines using Windows Update for Business. +description: This article contains information on how to enforce compliance deadlines using Windows Update for Business. +ms.custom: seo-marvel-apr2020 ms.prod: w10 ms.mktglfcycl: manage author: jaimeo @@ -151,17 +152,17 @@ Before the deadline the device will be in two states: auto-restart period and en Notification users get for quality update engaged deadline: -![The notification users get for an impending engaged quality update deadline](images/wufb-quality-engaged-notification.png) +![The notification users get for an impending engaged quality update deadline example](images/wufb-quality-engaged-notification.png) Notification users get for a quality update deadline: -![The notification users get for an impending quality update deadline](images/wufb-quality-notification.png) +![The notification users get for an impending quality update deadline example](images/wufb-quality-notification.png) Notification users get for a feature update engaged deadline: -![The notification users get for an impending feature update engaged deadline](images/wufb-feature-update-engaged-notification.png) +![The notification users get for an impending feature update engaged deadline example](images/wufb-feature-update-engaged-notification.png) Notification users get for a feature update deadline: -![The notification users get for an impending feature update deadline](images/wufb-feature-update-deadline-notification.png) +![The notification users get for an impending feature update deadline example](images/wufb-feature-update-deadline-notification.png) diff --git a/windows/deployment/update/wufb-onboard.md b/windows/deployment/update/wufb-onboard.md index de44721666..78f9b0cf84 100644 --- a/windows/deployment/update/wufb-onboard.md +++ b/windows/deployment/update/wufb-onboard.md @@ -1,6 +1,6 @@ --- title: Onboarding to Windows Update for Business (Windows 10) -description: Get started using Windows Update for Business, a tool that enables IT pros and power users to manage content they want to receive from Windows Update Service. +description: Get started using Windows Update for Business, a tool that enables IT pros and power users to manage content they want to receive from Windows Update. ms.prod: w10 ms.mktglfcycl: manage audience: itpro diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md index a4c6a01688..1968dd1929 100644 --- a/windows/deployment/upgrade/log-files.md +++ b/windows/deployment/upgrade/log-files.md @@ -1,10 +1,11 @@ --- -title: Log files - Windows IT Pro +title: Log files and resolving upgrade errors ms.reviewer: manager: laurawi ms.author: greglin -description: Learn how to interpret the log files generated during the Windows 10 upgrade process. +description: Learn how to interpret and analyze the log files that are generated during the Windows 10 upgrade process. keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro +ms.custom: seo-marvel-apr2020 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/deployment/upgrade/quick-fixes.md b/windows/deployment/upgrade/quick-fixes.md index 445b6d5c18..bf49c56323 100644 --- a/windows/deployment/upgrade/quick-fixes.md +++ b/windows/deployment/upgrade/quick-fixes.md @@ -5,6 +5,7 @@ manager: laurawi ms.author: greglin description: Learn how to quickly resolve many problems, which may come up during a Windows 10 upgrade. keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro +ms.custom: seo-marvel-apr2020 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md index bca001f87a..6abb0eac36 100644 --- a/windows/deployment/upgrade/setupdiag.md +++ b/windows/deployment/upgrade/setupdiag.md @@ -5,6 +5,7 @@ manager: laurawi ms.author: greglin description: SetupDiag works by examining Windows Setup log files. This article shows how to use the SetupDiag tool to diagnose Windows Setup errors. keywords: deploy, troubleshoot, windows, 10, upgrade, update, setup, diagnose +ms.custom: seo-marvel-apr2020 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -552,7 +553,7 @@ Refer to "https://docs.microsoft.com/windows/desktop/Debug/system-error-codes" f ## Sample registry key -![Addreg](./../images/addreg.png) +![Example of Addreg](./../images/addreg.png) ## Related topics diff --git a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md index b248875782..730dd44759 100644 --- a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md +++ b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md @@ -16,7 +16,7 @@ ms.topic: article # Getting Started with the User State Migration Tool (USMT) This topic outlines the general process that you should follow to migrate files and settings. -## In this Topic +## In this topic - [Step 1: Plan Your Migration](#step-1-plan-your-migration) - [Step 2: Collect files and settings from the source computer](#step-2-collect-files-and-settings-from-the-source-computer) @@ -48,7 +48,7 @@ This topic outlines the general process that you should follow to migrate files ## Step 2: Collect files and settings from the source computer 1. Back up the source computer. -2. Close all applications. If some applications are running when you run the **ScanState** command, USMT might not migrate all of the specified data. For example, if Microsoft® Office Outlook® is open, USMT might not migrate PST files. +2. Close all applications. If some applications are running when you run the **ScanState** command, USMT might not migrate all of the specified data. For example, if Microsoft® Office Outlook® is open, USMT might not migrate PST files. **Note**   USMT will fail if it cannot migrate a file or setting unless you specify the **/C** option. When you specify the **/C** option, USMT will ignore the errors, and log an error every time that it encounters a file that is being used that USMT did not migrate. You can use the **<ErrorControl>** section in the Config.xml file to specify which errors should be ignored, and which should cause the migration to fail. @@ -68,7 +68,7 @@ This topic outlines the general process that you should follow to migrate files 2. Install all applications that were on the source computer. Although it is not always required, we recommend installing all applications on the destination computer before you restore the user state. This makes sure that migrated settings are preserved. **Note**   - The application version that is installed on the destination computer should be the same version as the one on the source computer. USMT does not support migrating the settings for an older version of an application to a newer version. The exception to this is Microsoft® Office, which USMT can migrate from an older version to a newer version. + The application version that is installed on the destination computer should be the same version as the one on the source computer. USMT does not support migrating the settings for an older version of an application to a newer version. The exception to this is Microsoft® Office, which USMT can migrate from an older version to a newer version. 3. Close all applications. If some applications are running when you run the **LoadState** command, USMT might not migrate all of the specified data. For example, if Microsoft Office Outlook is open, USMT might not migrate PST files. diff --git a/windows/deployment/usmt/offline-migration-reference.md b/windows/deployment/usmt/offline-migration-reference.md index 9e83bf7287..d029f8d029 100644 --- a/windows/deployment/usmt/offline-migration-reference.md +++ b/windows/deployment/usmt/offline-migration-reference.md @@ -17,7 +17,7 @@ ms.topic: article # Offline Migration Reference -Offline migration enables the ScanState tool to run inside a different Windows® operating system than the Windows operating system from which ScanState is gathering files and settings. There are two primary offline scenarios: +Offline migration enables the ScanState tool to run inside a different Windows® operating system than the Windows operating system from which ScanState is gathering files and settings. There are two primary offline scenarios: - **Windows PE.** The ScanState tool can be run from within Windows PE, gathering files and settings from the offline Windows operating system on that machine. @@ -31,7 +31,7 @@ When you use User State Migration Tool (USMT) 10.0 to gather and restore user s - **New recovery scenario.** In scenarios where a machine no longer restarts properly, it might be possible to gather user state with the ScanState tool from within WinPE. -## In This Topic +## In This topic - [What Will Migrate Offline?](#bkmk-whatwillmigrate) @@ -61,7 +61,7 @@ The following user data and settings migrate offline, similar to an online migra - EFS files -- Internet Explorer® Favorites +- Internet Explorer® Favorites For exceptions to what you can migrate offline, see [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) @@ -192,7 +192,7 @@ The following system environment variables are necessary in the scenarios outlin

    MIG_OFFLINE_PLATFORM_ARCH

    32 or 64

    -

    While operating offline, this environment variable defines the architecture of the offline system, if the system does not match the WinPE and Scanstate.exe architecture. This environment variable enables the 32-bit ScanState application to gather data from a computer with 64-bit architecture, or the 64-bit ScanState application to gather data from a computer with 32-bit architecture. This is required when auto-detection of the offline architecture doesn’t function properly, for example, when the source system is running a 64-bit version of Windows XP. For example, to set this system environment variable for a 32-bit architecture, at a command prompt type the following:

    +

    While operating offline, this environment variable defines the architecture of the offline system, if the system does not match the WinPE and Scanstate.exe architecture. This environment variable enables the 32-bit ScanState application to gather data from a computer with 64-bit architecture, or the 64-bit ScanState application to gather data from a computer with 32-bit architecture. This is required when auto-detection of the offline architecture doesn't function properly, for example, when the source system is running a 64-bit version of Windows XP. For example, to set this system environment variable for a 32-bit architecture, at a command prompt type the following:

    Set MIG_OFFLINE_PLATFORM_ARCH=32
    @@ -219,7 +219,7 @@ Syntax: < winDir > </ winDir > ### <path> -This element is a required child of **<winDir>** and contains a file path pointing to a valid Windows directory. Relative paths are interpreted from the ScanState tool’s working directory. +This element is a required child of **<winDir>** and contains a file path pointing to a valid Windows directory. Relative paths are interpreted from the ScanState tool's working directory. Syntax: <path> c:\\windows </path> @@ -235,7 +235,7 @@ Syntax: <mappings> </mappings> ### <failOnMultipleWinDir> -This element is an optional child of **<offline>**. The **<failOnMultipleWinDir>** element allows the user to specify that the migration should fail when USMT detects that there are multiple instances of Windows installed on the source machine. When the **<failOnMultipleWinDir>** element isn’t present, the default behavior is that the migration does not fail. +This element is an optional child of **<offline>**. The **<failOnMultipleWinDir>** element allows the user to specify that the migration should fail when USMT detects that there are multiple instances of Windows installed on the source machine. When the **<failOnMultipleWinDir>** element isn't present, the default behavior is that the migration does not fail. Syntax: <failOnMultipleWinDir>1</failOnMultipleWinDir> or Syntax: <failOnMultipleWinDir>0</failOnMultipleWinDir> diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md index eebb4c23d3..1a5ba3389e 100644 --- a/windows/deployment/usmt/understanding-migration-xml-files.md +++ b/windows/deployment/usmt/understanding-migration-xml-files.md @@ -21,7 +21,7 @@ You can modify the behavior of a basic User State Migration Tool (USMT)10.0 migr This topic provides an overview of the default and custom migration XML files and includes guidelines for creating and editing a customized version of the MigDocs.xml file. The MigDocs.xml file uses the new **GenerateDocPatterns** function available in USMT to automatically find user documents on a source computer. -## In This Topic +## In This topic [Overview of the Config.xml file](#bkmk-config) @@ -435,7 +435,7 @@ In the examples below, the source computer has a .txt file called "new text docu -To exclude the new text document.txt file as well as any .txt files in “new folder”, you can do the following: +To exclude the new text document.txt file as well as any .txt files in "new folder", you can do the following: **Example 1: Exclude all .txt files in a folder** diff --git a/windows/deployment/usmt/usmt-best-practices.md b/windows/deployment/usmt/usmt-best-practices.md index 81f3d94585..acf803b701 100644 --- a/windows/deployment/usmt/usmt-best-practices.md +++ b/windows/deployment/usmt/usmt-best-practices.md @@ -1,6 +1,7 @@ --- title: USMT Best Practices (Windows 10) -description: Learn about general and security-related best practices when using User State Migration Tool (USMT) 10.0. +description: This article discusses general and security-related best practices when using User State Migration Tool (USMT) 10.0. +ms.custom: seo-marvel-apr2020 ms.assetid: e3cb1e78-4230-4eae-b179-e6e9160542d2 ms.reviewer: manager: laurawi diff --git a/windows/deployment/usmt/usmt-common-migration-scenarios.md b/windows/deployment/usmt/usmt-common-migration-scenarios.md index ce5b144011..30930ac481 100644 --- a/windows/deployment/usmt/usmt-common-migration-scenarios.md +++ b/windows/deployment/usmt/usmt-common-migration-scenarios.md @@ -21,7 +21,7 @@ You use the User State Migration Tool (USMT) 10.0 when hardware and/or operatin One common scenario when only the operating system, and not the hardware, is being upgraded is referred to as *PC refresh*. A second common scenario is known as *PC replacement*, where one piece of hardware is being replaced, typically by newer hardware and a newer operating system. -## In This Topic +## In this topic [PC Refresh](#bkmk-pcrefresh) @@ -59,7 +59,7 @@ A company has just received funds to update the operating system on all of its c 1. On each computer, the administrator boots the machine into WinPE and runs the ScanState command-line tool, specifying the **/hardlink /nocompress** command-line options. ScanState saves the user state to a hard-link migration store on each computer, improving performance by minimizing network traffic as well as minimizing migration failures on computers with very limited space available on the hard drive. -2. On each computer, the administrator installs the company’s standard operating environment (SOE) which includes Windows 10 and other company applications. +2. On each computer, the administrator installs the company's standard operating environment (SOE) which includes Windows 10 and other company applications. 3. The administrator runs the LoadState command-line tool on each computer. LoadState restores each user state back to each computer. @@ -89,7 +89,7 @@ A company has decided to update the operating system on all of its computers to 1. The administrator clean installs Windows 10 on each computer, making sure that the Windows.old directory is created by installing Windows 10 without formatting or repartitioning and by selecting a partition that contains the previous version of Windows. -2. On each computer, the administrator installs the company’s SOE which includes company applications. +2. On each computer, the administrator installs the company's SOE which includes company applications. 3. The administrator runs the ScanState and LoadState command-line tools successively on each computer while specifying the **/hardlink /nocompress** command-line options. @@ -118,13 +118,13 @@ A company is allocating 20 new computers to users in the accounting department. A company receives 50 new laptops for their managers and needs to reallocate 50 older laptops to new employees. In this scenario, an administrator runs the ScanState tool from the cmd prompt on each computer to collect the user states and save them to a server in a compressed migration store. -1. The administrator runs the ScanState tool on each of the manager’s old laptops, and saves each user state to a server. +1. The administrator runs the ScanState tool on each of the manager's old laptops, and saves each user state to a server. 2. On the new laptops, the administrator installs the company's SOE, which includes Windows 10 and other company applications. -3. The administrator runs the LoadState tool on the new laptops to migrate the managers’ user states to the appropriate computer. The new laptops are now ready for the managers to use. +3. The administrator runs the LoadState tool on the new laptops to migrate the managers' user states to the appropriate computer. The new laptops are now ready for the managers to use. -4. On the old computers, the administrator installs the company’s SOE, which includes Windows 10, Microsoft Office, and other company applications. The old computers are now ready for the new employees to use. +4. On the old computers, the administrator installs the company's SOE, which includes Windows 10, Microsoft Office, and other company applications. The old computers are now ready for the new employees to use. ### Scenario Three: Managed network migration diff --git a/windows/deployment/usmt/usmt-configxml-file.md b/windows/deployment/usmt/usmt-configxml-file.md index 6a280b171a..084c869c9a 100644 --- a/windows/deployment/usmt/usmt-configxml-file.md +++ b/windows/deployment/usmt/usmt-configxml-file.md @@ -33,7 +33,7 @@ To exclude a component from the Config.xml file, set the **migrate** value to ** -## In This Topic +## In this topic In USMT there are new migration policies that can be configured in the Config.xml file. For example, you can configure additional **<ErrorControl>**, **<ProfileControl>**, and **<HardLinkStoreControl>** options. The following elements and parameters are for use in the Config.xml file only. diff --git a/windows/deployment/usmt/usmt-conflicts-and-precedence.md b/windows/deployment/usmt/usmt-conflicts-and-precedence.md index 660d157cfc..fdb0e895c5 100644 --- a/windows/deployment/usmt/usmt-conflicts-and-precedence.md +++ b/windows/deployment/usmt/usmt-conflicts-and-precedence.md @@ -31,7 +31,7 @@ When you include, exclude, and reroute files and settings, it is important to kn - **You can use the <unconditionalExclude> element to globally exclude data.** This element excludes objects, regardless of any other <include> rules that are in the .xml files. For example, you can use the <unconditionalExclude> element to exclude all MP3 files on the computer or to exclude all files from C:\\UserData. -## In This Topic +## In this topic **General** diff --git a/windows/deployment/usmt/usmt-hard-link-migration-store.md b/windows/deployment/usmt/usmt-hard-link-migration-store.md index c444a1894a..8c39400821 100644 --- a/windows/deployment/usmt/usmt-hard-link-migration-store.md +++ b/windows/deployment/usmt/usmt-hard-link-migration-store.md @@ -19,7 +19,7 @@ ms.topic: article A *hard-link migration store* enables you to perform an in-place migration where all user state is maintained on the computer while the old operating system is removed and the new operating system is installed; this is why it is best suited for the computer-refresh scenario. Use of a hard-link migration store for a computer-refresh scenario drastically improves migration performance and significantly reduces hard-disk utilization, reduces deployment costs and enables entirely new migration scenarios. -## In This Topic +## In this topic [When to Use a Hard-Link Migration](#bkmk-when) @@ -75,7 +75,7 @@ A hard link can only be created for a file on the same volume. If you copy a har For more information about hard links, please see [Hard Links and Junctions](https://go.microsoft.com/fwlink/p/?LinkId=132934) -In most aspects, a hard-link migration store is identical to an uncompressed migration store. It is located where specified by the Scanstate command-line tool and you can view the contents of the store by using Windows® Explorer. Once created, it can be deleted or copied to another location without changing user state. Restoring a hard-link migration store is similar to restoring any other migration store; however, as with creating the store, the same hard-link functionality is used to keep files in-place. +In most aspects, a hard-link migration store is identical to an uncompressed migration store. It is located where specified by the Scanstate command-line tool and you can view the contents of the store by using Windows® Explorer. Once created, it can be deleted or copied to another location without changing user state. Restoring a hard-link migration store is similar to restoring any other migration store; however, as with creating the store, the same hard-link functionality is used to keep files in-place. As a best practice, we recommend that you delete the hard-link migration store after you confirm that the Loadstate tool has successfully migrated the files. Since Loadstate has created new paths to the files on your new installation of a Windows operating system, deleting the hard links in the migration store will only delete one path to the files and will not delete the actual files or the paths to them from your new operating system. diff --git a/windows/deployment/usmt/usmt-identify-users.md b/windows/deployment/usmt/usmt-identify-users.md index f592773c30..d86d82ae25 100644 --- a/windows/deployment/usmt/usmt-identify-users.md +++ b/windows/deployment/usmt/usmt-identify-users.md @@ -18,7 +18,7 @@ ms.localizationpriority: medium It is important to carefully consider how you plan to migrate users. By default, all users are migrated by User State Migration Tool (USMT) 5.0. You must specify which users to include by using the command line. You cannot specify users in the .xml files. For instructions on how to migrate users, see [Migrate User Accounts](usmt-migrate-user-accounts.md). -## In This Topic +## In this topic - [Migrating Local Accounts](#bkmk-8) - [Migrating Domain Accounts](#bkmk-9) diff --git a/windows/deployment/usmt/usmt-loadstate-syntax.md b/windows/deployment/usmt/usmt-loadstate-syntax.md index 2a52999416..f421c5d9ee 100644 --- a/windows/deployment/usmt/usmt-loadstate-syntax.md +++ b/windows/deployment/usmt/usmt-loadstate-syntax.md @@ -17,9 +17,9 @@ ms.topic: article # LoadState Syntax -This topic discusses the **LoadState** command syntax and options. +This topic discusses the **LoadState** command syntax and options available with it. -## In This Topic +## In this topic [Before You Begin](#before) @@ -462,7 +462,7 @@ You can use the **/uel**, **/ue** and **/ui** options together to migrate only t **The /ui option has precedence over the /ue and /uel options.** If a user is specified to be included using the **/ui** option, and also specified to be excluded using either the **/ue** or **/uel** options, the user will be included in the migration. For example, if you specify `/ui:contoso\* /ue:contoso\user1`, then User1 will be migrated, because the **/ui** option takes precedence over the **/ue** option. -**The /uel option takes precedence over the /ue option.** If a user has logged on within the specified time period set by the **/uel** option, that user’s profile will be migrated even if they are excluded by using the **/ue** option. For example, if you specify `/ue:contoso\user1 /uel:14`, the User1 will be migrated if they have logged on to the computer within the last 14 days. +**The /uel option takes precedence over the /ue option.** If a user has logged on within the specified time period set by the **/uel** option, that user's profile will be migrated even if they are excluded by using the **/ue** option. For example, if you specify `/ue:contoso\user1 /uel:14`, the User1 will be migrated if they have logged on to the computer within the last 14 days. diff --git a/windows/deployment/usmt/usmt-log-files.md b/windows/deployment/usmt/usmt-log-files.md index 7460f63692..63fcf4af6f 100644 --- a/windows/deployment/usmt/usmt-log-files.md +++ b/windows/deployment/usmt/usmt-log-files.md @@ -251,7 +251,7 @@ The following examples describe common scenarios in which you can use the diagno **Why is this file not migrating when I authored an "include" rule for it?** -Let’s imagine that we have the following directory structure and that we want the “data” directory to be included in the migration along with the “New Text Document.txt” file in the “New Folder.” The directory of **C:\\data** contains: +Let's imagine that we have the following directory structure and that we want the "data" directory to be included in the migration along with the "New Text Document.txt" file in the "New Folder." The directory of **C:\\data** contains: ``` 01/21/2009 10:08 PM . @@ -293,7 +293,7 @@ To migrate these files you author the following migration XML: ``` -However, upon testing the migration you notice that the “New Text Document.txt” file isn’t included in the migration. To troubleshoot this failure, the migration can be repeated with the environment variable MIG\_ENABLE\_DIAG set such that the diagnostic log is generated. Upon searching the diagnostic log for the component “DATA1”, the following XML section is discovered: +However, upon testing the migration you notice that the "New Text Document.txt" file isn't included in the migration. To troubleshoot this failure, the migration can be repeated with the environment variable MIG\_ENABLE\_DIAG set such that the diagnostic log is generated. Upon searching the diagnostic log for the component "DATA1", the following XML section is discovered: ``` xml @@ -312,7 +312,7 @@ However, upon testing the migration you notice that the “New Text Document.txt ``` -Analysis of this XML section reveals the migunit that was created when the migration rule was processed. The <Perform> section details the actual files that were scheduled for gathering and the result of the gathering operation. The “New Text Document.txt” file doesn’t appear in this section, which confirms that the migration rule was not correctly authored. +Analysis of this XML section reveals the migunit that was created when the migration rule was processed. The <Perform> section details the actual files that were scheduled for gathering and the result of the gathering operation. The "New Text Document.txt" file doesn't appear in this section, which confirms that the migration rule was not correctly authored. An analysis of the XML elements reference topic reveals that the <pattern> tag needs to be modified as follows: @@ -345,7 +345,7 @@ This diagnostic log confirms that the modified <pattern> value enables the **Why is this file migrating when I authored an exclude rule excluding it?** -In this scenario, you have the following directory structure and you want all files in the “data” directory to migrate, except for text files. The **C:\\Data** folder contains: +In this scenario, you have the following directory structure and you want all files in the "data" directory to migrate, except for text files. The **C:\\Data** folder contains: ``` Directory of C:\Data @@ -395,7 +395,7 @@ You author the following migration XML: ``` -However, upon testing the migration you notice that all the text files are still included in the migration. In order to troubleshoot this issue, the migration can be performed with the environment variable MIG\_ENABLE\_DIAG set so that the diagnostic log is generated. Upon searching the diagnostic log for the component “DATA1”, the following XML section is discovered: +However, upon testing the migration you notice that all the text files are still included in the migration. In order to troubleshoot this issue, the migration can be performed with the environment variable MIG\_ENABLE\_DIAG set so that the diagnostic log is generated. Upon searching the diagnostic log for the component "DATA1", the following XML section is discovered: ``` xml diff --git a/windows/deployment/usmt/usmt-overview.md b/windows/deployment/usmt/usmt-overview.md index 5ec6da19d3..f8d35246e7 100644 --- a/windows/deployment/usmt/usmt-overview.md +++ b/windows/deployment/usmt/usmt-overview.md @@ -51,11 +51,3 @@ There are some scenarios in which the use of USMT is not recommended. These incl ## Related topics - [User State Migration Tool (USMT) Technical Reference](usmt-technical-reference.md) - - -  - - - - - diff --git a/windows/deployment/usmt/usmt-technical-reference.md b/windows/deployment/usmt/usmt-technical-reference.md index 74dbc40088..3c31b7bf4b 100644 --- a/windows/deployment/usmt/usmt-technical-reference.md +++ b/windows/deployment/usmt/usmt-technical-reference.md @@ -12,6 +12,7 @@ audience: itpro author: greg-lindsay ms.date: 04/19/2017 ms.topic: article +ms.custom: seo-marvel-apr2020 --- # User State Migration Tool (USMT) Technical Reference @@ -37,12 +38,12 @@ USMT also includes a set of three modifiable .xml files: Additionally, you can create custom .xml files to support your migration needs. You can also create a Config.xml file to specify files or settings to exclude from the migration. -USMT tools can be used on several versions of Windows operating systems, for more information, see [USMT Requirements](usmt-requirements.md). For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) 4.0 User’s Guide](https://go.microsoft.com/fwlink/p/?LinkId=246564). +USMT tools can be used on several versions of Windows operating systems, for more information, see [USMT Requirements](usmt-requirements.md). For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) 4.0 User's Guide](https://go.microsoft.com/fwlink/p/?LinkId=246564). -## In This Section +## In this section |Topic |Description| |------|-----------| -|[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)|Describes what’s new in USMT, how to get started with USMT, and the benefits and limitations of using USMT.| +|[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)|Describes what's new in USMT, how to get started with USMT, and the benefits and limitations of using USMT.| |[User State Migration Tool (USMT) How-to topics](usmt-how-to.md)|Includes step-by-step instructions for using USMT, as well as how-to topics for conducting tasks in USMT.| |[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)|Provides answers to frequently asked questions and common issues in USMT, as well as a reference for return codes used in USMT.| |[User State Migration Toolkit (USMT) Reference](usmt-reference.md)|Includes reference information for migration planning, migration best practices, command-line syntax, using XML, and requirements for using USMT.| diff --git a/windows/deployment/usmt/usmt-test-your-migration.md b/windows/deployment/usmt/usmt-test-your-migration.md index 564ab2c53c..b3ec645a60 100644 --- a/windows/deployment/usmt/usmt-test-your-migration.md +++ b/windows/deployment/usmt/usmt-test-your-migration.md @@ -43,12 +43,3 @@ For testing purposes, you can create an uncompressed store using the **/hardlink [Plan Your Migration](usmt-plan-your-migration.md) [Log Files](usmt-log-files.md) - - - - - - - - - diff --git a/windows/deployment/usmt/usmt-xml-elements-library.md b/windows/deployment/usmt/usmt-xml-elements-library.md index c05b8c1535..2399213435 100644 --- a/windows/deployment/usmt/usmt-xml-elements-library.md +++ b/windows/deployment/usmt/usmt-xml-elements-library.md @@ -17,12 +17,10 @@ ms.topic: article # XML Elements Library -## Overview - This topic describes the XML elements and helper functions that you can employ to author migration .xml files to use with User State Migration Tool (USMT). It is assumed that you understand the basics of XML. . -## In This Topic +## In this topic In addition to XML elements and helper functions, this topic describes how to specify encoded locations and locations patterns, functions that are for internal USMT use only, and the version tags that you can use with helper functions. @@ -326,7 +324,7 @@ Syntax: ## <component> -The <component> element is required in a custom .xml file. This element defines the most basic construct of a migration .xml file. For example, in the MigApp.xml file, "Microsoft® Office 2003" is a component that contains another component, "Microsoft Office Access® 2003". You can use the child elements to define the component. +The <component> element is required in a custom .xml file. This element defines the most basic construct of a migration .xml file. For example, in the MigApp.xml file, "Microsoft® Office 2003" is a component that contains another component, "Microsoft Office Access® 2003". You can use the child elements to define the component. A component can be nested inside another component; that is, the <component> element can be a child of the <role> element within the <component> element in two cases: 1) when the parent <component> element is a container or 2) if the child <component> element has the same role as the parent <component> element. @@ -365,7 +363,7 @@ hidden="Yes|No"> - + @@ -598,7 +596,7 @@ For example: - + @@ -3131,8 +3129,8 @@ This filter helper function can be used to filter the migration of files based o +

    Date: "2008/05/15-2005/05/17", "2008/05/15"

    +

    Size: A numeral with B, KB, MB, or GB at the end. "5GB", "1KB-1MB"

    Yes

    You can use the following to group settings, and define the type of the component.

      -

    • System: Operating system settings. All Windows® components are defined by this type.

      +

    • System: Operating system settings. All Windows® components are defined by this type.

      When type="System" and defaultSupported="FALSE" the settings will not migrate unless there is an equivalent component in the .xml files that is specified on the LoadState command line. For example, the default MigSys.xml file contains components with type="System" and defaultSupported="FALSE". If you specify this file on the ScanState command line, you must also specify the file on the LoadState command line for the settings to migrate. This is because the LoadState tool must detect an equivalent component. That is, the component must have the same migration urlid of the .xml file and an identical display name. Otherwise, the LoadState tool will not migrate those settings from the store. This is helpful when the source computer is running Windows XP, and you are migrating to both Windows Vista and Windows XP because you can use the same store for both destination computers.

    • Application: Settings for an application.

    • Device: Settings for a device.

      • @@ -556,7 +554,7 @@ For example:

    OSType

    Yes

    Can be 9x or NT. If OSType does not match the type of the current operating system, then it returns FALSE. For example, if the current operating system is Windows NT-based and OSType is “9x”, the result will be FALSE.

    Can be 9x or NT. If OSType does not match the type of the current operating system, then it returns FALSE. For example, if the current operating system is Windows NT-based and OSType is "9x", the result will be FALSE.

    OSVersion

    OSType

    Yes

    Can be 9x or NT. If OSType does not match the type of the current operating system, then it returns FALSE. For example, if the current operating system is Windows NT-based and OSType is “9x” the result will be FALSE.

    Can be 9x or NT. If OSType does not match the type of the current operating system, then it returns FALSE. For example, if the current operating system is Windows NT-based and OSType is "9x" the result will be FALSE.

    OSVersion

    valueToCompare

    The value we are comparing. For example:

    -

    Date: “2008/05/15-2005/05/17”, “2008/05/15”

    -

    Size: A numeral with B, KB, MB, or GB at the end. “5GB”, “1KB-1MB”
    @@ -3464,8 +3462,8 @@ Syntax:

You can either:

    -

  1. Specify up to three <role> elements within a <component> — one “Binaries” role element, one “Settings” role element and one “Data” role element. These parameters do not change the migration behavior — their only purpose is to help you categorize the settings that you are migrating. You can nest these <role> elements, but each nested element must be of the same role parameter.

    2. -

  2. Specify one “Container” <role> element within a <component> element. In this case, you cannot specify any child <rules> elements, only other <component> elements. And each child <component> element must have the same type as that of parent <component> element. For example:

    3. +

  3. Specify up to three <role> elements within a <component> — one "Binaries" role element, one "Settings" role element and one "Data" role element. These parameters do not change the migration behavior — their only purpose is to help you categorize the settings that you are migrating. You can nest these <role> elements, but each nested element must be of the same role parameter.

    4. +

  4. Specify one "Container" <role> element within a <component> element. In this case, you cannot specify any child <rules> elements, only other <component> elements. And each child <component> element must have the same type as that of parent <component> element. For example:

<component context="UserAndSystem" type="Application">
   <displayName _locID="migapp.msoffice2003">Microsoft Office 2003</displayName> 
@@ -3846,7 +3844,7 @@ See the last component in the MigUser.xml file for an example of this element.
 ~~~
 **Example:**
 
-If GenerateUserPattens('File','%userprofile% \[\*.doc\]','FALSE') is called while USMT is processing user A, then this function will only generate patterns for users B and C. You can use this helper function to build complex rules. For example, to migrate all .doc files from the source computer — but if user X is not migrated, then do not migrate any of the .doc files from user X’s profile.
+If GenerateUserPattens('File','%userprofile% \[\*.doc\]','FALSE') is called while USMT is processing user A, then this function will only generate patterns for users B and C. You can use this helper function to build complex rules. For example, to migrate all .doc files from the source computer — but if user X is not migrated, then do not migrate any of the .doc files from user X's profile.
 
 The following is example code for this scenario. The first <rules> element migrates all.doc files on the source computer with the exception of those inside C:\\Documents and Settings. The second <rules> elements will migrate all .doc files from C:\\Documents and Settings with the exception of the .doc files in the profiles of the other users. Because the second <rules> element will be processed in each migrated user context, the end result will be the desired behavior. The end result is the one we expected.
 
@@ -4103,12 +4101,12 @@ Syntax:
 
 
name

 
Yes

-
ID is a string value that is the name used to reference the environment variable. We recommend that ID start with the component’s name to avoid namespace collisions. For example, if your component’s name is MyComponent, and you want a variable that is your component’s install path, you could specify MyComponent.InstallPath.

+
ID is a string value that is the name used to reference the environment variable. We recommend that ID start with the component's name to avoid namespace collisions. For example, if your component's name is MyComponent, and you want a variable that is your component's install path, you could specify MyComponent.InstallPath.

 
 
 
remap

 
No, default = FALSE

-
Specifies whether to evaluate this environment variable as a remapping environment variable. Objects that are located in a path that is underneath this environment variable’s value are automatically moved to where the environment variable points on the destination computer.

+
Specifies whether to evaluate this environment variable as a remapping environment variable. Objects that are located in a path that is underneath this environment variable's value are automatically moved to where the environment variable points on the destination computer.

 
 
 
@@ -4227,27 +4225,27 @@ The following functions are for internal USMT use only. Do not use them in an .x
 
 You can use the following version tags with various helper functions:
 
--   “CompanyName”
+-   "CompanyName"
 
--   “FileDescription”
+-   "FileDescription"
 
--   “FileVersion”
+-   "FileVersion"
 
--   “InternalName”
+-   "InternalName"
 
--   “LegalCopyright”
+-   "LegalCopyright"
 
--   “OriginalFilename”
+-   "OriginalFilename"
 
--   “ProductName”
+-   "ProductName"
 
--   “ProductVersion”
+-   "ProductVersion"
 
 The following version tags contain values that can be compared:
 
--   “FileVersion”
+-   "FileVersion"
 
--   “ProductVersion”
+-   "ProductVersion"
 
 ## Related topics
 
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
index 5b4f53e98a..bc307dfc3a 100644
--- a/windows/deployment/vda-subscription-activation.md
+++ b/windows/deployment/vda-subscription-activation.md
@@ -7,6 +7,7 @@ ms.author: greglin
 author: greg-lindsay
 description: Learn how to configure virtual machines (VMs) to enable Windows 10 Subscription Activation in a Windows Virtual Desktop Access (VDA) scenario.
 keywords: upgrade, update, task sequence, deploy
+ms.custom: seo-marvel-apr2020
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.localizationpriority: medium
diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
index 893b4f6f7c..e9c419383d 100644
--- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
+++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
@@ -1,6 +1,7 @@
 ---
 title: Activate using Active Directory-based activation (Windows 10)
-description: Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects.
+description: Learn how active directory-based activation is implemented as a role service that relies on AD DS to store activation objects.
+ms.custom: seo-marvel-apr2020
 ms.assetid: 08cce6b7-7b5b-42cf-b100-66c363a846af
 ms.reviewer: 
 manager: laurawi
diff --git a/windows/deployment/volume-activation/configure-client-computers-vamt.md b/windows/deployment/volume-activation/configure-client-computers-vamt.md
index f4e102124a..952db8ab4a 100644
--- a/windows/deployment/volume-activation/configure-client-computers-vamt.md
+++ b/windows/deployment/volume-activation/configure-client-computers-vamt.md
@@ -24,8 +24,8 @@ To enable the Volume Activation Management Tool (VAMT) to function correctly, ce
 
 Organizations where the VAMT will be widely used may benefit from making these changes inside the master image for Windows.
 
-> [IMPORTANT]  
-> This procedure only applies to clients running Windows Vista or later. For clients running Windows XP Service Pack 1, see [Connecting Through Windows Firewall](https://docs.microsoft.com/windows/win32/wmisdk/connecting-to-wmi-remotely-with-vbscript).
+> [IMPORTANT]
+> This procedure only applies to clients running Windows Vista or later. For clients running Windows XP Service Pack 1, see [Connecting Through Windows Firewall](https://docs.microsoft.com/windows/win32/wmisdk/connecting-to-wmi-remotely-with-vbscript).
 
 ## Configuring the Windows Firewall to allow VAMT access
 
diff --git a/windows/deployment/volume-activation/volume-activation-management-tool.md b/windows/deployment/volume-activation/volume-activation-management-tool.md
index c73cbc4546..23c0a83614 100644
--- a/windows/deployment/volume-activation/volume-activation-management-tool.md
+++ b/windows/deployment/volume-activation/volume-activation-management-tool.md
@@ -13,13 +13,14 @@ audience: itpro
 author: greg-lindsay
 ms.date: 04/25/2017
 ms.topic: article
+ms.custom: seo-marvel-apr2020
 ---
 
 # Volume Activation Management Tool (VAMT) Technical Reference
 
-The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process.
+The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process.
 VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in that requires the Microsoft Management Console (MMC) 3.0. VAMT can be installed on any computer that has one of the following Windows operating systems:
--   Windows® 7 or above
+-   Windows® 7 or above
 -   Windows Server 2008 R2 or above
 
 
@@ -28,7 +29,7 @@ VAMT is designed to manage volume activation for: Windows 7, Windows 8, Window
 
 VAMT is only available in an EN-US (x86) package.
 
-## In this Section
+## In this section
 
 |Topic |Description |
 |------|------------|
diff --git a/windows/deployment/windows-10-deployment-tools-reference.md b/windows/deployment/windows-10-deployment-tools-reference.md
index 2321163bd1..9bb72ea7bb 100644
--- a/windows/deployment/windows-10-deployment-tools-reference.md
+++ b/windows/deployment/windows-10-deployment-tools-reference.md
@@ -26,5 +26,5 @@ Learn about the tools available to deploy Windows 10.
 |[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
 |[Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) |The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. |
 |[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. |
-|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. |
+|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. |
 |[User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) |The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals |
diff --git a/windows/deployment/windows-10-deployment-tools.md b/windows/deployment/windows-10-deployment-tools.md
index 33f7b49f5e..6a20248ebe 100644
--- a/windows/deployment/windows-10-deployment-tools.md
+++ b/windows/deployment/windows-10-deployment-tools.md
@@ -26,5 +26,5 @@ Learn about the tools available to deploy Windows 10.
 |[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
 |[Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) |The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. |
 |[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. |
-|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. |
+|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. |
 |[User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) |The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals |
diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md
index c10e477cff..8e1f84c95e 100644
--- a/windows/deployment/windows-10-poc-mdt.md
+++ b/windows/deployment/windows-10-poc-mdt.md
@@ -1,6 +1,7 @@
 ---
 title: Step by step - Deploy Windows 10 in a test lab using MDT
-description: Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT)
+description: In this article, you'll learn how to deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT).
+ms.custom: seo-marvel-apr2020
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
index 1db27c1143..87baccf225 100644
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md
@@ -1,6 +1,6 @@
 ---
-title: Step by step - Deploy Windows 10 using Microsoft Endpoint Configuration Manager
-description: Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager
+title: Steps to deploy Windows 10 with Microsoft Endpoint Configuration Manager
+description: In this article, you'll learn how to deploy Windows 10 in a test lab using Microsoft endpoint configuration manager.
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -14,6 +14,7 @@ ms.author: greglin
 author: greg-lindsay
 audience: itpro
 ms.topic: article
+ms.custom: seo-marvel-apr2020
 ---
 
 # Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index 6b3110a329..a956b7fa4b 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -1,11 +1,12 @@
 ---
 title: Configure a test lab to deploy Windows 10
+description: In this article, you will learn about concepts and procedures for deploying Windows 10 in a proof of concept lab environment.
+ms.custom: seo-marvel-apr2020
 ms.reviewer: 
 manager: laurawi
 ms.audience: itpro
 ms.author: greglin
 author: greg-lindsay
-description: Concepts and procedures for deploying Windows 10 in a proof of concept lab environment.
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index dba46b0368..fb1755d660 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -1,7 +1,8 @@
 ---
 title: Windows 10 Subscription Activation
-description: How to dynamically enable Windows 10 Enterprise or Education subscriptions
+description: In this article, you will learn how to dynamically enable Windows 10 Enterprise or Education subscriptions.
 keywords: upgrade, update, task sequence, deploy
+ms.custom: seo-marvel-apr2020
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.localizationpriority: medium
@@ -39,7 +40,7 @@ Organizations that have an Enterprise agreement can also benefit from the new se
 
 Subscription Activation for Education works the same as the Enterprise version, but in order to use Subscription Activation for Education, you must have a device running Windows 10 Pro Education, version 1903 or later and an active subscription plan with a Windows 10 Enterprise license. For more information, see the [requirements](#windows-10-education-requirements) section.
 
-## In this article
+## Summary
 
 - [Inherited Activation](#inherited-activation): Description of a new feature available in Windows 10, version 1803 and later.
 - [The evolution of Windows 10 deployment](#the-evolution-of-deployment): A short history of Windows deployment.
@@ -60,7 +61,6 @@ To support Inherited Activation, both the host computer and the VM must be runni
 
 ## The evolution of deployment
 
-> [!NOTE] 
 > The original version of this section can be found at [Changing between Windows SKUs](https://blogs.technet.microsoft.com/mniehaus/2017/10/09/changing-between-windows-skus/).
 
 The following figure illustrates how deploying Windows 10 has evolved with each release. With this release, deployment is automatic.
@@ -105,9 +105,9 @@ If the device is running Windows 10, version 1809 or later:
 1. Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch.
 2. When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below:
 
-   ![Subscription Activation with MFA1](images/sa-mfa1.png)

-   ![Subscription Activation with MFA2](images/sa-mfa2.png)

-   ![Subscription Activation with MFA2](images/sa-mfa3.png)
+![Subscription Activation with MFA example 1](images/sa-mfa1.png)

+![Subscription Activation with MFA example 2](images/sa-mfa2.png)

+![Subscription Activation with MFA example 3](images/sa-mfa3.png)
 
 ### Windows 10 Education requirements
 
@@ -116,8 +116,8 @@ If the device is running Windows 10, version 1809 or later:
 3. The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription.
 4. Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported.
 
-> [!IMPORTANT]
-> If Windows 10 Pro is converted to Windows 10 Pro Education [by using benefits available in Store for Education](https://docs.microsoft.com/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device by using a Windows 10 Pro Education edition.
+> If Windows 10 Pro is converted to Windows 10 Pro Education [using benefits available in Store for Education](https://docs.microsoft.com/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition.
+
 
 ## Benefits
 
@@ -154,10 +154,9 @@ Before Windows 10, version 1903:

 After Windows 10, version 1903:

 ![1903](images/after.png)
 
-> [!NOTE]
-> - A Windows 10 Pro Education device will only step up to Windows 10 Education edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
-> 
-> - A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
+Note:
+1. A Windows 10 Pro Education device will only step up to Windows 10 Education edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
+2. A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
 
 ### Scenarios
 
@@ -196,8 +195,7 @@ When you have the required Azure AD subscription, group-based licensing is the p
 
 If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise.
 
-> [!CAUTION]
-> Firmware-embedded Windows 10 activation happens automatically only when we go through the Out-of-Box Experience (OOBE).
+Caution: Firmware-embedded Windows 10 activation happens automatically only when we go through OOBE(Out Of Box Experience)
 
 If you are using Windows 10, version 1607, 1703, or 1709 and have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you can seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key.
 
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index f0a7008b37..6b57a9ab0d 100644
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
@@ -2,7 +2,7 @@
 title: Demonstrate Autopilot deployment
 ms.reviewer:
 manager: laurawi
-description: Step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment
+description: In this article, find step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment.
 keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, upgrade
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -13,7 +13,9 @@ author: greg-lindsay
 ms.author: greglin
 ms.collection: M365-modern-desktop
 ms.topic: article
-ms.custom: autopilot
+ms.custom: 
+ - autopilot
+ - seo-marvel-apr2020
 ---
 
 
@@ -218,20 +220,20 @@ PS C:\autopilot>
 
 Ensure the VM booted from the installation ISO, click **Next** then click **Install now** and complete the Windows installation process. See the following examples:
 
-   ![Windows setup](images/winsetup1.png)
-   ![Windows setup](images/winsetup2.png)
-   ![Windows setup](images/winsetup3.png)
-   ![Windows setup](images/winsetup4.png)
-   ![Windows setup](images/winsetup5.png)
-   ![Windows setup](images/winsetup6.png)
+   ![Windows setup example 1](images/winsetup1.png)
+   ![Windows setup example 2](images/winsetup2.png)
+   ![Windows setup example 3](images/winsetup3.png)
+   ![Windows setup example 4](images/winsetup4.png)
+   ![Windows setup example 5](images/winsetup5.png)
+   ![Windows setup example 6](images/winsetup6.png)
 
-After the VM restarts, during OOBE, it’s fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen.  This will offer the fastest way to the desktop. For example:
+After the VM restarts, during OOBE, it's fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen.  This will offer the fastest way to the desktop. For example:
 
-   ![Windows setup](images/winsetup7.png)
+   ![Windows setup example 7](images/winsetup7.png)
 
 Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state. You will create multiple checkpoints throughout this lab, which can be used later to go through the process again.
 
-   ![Windows setup](images/winsetup8.png)
+   ![Windows setup example 8](images/winsetup8.png)
 
 To create your first checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following:
 
@@ -244,7 +246,7 @@ Click on the **WindowsAutopilot** VM in Hyper-V Manager and verify that you see
 ## Capture the hardware ID
 
 > [!NOTE]
-> Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory.  The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR).  For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you’re not going to use the OA3 Tool to capture the full 4K HH for various reasons (you’d have to install the OA3 tool, your device couldn’t have a volume license version of Windows, it’s a more complicated process than using a PS script, etc.).  Instead, you’ll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool.
+> Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory.  The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR).  For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you're not going to use the OA3 Tool to capture the full 4K HH for various reasons (you'd have to install the OA3 tool, your device couldn't have a volume license version of Windows, it's a more complicated process than using a PS script, etc.).  Instead, you'll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool.
 
 Follow these steps to run the PS script:
 
@@ -303,7 +305,7 @@ Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory
 
 ![Serial number and hardware hash](images/hwid.png)
 
-You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal.  If you are using a physical device instead of a VM, you can copy the file to a USB stick.  If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
+You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal.  If you are using a physical device instead of a VM, you can copy the file to a USB stick.  If you're using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
 
 If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this.
 
@@ -331,11 +333,11 @@ For this lab, you need an AAD Premium subscription.  You can tell if you have a
 
 ![MDM and Intune](images/mdm-intune2.png)
 
-If the configuration blade shown above does not appear, it’s likely that you don’t have a **Premium** subscription.  Auto-enrollment is a feature only available in AAD Premium.
+If the configuration blade shown above does not appear, it's likely that you don't have a **Premium** subscription.  Auto-enrollment is a feature only available in AAD Premium.
 
 To convert your Intune trial account to a free Premium trial account, navigate to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5.
 
-![Reset this PC final prompt](images/aad-lic1.png)
+![License conversion option](images/aad-lic1.png)
 
 ## Configure company branding
 
@@ -376,7 +378,7 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B
     > [!NOTE]
     > If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI.  You might need to provide Intune configuration privileges in a challenge window that appeared.
 
-2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer.  The file should contain the serial number and 4K HH of your VM (or device).  It’s okay if other fields (Windows Product ID) are left blank.
+2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer.  The file should contain the serial number and 4K HH of your VM (or device).  It's okay if other fields (Windows Product ID) are left blank.
 
     ![HWID CSV](images/hwid-csv.png)
 
@@ -409,7 +411,7 @@ Select **Manage** from the top menu, then click the **Windows Autopilot Deployme
 
 Click the **Add devices** link to upload your CSV file. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your new device has been added.
 
-![Devices](images/msfb-device.png)
+![Microsoft Store for Business Devices](images/msfb-device.png)
 
 ## Create and assign a Windows Autopilot deployment profile
 
@@ -425,7 +427,7 @@ Pick one:
 > [!NOTE]
 > Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list first:
 
-![Devices](images/intune-devices.png)
+![Intune Devices](images/intune-devices.png)
 
 > The example above lists both a physical device and a VM. Your list should only include only one of these.
 
@@ -473,7 +475,7 @@ To create a Group, open the Azure portal and select **Azure Active Directory** >
 
 ![All groups](images/all-groups.png)
 
-Select New group from the Groups blade to open the new groups UI.  Select the “Security” group type, name the group, and select the “Assigned” membership type:
+Select New group from the Groups blade to open the new groups UI.  Select the "Security" group type, name the group, and select the "Assigned" membership type:
 
 Before clicking **Create**, expand the **Members** panel, click your device's serial number (it will then appear under **Selected members**) and then click **Select** to add that device to this group.
 
@@ -495,9 +497,9 @@ Under **Manage**, click **Assignments**, and then with the **Include** tab highl
 
 Click **Select** and then click **Save**.
 
-![Include group](images/include-group2.png)
+![Include group save](images/include-group2.png)
 
-It’s also possible to assign specific users to a profile, but we will not cover this scenario in the lab. For more detailed information, see [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot).
+It's also possible to assign specific users to a profile, but we will not cover this scenario in the lab. For more detailed information, see [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot).
 
 ### Create a Windows Autopilot deployment profile using MSfB
 
@@ -517,15 +519,15 @@ To CREATE the profile:
 
 Select your device from the **Devices** list:
 
-![MSfB create](images/msfb-create1.png)
+![MSfB create step 1](images/msfb-create1.png)
 
 On the Autopilot deployment dropdown menu, select **Create new profile**:
 
-![MSfB create](images/msfb-create2.png)
+![MSfB create step 2](images/msfb-create2.png)
 
 Name the profile, choose your desired settings, and then click **Create**:
 
-![MSfB create](images/msfb-create3.png)
+![MSfB create step 3](images/msfb-create3.png)
 
 The new profile is added to the Autopilot deployment list.
 
@@ -533,25 +535,25 @@ To ASSIGN the profile:
 
 To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab, then select the profile you want to assign from the **Autopilot deployment** dropdown menu as shown:
 
-![MSfB assign](images/msfb-assign1.png)
+![MSfB assign step 1](images/msfb-assign1.png)
 
 Confirm the profile was successfully assigned to the intended device by checking the contents of the **Profile** column:
 
-![MSfB assign](images/msfb-assign2.png)
+![MSfB assign step 2](images/msfb-assign2.png)
 
 > [!IMPORTANT]
 > The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device.
 
 ## See Windows Autopilot in action
 
-If you shut down your VM after the last reset, it’s time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**:
+If you shut down your VM after the last reset, it's time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**:
 
 ![Device status](images/device-status.png)
 
 Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up.
 
 > [!TIP]
-> If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience you’re expecting.  If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started.  Under Reset this PC, select Remove everything and Just remove my files. Click on Reset).
+> If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience you're expecting.  If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started.  Under Reset this PC, select Remove everything and Just remove my files. Click on Reset).
 
 - Ensure your device has an internet connection.
 - Turn on the device
@@ -569,21 +571,21 @@ Windows Autopilot will now take over to automatically join your device into Azur
 
 ## Remove devices from Autopilot
 
-To use the device (or VM) for other purposes after completion of this lab, you will need to remove (deregister) it from Autopilot via either Intune or MSfB, and then reset it.  Instructions for deregistering devices can be found [here](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [here](https://docs.microsoft.com/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal) and below.
+To use the device (or VM) for other purposes after completion of this lab, you will need to remove (deregister) it from Autopilot via either Intune or MSfB, and then reset it.  Instructions for deregistering devices can be found at [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Remove devices by using wipe, retire, or manually unenrolling the device](https://docs.microsoft.com/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal) and below.
 
 ### Delete (deregister) Autopilot device
 
 You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into your Intune Azure portal, then navigate to **Intune > Devices > All Devices**.  Select the checkbox next to the device you want to delete, then click the Delete button along the top menu.
 
-![Delete device](images/delete-device1.png)
+![Delete device step 1](images/delete-device1.png)
 
 Click **X** when challenged to complete the operation:
 
-![Delete device](images/delete-device2.png)
+![Delete device step 2](images/delete-device2.png)
 
 This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**.
 
-![Delete device](images/delete-device3.png)
+![Delete device step 3](images/delete-device3.png)
 
 The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores.  The former (All devices) is the list of devices currently enrolled into Intune.
 
@@ -592,25 +594,25 @@ The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment
 
 To remove the device from the Autopilot program, select the device and click Delete.
 
-![Delete device](images/delete-device4.png)
+![Delete device step 4](images/delete-device4.png)
 
 A warning message appears reminding you to first remove the device from Intune, which we previously did.
 
-![Delete device](images/delete-device5.png)
+![Delete device step 5](images/delete-device5.png)
 
 At this point, your device has been unenrolled from Intune and also deregistered from Autopilot.  After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program:
 
-![Delete device](images/delete-device6.png)
+![Delete device step 6](images/delete-device6.png)
 
 Once the device no longer appears, you are free to reuse it for other purposes.
 
 If you also (optionally) want to remove your device from AAD, navigate to **Azure Active Directory > Devices > All Devices**, select your device, and click the delete button:
 
-![Delete device](images/delete-device7.png)
+![Delete device step 7](images/delete-device7.png)
 
 ## Appendix A: Verify support for Hyper-V
 
-Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
+Starting with Windows 8, the host computer's microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
 
 To verify your computer supports SLAT, open an administrator command prompt,  type **systeminfo**, press ENTER, scroll down, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
 
@@ -654,19 +656,19 @@ EPT             *       Supports Intel extended page tables (SLAT)
 
 #### Prepare the app for Intune
 
-Before we can pull an application into Intune to make it part of our AP profile, we need to “package” the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool).  After downloading the tool, gather the following three bits of information to use the tool:
+Before we can pull an application into Intune to make it part of our AP profile, we need to "package" the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool).  After downloading the tool, gather the following three bits of information to use the tool:
 
 1. The source folder for your application
 2. The name of the setup executable file
 3. The output folder for the new file
 
-For the purposes of this lab, we’ll use the Notepad++ tool as our Win32 app.
+For the purposes of this lab, we'll use the Notepad++ tool as our Win32 app.
 
 Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available) and then copy the file to a known location, such as C:\Notepad++msi.
 
 Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example:
 
-![Add app](images/app01.png)
+![Add app example](images/app01.png)
 
 After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps.
 
@@ -676,19 +678,19 @@ Log into the Azure portal and select **Intune**.
 
 Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
 
-![Add app](images/app02.png)
+![Add app step 1](images/app02.png)
 
 Under **App Type**, select **Windows app (Win32)**:
 
-![Add app](images/app03.png)
+![Add app step 2](images/app03.png)
 
 On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**:
 
-![Add app](images/app04.png)
+![Add app step 3](images/app04.png)
 
 On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as:
 
-![Add app](images/app05.png)
+![Add app step 4](images/app05.png)
 
 On the **Program Configuration** blade, supply the install and uninstall commands:
 
@@ -698,29 +700,29 @@ Uninstall:  msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q
 > [!NOTE]
 > Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool) automatically generated them when it converted the .msi file into a .intunewin file.
 
-![Add app](images/app06.png)
+![Add app step 5](images/app06.png)
 
-Simply using an install command like “notepad++.exe /S” will not actually install Notepad++; it will only launch the app.  To actually install the program, we need to use the .msi file instead.  Notepad++ doesn’t actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
+Simply using an install command like "notepad++.exe /S" will not actually install Notepad++; it will only launch the app.  To actually install the program, we need to use the .msi file instead.  Notepad++ doesn't actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
 
 Click **OK** to save your input and activate the **Requirements** blade.
 
 On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**:
 
-![Add app](images/app07.png)
+![Add app step 6](images/app07.png)
 
 Next, configure the **Detection rules**.  For our purposes, we will select manual format:
 
-![Add app](images/app08.png)
+![Add app step 7](images/app08.png)
 
 Click **Add** to define the rule properties.  For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule:
 
-![Add app](images/app09.png)
+![Add app step 8](images/app09.png)
 
 Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration.
 
 **Return codes**:  For our purposes, leave the return codes at their default values:
 
-![Add app](images/app10.png)
+![Add app step 9](images/app10.png)
 
 Click **OK** to exit.
 
@@ -730,11 +732,11 @@ Click the **Add** button to finalize and save your app package.
 
 Once the indicator message says the addition has completed.
 
-![Add app](images/app11.png)
+![Add app step 10](images/app11.png)
 
 You will be able to find your app in your app list:
 
-![Add app](images/app12.png)
+![Add app step 11](images/app12.png)
 
 #### Assign the app to your Intune profile
 
@@ -743,7 +745,7 @@ You will be able to find your app in your app list:
 
 In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade.  Then click **Assignments** from the menu:
 
-![Add app](images/app13.png)
+![Assign app step 1](images/app13.png)
 
 Select **Add Group** to open the **Add group** pane that is related to the app.
 
@@ -753,9 +755,9 @@ For our purposes, select **Required** from the **Assignment type** dropdown menu
 
 Select **Included Groups** and assign the groups you previously created that will use this app:
 
-![Add app](images/app14.png)
+![Assign app step 2](images/app14.png)
 
-![Add app](images/app15.png)
+![Assign app step 3](images/app15.png)
 
 In the **Select groups** pane, click the **Select** button.
 
@@ -765,7 +767,7 @@ In the **Add group** pane, select **OK**.
 
 In the app **Assignments** pane, select **Save**.
 
-![Add app](images/app16.png)
+![Assign app step 4](images/app16.png)
 
 At this point, you have completed steps to add a Win32 app to Intune.
 
@@ -779,15 +781,15 @@ Log into the Azure portal and select **Intune**.
 
 Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
 
-![Add app](images/app17.png)
+![Create app step 1](images/app17.png)
 
 Under **App Type**, select **Office 365 Suite > Windows 10**:
 
-![Add app](images/app18.png)
+![Create app step 2](images/app18.png)
 
 Under the **Configure App Suite** pane, select the Office apps you want to install.  For the purposes of this labe we have only selected Excel:
 
-![Add app](images/app19.png)
+![Create app step 3](images/app19.png)
 
 Click **OK**.
 
@@ -795,13 +797,13 @@ In the **App Suite Information** pane, enter a unique suite name, and a s
 
 > Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal.
 
-![Add app](images/app20.png)
+![Create app step 4](images/app20.png)
 
 Click **OK**.
 
 In the **App Suite Settings** pane, select **Monthly** for the **Update channel** (any selection would be fine for the purposes of this lab).  Also select **Yes** for **Automatically accept the app end user license agreement**:
 
-![Add app](images/app21.png)
+![Create app step 5](images/app21.png)
 
 Click **OK** and then click **Add**.
 
@@ -812,7 +814,7 @@ Click **OK** and then click **Add**.
 
 In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade.  Then click **Assignments** from the menu:
 
-![Add app](images/app22.png)
+![Create app step 6](images/app22.png)
 
 Select **Add Group** to open the **Add group** pane that is related to the app.
 
@@ -822,9 +824,9 @@ For our purposes, select **Required** from the **Assignment type** dropdown menu
 
 Select **Included Groups** and assign the groups you previously created that will use this app:
 
-![Add app](images/app23.png)
+![Create app step 7](images/app23.png)
 
-![Add app](images/app24.png)
+![Create app step 8](images/app24.png)
 
 In the **Select groups** pane, click the **Select** button.
 
@@ -834,7 +836,7 @@ In the **Add group** pane, select **OK**.
 
 In the app **Assignments** pane, select **Save**.
 
-![Add app](images/app25.png)
+![Create app step 9](images/app25.png)
 
 At this point, you have completed steps to add Office to Intune.
 
@@ -842,7 +844,7 @@ For more information on adding Office apps to Intune, see [Assign Office 365 app
 
 If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list, although it could take several minutes to populate:
 
-![Add app](images/app26.png)
+![Create app step 10](images/app26.png)
 
 ## Glossary
 
diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json
index 07a8ea153b..2fad5a8fc9 100644
--- a/windows/hub/docfx.json
+++ b/windows/hub/docfx.json
@@ -36,6 +36,7 @@
     "globalMetadata": {
       "audience": "ITPro",
       "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
+      "uhfHeaderId": "MSDocsHeader-M365-IT",
       "ms.technology": "windows",
       "ms.topic": "article",
       "feedback_system": "GitHub",
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index 289a9ff9e7..75355791f6 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -42,7 +42,7 @@ landingContent:
         links:
           - text: Configure Windows 10
             url: /windows/configuration/index
-          - text: Accesasibility information for IT Pros
+          - text: Accessibility information for IT Pros
             url: /windows/configuration/windows-10-accessibility-for-itpros
           - text: Configure access to Microsoft Store
             url: /windows/configuration/stop-employees-from-using-microsoft-store
diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json
index f7ff32cbfe..0f24cde486 100644
--- a/windows/privacy/docfx.json
+++ b/windows/privacy/docfx.json
@@ -33,6 +33,7 @@
     "externalReference": [],
     "globalMetadata": {
       "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
+      "uhfHeaderId": "MSDocsHeader-M365-IT",
       "ms.technology": "windows",
       "audience": "ITPro",
       "ms.topic": "article",
diff --git a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
index 41c5fa5a8a..4188fd5ad3 100644
--- a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
+++ b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
@@ -30,7 +30,7 @@ ms.reviewer:
 
 Desktop Analytics reports are powered by diagnostic data not included in the Basic level.
 
-In Windows 10, version 1709, we introduced a new feature: "Limit Enhanced diagnostic data to the minimum required by Windows Analytics". When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to only those described below. Note that the Enhanced level also includes limited crash reports, which are not described below. For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
+In Windows 10, version 1709, we introduced a new feature: "Limit Enhanced diagnostic data to the minimum required by Windows Analytics". When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to only the events described below. The Enhanced level also includes limited crash reports, which are not described below. For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
 
 With the retirement of Windows Analytics, this policy will continue to be supported by Desktop Analytics, but will not include Office related diagnostic data.
 
@@ -48,7 +48,7 @@ The following fields are available:
 - **GhostCount_Sum:** Total number of instances where the application stopped responding
 - **HandleCountAtExit_Sum:** Total handle count for a process when it exits
 - **HangCount_Max:** Maximum number of hangs detected
-- **HangCount_Sum:** Total number of application hangs detected
+- **HangCount_Sum:** Total number of application hangs that are detected
 - **HardFaultCountAtExit_Sum:** Total number of hard page faults detected for a process when it exits
 - **HeartbeatCount:** Heartbeats logged for this summary
 - **HeartbeatSuspendedCount:** Heartbeats logged for this summary where the process was suspended
@@ -68,7 +68,7 @@ The following fields are available:
 - **WriteSizeInKBAtExit_Sum:** Total size of IO writes for a process when it exited          
 
 ## Microsoft.Office.TelemetryEngine.IsPreLaunch
-Applicable for Office UWP applications. This event is fired when an office application is initiated for the first-time post upgrade/install from the store. This is part of basic diagnostic data, used to track whether a particular session is launch session or not.
+Applicable for Office UWP applications. This event is fired when an Office application is initiated for the first-time post upgrade/install from the store. It's part of basic diagnostic data. It's used to track whether a particular session is a launch session or not.
 
 - **appVersionBuild:** Third part of the version *.*.XXXXX.*
 - **appVersionMajor:** First part of the version X.*.*.*
@@ -77,10 +77,10 @@ Applicable for Office UWP applications. This event is fired when an office appli
 - **SessionID:** ID of the session
 
 ## Microsoft.Office.SessionIdProvider.OfficeProcessSessionStart
-This event sends basic information upon the start of a new Office session. This is used to count the number of unique sessions seen on a given device. This is used as a heartbeat event to ensure that the application is running on a device or not. In addition, it serves as a critical signal for overall application reliability.
+This event sends basic information upon the start of a new Office session. It's used to count the number of unique sessions seen on a given device. The event is used as a heartbeat event to ensure that the application is running on a device. In addition, it serves as a critical signal for overall application reliability.
 
-- **AppSessionGuid:** ID of the session which maps to the process of the application
-- **processSessionId:** ID of the session which maps to the process of the application
+- **AppSessionGuid:** ID of the session that maps to the process of the application
+- **processSessionId:** ID of the session that maps to the process of the application
 
 ## Microsoft.Office.TelemetryEngine.SessionHandOff
 Applicable to Win32 Office applications. This event helps us understand whether there was a new session created to handle a user-initiated file open event. It is a critical diagnostic information that is used to derive reliability signal and ensure that the application is working as expected.
@@ -89,7 +89,7 @@ Applicable to Win32 Office applications. This event helps us understand whether
 - **appVersionMajor:** First part of the version X.*.*.*
 - **appVersionMinor:** Second part of the version *.X.*.*
 - **appVersionRev:** Fourth part of the version *.*.*.XXXXX
-- **childSessionID:** Id of the session that was created to handle the user initiated file open
+- **childSessionID:** ID of the session that was created to handle the user initiated file open
 - **parentSessionId:** ID of the session that was already running
 
 ## Microsoft.Office.CorrelationMetadata.UTCCorrelationMetadata
@@ -102,15 +102,15 @@ Collects Office metadata through UTC to compare with equivalent data collected t
 - **appVersionMajor:** First part of the version X.*.*.*
 - **appVersionMinor:** Second part of the version *.X.*.*
 - **appVersionRevision:** Fourth part of the version *.*.*.XXXXX
-- **audienceGroup:** Is this part of the insiders or production
+- **audienceGroup:** Is this group part of the insiders or production?
 - **audienceId:** ID of the audience setting
 - **channel:** Are you part of Semi annual channel or Semi annual channel-Targeted?
-- **deviceClass:** Is this a desktop or a mobile?
+- **deviceClass:** Is this device a desktop device or a mobile device?
 - **impressionId:** What features were available to you in this session
 - **languageTag:** Language of the app
 - **officeUserID:** A unique identifier tied to the office installation on a particular device.
 - **osArchitecture:** Is the machine 32 bit or 64 bit?
-- **osEnvironment:** Is this a win32 app or a UWP app?
+- **osEnvironment:** Is this app a win32 app or a UWP app?
 - **osVersionString:** Version of the OS
 - **sessionID:** ID of the session
 
@@ -131,7 +131,7 @@ This event is fired when the telemetry engine within an office application is re
 - **appVersionMajor:** First part of the version X.*.*.*
 - **appVersionMinor:** Second part of the version *.X.*.*
 - **appVersionRev:** Fourth part of the version *.*.*.XXXXX
-- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user
 - **SessionID:** ID of the session
 
 ## Microsoft.Office.TelemetryEngine.FirstProcessed
@@ -141,7 +141,7 @@ This event is fired when the telemetry engine within an office application has p
 - **appVersionMajor:** First part of the version X.*.*.*
 - **appVersionMinor:** Second part of the version *.X.*.*
 - **appVersionRev:** Fourth part of the version *.*.*.XXXXX
-- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user
 - **SessionID:** ID of the session
 
 ## Microsoft.Office.TelemetryEngine.FirstRuleRequest
@@ -151,7 +151,7 @@ This event is fired when the telemetry engine within an office application has r
 - **appVersionMajor:** First part of the version X.*.*.*
 - **appVersionMinor:** Second part of the version *.X.*.*
 - **appVersionRev:** Fourth part of the version *.*.*.XXXXX
-- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user
 - **SessionID:** ID of the session
 
 ## Microsoft.Office.TelemetryEngine.Init
@@ -161,18 +161,18 @@ This event is fired when the telemetry engine within an office application has b
 - **appVersionMajor:** First part of the version X.*.*.*
 - **appVersionMinor:** Second part of the version *.X.*.*
 - **appVersionRev:** Fourth part of the version *.*.*.XXXXX
-- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user
 - **SessionID:** ID of the session
 
 ## Microsoft.Office.TelemetryEngine.Resume
-This event is fired when the application resumes from sleep state. Used for understanding whether there are issues in the application life-cycle.
+This event is fired when the application resumes from sleep state. Used for understanding whether there are issues in the application life cycle.
 
 - **appVersionBuild:** Third part of the version *.*.XXXXX.*
 - **appVersionMajor:** First part of the version X.*.*.*
 - **appVersionMinor:** Second part of the version *.X.*.*
 - **appVersionRev:** Fourth part of the version *.*.*.XXXXX
 - **maxSequenceIdSeen:** How many events from this session have seen so far?
-- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user
 - **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed?
 - **SessionID:** ID of the session
 
@@ -183,7 +183,7 @@ This event is fired when the telemetry engine within an office application fails
 - **appVersionMajor:** First part of the version X.*.*.*
 - **appVersionMinor:** Second part of the version *.X.*.*
 - **appVersionRev:** Fourth part of the version *.*.*.XXXXX
-- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user
 - **SessionID:** ID of the session
 
 ## Microsoft.Office.TelemetryEngine.RuleRequestFailedDueToClientOffline
@@ -193,7 +193,7 @@ This event is fired when the telemetry engine within an office application fails
 - **appVersionMajor:** First part of the version X.*.*.*
 - **appVersionMinor:** Second part of the version *.X.*.*
 - **appVersionRev:** Fourth part of the version *.*.*.XXXXX
-- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user
 - **SessionID:** ID of the session
 
 ## Microsoft.Office.TelemetryEngine.ShutdownComplete
@@ -204,7 +204,7 @@ This event is fired when the telemetry engine within an office application has p
 - **appVersionMinor:** Second part of the version *.X.*.*
 - **appVersionRev:** Fourth part of the version *.*.*.XXXXX
 - **maxSequenceIdSeen:** How many events from this session have seen so far?
-- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user
 - **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed?
 - **SessionID:** ID of the session
 
@@ -215,7 +215,7 @@ This event is fired when the telemetry engine within an office application been
 - **appVersionMajor:** First part of the version X.*.*.*
 - **appVersionMinor:** Second part of the version *.X.*.*
 - **appVersionRev:** Fourth part of the version *.*.*.XXXXX
-- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user
 - **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed?
 - **SessionID:** ID of the session
 
@@ -227,26 +227,26 @@ This event is fired when the telemetry engine within an office application has p
 - **appVersionMinor:** Second part of the version *.X.*.*
 - **appVersionRev:** Fourth part of the version *.*.*.XXXXX
 - **maxSequenceIdSeen:** How many events from this session have seen so far?
-- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user
 - **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed?
 - **SessionID:** ID of the session
 - **SuspendType:** Type of suspend
 
 ## Microsoft.Office.TelemetryEngine.SuspendStart
-This event is fired when the office application suspends as per app life-cycle change. Used for understanding whether there are issues in the application life-cycle.
+This event is fired when the office application suspends as per app life-cycle change. Used for understanding whether there are issues in the application life cycle.
 
 - **appVersionBuild:** Third part of the version *.*.XXXXX.*
 - **appVersionMajor:** First part of the version X.*.*.*
 - **appVersionMinor:** Second part of the version *.X.*.*
 - **appVersionRev:** Fourth part of the version *.*.*.XXXXX
 - **maxSequenceIdSeen:** How many events from this session have seen so far?
-- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user
 - **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed?
 - **SessionID:** ID of the session
 - **SuspendType:** Type of suspend
 
 ## Microsoft.OSG.OSS.CredProvFramework.ReportResultStop
-This event indicates the result of an attempt to authenticate a user with a credential provider. It helps Microsoft to improve logon reliability. Using this event with Desktop Analytics can help organizations monitor and improve logon success for different methods (for example, biometric) on managed devices.
+This event indicates the result of an attempt to authenticate a user with a credential provider. It helps Microsoft to improve sign-in reliability. Using this event with Desktop Analytics can help organizations monitor and improve sign-in success for different methods (for example, biometric) on managed devices.
 
 The following fields are available:
 
@@ -262,11 +262,11 @@ The following fields are available:
 - **ReturnCode:** Output of the ReportResult function
 - **SessionId:** Session identifier
 - **Sign-in error status:** The sign-in error status
-- **SubStatus:** Sign-in error sub-status
+- **SubStatus:** Sign-in error substatus
 - **UserTag:** Count of the number of times a user has selected a provider
 
 ## Microsoft.Windows.Kernel.Power.OSStateChange
-This event denotes the transition between operating system states (e.g., On, Off, Sleep, etc.). By using this event with Desktop Analytics, organizations can use this to monitor reliability and performance of managed devices
+This event denotes the transition between operating system states (On, Off, Sleep, etc.). By using this event with Desktop Analytics, organizations can monitor reliability and performance of managed devices.
 
 The following fields are available:
 
@@ -281,10 +281,10 @@ The following fields are available:
 - **EnergyChangeV2Flags:** Flags for disambiguating EnergyChangeV2 context
 - **EventSequence:** A sequential number used to evaluate the completeness of the data
 - **LastStateTransition:** ID of the last operating system state transition
-- **LastStateTransitionSub:** ID of the last operating system sub-state transition
+- **LastStateTransitionSub:** ID of the last operating system substate transition
 - **StateDurationMS:** Number of milliseconds spent in the last operating system state
 - **StateTransition:** ID of the operating system state the system is transitioning to
-- **StateTransitionSub:** ID of the operating system sub-state the system is transitioning to
+- **StateTransitionSub:** ID of the operating system substate the system is transitioning to
 - **TotalDurationMS:** Total time (in milliseconds) spent in all states since the last boot
 - **TotalUptimeMS:** Total time (in milliseconds) the device was in Up or Running states since the last boot
 - **TransitionsToOn:** Number of transitions to the Powered On state since the last boot
@@ -305,7 +305,7 @@ Sends details about any error codes detected during a failed sign-in.
 The following fields are available:
 
 - **ntsStatus:** The NTSTATUS error code status returned from an attempted sign-in
-- **ntsSubstatus:** The NTSTATUS error code sub-status returned from an attempted sign-in 
+- **ntsSubstatus:** The NTSTATUS error code substatus returned from an attempted sign-in 
 
 ## Microsoft.Windows.Security.Biometrics.Service.BioServiceActivityCapture
 Indicates that a biometric capture was compared to known templates
@@ -327,7 +327,7 @@ The following field is available:
 - **ticksSinceBoot:** Duration of boot event (milliseconds)
 
 ## Microsoft.Windows.Shell.Desktop.LogonFramework.AllLogonTasks
-This event summarizes the logon procedure to help Microsoft improve performance and reliability. By using this event with Desktop Analytics organizations can help identify logon problems on managed devices.
+This event summarizes the logon procedure to help Microsoft improve performance and reliability. By using this event with Desktop Analytics, organizations can help identify logon problems on managed devices.
 
 The following fields are available:
 
@@ -341,7 +341,7 @@ The following fields are available:
 - **wilActivity:** Indicates errors in the task to help Microsoft improve reliability.
 
 ## Microsoft.Windows.Shell.Desktop.LogonFramework.LogonTask
-This event describes system tasks which are part of the user logon sequence and helps Microsoft to improve reliability.
+This event describes system tasks that are part of the user logon sequence and helps Microsoft to improve reliability.
 
 The following fields are available:
 
@@ -359,7 +359,7 @@ For a device subject to Windows Information Protection policy, learning events a
 The following fields are available:
 
 - **actiontype:** Indicates what type of resource access the app was attempting (for example, opening a local document vs. a network resource) when it encountered a policy boundary. Useful for Windows Information Protection administrators to tune policy rules.
-- **appIdType:** Based on the type of application, this indicates what type of app rule a Windows Information Protection administrator would need to create for this app.
+- **appIdType:** Based on the type of application, this field indicates what type of app rule a Windows Information Protection administrator would need to create for this app.
 - **appname:** App that triggered the event
 - **status:** Indicates whether errors occurred during WIP learning events
 
@@ -397,11 +397,11 @@ The following fields are available:
 - **MonitorWidth:** Number of horizontal pixels in the application host monitor resolution
 - **MouseInputSec:** Total number of seconds during which there was mouse input
 - **NewProcessCount:** Number of new processes contributing to the aggregate
-- **PartATransform_AppSessionGuidToUserSid:** Flag which influences how other parts of the event are constructed
+- **PartATransform_AppSessionGuidToUserSid:** Flag that influences how other parts of the event are constructed
 - **PenInputSec:** Total number of seconds during which there was pen input
 - **SpeechRecognitionSec:** Total number of seconds of speech recognition
 - **SummaryRound:** Incrementing number indicating the round (batch) being summarized
-- **TargetAsId:** Flag which influences how other parts of the event are constructed
+- **TargetAsId:** Flag that influences how other parts of the event are constructed
 - **TotalUserOrDisplayActiveDurationMS:** Total time the user or the display was active (in milliseconds)
 - **TouchInputSec:** Total number of seconds during which there was touch input
 - **UserActiveDurationMS:** Total time that the user was active including all input methods
@@ -415,7 +415,7 @@ The following fields are available:
 ## Revisions
 
 ### PartA_UserSid removed
-A previous revision of this list stated that a field named PartA_UserSid was a member of the event Microsoft.Windows.LogonController.LogonAndUnlockSubmit. This was incorrect. The list has been updated to reflect that no such field is present in the event.
+A previous revision of this list stated that a field named PartA_UserSid was a member of the event Microsoft.Windows.LogonController.LogonAndUnlockSubmit. This statement was incorrect. The list has been updated to reflect that no such field is present in the event.
 
 ### Office events added
 In Windows 10, version 1809 (also applies to versions 1709 and 1803 starting with [KB 4462932](https://support.microsoft.com/help/4462932/windows-10-update-kb4462932) and [KB 4462933](https://support.microsoft.com/help/4462933/windows-10-update-kb4462933) respectively), 16 events were added, describing Office app launch and availability. These events were added to improve the precision of Office data in Windows Analytics.
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 956ca7dc78..c72bdf03e9 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -1659,7 +1659,7 @@ You can turn off **Enhanced Notifications** as follows:
 
   -or-
 
-- Create a new REG_SZ registry setting named **DisableEnhancedNotifications** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Reporting** to a value of **1**.
+- Create a new REG_DWORD registry setting named **DisableEnhancedNotifications** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Reporting** and enter the decimal value **1**.
 
 
 ### 24.1 Windows Defender SmartScreen
diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
index a1832d8486..b1c3b25c91 100644
--- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
+++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
@@ -1638,7 +1638,7 @@ The following fields are available:
 - **LicenseStateReason**  Retrieves why (or how) a system is licensed or unlicensed.  The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store.
 - **OA3xOriginalProductKey**  Retrieves the License key stamped by the OEM to the machine.
 - **OSEdition**  Retrieves the version of the current OS.
-- **OSInstallType**  Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc
+- **OSInstallType**  Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc.
 - **OSOOBEDateTime**  Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC).
 - **OSSKU**  Retrieves the Friendly Name of OS Edition.
 - **OSSubscriptionStatus**  Represents the existing status for enterprise subscription feature for PRO machines.
@@ -1786,7 +1786,7 @@ This event sends data about the current user's default preferences for browser a
 The following fields are available:
 
 - **CalendarType**  The calendar identifiers that are used to specify different calendars.
-- **DefaultApp**  The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf.
+- **DefaultApp**  The current user's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf.
 - **DefaultBrowserProgId**  The ProgramId of the current user's default browser.
 - **LocaleName**  Name of the current user locale given by LOCALE_SNAME via the GetLocaleInfoEx() function.
 - **LongDateFormat**  The long date format the user has selected.
@@ -6052,7 +6052,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Sense.Client.PerformanceScript.OnboardingScript
 
-This event is triggered whenever WDATP onboarding script is run. The data collected with this event is used to keep Windows performing properly.
+This event is triggered whenever Microsoft Defender for Endpoint onboarding script is run. The data collected with this event is used to keep Windows performing properly.
 
 The following fields are available:
 
diff --git a/windows/privacy/windows-diagnostic-data-1703.md b/windows/privacy/windows-diagnostic-data-1703.md
index ef7ec52739..ffa7858d15 100644
--- a/windows/privacy/windows-diagnostic-data-1703.md
+++ b/windows/privacy/windows-diagnostic-data-1703.md
@@ -42,7 +42,7 @@ Most diagnostic events contain a header of common data:
 
 | Category Name | Examples |
 | - | - |
-| Common Data | Information that is added to most diagnostic events, if relevant and available:
  • OS name, version, build, and [locale](https://msdn.microsoft.com/library/windows/desktop/dd318716.aspx)
  • User ID -- a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic diagnostic data
  • Xbox UserID
  • Environment from which the event was logged -- Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time such the period an app is running or between boots of the OS.
  • The diagnostic event name, Event ID, [ETW](https://msdn.microsoft.com/library/windows/desktop/bb968803.aspx) opcode, version, schema signature, keywords, and flags
  • HTTP header information, including the IP address. This IP address is the source address that’s provided by the network packet header and received by the diagnostics ingestion service.
  • Various IDs that are used to correlate and sequence related events together.
  • Device ID. This is not the user provided device name, but an ID that is unique for that device.
  • Device class -- Desktop, Server, or Mobile
  • Event collection time
  • Diagnostic level --  Basic or Full, Sample level -- for sampled data, what sample level is this device opted into
 |
+| Common Data | Information that is added to most diagnostic events, if relevant and available:
  • OS name, version, build, and [locale](https://msdn.microsoft.com/library/windows/desktop/dd318716.aspx)
  • User ID - a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic diagnostic data
  • Xbox UserID
  • Environment from which the event was logged - Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time such the period an app is running or between boots of the OS.
  • The diagnostic event name, Event ID, [ETW](https://msdn.microsoft.com/library/windows/desktop/bb968803.aspx) opcode, version, schema signature, keywords, and flags
  • HTTP header information, including the IP address. This IP address is the source address that’s provided by the network packet header and received by the diagnostics ingestion service.
  • Various IDs that are used to correlate and sequence related events together.
  • Device ID. This ID is not the user provided device name, but an ID that is unique for that device.
  • Device class - Desktop, Server, or Mobile
  • Event collection time
  • Diagnostic level -  Basic or Full, Sample level - for sampled data, what sample level is this device opted into
 |
 
 ## ​Device, Connectivity, and Configuration data
 
@@ -50,38 +50,38 @@ This type of data includes details about the device, its configuration and conne
 
 | Category Name |  Examples |
 | - | - |
-| Device properties | Information about the OS and device hardware, such as:
  •  OS - version name, Edition
  • Installation type, subscription status, and genuine OS status
  • Processor architecture, speed, number of cores, manufacturer, and model
  • OEM details --manufacturer, model, and serial number
  • Device identifier and Xbox serial number
  • Firmware/BIOS -- type, manufacturer, model, and version
  • Memory -- total memory, video memory, speed, and how much memory is available after the device has reserved memory
  • Storage -- total capacity and disk type
  • Battery -- charge capacity and InstantOn support
  • Hardware chassis type, color, and form factor
  • Is this a virtual machine?
 |
-| Device capabilities | Information about the specific device capabilities such as:
  • Camera -- whether the device has a front facing, a rear facing camera, or both.
  • Touch screen -- does the device include a touch screen? If so, how many hardware touch points are supported?
  • Processor capabilities -- CompareExchange128, LahfSahf, NX, PrefetchW, and SSE2
  • Trusted Platform Module (TPM) – whether present and what version
  • Virtualization hardware -- whether an IOMMU is present, SLAT support, is virtualization enabled in the firmware
  • Voice – whether voice interaction is supported and the number of active microphones
  • Number of displays, resolutions, DPI
  • Wireless capabilities
  • OEM or platform face detection
  • OEM or platform video stabilization and quality level set
  • Advanced Camera Capture mode (HDR vs. LowLight), OEM vs. platform implementation, HDR probability, and Low Light probability
 |
-| Device preferences and settings | Information about the device settings and user preferences such as:
  • User Settings – System, Device, Network & Internet, Personalization, Cortana, Apps, Accounts, Time & Language, Gaming, Ease of Access, Privacy, Update & Security
  • User-provided device name
  • Whether device is domain-joined, or cloud-domain joined (i.e. part of a company-managed network)
  • Hashed representation of the domain name
  • MDM (mobile device management) enrollment settings and status
  • BitLocker, Secure Boot, encryption settings, and status
  • Windows Update settings and status
  • Developer Unlock settings and status
  • Default app choices
  • Default browser choice
  • Default language settings for app, input, keyboard, speech, and display
  • App store update settings
  • Enterprise OrganizationID, Commercial ID
 |
-| Device peripherals | Information about the device peripherals such as:
  • Peripheral name, device model, class, manufacturer and description
  • Peripheral device state, install state, and checksum
  • Driver name, package name, version, and manufacturer
  • HWID - A hardware vendor defined ID to match a device to a driver [INF file](https://msdn.microsoft.com/windows/hardware/drivers/install/hardware-ids)
  • Driver state, problem code, and checksum
  • Whether driver is kernel mode, signed, and image size
 |
-| Device network info | Information about the device network configuration such as:
  • Network system capabilities
  • Local or Internet connectivity status
  • Proxy, gateway, DHCP, DNS details and addresses
  • Paid or free network
  • Wireless driver is emulated or not
  • Access point mode capable
  • Access point manufacturer, model, and MAC address
  • WDI Version
  • Name of networking driver service
  • Wi-Fi Direct details
  • Wi-Fi device hardware ID and manufacturer
  • Wi-Fi scan attempt counts and item counts
  • Mac randomization is supported/enabled or not
  • Number of spatial streams and channel frequencies supported
  • Manual or Auto Connect enabled
  • Time and result of each connection attempt
  • Airplane mode status and attempts
  • Interface description provided by the manufacturer
  • Data transfer rates
  • Cipher algorithm
  • Mobile Equipment ID (IMEI) and Mobile Country Code (MCCO)
  • Mobile operator and service provider name
  • Available SSIDs and BSSIDs
  • IP Address type -- IPv4 or IPv6
  • Signal Quality percentage and changes
  • Hotspot presence detection and success rate
  • TCP connection performance
  • Miracast device names
  • Hashed IP address

+| Device properties | Information about the OS and device hardware, such as:
  •  OS - version name, Edition
  • Installation type, subscription status, and genuine OS status
  • Processor architecture, speed, number of cores, manufacturer, and model
  • OEM details - manufacturer, model, and serial number
  • Device identifier and Xbox serial number
  • Firmware/BIOS - type, manufacturer, model, and version
  • Memory - total memory, video memory, speed, and how much memory is available after the device has reserved memory
  • Storage - total capacity and disk type
  • Battery - charge capacity and InstantOn support
  • Hardware chassis type, color, and form factor
  • Is this machine a virtual machine?
 |
+| Device capabilities | Information about the specific device capabilities such as:
  • Camera - whether the device has a front facing, a rear facing camera, or both.
  • Touch screen - does the device include a touch screen? If so, how many hardware touch points are supported?
  • Processor capabilities - CompareExchange128, LahfSahf, NX, PrefetchW, and SSE2
  • Trusted Platform Module (TPM) – whether present and what version
  • Virtualization hardware - whether an IOMMU is present, SLAT support, is virtualization enabled in the firmware
  • Voice – whether voice interaction is supported and the number of active microphones
  • Number of displays, resolutions, DPI
  • Wireless capabilities
  • OEM or platform face detection
  • OEM or platform video stabilization and quality level set
  • Advanced Camera Capture mode (HDR vs. LowLight), OEM vs. platform implementation, HDR probability, and Low Light probability
 |
+| Device preferences and settings | Information about the device settings and user preferences such as:
  • User Settings – System, Device, Network & Internet, Personalization, Cortana, Apps, Accounts, Time & Language, Gaming, Ease of Access, Privacy, Update & Security
  • User-provided device name
  • Whether device is domain-joined, or cloud-domain joined (that is, part of a company-managed network)
  • Hashed representation of the domain name
  • MDM (mobile device management) enrollment settings and status
  • BitLocker, Secure Boot, encryption settings, and status
  • Windows Update settings and status
  • Developer Unlock settings and status
  • Default app choices
  • Default browser choice
  • Default language settings for app, input, keyboard, speech, and display
  • App store update settings
  • Enterprise OrganizationID, Commercial ID
 |
+| Device peripherals | Information about the device peripherals such as:
  • Peripheral name, device model, class, manufacturer, and description
  • Peripheral device state, install state, and checksum
  • Driver name, package name, version, and manufacturer
  • HWID - A hardware vendor defined ID to match a device to a driver [INF file](https://msdn.microsoft.com/windows/hardware/drivers/install/hardware-ids)
  • Driver state, problem code, and checksum
  • Whether driver is kernel mode, signed, and image size
 |
+| Device network info | Information about the device network configuration such as:
  • Network system capabilities
  • Local or Internet connectivity status
  • Proxy, gateway, DHCP, DNS details, and addresses
  • Paid or free network
  • Wireless driver is emulated or not
  • Access point mode capable
  • Access point manufacturer, model, and MAC address
  • WDI Version
  • Name of networking driver service
  • Wi-Fi Direct details
  • Wi-Fi device hardware ID and manufacturer
  • Wi-Fi scan attempt counts and item counts
  • Mac randomization is supported/enabled or not
  • Number of spatial streams and channel frequencies supported
  • Manual or Auto Connect enabled
  • Time and result of each connection attempt
  • Airplane mode status and attempts
  • Interface description provided by the manufacturer
  • Data transfer rates
  • Cipher algorithm
  • Mobile Equipment ID (IMEI) and Mobile Country Code (MCCO)
  • Mobile operator and service provider name
  • Available SSIDs and BSSIDs
  • IP Address type - IPv4 or IPv6
  • Signal Quality percentage and changes
  • Hotspot presence detection and success rate
  • TCP connection performance
  • Miracast device names
  • Hashed IP address

 
 ## Product and Service Usage data
 
-This type of data includes details about the usage of the device, operating system, applications and services. 
+This type of data includes details about the usage of the device, operating system, applications, and services. 
 
 | Category Name | Examples |
 | - | - |
-| App usage | Information about Windows and application usage such as:
  • OS component and app feature usage
  • User navigation and interaction with app and Windows features. This could potentially include user input, such as name of a new alarm set, user menu choices, or user favorites.
  • Time of and count of app/component launches, duration of use, session GUID, and process ID
  • App time in various states – running foreground or background, sleeping, or receiving active user interaction
  • User interaction method and duration – whether and length of time user used the keyboard, mouse, pen, touch, speech, or game controller
  • Cortana launch entry point/reason
  • Notification delivery requests and status
  • Apps used to edit images and videos
  • SMS, MMS, VCard, and broadcast message usage statistics on primary or secondary line
  • Incoming and Outgoing calls and Voicemail usage statistics on primary or secondary line
  • Emergency alerts are received or displayed statistics
  • Content searches within an app
  • Reading activity -- bookmarking used, print used, layout changed
|
-| App or product state | Information about Windows and application state such as:
  • Start Menu and Taskbar pins
  • Online/Offline status
  • App launch state –- with deep-link such as Groove launched with an audio track to play, or share contract such as MMS launched to share a picture.
  • Personalization impressions delivered
  • Whether the user clicked or hovered on UI controls or hotspots
  • User feedback Like or Dislike or rating was provided
  • Caret location or position within documents and media files -- how much of a book has been read in a single session or how much of a song has been listened to.
|
+| App usage | Information about Windows and application usage such as:
  • OS component and app feature usage
  • User navigation and interaction with app and Windows features. This information could include user input, such as the name of a new alarm set, user menu choices, or user favorites.
  • Time of and count of app/component launches, duration of use, session GUID, and process ID
  • App time in various states – running foreground or background, sleeping, or receiving active user interaction
  • User interaction method and duration – whether and length of time user used the keyboard, mouse, pen, touch, speech, or game controller
  • Cortana launch entry point/reason
  • Notification delivery requests and status
  • Apps used to edit images and videos
  • SMS, MMS, VCard, and broadcast message usage statistics on primary or secondary line
  • Incoming and Outgoing calls and Voicemail usage statistics on primary or secondary line
  • Emergency alerts are received or displayed statistics
  • Content searches within an app
  • Reading activity - bookmarking used, print used, layout changed
|
+| App or product state | Information about Windows and application state such as:
  • Start Menu and Taskbar pins
  • Online/Offline status
  • App launch state –- with deep-link such as Groove launched with an audio track to play, or share contract such as MMS launched to share a picture.
  • Personalization impressions delivered
  • Whether the user clicked or hovered on UI controls or hotspots
  • User feedback Like or Dislike or rating was provided
  • Caret location or position within documents and media files - how much of a book has been read in a single session or how much of a song has been listened to.
|
 | Login properties | 
  • Login success or failure
  • Login sessions and state
|
 
 
 ## Product and Service Performance data
 
-This type of data includes details about the health of the device, operating system, apps and drivers.
+This type of data includes details about the health of the device, operating system, apps, and drivers.
 
 | Category Name | Description and Examples |
 | - | - |
-|Device health and crash data | Information about the device and software health such as:
  • Error codes and error messages, name and ID of the app, and process reporting the error
  • DLL library predicted to be the source of the error -- xyz.dll
  • System generated files -- app or product logs and trace files to help diagnose a crash or hang
  • System settings such as registry keys
  • User generated files – .doc, .ppt, .csv files where they are indicated as a potential cause for a crash or hang
  • Details and counts of abnormal shutdowns, hangs, and crashes
  • Crash failure data – OS, OS component, driver, device, 1st and 3rd party app data
  • Crash and Hang dumps
    • The recorded state of the working memory at the point of the crash.
    • Memory in use by the kernel at the point of the crash.
    • Memory in use by the application at the point of the crash.
    • All the physical memory used by Windows at the point of the crash.
    • Class and function name within the module that failed.
     |
-|Device performance and reliability data | Information about the device and software performance such as:
    • User Interface interaction durations -- Start Menu display times, browser tab switch times, app launch and switch times, and Cortana and search performance and reliability.
    • Device on/off performance -- Device boot, shutdown, power on/off, lock/unlock times, and user authentication times (fingerprint and face recognition durations).
    • In-app responsiveness -- time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction.
    • User input responsiveness – onscreen keyboard invocation times for different languages, time to show auto-complete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score.
    • UI and media performance and glitches/smoothness -- video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
    • Disk footprint -- Free disk space, out of memory conditions, and disk score.
    • Excessive resource utilization – components impacting performance or battery life through high CPU usage during different screen and power states
    • Background task performance -- download times, Windows Update scan duration, Microsoft Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
    • Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness environmental response times
    • Device setup -- first setup experience times (time to install updates, install apps, connect to network etc.), time to recognize connected devices (printer and monitor), and time to setup Microsoft Account.
    • Power and Battery life – power draw by component (Process/CPU/GPU/Display), hours of screen off time, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use during screen off, auto-brightness details, time device is plugged into AC vs. battery, battery state transitions
    • Service responsiveness - Service URI, operation, latency, service success/error codes, and protocol.
    • Diagnostic heartbeat – regular signal to validate the health of the diagnostics system
    |
-|Movies|Information about movie consumption functionality on the device. This isn't intended to capture user viewing, listening or habits.
    • Video Width, height, color pallet, encoding (compression) type, and encryption type
    • Instructions for how to stream content for the user -- the smooth streaming manifest of chunks of content files that must be pieced together to stream the content based on screen resolution and bandwidth
    • URL for a specific two second chunk of content if there is an error
    • Full screen viewing mode details|
-|Music & TV|Information about music and TV consumption on the device. This isn't intended to capture user viewing, listening or habits.
      • Service URL for song being downloaded from the music service – collected when an error occurs to facilitate restoration of service
      • Content type (video, audio, surround audio)
      • Local media library collection statistics -- number of purchased tracks, number of playlists
      • Region mismatch -- User OS Region, and Xbox Live region
      |
-|Reading|Information about reading consumption functionality on the device. This isn't intended to capture user viewing, listening or habits.
      • App accessing content and status and options used to open a Microsoft Store book
      • Language of the book
      • Time spent reading content
      • Content type and size details
      |
-|Photos App|Information about photos usage on the device. This isn't intended to capture user viewing, listening or habits.
      • File source data -- local, SD card, network device, and OneDrive
      • Image & video resolution, video length, file sizes types and encoding
      • Collection view or full screen viewer use and duration of view
    |
-|On-device file query | Information about local search activity on the device such as: 
    • Kind of query issued and index type (ConstraintIndex, SystemIndex)
    • Number of items requested and retrieved
    • File extension of search result user interacted with
    • Launched item kind, file extension, index of origin, and the App ID of the opening app.
    • Name of process calling the indexer and time to service the query.
    • A hash of the search scope (file, Outlook, OneNote, IE history) 
    • The state of the indices (fully optimized, partially optimized, being built)
     |
-|Purchasing| Information about purchases made on the device such as:
    • Product ID, edition ID and product URI
    • Offer details -- price
    • Order requested date/time
    • Store client type -- web or native client
    • Purchase quantity and price
    • Payment type -- credit card type and PayPal
     |
-|Entitlements | Information about entitlements on the device such as:
    • Service subscription status and errors
    • DRM and license rights details -- Groove subscription or OS volume license
    • Entitlement ID, lease ID, and package ID of the install package
    • Entitlement revocation
    • License type (trial, offline vs online) and duration
    • License usage session
     |
+|Device health and crash data | Information about the device and software health such as:
    • Error codes and error messages, name and ID of the app, and process reporting the error
    • DLL library predicted to be the source of the error - xyz.dll
    • System-generated files - app or product logs and trace files to help diagnose a crash or hang
    • System settings such as registry keys
    • User-generated files – .doc, .ppt, .csv files where they are indicated as a potential cause for a crash or hang
    • Details and counts of abnormal shutdowns, hangs, and crashes
    • Crash failure data – OS, OS component, driver, device, 1st and 3rd party app data
    • Crash and Hang dumps
      • The recorded state of the working memory at the point of the crash.
      • Memory in use by the kernel at the point of the crash.
      • Memory in use by the application at the point of the crash.
      • All the physical memory used by Windows at the point of the crash.
      • Class and function name within the module that failed.
       |
+|Device performance and reliability data | Information about the device and software performance such as:
      • User Interface interaction durations - Start Menu display times, browser tab switch times, app launch and switch times, and Cortana and search performance and reliability.
      • Device on/off performance - Device boot, shutdown, power on/off, lock/unlock times, and user authentication times (fingerprint and face recognition durations).
      • In-app responsiveness - time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction.
      • User input responsiveness – onscreen keyboard invocation times for different languages, time to show autocomplete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score.
      • UI and media performance and glitches/smoothness - video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
      • Disk footprint - Free disk space, out of memory conditions, and disk score.
      • Excessive resource utilization – components impacting performance or battery life through high CPU usage during different screen and power states
      • Background task performance - download times, Windows Update scan duration, Microsoft Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
      • Peripheral and devices - USB device connection times, time to connect to a wireless display, printing times, network availability, and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP, and so on), smart card authentication times, automatic brightness environmental response times
      • Device setup - first setup experience times (time to install updates, install apps, connect to network etc.), time to recognize connected devices (printer and monitor), and time to setup Microsoft Account.
      • Power and Battery life – power draw by component (Process/CPU/GPU/Display), hours of screen off time, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use during screen off, autobrightness details, time device is plugged into AC vs. battery, battery state transitions
      • Service responsiveness - Service URI, operation, latency, service success/error codes, and protocol.
      • Diagnostic heartbeat – regular signal to validate the health of the diagnostics system
      |
+|Movies|Information about movie consumption functionality on the device. This information isn't intended to capture user viewing, listening, or habits.
      • Video Width, height, color pallet, encoding (compression) type, and encryption type
      • Instructions for how to stream content for the user - the smooth streaming manifest of chunks of content files that must be pieced together to stream the content based on screen resolution and bandwidth
      • URL for a specific two-second chunk of content if there is an error
      • Full screen viewing mode details|
+|Music & TV|Information about music and TV consumption on the device. This information isn't intended to capture user viewing, listening, or habits.
        • Service URL for song being downloaded from the music service – collected when an error occurs to facilitate restoration of service
        • Content type (video, audio, surround audio)
        • Local media library collection statistics - number of purchased tracks, number of playlists
        • Region mismatch - User OS Region, and Xbox Live region
        |
+|Reading|Information about reading consumption functionality on the device. This information isn't intended to capture user viewing, listening, or habits.
        • App accessing content and status and options used to open a Microsoft Store book
        • Language of the book
        • Time spent reading content
        • Content type and size details
        |
+|Photos App|Information about photos usage on the device. This information isn't intended to capture user viewing, listening, or habits.
        • File source data - local, SD card, network device, and OneDrive
        • Image & video resolution, video length, file sizes types and encoding
        • Collection view or full screen viewer use and duration of view
      |
+|On-device file query | Information about local search activity on the device such as: 
      • Type of query issued and index type (ConstraintIndex, SystemIndex)
      • Number of items requested and retrieved
      • File extension of search result user interacted with
      • Launched item kind, file extension, index of origin, and the App ID of the opening app.
      • Name of process calling the indexer and time to service the query.
      • A hash of the search scope (file, Outlook, OneNote, IE history) 
      • The state of the indices (fully optimized, partially optimized, being built)
       |
+|Purchasing| Information about purchases made on the device such as: 
      • Product ID, edition ID, and product URI
      • Offer details - price
      • Order requested date/time
      • Store client type - web or native client
      • Purchase quantity and price
      • Payment type - credit card type and PayPal
       |
+|Entitlements | Information about entitlements on the device such as:
      • Service subscription status and errors
      • DRM and license rights details - Groove subscription or OS volume license
      • Entitlement ID, lease ID, and package ID of the install package
      • Entitlement revocation
      • License type (trial, offline versus online) and duration
      • License usage session
       |
 
 ## Software Setup and Inventory data
 
@@ -90,7 +90,7 @@ This type of data includes software installation and update information on the d
 | Category Name | Data Examples |
 | - | - |
 | Installed Applications and Install History | Information about apps, drivers, update packages, or OS components installed on the device such as:
      • App, driver, update package, or component’s Name, ID, or Package Family Name
      • Product, SKU, availability, catalog, content, and Bundle IDs
      • OS component, app or driver publisher, language, version and type (Win32 or UWP)
      • Install date, method, and install directory, count of install attempts
      • MSI package code and product code
      • Original OS version at install time
      • User or administrator or mandatory installation/update
      • Installation type – clean install, repair, restore, OEM, retail, upgrade, and update
       |
-| Device update information | Information about Windows Update such as:
      • Update Readiness analysis of device hardware, OS components, apps, and drivers (progress, status, and results)
      • Number of applicable updates, importance, type
      • Update download size and source -- CDN or LAN peers
      • Delay upgrade status and configuration
      • OS uninstall and rollback status and count
      • Windows Update server and service URL
      • Windows Update machine ID
      • Windows Insider build details
      
+| Device update information | Information about Windows Update such as:
      • Update Readiness analysis of device hardware, OS components, apps, and drivers (progress, status, and results)
      • Number of applicable updates, importance, type
      • Update download size and source - CDN or LAN peers
      • Delay upgrade status and configuration
      • OS uninstall and rollback status and count
      • Windows Update server and service URL
      • Windows Update machine ID
      • Windows Insider build details
      
 
 ## Browsing History data
 
@@ -98,7 +98,7 @@ This type of data includes details about web browsing in the Microsoft browsers.
 
 | Category Name | Description and Examples |
 | - | - |
-| Microsoft browser data | Information about Address bar and search box performance on the device such as:
      • Text typed in address bar and search box
      • Text selected for Ask Cortana search
      • Service response time 
      • Auto-completed text if there was an auto-complete
      • Navigation suggestions provided based on local history and favorites
      • Browser ID
      • URLs (which may include search terms)
      • Page title
      |
+| Microsoft browser data | Information about Address bar and search box performance on the device such as:
      • Text typed in address bar and search box
      • Text selected for Ask Cortana search
      • Service response time 
      • Autocompleted text if there was an autocomplete
      • Navigation suggestions provided based on local history and favorites
      • Browser ID
      • URLs (which may include search terms)
      • Page title
      |
 
 
 ## Inking Typing and Speech Utterance data
@@ -107,4 +107,4 @@ This type of data gathers details about the voice, inking, and typing input feat
 
 | Category Name | Description and Examples |
 | - | - |
-| Voice, inking, and typing | Information about voice, inking and typing features such as:
      • Type of pen used (highlighter, ball point, pencil), pen color, stroke height and width, and how long it is used
      • Pen gestures (click, double click, pan, zoom, rotate)
      • Palm Touch x,y coordinates
      • Input latency, missed pen signals, number of frames, strokes, first frame commit time, sample rate
      • Ink strokes written, text before and after the ink insertion point, recognized text entered, Input language - processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values) which could be used to reconstruct the original content or associate the input to the user.
      • Text input from Windows Mobile on-screen keyboards except from password fields and private sessions - processed to remove identifiers, sequencing information, and other data (such as email addresses, and numeric values) which could be used to reconstruct the original content or associate the input to the user.
      • Text of speech recognition results -- result codes and recognized text
      • Language and model of the recognizer, System Speech language
      • App ID using speech features
      • Whether user is known to be a child
      • Confidence and Success/Failure of speech recognition
       |
+| Voice, inking, and typing | Information about voice, inking, and typing features such as:
      • Type of pen used (highlighter, ball point, pencil), pen color, stroke height and width, and how long it is used
      • Pen gestures (click, double-click, pan, zoom, rotate)
      • Palm Touch x,y coordinates
      • Input latency, missed pen signals, number of frames, strokes, first frame commit time, sample rate
      • Ink strokes written, text before and after the ink insertion point, recognized text entered, Input language - processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values) which could be used to reconstruct the original content or associate the input to the user.
      • Text input from Windows Mobile on-screen keyboards except from password fields and private sessions - processed to remove identifiers, sequencing information, and other data (such as email addresses, and numeric values) which could be used to reconstruct the original content or associate the input to the user.
      • Text of speech recognition results - result codes and recognized text
      • Language and model of the recognizer, System Speech language
      • App ID using speech features
      • Whether user is known to be a child
      • Confidence and Success/Failure of speech recognition
       |
diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md
index 150b4905bd..2fc94568eb 100644
--- a/windows/privacy/windows-diagnostic-data.md
+++ b/windows/privacy/windows-diagnostic-data.md
@@ -28,7 +28,7 @@ Applies to:
 
 Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 20H2 required diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields).
 
-In addition, this article provides references to equivalent definitions for the data types and examples from [ISO/IEC 19944:2017 Information technology -- Cloud computing -- Cloud services and devices: Data flow, data categories and data use](https://www.iso.org/standard/66674.html). Each data type also has a Data Use statement, for diagnostics and for Tailored experiences on the device, using the terms as defined by the standard. These Data Use statements define the purposes for which Microsoft processes each type of Windows diagnostic data, using a uniform set of definitions referenced at the end of this document and based on the ISO standard. Reference to the ISO standard provides additional clarity about the information collected, and allows easy comparison with other services or guidance that also references the standard.
+In addition, this article provides references to equivalent definitions for the data types and examples from [ISO/IEC 19944:2017 Information technology - Cloud computing - Cloud services and devices: Data flow, data categories, and data use](https://www.iso.org/standard/66674.html). Each data type also has a Data Use statement, for diagnostics and for Tailored experiences on the device, using the terms as defined by the standard. These Data Use statements define the purposes for which Microsoft processes each type of Windows diagnostic data, using a uniform set of definitions referenced at the end of this document and based on the ISO standard. Reference to the ISO standard provides additional clarity about the information collected, and allows easy comparison with other services or guidance that also references the standard.
 
 The data covered in this article is grouped into the following types:
 
@@ -52,21 +52,21 @@ Header data supports the use of data associated with all diagnostic events. Ther
 
 Information that is added to most diagnostic events, if relevant and available:
 
-- Diagnostic level -- Basic or Full, Sample level -- for sampled data, what sample level is this device opted into (8.2.3.2.4 Observed Usage of the Service Capability)
+- Diagnostic level - Basic or Full, Sample level - for sampled data, what sample level is this device opted into (8.2.3.2.4 Observed Usage of the Service Capability)
 - Operating system name, version, build, and locale (8.2.3.2.2 Telemetry data)
 - Event collection time (8.2.3.2.2 Telemetry data)
-- User ID -- a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic - diagnostic data (8.2.5 Account data)
+- User ID - a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic - diagnostic data (8.2.5 Account data)
 - Xbox UserID (8.2.5 Account data)
-- Device ID -- This is not the user provided device name, but an ID that is unique for that device. (8.2.3.2.3 Connectivity data)
-- Device class -- Desktop, Server, or Mobile (8.2.3.2.3 Connectivity data)
-- Environment from which the event was logged -- Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time, such as the amount of time an app is running or between boots of the operating system (8.2.4 Cloud service provider data)
+- Device ID - This ID is not the user provided device name, but an ID that is unique for that device. (8.2.3.2.3 Connectivity data)
+- Device class - Desktop, Server, or Mobile (8.2.3.2.3 Connectivity data)
+- Environment from which the event was logged - Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time, such as the amount of time an app is running or between boots of the operating system (8.2.4 Cloud service provider data)
 - Diagnostic event name, Event ID, ETW opcode, version, schema signature, keywords, and flags (8.2.4 Cloud service provider data)
 - HTTP header information, including the IP address. This IP address is the source address that’s provided by the network packet header and received by the diagnostics ingestion service (8.2.4 Cloud service provider data)
 - Various IDs that are used to correlate and sequence related events together (8.2.4 Cloud service provider data)
 
 
 ## Device, Connectivity, and Configuration data
-This type of data includes details about the device, its configuration and connectivity capabilities, and status. Device, Connectivity, and Configuration Data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.3 Connectivity data.
+This type of data includes details about the device, its configuration and connectivity capabilities, and status. Device, Connectivity, and Configuration data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.3 Connectivity data.
 
 ### Data Use for Device, Connectivity, and Configuration data 
 
@@ -88,41 +88,41 @@ If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseud
 
 - Data about device properties and capabilities is used to provide tips about how to use or configure the device to get the best performance and user experience.
 
-- Data about device capabilities, such as whether the device is pen-enabled, is used to recommend (Microsoft and third-party) apps that are appropriate for the device. These may be free or paid apps.  
+- Data about device capabilities, such as whether the device is pen-enabled, is used to recommend (Microsoft and third-party) apps that are appropriate for the device. These apps might be free or paid.  
   
 ### Data Description for Device, Connectivity, and Configuration data type
 
-**Device properties sub-type:** Information about the operating system and device hardware
+**Device properties subtype:** Information about the operating system and device hardware
 
 - Operating system - version name, edition
 - Installation type, subscription status, and genuine operating system status
 - Processor architecture, speed, number of cores, manufacturer, and model
-- OEM details --manufacturer, model, and serial number
+- OEM details - manufacturer, model, and serial number
 - Device identifier and Xbox serial number
-- Firmware/BIOS operating system -- type, manufacturer, model, and version
-- Memory -- total memory, video memory, speed, and how much memory is available after the device has reserved memory
-- Storage -- total capacity and disk type
-- Battery -- charge capacity and InstantOn support
+- Firmware/BIOS operating system - type, manufacturer, model, and version
+- Memory - total memory, video memory, speed, and how much memory is available after the device has reserved memory
+- Storage - total capacity and disk type
+- Battery - charge capacity and InstantOn support
 - Hardware chassis type, color, and form factor
-- Is this a virtual machine?
+- Is this machine a virtual machine?
 
-**Device capabilities sub-type:** Information about the capabilities of the device
+**Device capabilities subtype:** Information about the capabilities of the device
 
-- Camera -- whether the device has a front facing camera, a rear facing camera, or both.
-- Touch screen -- Whether the device has a touch screen? If yes, how many hardware touch points are supported?
-- Processor capabilities -- CompareExchange128, LahfSahf, NX, PrefetchW, and SSE2
-- Trusted Platform Module (TPM) -- whether a TPM exists and if yes, what version
-- Virtualization hardware -- whether an IOMMU exists, whether it includes SLAT support, and whether virtualization is enabled in the firmware
-- Voice -- whether voice interaction is supported and the number of active microphones
+- Camera - whether the device has a front facing camera, a rear facing camera, or both.
+- Touch screen - Does the device have a touch screen? If yes, how many hardware touch points are supported?
+- Processor capabilities - CompareExchange128, LahfSahf, NX, PrefetchW, and SSE2
+- Trusted Platform Module (TPM) - whether a TPM exists and if yes, what version
+- Virtualization hardware - whether an IOMMU exists, whether it includes SLAT support, and whether virtualization is enabled in the firmware
+- Voice - whether voice interaction is supported and the number of active microphones
 - Number of displays, resolutions, and DPI
 - Wireless capabilities
 - OEM or platform face detection
 - OEM or platform video stabilization and quality-level set
 - Advanced Camera Capture mode (HDR versus Low Light), OEM versus platform implementation, HDR probability, and Low Light probability
 
-**Device preferences and settings sub-type:** Information about the device settings and user preferences
+**Device preferences and settings subtype:** Information about the device settings and user preferences
 
-- User Settings -- System, Device, Network & Internet, Personalization, Cortana, Apps, Accounts, Time & Language, Gaming, Ease of Access, Privacy, Update & Security
+- User Settings - System, Device, Network & Internet, Personalization, Cortana, Apps, Accounts, Time & Language, Gaming, Ease of Access, Privacy, Update & Security
 - User-provided device name
 - Whether device is domain-joined, or cloud-domain joined (for example, part of a company-managed network)
 - Hashed representation of the domain name
@@ -136,7 +136,7 @@ If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseud
 - App store update settings
 - Enterprise OrganizationID, Commercial ID
 
-**Device peripherals sub-type:** Information about the peripherals of the device
+**Device peripherals subtype:** Information about the peripherals of the device
 
 - Peripheral name, device model, class, manufacturer, and description
 - Peripheral device state, install state, and checksum
@@ -145,7 +145,7 @@ If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseud
 - Driver state, problem code, and checksum
 - Whether driver is kernel mode, signed, and image size
 
-**Device network info sub-type:** Information about the device network configuration
+**Device network info subtype:** Information about the device network configuration
 
 - Network system capabilities
 - Local or Internet connectivity status
@@ -170,7 +170,7 @@ If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseud
 - Mobile Equipment ID (IMEI) and Mobile Country Code (MCCO)
 - Mobile operator and service provider name
 - Available SSIDs and BSSIDs
-- IP Address type -- IPv4 or IPv6
+- IP Address type - IPv4 or IPv6
 - Signal Quality percentage and changes
 - Hotspot presence detection and success rate
 - TCP connection performance
@@ -178,7 +178,7 @@ If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseud
 - Hashed IP address
 
 ## Product and Service Usage data
-This type of data includes details about the usage of the device, operating system, applications and services. Product and Service Usage data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.4 Observed Usage of the Service Capability.
+This type of data includes details about the usage of the device, operating system, applications, and services. Product and Service Usage data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.4 Observed Usage of the Service Capability.
 
 ### Data Use for Product and Service Usage data
 
@@ -195,16 +195,16 @@ This type of data includes details about the usage of the device, operating syst
 **With (optional) Tailored experiences:**
      
 If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example:
 
-- If data shows that a user has not used a particular feature of Windows, we may recommend that the user try that feature.
-- Data about which apps are most-used on a device is used to provide recommendations for similar or complementary (Microsoft or third-party) apps. These may be free or paid apps.
+- If data shows that a user has not used a particular feature of Windows, we might recommend that the user try that feature.
+- Data about which apps are most-used on a device is used to provide recommendations for similar or complementary (Microsoft or third-party) apps. These apps might be free or paid.
 
 
 ### Data Description for Product and Service Usage data type
 
-**App usage sub-type:** Information about Windows and application usage
+**App usage subtype:** Information about Windows and application usage
 
 - Operating system component and app feature usage
-- User navigation and interaction with app and Windows features. This could potentially include user input, such as name of a new alarm set, user menu choices, or user favorites
+- User navigation and interaction with app and Windows features. This information could include user input, such as the name of a new alarm set, user menu choices, or user favorites
 - Time of and count of app and component launches, duration of use, session GUID, and process ID
 - App time in various states –- running in the foreground or background, sleeping, or receiving active user interaction
 - User interaction method and duration –- whether the user used a keyboard, mouse, pen, touch, speech, or game controller, and for how long
@@ -215,9 +215,9 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
 - Incoming and outgoing calls and voicemail usage statistics on primary or secondary lines
 - Emergency alerts are received or displayed statistics
 - Content searches within an app
-- Reading activity -- bookmarked, printed, or had the layout changed
+- Reading activity - bookmarked, printed, or had the layout changed
 
-**App or product state sub-type:** Information about Windows and application state
+**App or product state subtype:** Information about Windows and application state
 
 - Start Menu and Taskbar pins
 - Online and offline status
@@ -225,18 +225,18 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
 - Personalization impressions delivered
 - Whether the user clicked on, or hovered over, UI controls or hotspots
 - User provided feedback, such as Like, Dislike or a rating
-- Caret location or position within documents and media files -- how much has been read in a book in a single session, or how much of a song has been listened to.
+- Caret location or position within documents and media files - how much has been read in a book in a single session, or how much of a song has been listened to.
 
-**Purchasing sub-type:** Information about purchases made on the device
+**Purchasing subtype:** Information about purchases made on the device
 
-- Product ID, edition ID and product URI
-- Offer details -- price
+- Product ID, edition ID, and product URI
+- Offer details - price
 - Date and time an order was requested
-- Microsoft Store client type -- web or native client
+- Microsoft Store client type - web or native client
 - Purchase quantity and price
-- Payment type -- credit card type and PayPal
+- Payment type - credit card type and PayPal
 
-**Login properties sub-type:** Information about logins on the device
+**Login properties subtype:** Information about logins on the device
 
 - Login success or failure
 - Login sessions and state
@@ -259,21 +259,21 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
 
 - Data about battery performance on a device may be used to recommend settings changes that can improve battery performance.
 - If data shows a device is running low on file storage, we may recommend Windows-compatible cloud storage solutions to free up space.
-- If data shows the device is experiencing performance issues, we may provide recommendations for Windows apps that can help diagnose or resolve these issues. These may be free or paid apps.
+- If data shows the device is experiencing performance issues, we may provide recommendations for Windows apps that can help diagnose or resolve these issues. These apps might be free or paid.
 
 **Microsoft doesn't use crash and hang dump data to [personalize](#personalize), [recommend](#recommend), [offer](#offer), or [promote](#promote) any product or service.**
 
 ### Data Description for Product and Service Performance data type
 
-**Device health and crash data sub-type:** Information about the device and software health
+**Device health and crash data subtype:** Information about the device and software health
 
 - Error codes and error messages, name and ID of the app, and process reporting the error
-- DLL library predicted to be the source of the error -- for example, xyz.dll
-- System generated files -- app or product logs and trace files to help diagnose a crash or hang
+- DLL library predicted to be the source of the error - for example, xyz.dll
+- System-generated files - app or product logs and trace files to help diagnose a crash or hang
 - System settings, such as registry keys
-- User generated files -- files that are indicated as a potential cause for a crash or hang. For example, .doc, .ppt, .csv files
+- User-generated files - files that are indicated as a potential cause for a crash or hang. For example, .doc, .ppt, .csv files
 - Details and counts of abnormal shutdowns, hangs, and crashes
-- Crash failure data -- operating system, operating system component, driver, device, and 1st and 3rd-party app data
+- Crash failure data - operating system, operating system component, driver, device, and first-party and third-party app data
 - Crash and hang dumps, including:
     - The recorded state of the working memory at the point of the crash
     - Memory in-use by the kernel at the point of the crash.
@@ -281,43 +281,43 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
     - All the physical memory used by Windows at the point of the crash
     - Class and function name within the module that failed.
 
-**Device performance and reliability data sub-type:** Information about the device and software performance
+**Device performance and reliability data subtype:** Information about the device and software performance
 
-- User interface interaction durations -- Start menu display times, browser tab switch times, app launch and switch times, and Cortana and Search performance and reliability
-- Device on and off performance -- Device boot, shutdown, power on and off, lock and unlock times, and user authentication times (fingerprint and face recognition durations)
-- In-app responsiveness -- time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction
-- User input responsiveness -- onscreen keyboard invocation times for different languages, time to show auto-complete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score
-- UI and media performance and glitches versus smoothness -- video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
-- Disk footprint -- Free disk space, out of memory conditions, and disk score
-- Excessive resource utilization -- components impacting performance or battery life through high CPU usage during different screen and power states
-- Background task performance -- download times, Windows Update scan duration, Microsoft Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
-- Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness, and environmental response times
-- Device setup -- first setup experience times (time to install updates, install apps, connect to network, and so on), time to recognize connected devices (printer and monitor), and time to set up a Microsoft Account
-- Power and Battery life -- power draw by component (Process/CPU/GPU/Display), hours of time the screen is off, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use while the screen is off, auto-brightness details, time device is plugged into AC versus battery, and battery state transitions
-- Service responsiveness -- Service URI, operation, latency, service success and error codes, and protocol
-- Diagnostic heartbeat -- regular signal used to validate the health of the diagnostics system
+- User interface interaction durations - Start menu display times, browser tab switch times, app launch and switch times, and Cortana and Search performance and reliability
+- Device on and off performance - Device boot, shutdown, power on and off, lock and unlock times, and user authentication times (fingerprint and face recognition durations)
+- In-app responsiveness - time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction
+- User input responsiveness - onscreen keyboard invocation times for different languages, time to show autocomplete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score
+- UI and media performance and glitches versus smoothness - video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
+- Disk footprint - Free disk space, out of memory conditions, and disk score
+- Excessive resource utilization - components impacting performance or battery life through high CPU usage during different screen and power states
+- Background task performance - download times, Windows Update scan duration, Microsoft Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
+- Peripheral and devices - USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness, and environmental response times
+- Device setup - first setup experience times (time to install updates, install apps, connect to network, and so on), time to recognize connected devices (printer and monitor), and time to set up a Microsoft Account
+- Power and Battery life - power draw by component (Process/CPU/GPU/Display), hours of time the screen is off, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use while the screen is off, autobrightness details, time device is plugged into AC versus battery, and battery state transitions
+- Service responsiveness - Service URI, operation, latency, service success and error codes, and protocol
+- Diagnostic heartbeat - regular signal used to validate the health of the diagnostics system
 
-**Movies sub-type:** Information about movie consumption functionality on the device
+**Movies subtype:** Information about movie consumption functionality on the device
 
 > [!NOTE]
 > This isn't intended to capture user viewing, listening, or habits.
  
 - Video Width, height, color palette, encoding (compression) type, and encryption type
-- Instructions about how to stream content for the user -- the smooth streaming manifest of content file chunks that must be pieced together to stream the content based on screen resolution and bandwidth
+- Instructions about how to stream content for the user - the smooth streaming manifest of content file chunks that must be pieced together to stream the content based on screen resolution and bandwidth
 - URL for a specific two-second chunk of content if there is an error
 - Full-screen viewing mode details
 
-**Music & TV sub-type:** Information about music and TV consumption on the device
+**Music & TV subtype:** Information about music and TV consumption on the device
 
 > [!NOTE]
 > This isn't intended to capture user viewing, listening, or habits.
 
-- Service URL for song being downloaded from the music service -- collected when an error occurs to facilitate restoration of service
+- Service URL for song being downloaded from the music service - collected when an error occurs to facilitate restoration of service
 - Content type (video, audio, or surround audio)
-- Local media library collection statistics -- number of purchased tracks and number of playlists
-- Region mismatch -- User's operating system region and Xbox Live region
+- Local media library collection statistics - number of purchased tracks and number of playlists
+- Region mismatch - User's operating system region and Xbox Live region
 
-**Reading sub-type:** Information about reading consumption functionality on the device
+**Reading subtype:** Information about reading consumption functionality on the device
 
 > [!NOTE]
 > This isn't intended to capture user viewing, listening, or habits.
@@ -327,42 +327,42 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
 - Time spent reading content
 - Content type and size details
 
-**Photos app sub-type:** Information about photos usage on the device
+**Photos app subtype:** Information about photos usage on the device
 
 > [!NOTE]
 > This isn't intended to capture user viewing, listening, or habits.
 
-- File source data -- local, SD card, network device, and OneDrive
+- File source data - local, SD card, network device, and OneDrive
 - Image and video resolution, video length, file sizes types, and encoding
 - Collection view or full screen viewer use and duration of view
 
-**On-device file query sub-type:** Information about local search activity on the device
+**On-device file query subtype:** Information about local search activity on the device
 
-- Kind of query issued and index type (ConstraintIndex or SystemIndex)
+- Type of query issued and index type (ConstraintIndex or SystemIndex)
 - Number of items requested and retrieved
 - File extension of search result with which the user interacted
 - Launched item type, file extension, index of origin, and the App ID of the opening app
 - Name of process calling the indexer and the amount of time to service the query
 - A hash of the search scope (file, Outlook, OneNote, or IE history). The state of the indices (fully optimized, partially optimized, or being built)
 
-**Entitlements sub-type:** Information about entitlements on the device
+**Entitlements subtype:** Information about entitlements on the device
 
 - Service subscription status and errors
-- DRM and license rights details -- Groove subscription or operating system volume license
+- DRM and license rights details - Groove subscription or operating system volume license
 - Entitlement ID, lease ID, and package ID of the install package
 - Entitlement revocation
 - License type (trial, offline versus online) and duration
 - License usage session
 
 ## Software Setup and Inventory data
-This type of data includes software installation and update information on the device. Software Setup and Inventory Data is a sub-type of ISO/IEC 19944:2017 8.2.3.2.4 Observed Usage of the Service Capability.
+This type of data includes software installation and update information on the device. Software Setup and Inventory Data is a subtype of ISO/IEC 19944:2017 8.2.3.2.4 Observed Usage of the Service Capability.
 
 ### Data Use for Software Setup and Inventory data
 
 **For Diagnostics:**
      
 [Pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example:
 
-- Data about the specific drivers that are installed on a device is used to understand whether there are any hardware or driver compatibility issues which should block or delay a Windows update.
+- Data about the specific drivers that are installed on a device is used to understand whether there are any hardware or driver compatibility issues that should block or delay a Windows update.
 - Data about when a download starts and finishes on a device is used to understand and address download problems.
 - Data about the specific Microsoft Store apps that are installed on a device is used to determine which app updates to provide to the device.
 - Data about the antimalware installed on a device is used to understand malware transmissions vectors.
@@ -374,7 +374,7 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
 
 ### Data Description for Software Setup and Inventory data type
 
-**Installed applications and install history sub-type:** Information about apps, drivers, update packages, or operating system components installed on the device
+**Installed applications and install history subtype:** Information about apps, drivers, update packages, or operating system components installed on the device
 
 - App, driver, update package, or component’s Name, ID, or Package Family Name
 - Product, SKU, availability, catalog, content, and Bundle IDs
@@ -383,13 +383,13 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
 - MSI package and product code
 - Original operating system version at install time
 - User, administrator, or mandatory installation or update
-- Installation type -- clean install, repair, restore, OEM, retail, upgrade, or update
+- Installation type - clean install, repair, restore, OEM, retail, upgrade, or update
 
-**Device update information sub-type:** Information about apps, drivers, update packages, or operating system components installed on the device
+**Device update information subtype:** Information about apps, drivers, update packages, or operating system components installed on the device
 
 - Update Readiness analysis of device hardware, operating system components, apps, and drivers (progress, status, and results)
 - Number of applicable updates, importance, and type
-- Update download size and source -- CDN or LAN peers
+- Update download size and source - CDN or LAN peers
 - Delay upgrade status and configuration
 - Operating system uninstall and rollback status and count
 - Windows Update server and service URL
@@ -397,7 +397,7 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
 - Windows Insider build details
 
 ## Browsing History data
-This type of data includes details about web browsing in the Microsoft browsers. Browsing History data is equivalent to ISO/IEC 19944:2017 8.2.3.2.8 Client side browsing history.
+This type of data includes details about web browsing in the Microsoft browsers. Browsing History data is equivalent to ISO/IEC 19944:2017 8.2.3.2.8 Client-side browsing history.
 
 ### Data Use for Browsing History data
 
@@ -413,23 +413,23 @@ This type of data includes details about web browsing in the Microsoft browsers.
 **With (optional) Tailored experiences:**
       
 If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Browsing History data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Browsing History data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example:
 
-- We may recommend that a user download a compatible app from the Microsoft Store if they have browsed to the related website. For example, if a user uses the Facebook website, we may recommend the Facebook app.
+- We might recommend that a user download a compatible app from the Microsoft Store if they have browsed to the related website. For example, if a user uses the Facebook website, we may recommend the Facebook app.
 
 ### Data Description for Browsing History data type
 
-**Microsoft browser data sub-type:** Information about **Address** bar and **Search** box performance on the device
+**Microsoft browser data subtype:** Information about **Address** bar and **Search** box performance on the device
 
 - Text typed in **Address** bar and **Search** box
 - Text selected for an Ask Cortana search
 - Service response time
-- Auto-completed text, if there was an auto-complete
+- Autocompleted text, if there was an autocomplete
 - Navigation suggestions provided based on local history and favorites
 - Browser ID
 - URLs (may include search terms)
 - Page title
 
 ## Inking Typing and Speech Utterance data
-This type of data gathers details about the voice, inking, and typing input features on the device. Inking, Typing and Speech Utterance data is a sub-type of ISO/IEC 19944:2017 8.2.3.2.1 End User Identifiable information.
+This type of data gathers details about the voice, inking, and typing input features on the device. Inking, Typing, and Speech Utterance data is a subtype of ISO/IEC 19944:2017 8.2.3.2.1 End User Identifiable information.
 
 ### Data Use for Inking, Typing, and Speech Utterance data
 
@@ -438,7 +438,7 @@ This type of data gathers details about the voice, inking, and typing input feat
 
 - Data about words marked as spelling mistakes and replaced with another word from the context menu is used to improve the spelling feature.
 - Data about alternate words shown and selected by the user after right-clicking is used to improve the word recommendation feature.
-- Data about auto-corrected words that were restored back to the original word by the user is used to improve the auto-correct feature.
+- Data about autocorrected words that were restored back to the original word by the user is used to improve the autocorrect feature.
 - Data about whether Narrator detected and recognized a touch gesture is used to improve touch gesture recognition.
 - Data about handwriting samples sent from the Handwriting Panel is used to help Microsoft improve handwriting recognition. 
 
@@ -448,15 +448,15 @@ This type of data gathers details about the voice, inking, and typing input feat
 
 ### Data Description for Inking, Typing, and Speech Utterance data type
 
-**Voice, inking, and typing sub-type:** Information about voice, inking and typing features
+**Voice, inking, and typing subtype:** Information about voice, inking, and typing features
 
 - Type of pen used (highlighter, ball point, or pencil), pen color, stroke height and width, and how long it is used
 - Pen gestures (click, double click, pan, zoom, or rotate)
 - Palm Touch x,y coordinates
 - Input latency, missed pen signals, number of frames, strokes, first frame commit time, and sample rate
-- Ink strokes written, text before and after the ink insertion point, recognized text entered, input language -- processed to remove identifiers, sequencing information, and other data (such as email addresses and - numeric values), which could be used to reconstruct the original content or associate the input to the user
-- Text input from Windows 10 Mobile on-screen keyboards, except from password fields and private sessions -- processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values), which could be used to reconstruct the original content or associate the input to the user
-- Text of speech recognition results -- result codes and recognized text
+- Ink strokes written, text before and after the ink insertion point, recognized text entered, input language - processed to remove identifiers, sequencing information, and other data (such as email addresses and - numeric values), which could be used to reconstruct the original content or associate the input to the user
+- Text input from Windows 10 Mobile on-screen keyboards, except from password fields and private sessions - processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values), which could be used to reconstruct the original content or associate the input to the user
+- Text of speech recognition results - result codes and recognized text
 - Language and model of the recognizer and the System Speech language
 - App ID using speech features
 - Whether user is known to be a child
@@ -496,9 +496,9 @@ Use of the specified data categories give recommendations about Microsoft produc
 
 ISO/IEC 19944:2017 Reference: **9.3.5 Offer upgrades or upsell**
 
-Implies the source of the data is Microsoft products and services, and the upgrades offered come from Microsoft products and services that are relevant to the context of the current capability. The target audience for the offer is Microsoft customers.
+Implies that the source of the data is Microsoft products and services, and the upgrades offered come from Microsoft products and services that are relevant to the context of the current capability. The target audience for the offer is Microsoft customers.
 
-Specifically, use of the specified data categories to make an offer or upsell new capability or capacity of a Microsoft product or service which is (i) contextually relevant to the product or service in which it appears; (ii) likely to result in additional future revenue for Microsoft from end user; and (iii) Microsoft receives no consideration for placement.
+Specifically, use of the specified data categories to make an offer or upsell new capability or capacity of a Microsoft product or service that is (i) contextually relevant to the product or service in which it appears; (ii) likely to result in additional future revenue for Microsoft from end user; and (iii) Microsoft receives no consideration for placement.
 
 ### Promote
 
@@ -508,7 +508,7 @@ Use of the specified data categories to promote a product or service in or on a
 
 ### Data identification qualifiers
 
-Here are the list of data identification qualifiers and the ISO/IEC 19944:2017 reference:
+Here are the data identification qualifiers and the ISO/IEC 19944:2017 reference:
 
 - **Pseudonymized Data** 8.3.3 Pseudonymized data. Microsoft usage notes are as defined.
 - **Anonymized Data** 8.3.5 Anonymized data. Microsoft usage notes are as defined.
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index ab00e42eba..1998bdf279 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -33,6 +33,7 @@
     "externalReference": [],
     "globalMetadata": {
       "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
+      "uhfHeaderId": "MSDocsHeader-M365-IT",
       "ms.topic": "article",
       "manager": "dansimp",
       "audience": "ITPro",
diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md
index 61198672fc..5e7db538d0 100644
--- a/windows/security/identity-protection/access-control/active-directory-security-groups.md
+++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md
@@ -3368,9 +3368,9 @@ This security group has not changed since Windows Server 2008.
 
 ### Server Operators
 
-Members in the Server Operators group can administer domain servers. This group exists only on domain controllers. By default, the group has no members. Members of the Server Operators group can sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. This group cannot be renamed, deleted, or moved.
+Members in the Server Operators group can administer domain controllers. This group exists only on domain controllers. By default, the group has no members. Members of the Server Operators group can sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. This group cannot be renamed, deleted, or moved.
 
-By default, this built-in group has no members, and it has access to server configuration options on domain controllers. Its membership is controlled by the service administrator groups, Administrators and Domain Admins, in the domain, and the Enterprise Admins group. Members in this group cannot change any administrative group memberships. This is considered a service administrator account because its members have physical access to domain controllers, they can perform maintenance tasks (such as backup and restore), and they have the ability to change binaries that are installed on the domain controllers. Note the default user rights in the following table.
+By default, this built-in group has no members, and it has access to server configuration options on domain controllers. Its membership is controlled by the service administrator groups Administrators and Domain Admins in the domain, and the Enterprise Admins group in the forest root domain. Members in this group cannot change any administrative group memberships. This is considered a service administrator account because its members have physical access to domain controllers, they can perform maintenance tasks (such as backup and restore), and they have the ability to change binaries that are installed on the domain controllers. Note the default user rights in the following table.
 
 The Server Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
 
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index 742dd80951..1d0b90717a 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -160,7 +160,7 @@ You can view System Information to check that Windows Defender Credential Guard
 
 2.  Click **System Summary**.
 
-3.  Confirm that **Credential Guard** is shown next to **Virtualization-based security Services Configured**.
+3.  Confirm that **Credential Guard** is shown next to **Virtualization-based security Services Running**.
 
     Here's an example:
 
diff --git a/windows/security/identity-protection/credential-guard/images/credguard-msinfo32.png b/windows/security/identity-protection/credential-guard/images/credguard-msinfo32.png
index d9af0e8fc4..46f838c8d2 100644
Binary files a/windows/security/identity-protection/credential-guard/images/credguard-msinfo32.png and b/windows/security/identity-protection/credential-guard/images/credguard-msinfo32.png differ
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
index 73e002c7c2..5a790c046a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
@@ -57,9 +57,6 @@ The remainder of the provisioning includes Windows Hello for Business requesting
 > **This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources.
 > Read [Azure AD Connect sync: Scheduler](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization.
 
-> [!NOTE]
-> Microsoft is actively investigating ways to reduce the synchronization latency and delays.  
-
 

      
 
 
      
diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
index 4bf706bbbc..824c20a5f1 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
@@ -26,9 +26,9 @@ Debugging and tracing smart card issues requires a variety of tools and approach
 
 -   [Certutil](#certutil)
 
--   [Debugging and tracing using WPP](#debugging-and-tracing-using-wpp)
+-   [Debugging and tracing using Windows software trace preprocessor (WPP)](#debugging-and-tracing-using-wpp)
 
--   [Kerberos protocol, KDC, and NTLM debugging and tracing](#kerberos-protocol-kdc-and-ntlm-debugging-and-tracing)
+-   [Kerberos protocol, Key Distribution Center (KDC), and NTLM debugging and tracing](#kerberos-protocol-kdc-and-ntlm-debugging-and-tracing)
 
 -   [Smart Card service](#smart-card-service)
 
@@ -42,22 +42,22 @@ For a complete description of Certutil including examples that show how to use i
 
 ### List certificates available on the smart card
 
-To list certificates that are available on the smart card, type certutil -scinfo.
+To list certificates that are available on the smart card, type `certutil -scinfo`.
 
 > [!NOTE]
 > Entering a PIN is not required for this operation. You can press ESC if you are prompted for a PIN.
 
 ### Delete certificates on the smart card
 
-Each certificate is enclosed in a container. When you delete a certificate on the smart card, you are deleting the container for the certificate.
+Each certificate is enclosed in a container. When you delete a certificate on the smart card, you're deleting the container for the certificate.
 
-To find the container value, type certutil -scinfo.
+To find the container value, type `certutil -scinfo`.
 
 To delete a container, type **certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider"** "<*ContainerValue*>".
 
 ## Debugging and tracing using WPP
 
-Windows software trace preprocessor (WPP) simplifies tracing the operation of the trace provider. It provides a mechanism for the trace provider to log real-time binary messages. Logged messages can be converted to a human-readable trace of the operation. For more information, see [Diagnostics with WPP - The NDIS blog](https://blogs.msdn.com/b/ndis/archive/2011/04/06/diagnostics-with-wpp.aspx).
+WPP simplifies tracing the operation of the trace provider. It provides a mechanism for the trace provider to log real-time binary messages. Logged messages can be converted to a human-readable trace of the operation. For more information, see [Diagnostics with WPP - The NDIS blog](https://blogs.msdn.com/b/ndis/archive/2011/04/06/diagnostics-with-wpp.aspx).
 
 ### Enable the trace
 
@@ -65,21 +65,21 @@ Using WPP, use one of the following commands to enable tracing:
 
 - **tracelog.exe -kd -rt -start** <*FriendlyName*> **-guid \#**<*GUID*> **-f .\\**<*LogFileName*>**.etl -flags** <*flags*> **-ft 1**
 
-- **logman start** <*FriendlyName*> **-ets -p {**<*GUID*>**} -**<*Flags*> **-ft 1 -rt -o .\\**<*LogFileName*>**.etl -mode 0x00080000*
+- **logman start** <*FriendlyName*> **-ets -p {**<*GUID*>**} -**<*Flags*> **-ft 1 -rt -o .\\**<*LogFileName*>**.etl -mode 0x00080000**
 
 You can use the parameters in the following table.
 
 | Friendly name | GUID           | Flags |
 |-------------------|--------------------------------------|-----------|
-| scardsvr          | 13038e47-ffec-425d-bc69-5707708075fe | 0xffff    |
-| winscard          | 3fce7c5f-fb3b-4bce-a9d8-55cc0ce1cf01 | 0xffff    |
-| basecsp           | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7       |
-| scksp             | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7       |
-| msclmd            | fb36caf4-582b-4604-8841-9263574c4f2c | 0x7       |
-| credprov          | dba0e0e0-505a-4ab6-aa3f-22f6f743b480 | 0xffff    |
-| certprop          | 30eae751-411f-414c-988b-a8bfa8913f49 | 0xffff    |
-| scfilter          | eed7f3c9-62ba-400e-a001-658869df9a91 | 0xffff    |
-| wudfusbccid       | a3c09ba3-2f62-4be5-a50f-8278a646ac9d | 0xffff    |
+| `scardsvr`          | 13038e47-ffec-425d-bc69-5707708075fe | 0xffff    |
+| `winscard`          | 3fce7c5f-fb3b-4bce-a9d8-55cc0ce1cf01 | 0xffff    |
+| `basecsp`           | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7       |
+| `scksp`             | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7       |
+| `msclmd`            | fb36caf4-582b-4604-8841-9263574c4f2c | 0x7       |
+| `credprov`          | dba0e0e0-505a-4ab6-aa3f-22f6f743b480 | 0xffff    |
+| `certprop`          | 30eae751-411f-414c-988b-a8bfa8913f49 | 0xffff    |
+| `scfilter`          | eed7f3c9-62ba-400e-a001-658869df9a91 | 0xffff    |
+| `wudfusbccid`       | a3c09ba3-2f62-4be5-a50f-8278a646ac9d | 0xffff    |
 
 Examples
 
@@ -109,7 +109,7 @@ To stop a trace:
 
 -   **logman -stop scardsvr -ets**
 
-## Kerberos protocol, KDC and NTLM debugging and tracing
+## Kerberos protocol, KDC, and NTLM debugging and tracing
 
 
 
@@ -119,11 +119,11 @@ You can use these resources to troubleshoot these protocols and the KDC:
 
 -   [Windows Driver Kit (WDK) and Debugging Tools for Windows (WinDbg)](https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit).  You can use the trace log tool in this SDK to debug Kerberos authentication failures.
 
-To begin tracing, you can use Tracelog. Different components use different control GUIDs as explained in these examples. For more information, see [Tracelog](https://msdn.microsoft.com/library/windows/hardware/ff552994.aspx).
+To begin tracing, you can use `Tracelog`. Different components use different control GUIDs as explained in these examples. For more information, see [`Tracelog`](https://msdn.microsoft.com/library/windows/hardware/ff552994.aspx).
 
 ### NTLM
 
-To enable tracing for NTLM authentication, run the following at the command line:
+To enable tracing for NTLM authentication, run the following command on the command line:
 
  - **tracelog.exe -kd -rt -start ntlm -guid \#5BBB6C18-AA45-49b1-A15F-085F7ED0AA90 -f .\\ntlm.etl -flags 0x15003 -ft 1**
 
@@ -143,11 +143,11 @@ To stop tracing for Kerberos authentication, run this command:
 
 ### KDC
 
-To enable tracing for the Key Distribution Center (KDC), run the following at the command line:
+To enable tracing for the KDC, run the following command on the command line:
 
  - **tracelog.exe -kd -rt -start kdc -guid \#1BBA8B19-7F31-43c0-9643-6E911F79A06B -f .\\kdc.etl -flags 0x803 -ft 1**
 
-To stop tracing for the KDC, run the following at the command line:
+To stop tracing for the KDC, run the following command on the command line:
 
  - **tracelog.exe -stop kdc**
 
@@ -166,7 +166,7 @@ You can also configure tracing by editing the Kerberos registry values shown in
 | Kerberos    | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos
      Value name: LogToFile
      Value type: DWORD
      Value data: 00000001

      HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters
      Value name: KerbDebugLevel
      Value type: DWORD
      Value data: c0000043

      HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters
      Value name: LogToFile
      Value type: DWORD
      Value data: 00000001 |
 | KDC         | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Kdc
      Value name: KdcDebugLevel
      Value type: DWORD
      Value data: c0000803                  |
 
-If you used Tracelog, look for the following log file in your current directory: kerb.etl/kdc.etl/ntlm.etl.
+If you used `Tracelog`, look for the following log file in your current directory: kerb.etl/kdc.etl/ntlm.etl.
 
 If you used the registry key settings shown in the previous table, look for the trace log files in the following locations:
 
@@ -176,7 +176,7 @@ If you used the registry key settings shown in the previous table, look for the
 
 -   KDC: %systemroot%\\tracing\\kdcsvc 
 
-To decode event trace files, you can use Tracefmt (tracefmt.exe). Tracefmt is a command-line tool that formats and displays trace messages from an event trace log file (.etl) or a real-time trace session. Tracefmt can display the messages in the Command Prompt window or save them in a text file. It is located in the \\tools\\tracing subdirectory of the Windows Driver Kit (WDK). For more information, see [Tracefmt](https://msdn.microsoft.com/library/ff552974.aspx).
+To decode event trace files, you can use `Tracefmt` (tracefmt.exe). `Tracefmt` is a command-line tool that formats and displays trace messages from an event trace log file (.etl) or a real-time trace session. `Tracefmt` can display the messages in the Command Prompt window or save them in a text file. It is located in the \\tools\\tracing subdirectory of the Windows Driver Kit (WDK). For more information, see [`Tracefmt`](https://msdn.microsoft.com/library/ff552974.aspx).
 
 ## Smart Card service
 
@@ -184,11 +184,11 @@ The smart card resource manager service runs in the context of a local service.
 
 **To check if Smart Card service is running**
 
-1.  Press CTRL+ALT+DEL, and then click **Start Task Manager**.
+1.  Press CTRL+ALT+DEL, and then select **Start Task Manager**.
 
-2.  In the **Windows Task Manager** dialog box, click the **Services** tab.
+2.  In the **Windows Task Manager** dialog box, select the **Services** tab.
 
-3.  Click the **Name** column to sort the list alphabetically, and then type **s**.
+3.  Select the **Name** column to sort the list alphabetically, and then type **s**.
 
 4.  In the **Name** column, look for **SCardSvr**, and then look under the **Status** column to see if the service is running or stopped.
 
@@ -196,15 +196,15 @@ The smart card resource manager service runs in the context of a local service.
 
 1.  Run as administrator at the command prompt.
 
-2.  If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
+2.  If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
 
-3.  At the command prompt, type **net stop SCardSvr**.
+3.  At the command prompt, type `net stop SCardSvr`.
 
-4.  At the command prompt, type **net start SCardSvr**.
+4.  At the command prompt, type `net start SCardSvr`.
 
-You can use the following command at the command prompt to check whether the service is running: **sc queryex scardsvr**.
+You can use the following command at the command prompt to check whether the service is running: `sc queryex scardsvr`.
 
-This is an example output from this command:
+The following code sample is an example output from this command:
 
 ```console
 SERVICE_NAME: scardsvr
@@ -228,14 +228,14 @@ As with any device connected to a computer, Device Manager can be used to view p
 
 1.  Navigate to **Computer**.
 
-2.  Right-click **Computer**, and then click **Properties**.
+2.  Right-click **Computer**, and then select **Properties**.
 
-3.  Under **Tasks**, click **Device Manager**.
+3.  Under **Tasks**, select **Device Manager**.
 
-4.  In Device Manager, expand **Smart card readers**, select the name of the smart card reader you want to check, and then click **Properties**.
+4.  In Device Manager, expand **Smart card readers**, select the name of the smart card reader you want to check, and then select **Properties**.
 
 > [!NOTE]
-> If the smart card reader is not listed in Device Manager, in the **Action** menu, click **Scan for hardware changes**.
+> If the smart card reader is not listed in Device Manager, in the **Action** menu, select **Scan for hardware changes**.
 
 ## CryptoAPI 2.0 Diagnostics
 
diff --git a/windows/security/identity-protection/vpn/images/vpn-connection-intune.png b/windows/security/identity-protection/vpn/images/vpn-connection-intune.png
index bf551eabb7..8098b3445e 100644
Binary files a/windows/security/identity-protection/vpn/images/vpn-connection-intune.png and b/windows/security/identity-protection/vpn/images/vpn-connection-intune.png differ
diff --git a/windows/security/identity-protection/vpn/images/vpn-custom-xml-intune.png b/windows/security/identity-protection/vpn/images/vpn-custom-xml-intune.png
index 94cbb2c5cb..c6437e95d1 100644
Binary files a/windows/security/identity-protection/vpn/images/vpn-custom-xml-intune.png and b/windows/security/identity-protection/vpn/images/vpn-custom-xml-intune.png differ
diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md
index fc09e68a62..9aee353de2 100644
--- a/windows/security/identity-protection/vpn/vpn-conditional-access.md
+++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md
@@ -74,10 +74,12 @@ Two client-side configuration service providers are leveraged for VPN device com
    - Collects TPM data used to verify health states
    - Forwards the data to the Health Attestation Service (HAS)
    - Provisions the Health Attestation Certificate received from the HAS
-   - Upon request, forwards the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification
+   - Upon request, forward the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification
    
 > [!NOTE]
-> Currently, it is required that certificates used for obtaining Kerberos tickets must be issued from an on-premises CA, and that SSO must be enabled in the user’s VPN profile. This will enable the user to access on-premises resources. 
+> Currently, it is required that certificates used for obtaining Kerberos tickets must be issued from an on-premises CA, and that SSO must be enabled in the user’s VPN profile. This will enable the user to access on-premises resources.
+> 
+> In the case of AzureAD-only joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has the user UPN from AzureAD in Subject and SAN (Subject Alternative Name), the VPN profile must be modified to ensure that the client does not cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the *Rasphone.pbk* on the client by changing the entry **UseRasCredentials** from 1 (default) to 0 (zero).
 
 ## Client connection flow
 
diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md
index 92c4d2b8c5..d825487b05 100644
--- a/windows/security/identity-protection/vpn/vpn-connection-type.md
+++ b/windows/security/identity-protection/vpn/vpn-connection-type.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 ms.pagetype: security, networking
 author: dulcemontemayor
 ms.localizationpriority: medium
-ms.date: 07/27/2017
+ms.date: 11/13/2020
 ms.reviewer: 
 manager: dansimp
 ms.author: dansimp
@@ -61,11 +61,11 @@ There are a number of Universal Windows Platform VPN applications, such as Pulse
 
 See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration. 
 
-The following image shows connection options in a VPN Profile configuration policy using Microsoft Intune.
+The following image shows connection options in a VPN Profile configuration policy using Microsoft Intune:
 
 ![Available connection types](images/vpn-connection-intune.png)
      
-In Intune, you can also include custom XML for third-party plug-in profiles.
+In Intune, you can also include custom XML for third-party plug-in profiles:
 
 ![Custom XML](images/vpn-custom-xml-intune.png)
 
diff --git a/windows/security/identity-protection/vpn/vpn-guide.md b/windows/security/identity-protection/vpn/vpn-guide.md
index cb543ad1cd..ae26cfc95a 100644
--- a/windows/security/identity-protection/vpn/vpn-guide.md
+++ b/windows/security/identity-protection/vpn/vpn-guide.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 author: dulcemontemayor
 ms.localizationpriority: medium
-ms.date: 07/27/2017
+ms.date: 11/13/2020
 ms.reviewer: 
 manager: dansimp
 ms.author: dansimp
@@ -20,12 +20,12 @@ ms.author: dansimp
 - Windows 10
 - Windows 10 Mobile
 
-This guide will walk you through the decisions you will make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10.
+This guide will walk you through the decisions you will make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-csp) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10.
 
-![Intune VPN policy template](images/vpn-intune-policy.png)
+To create a Windows 10 VPN device configuration profile see: [Windows 10 and Windows Holographic device settings to add VPN connections using Intune](https://docs.microsoft.com/mem/intune/configuration/vpn-settings-windows-10).
 
->[!NOTE]
->This guide does not explain server deployment.  
+> [!NOTE]
+> This guide does not explain server deployment.
 
 ## In this guide
 
@@ -43,7 +43,5 @@ This guide will walk you through the decisions you will make for Windows 10 clie
 
 ## Learn more
 
-- [VPN connections in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/vpn-connections-in-microsoft-intune)
-
-
+- [Create VPN profiles to connect to VPN servers in Intune](https://docs.microsoft.com/mem/intune/configuration/vpn-settings-configure)
 
diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md
index 19df534358..077c2d4c8f 100644
--- a/windows/security/identity-protection/vpn/vpn-profile-options.md
+++ b/windows/security/identity-protection/vpn/vpn-profile-options.md
@@ -34,7 +34,6 @@ The following table lists the VPN settings and whether the setting can be config
 | Routing: forced-tunnel | yes |
 | Authentication (EAP) | yes, if connection type is built-in |
 | Conditional access | yes |
-| Proxy settings | yes, by PAC/WPAD file or server and port |
 | Name resolution: NRPT | yes |
 | Name resolution: DNS suffix | no |
 | Name resolution: persistent | no |
@@ -45,6 +44,10 @@ The following table lists the VPN settings and whether the setting can be config
 | LockDown | no |
 | Windows Information Protection (WIP) | yes |
 | Traffic filters | yes |
+| Proxy settings | yes, by PAC/WPAD file or server and port |
+
+> [!NOTE] 
+> VPN proxy settings are only used on Force Tunnel Connections. On Split Tunnel Connections, the general proxy settings are used.
 
 The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN profile as a single blob. This is particularly useful for deploying profiles with features that are not yet supported by MDMs. You can get additional examples in the [ProfileXML XSD](https://msdn.microsoft.com/library/windows/hardware/mt755930.aspx) topic.
 
@@ -316,7 +319,7 @@ After you configure the settings that you want using ProfileXML, you can apply i
 
 ## Learn more
 
-- [Learn how to configure VPN connections in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/vpn-connections-in-microsoft-intune)
+- [Create VPN profiles to connect to VPN servers in Intune](https://docs.microsoft.com/mem/intune/configuration/vpn-settings-configure)
 - [VPNv2 configuration service provider (CSP) reference](https://go.microsoft.com/fwlink/p/?LinkId=617588)
 - [How to Create VPN Profiles in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=618028)
 
diff --git a/windows/security/includes/machineactionsnote.md b/windows/security/includes/machineactionsnote.md
index 246c89eb92..542eec5756 100644
--- a/windows/security/includes/machineactionsnote.md
+++ b/windows/security/includes/machineactionsnote.md
@@ -1,6 +1,6 @@
 ---
-title: Perform a Machine Action via the Microsoft Defender ATP API
-description: This page focuses on performing a machine action via the Microsoft Defender Advanced Threat Protection (MDATP) API.
+title: Perform a Machine Action via the Microsoft Defender for Endpoint API
+description: This page focuses on performing a machine action via the Microsoft Defender for Endpoint API.
 ms.date: 08/28/2017
 ms.reviewer: 
 manager: dansimp
@@ -10,4 +10,4 @@ ms.prod: w10
 ---
 
 >[!Note]
-> This page focuses on performing a machine action via API. See [take response actions on a machine](../threat-protection/microsoft-defender-atp/respond-machine-alerts.md) for more information about response actions functionality via Microsoft Defender ATP.
+> This page focuses on performing a machine action via API. See [take response actions on a machine](../threat-protection/microsoft-defender-atp/respond-machine-alerts.md) for more information about response actions functionality via Microsoft Defender for Endpoint.
diff --git a/windows/security/includes/prerelease.md b/windows/security/includes/prerelease.md
index a83544340f..a008aa45d7 100644
--- a/windows/security/includes/prerelease.md
+++ b/windows/security/includes/prerelease.md
@@ -1,6 +1,6 @@
 ---
-title: Microsoft Defender ATP Pre-release Disclaimer
-description: Disclaimer for pre-release version of Microsoft Defender ATP.
+title: Microsoft Defender for Endpoint Pre-release Disclaimer
+description: Disclaimer for pre-release version of Microsoft Defender for Endpoint.
 ms.date: 08/28/2017
 ms.reviewer: 
 manager: dansimp
diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md
index d6bad09f03..c248a61b46 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md
@@ -29,16 +29,16 @@ ms.custom: bitlocker
 Stored information | Description
 -------------------|------------
 Hash of the TPM owner password | Beginning with Windows 10, the password hash is not stored in AD DS by default. The password hash can be stored only if the TPM is owned and the ownership was taken by using components of Windows 8.1 or earlier, such as the BitLocker Setup Wizard or the TPM snap-in.
-BitLocker recovery password | The recovery password allows you to unlock and access the drive in the event of a recovery incident. Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer. For more information about this tool, see [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md).
-BitLocker key package | The key package helps to repair damage to the hard disk that would otherwise prevent standard recovery. Using the key package for recovery requires the BitLocker Repair Tool, Repair-bde. 
+BitLocker recovery password | The recovery password allows you to unlock and access the drive after a recovery incident. Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer. For more information about this tool, see [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md).
+BitLocker key package | The key package helps to repair damage to the hard disk that would otherwise prevent standard recovery. Using the key package for recovery requires the BitLocker Repair Tool, `Repair-bde`. 
 
 ## What if BitLocker is enabled on a computer before the computer has joined the domain?
 
-If BitLocker is enabled on a drive before Group Policy has been applied to enforce backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, you can use the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered** and **Choose how BitLocker-protected removable drives can be recovered** Group Policy settings to require that the computer be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS.
+If BitLocker is enabled on a drive before Group Policy has been applied to enforce a backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, you can use the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered**, and **Choose how BitLocker-protected removable drives can be recovered** Group Policy settings to require the computer to be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS.
 
 For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
 
-The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The manage-bde command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, you would use the following command script from an elevated command prompt:
+The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The `manage-bde` command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, you would use the following command script from an elevated command prompt:
 
 ```PowerShell
 $BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
@@ -61,13 +61,13 @@ Ultimately, determining whether a legitimate backup exists in AD DS requires qu
 
 No. By design, BitLocker recovery password entries do not get deleted from AD DS; therefore, you might see multiple passwords for each drive. To identify the latest password, check the date on the object.
 
-## What happens if the backup initially fails? Will BitLocker retry the backup?
+## What happens if the backup initially fails? Will BitLocker retry it?
 
 If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker does not try again to back up the recovery information to AD DS.
 
-When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, **Choose how BitLocker-protected removable data drives can be recovered** policy settings, this prevents users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker cannot be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization.
+When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, and **Choose how BitLocker-protected removable data drives can be recovered** policy settings, users can't enable BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker cannot be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization.
 
 For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
 
-When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a script for the backup, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain) to capture the information after connectivity is restored.
+When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a backup script, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain) to capture the information after connectivity is restored.
 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
index dc0d879c78..8ad995065c 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
@@ -1,6 +1,6 @@
 ---
 title: BitLocker basic deployment (Windows 10)
-description: This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
+description: This article for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
 ms.assetid: 97c646cb-9e53-4236-9678-354af41151c4
 ms.reviewer: 
 ms.prod: w10
@@ -24,7 +24,7 @@ ms.custom: bitlocker
 
 -   Windows 10
 
-This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
+This article for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
 
 ## Using BitLocker to encrypt volumes
 
@@ -39,12 +39,12 @@ BitLocker encryption can be done using the following methods:
 
 -   BitLocker control panel
 -   Windows Explorer
--   manage-bde command line interface
+-   manage-bde command-line interface
 -   BitLocker Windows PowerShell cmdlets
 
 ### Encrypting volumes using the BitLocker control panel
 
-Encrypting volumes with the BitLocker control panel (click **Start**, type **bitlocker**, click **Manage BitLocker**) is how many users will utilize BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet.
+Encrypting volumes with the BitLocker control panel (select **Start**, type *bitlocker*, select **Manage BitLocker**) is how many users will utilize BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet.
 To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the BitLocker Drive Encryption Wizard. BitLocker Drive Encryption Wizard options vary based on volume type (operating system volume or data volume).
 
 ### Operating system volume
@@ -54,7 +54,7 @@ Upon launch, the BitLocker Drive Encryption Wizard verifies the computer meets t
 |Requirement|Description|
 |--- |--- |
 |Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.|
-|Operating system|BitLocker is an optional feature which can be installed by Server Manager on Windows Server 2012 and later.|
+|Operating system|BitLocker is an optional feature that can be installed by Server Manager on Windows Server 2012 and later.|
 |Hardware TPM|TPM version 1.2 or 2.0. 
       A TPM is not required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.|
 |BIOS configuration|
    •  A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.
      •  
    •  The boot order must be set to start first from the hard disk, and not the USB or CD drives.
      •   
    •  The firmware must be able to read from a USB flash drive during startup.
      • |
 |File system|For computers that boot natively with UEFI firmware, at least one FAT32 partition for the system drive and one NTFS partition for the operating system drive. 
       For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive. 
       For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.|
@@ -75,11 +75,11 @@ It is recommended that drives with little to no data utilize the **used disk spa
 > [!NOTE]
 > Deleted files appear as free space to the file system, which is not encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools.
 
-Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. It is recommended to run this system check before starting the encryption process. If the system check is not run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows.
+Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. We recommend running this system check before starting the encryption process. If the system check is not run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows.
 
 After completing the system check (if selected), the BitLocker Drive Encryption Wizard will restart the computer to begin encryption. Upon reboot, users are required to enter the password chosen to boot into the operating system volume. Users can check encryption status by checking the system notification area or the BitLocker control panel.
 
-Until encryption is completed, the only available options for managing BitLocker involve manipulation of the password protecting the operating system volume, backing up the recovery key, and turning BitLocker off.
+Until encryption is completed, the only available options for managing BitLocker involve manipulation of the password protecting the operating system volume, backing up the recovery key, and turning off BitLocker.
 
 ### Data volume
 
@@ -97,12 +97,12 @@ Encryption status displays in the notification area or within the BitLocker cont
 
 There is a new option for storing the BitLocker recovery key using the OneDrive. This option requires that computers are not members of a domain and that the user is using a Microsoft Account. Local accounts do not give the option to utilize OneDrive. Using the OneDrive option is the default, recommended recovery key storage method for computers that are not joined to a domain.
 
-Users can verify the recovery key was saved properly by checking their OneDrive for the BitLocker folder which is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive,
+Users can verify the recovery key was saved properly by checking their OneDrive for the BitLocker folder that is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive,
 they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name.
 
 ### Using BitLocker within Windows Explorer
 
-Windows Explorer allows users to launch the BitLocker Drive Encryption wizard by right clicking on a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, you must first install the BitLocker and Desktop-Experience features for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLocker control panel.
+Windows Explorer allows users to launch the BitLocker Drive Encryption wizard by right-clicking a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, you must first install the BitLocker and Desktop-Experience features for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLocker control panel.
 
 ## Down-level compatibility
 
@@ -118,13 +118,13 @@ Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Window
 |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A|
 |Partially encrypted volume from Windows 7|Windows 10 and Windows 8.1 will complete encryption regardless of policy|Windows 8 will complete encryption regardless of policy|N/A|
 
-## Encrypting volumes using the manage-bde command line interface
+## Encrypting volumes using the manage-bde command-line interface
 
 Manage-bde is a command-line utility that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
 
-Manage-bde offers a multitude of wider options for configuring BitLocker. This means that using the command syntax may require care and possibly later customization by the user. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected.
+Manage-bde offers a multitude of wider options for configuring BitLocker. So using the command syntax may require care and possibly later customization by the user. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected.
 
-Command line users need to determine the appropriate syntax for a given situation. The following section covers general encryption for operating system volumes and data volumes.
+Command-line users need to determine the appropriate syntax for a given situation. The following section covers general encryption for operating system volumes and data volumes.
 
 ### Operating system volume
 
@@ -136,7 +136,7 @@ A good practice when using manage-bde is to determine the volume status on the t
 
 `manage-bde -status`
 
-This command returns the volumes on the target, current encryption status and volume type (operating system or data) for each volume. Using this information, users can determine the best encryption method for their environment.
+This command returns the volumes on the target, current encryption status, and volume type (operating system or data) for each volume. Using this information, users can determine the best encryption method for their environment.
 
 **Enabling BitLocker without a TPM**
 
@@ -149,29 +149,29 @@ manage-bde -on C:
 
 **Enabling BitLocker with a TPM only**
 
-It is possible to encrypt the operating system volume without any defined protectors using manage-bde. The command to do this is:
+It is possible to encrypt the operating system volume without any defined protectors by using manage-bde. Use this command:
 
 `manage-bde -on C:`
 
-This will encrypt the drive using the TPM as the protector. If a user is unsure of the protector for a volume, they can use the -protectors option in manage-bde to list this information with the command:
+This command will encrypt the drive using the TPM as the protector. If a user is unsure of the protector for a volume, they can use the -protectors option in manage-bde to list this information with the command:
 
 `manage-bde -protectors -get `
 
 **Provisioning BitLocker with two protectors**
 
-Another example is a user on non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. This is done with the command:
+Another example is a user on non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. Use this command:
 
 `manage-bde -protectors -add C: -pw -sid `
 
-This command will require the user to enter and then confirm the password protector before adding them to the volume. With the protectors enabled on the volume, the user just needs to turn BitLocker on.
+This command will require the user to enter and then confirm the password protector before adding them to the volume. With the protectors enabled on the volume, the user just needs to turn on BitLocker.
 
 ### Data volume
 
-Data volumes use the same syntax for encryption as operating system volumes but they do not require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on ` or users can choose to add protectors to the volume. It is recommended that at least one primary protector and a recovery protector be added to a data volume.
+Data volumes use the same syntax for encryption as operating system volumes but they do not require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on ` or users can choose to add protectors to the volume. We recommend that you add at least one primary protector and a recovery protector to a data volume.
 
 **Enabling BitLocker with a password**
 
-A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn BitLocker on.
+A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn on BitLocker.
 
 ```powershell
 manage-bde -protectors -add -pw C:
@@ -322,7 +322,7 @@ Occasionally, all protectors may not be shown when using **Get-BitLockerVolume**
 Get-BitLockerVolume C: | fl
 ```
 
-If you wanted to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed.
+If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this task requires the GUID associated with the protector to be removed.
 A simple script can pipe the values of each **Get-BitLockerVolume** return out to another variable as seen below:
 
 ```powershell
@@ -330,7 +330,7 @@ $vol = Get-BitLockerVolume
 $keyprotectors = $vol.KeyProtector
 ```
 
-Using this, we can display the information in the **$keyprotectors** variable to determine the GUID for each protector.
+Using this script, we can display the information in the **$keyprotectors** variable to determine the GUID for each protector.
 Using this information, we can then remove the key protector for a specific volume using the command:
 
 ```powershell
@@ -343,7 +343,8 @@ Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}"
 ### Operating system volume
 
 Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users a lot of flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them using the BitLocker cmdlets for Windows PowerShell.
-To enable BitLocker with just the TPM protector. This can be done using the command:
+
+To enable BitLocker with just the TPM protector, use this command:
 
 ```powershell
 Enable-BitLocker C:
@@ -357,7 +358,7 @@ Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath  -SkipHardwareTes
 
 ### Data volume
 
-Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user defined password. Last, encryption begins.
+Data volume encryption using Windows PowerShell is the same as for operating system volumes. Add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user-defined password. Last, encryption begins.
 
 ```powershell
 $pw = Read-Host -AsSecureString
@@ -365,14 +366,14 @@ $pw = Read-Host -AsSecureString
 Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw
 ```
 
-### Using a SID based protector in Windows PowerShell
+### Using a SID-based protector in Windows PowerShell
 
-The ADAccountOrGroup protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and be unlocked to any member computer of the cluster.
+The ADAccountOrGroup protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over and be unlocked to any member computer of the cluster.
 
 > [!WARNING]
 > The SID-based protector requires the use of an additional protector (such as TPM, PIN, recovery key, etc.) when used on operating system volumes.
 
-To add an ADAccountOrGroup protector to a volume requires either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G.
+To add an ADAccountOrGroup protector to a volume, you need either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G.
 
 ```powershell
 Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator
@@ -389,7 +390,7 @@ Get-ADUser -filter {samaccountname -eq "administrator"}
 >
 > **Tip:**  In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features.
 
-In the example below, the user wishes to add a domain SID based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command:
+In the example below, the user wishes to add a domain SID-based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command:
 
 ```powershell
 Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup ""
@@ -400,7 +401,7 @@ Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "
 
 ##  Checking BitLocker status
 
-To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, manage-bde command line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We will look at each of the available methods in the following section.
+To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, manage-bde command-line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We will look at each of the available methods in the following section.
 
 ### Checking BitLocker status with the control panel
 
@@ -421,7 +422,7 @@ Once BitLocker protector activation is completed, the completion notice is displ
 
 ### Checking BitLocker status with manage-bde
 
-Administrators who prefer a command line interface can utilize manage-bde to check volume status. Manage-bde is capable of returning more information about the volume than the graphical user interface tools in the control panel. For example, manage-bde can display the BitLocker version in use, the encryption type, and the protectors associated with a volume.
+Administrators who prefer a command-line interface can utilize manage-bde to check volume status. Manage-bde is capable of returning more information about the volume than the graphical user interface tools in the control panel. For example, manage-bde can display the BitLocker version in use, the encryption type, and the protectors associated with a volume.
 
 To check the status of a volume using manage-bde, use the following command:
 
@@ -446,7 +447,7 @@ This command will display information about the encryption method, volume type,
 
 ### Provisioning BitLocker during operating system deployment
 
-Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation Environment. This is done with a randomly generated clear key protector applied to the formatted volume and encrypting the volume prior to running the Windows setup process. If the encryption uses the Used Disk Space Only option described later in this document, this step takes only a few seconds and incorporates well into regular deployment processes.
+Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation Environment. This task is done with a randomly generated clear key protector applied to the formatted volume and encrypting the volume prior to running the Windows setup process. If the encryption uses the Used Disk Space Only option described later in this document, this step takes only a few seconds and incorporates well into regular deployment processes.
 
 ### Decrypting BitLocker volumes
 
@@ -461,9 +462,9 @@ The control panel does not report decryption progress but displays it in the not
 
 Once decryption is complete, the drive will update its status in the control panel and is available for encryption.
 
-### Decrypting volumes using the manage-bde command line interface
+### Decrypting volumes using the manage-bde command-line interface
 
-Decrypting volumes using manage-bde is very straightforward. Decryption with manage-bde offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is:
+Decrypting volumes using manage-bde is straightforward. Decryption with manage-bde offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is:
 
 ```powershell
 manage-bde -off C:
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md
index ea8ab3bf7a..064a82cf8e 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md
@@ -37,7 +37,7 @@ Generally it imposes a single-digit percentage performance overhead.
 
 ## How long will initial encryption take when BitLocker is turned on?
 
-Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting very large drives, you may want to set encryption to occur during times when you will not be using the drive.
+Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting large drives, you may want to set encryption to occur during times when you will not be using the drive.
 
 You can also choose whether or not BitLocker should encrypt the entire drive or just the used space on the drive when you turn on BitLocker. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted.
 
@@ -82,11 +82,11 @@ The TPM is not involved in any recovery scenarios, so recovery is still possible
 
 ## What can prevent BitLocker from binding to PCR 7?
 
-This happens if a non-Windows OS booted prior to Windows, or if Secure Boot is not available to the device, either because it has been disabled or the hardware does not support it.
+BitLocker can be prevented from binding to PCR 7 if a non-Windows OS booted prior to Windows, or if Secure Boot is not available to the device, either because it has been disabled or the hardware does not support it.
 
 ## Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive?
 
-Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive, so if you want to prepare a backup operating system or data drive for use in case of disk failure, you need to make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts.
+Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive. So if you want to prepare a backup operating system or data drive in case a disk fails, make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts.
 
 ## Can I access my BitLocker-protected drive if I insert the hard disk into a different computer?
 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md
index 131a256f82..551b239d72 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md
@@ -62,7 +62,7 @@ A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant B
 The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment.
 
 > [!IMPORTANT]
-> From Windows 7, you can encrypt an OS drive without a TPM and USB flash drive. For this procedure, see [Tip of the Day: Bitlocker without TPM or USB](https://blogs.technet.microsoft.com/tip_of_the_day/2014/01/22/tip-of-the-day-bitlocker-without-tpm-or-usb/).
+> From Windows 7, you can encrypt an OS drive without a TPM and USB flash drive. For this procedure, see [Tip of the Day: Bitlocker without TPM or USB](https://social.technet.microsoft.com/Forums/en-US/eac2cc67-8442-42db-abad-2ed173879751/bitlocker-without-tpm?forum=win10itprosetup).
 
 > [!NOTE]
 > TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature.
@@ -74,6 +74,8 @@ The hard disk must be partitioned with at least two drives:
 -   The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system.
 -   The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker is not enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. We recommend that system drive be approximately 350 MB in size. After BitLocker is turned on it should have approximately 250 MB of free space.
 
+A fixed data volume or removable data volume cannot be marked as an active partition.
+
 When installed on a new computer, Windows will automatically create the partitions that are required for BitLocker.
 
 When installing the BitLocker optional component on a server you will also need to install the Enhanced Storage feature, which is used to support hardware encrypted drives.
@@ -98,4 +100,3 @@ When installing the BitLocker optional component on a server you will also need
 | [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic for IT pros describes how to protect CSVs and SANs with BitLocker.| 
 | [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/docs/securebootandbitlocker) | This topic covers how to use BitLocker with Windows 10 IoT Core |
 
-
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
index f31dcd8374..4f3681db63 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
@@ -1,6 +1,6 @@
 ---
 title: BitLocker recovery guide (Windows 10)
-description: This topic for IT professionals describes how to recover BitLocker keys from AD DS.
+description: This article for IT professionals describes how to recover BitLocker keys from AD DS.
 ms.assetid: d0f722e9-1773-40bf-8456-63ee7a95ea14
 ms.reviewer: 
 ms.prod: w10
@@ -24,7 +24,7 @@ ms.custom: bitlocker
 
 - Windows 10
 
-This topic for IT professionals describes how to recover BitLocker keys from AD DS.
+This article for IT professionals describes how to recover BitLocker keys from AD DS.
 
 Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. Creating a recovery model for BitLocker while you are planning your BitLocker deployment is recommended.
 
@@ -46,11 +46,11 @@ BitLocker recovery is the process by which you can restore access to a BitLocker
 
 The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive:
 
-- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/microsoft-intune)), to limit the number of failed password attempts before the device goes into Device Lockout.
+- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality, administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor. Or they can use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/microsoft-intune)), to limit the number of failed password attempts before the device goes into Device Lockout.
 - On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised.
 - Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD.
 - Failing to boot from a network drive before booting from the hard drive.
-- Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. This means that if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it is unlocked. Conversely, if a portable computer is not connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it is unlocked.
+- Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. So if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it is unlocked. Conversely, if a portable computer is not connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it is unlocked.
 - Changes to the NTFS partition table on the disk including creating, deleting, or resizing a primary partition.
 - Entering the personal identification number (PIN) incorrectly too many times so that the anti-hammering logic of the TPM is activated. Anti-hammering logic is software or hardware methods that increase the difficulty and cost of a brute force attack on a PIN by not accepting PIN entries until after a certain amount of time has passed.
 - Turning off the support for reading the USB device in the pre-boot environment from the BIOS or UEFI firmware if you are using USB-based keys instead of a TPM.
@@ -64,7 +64,7 @@ The following list provides examples of specific events that will cause BitLocke
 - Changes to the master boot record on the disk.
 - Changes to the boot manager on the disk.
 - Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM does not respond to commands from any software.
-- Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This can prevent the entry of enhanced PINs.
+- Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This problem can prevent the entry of enhanced PINs.
 - Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including **PCR\[1\]** would result in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot critical BIOS settings change.
 
     > [!NOTE]
@@ -93,25 +93,25 @@ For planned scenarios, such as a known hardware or firmware upgrades, you can av
 > [!NOTE]
 > If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool.
 
-If software maintenance requires the computer be restarted and you are using two-factor authentication, you can enable BitLocker Network Unlock to provide the secondary authentication factor when the computers do not have an on-premises user to provide the additional authentication method.
+If software maintenance requires the computer to be restarted and you are using two-factor authentication, you can enable BitLocker Network Unlock to provide the secondary authentication factor when the computers do not have an on-premises user to provide the additional authentication method.
 
 Recovery has been described within the context of unplanned or undesired behavior, but you can also cause recovery as an intended production scenario, in order to manage access control. For example, when you redeploy desktop or laptop computers to other departments or employees in your enterprise, you can force BitLocker into recovery before the computer is given to a new user.
 
 
 ## Testing recovery
 
-Before you create a thorough BitLocker recovery process, we recommend that you test how the recovery process works for both end users (people who call your helpdesk for the recovery password) and administrators (people who help the end user get the recovery password). The –forcerecovery command of manage-bde is an easy way for you to step through the recovery process before your users encounter a recovery situation.
+Before you create a thorough BitLocker recovery process, we recommend that you test how the recovery process works for both end users (people who call your helpdesk for the recovery password) and administrators (people who help the end user get the recovery password). The -forcerecovery command of manage-bde is an easy way for you to step through the recovery process before your users encounter a recovery situation.
 
 **To force a recovery for the local computer:**
 
-1. Click the **Start** button, type **cmd** in the **Start Search** box, right-click **cmd.exe**, and then click **Run as administrator**.
-2. At the command prompt, type the following command and then press ENTER:
+1. Select the **Start** button, type *cmd* in the **Start Search** box, right-click **cmd.exe**, and then select **Run as administrator**.
+2. At the command prompt, type the following command and then press **Enter**:
     `manage-bde -forcerecovery `
 
 
 **To force recovery for a remote computer:**
 
-1. On the Start screen, type **cmd.exe**, and then click **Run as administrator**.
+1. On the Start screen, type **cmd.exe**, and then select **Run as administrator**.
 2. At the command prompt, type the following command and then press ENTER:
     `manage-bde -ComputerName  -forcerecovery `
 
@@ -125,7 +125,7 @@ When planning the BitLocker recovery process, first consult your organization's
 
 Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker Administration and Monitoring](/microsoft-desktop-optimization-pack/mbam-v25/).
 
-After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. You must consider both self-recovery and recovery password retrieval methods for your organization.
+After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. Consider both self-recovery and recovery password retrieval methods for your organization.
 
 When you determine your recovery process, you should:
 
@@ -141,12 +141,12 @@ When you determine your recovery process, you should:
 
 ### Self-recovery
 
-In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. We recommend that your organization create a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users should be warned not to store the USB flash drive in the same place as the PC, especially during travel, for example if both the PC and the recovery items are in the same bag it would be very easy for access to be gained to the PC by an unauthorized user. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified.
+In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. We recommend that your organization create a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users should be warned not to store the USB flash drive in the same place as the PC, especially during travel, for example if both the PC and the recovery items are in the same bag, then it's easy for an unauthorized user to access the PC. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified.
 
 
 ### Recovery password retrieval
 
-If the user does not have a recovery password in a printout or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain the recovery password can be backed up to AD DS. However, this does not happen by default, you must have configured the appropriate Group Policy settings before BitLocker was enabled on the PC. BitLocker Group Policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used.
+If the user does not have a recovery password in a printout or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain, the recovery password can be backed up to AD DS. However, this does not happen by default. You must have configured the appropriate Group Policy settings before BitLocker was enabled on the PC. BitLocker Group Policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used.
 
 - **Choose how BitLocker-protected operating system drives can be recovered**
 - **Choose how BitLocker-protected fixed drives can be recovered**
@@ -176,7 +176,7 @@ You can use the name of the user's computer to locate the recovery password in A
 
 ### Verify the user's identity
 
-You should verify that the person that is asking for the recovery password is truly the authorized user of that computer. You may also wish to verify that the computer with the name the user provided belongs to the user.
+Verify that the person that is asking for the recovery password is truly the authorized user of that computer. You might also want to verify that the computer with the name the user provided belongs to the user.
 
 
 ### Locate the recovery password in AD DS
@@ -200,7 +200,7 @@ Before you give the user the recovery password, you should gather any informatio
 
 ### Give the user the recovery password
 
-Because the recovery password is 48 digits long the user may need to record the password by writing it down or typing it on a different computer. If you are using MBAM, the recovery password will be regenerated after it is recovered from the MBAM database to avoid the security risks associated with an uncontrolled password.
+Because the recovery password is 48 digits long, the user might need to record the password by writing it down or typing it on a different computer. If you are using MBAM, the recovery password will be regenerated after it is recovered from the MBAM database to avoid the security risks associated with an uncontrolled password.
 
 > [!NOTE]
 > Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors.
@@ -228,11 +228,11 @@ Review and answer the following questions for your organization:
 1. What BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which PCR profile is in use on the PC?
 2. Did the user merely forget the PIN or lose the startup key? If a token was lost, where might the token be?
 3. If TPM mode was in effect, was recovery caused by a boot file change?
-4. If recovery was caused by a boot file change, is this due to an intended user action (for example, BIOS upgrade), or to malicious software?
+4. If recovery was caused by a boot file change, was the change an intended user action (for example, BIOS upgrade), or was it caused by malicious software?
 5. When was the user last able to start the computer successfully, and what might have happened to the computer since then?
 6. Might the user have encountered malicious software or left the computer unattended since the last successful startup?
 
-To help you answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode (for example, **manage-bde -status**). Scan the event log to find events that help indicate why recovery was initiated (for example, if boot file change occurred). Both of these capabilities can be performed remotely.
+To help you answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode (for example, **manage-bde -status**). Scan the event log to find events that help indicate why recovery was initiated (for example, if the boot file changed). Both of these capabilities can be performed remotely.
 
 
 ### Resolve the root cause
@@ -257,9 +257,9 @@ If a user has forgotten the PIN, you must reset the PIN while you are logged on
 
 1. Unlock the computer using the recovery password.
 2. Reset the PIN:
-    1. Right-click the drive and then click **Change PIN**.
-    2. In the BitLocker Drive Encryption dialog, click **Reset a forgotten PIN**. If you are not logged in with an administrator account you must provide administrative credentials at this time.
-    3. In the PIN reset dialog, provide and confirm the new PIN to use and then click **Finish**.
+    1. Right-click the drive and then select **Change PIN**.
+    2. In the BitLocker Drive Encryption dialog, select **Reset a forgotten PIN**. If you are not logged in with an administrator account, provide administrative credentials at this time.
+    3. In the PIN reset dialog, provide and confirm the new PIN to use and then select **Finish**.
 3. You will use the new PIN the next time you unlock the drive.
 
 
@@ -271,17 +271,17 @@ If you have lost the USB flash drive that contains the startup key, then you mus
 
 1. Log on as an administrator to the computer that has the lost startup key.
 2. Open Manage BitLocker.
-3. Click **Duplicate start up key**, insert the clean USB drive on which you are going to write the key and then click **Save**.
+3. Select **Duplicate start up key**, insert the clean USB drive on which you are going to write the key and then select **Save**.
 
 
 ### Changes to boot files
 
-This error might occur if you updated the firmware. As a best practice you should suspend BitLocker before making changes to the firmware and then resume protection after the update has completed. This prevents the computer from going into recovery mode. However if changes were made when BitLocker protection was on you can simply log on to the computer using the recovery password and the platform validation profile will be updated so that recovery will not occur the next time.
+This error might occur if you updated the firmware. As a best practice, you should suspend BitLocker before making changes to the firmware and then resume protection after the update has completed. This action prevents the computer from going into recovery mode. However if changes were made when BitLocker protection was on, then log on to the computer using the recovery password, and the platform validation profile will be updated so that recovery will not occur the next time.
 
 
 ## Windows RE and BitLocker Device Encryption
 
-Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives.
+Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair can't run automatically from the PC and instead Windows RE is manually started from a repair disk, then the BitLocker recovery key must be provided to unlock the BitLocker–protected drives.
 
 
 ## BitLocker recovery screen
@@ -307,7 +307,7 @@ Example of customized recovery screen:
 
 ### BitLocker recovery key hints
 
-BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed in both the modern (blue) and legacy (black) recovery screen. This applies to both the boot manager recovery screen and the WinRE unlock screen.
+BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. This applies to both the boot manager recovery screen and the WinRE unlock screen.
 
 ![Customized BitLocker recovery screen](./images/bl-password-hint2.png)
 
@@ -337,7 +337,7 @@ There are rules governing which hint is shown during the recovery (in order of p
 |     Printed          |     No     |
 |     Saved to file    |     No     |
 
-**Result:** The hint for the Microsoft Account and custom URL are displayed.
+**Result:** The hint for the Microsoft Account and the custom URL are displayed.
 
 ![Example 1 of Customized BitLocker recovery screen](./images/rp-example1.PNG)
 
@@ -378,7 +378,7 @@ There are rules governing which hint is shown during the recovery (in order of p
 |----------------------|-----------------|
 |     Saved to Microsoft Account     |     No          |
 |     Saved to Azure AD     |     No          |
-|     Saved to Acive Directory      |     No          |
+|     Saved to Active Directory      |     No          |
 |     Printed          |     No          |
 |     Saved to file    |     Yes         |
 |     Creation time    |     **1PM**     |
@@ -444,17 +444,17 @@ If the recovery methods discussed earlier in this document do not unlock the vol
 > [!NOTE]
 > You must use the BitLocker Repair tool **repair-bde** to use the BitLocker key package.
 
-The BitLocker key package is not saved by default. To save the package along with the recovery password in AD DS you must select the **Backup recovery password and key package** option in the Group Policy settings that control the recovery method. You can also export the key package from a working volume. For more details on how to export key packages, see [Retrieving the BitLocker Key Package](#bkmk-appendixc).
+The BitLocker key package is not saved by default. To save the package along with the recovery password in AD DS, you must select the **Backup recovery password and key package** option in the Group Policy settings that control the recovery method. You can also export the key package from a working volume. For more details about how to export key packages, see [Retrieving the BitLocker Key Package](#bkmk-appendixc).
 
 
 ## Resetting recovery passwords
 
-You should invalidate a recovery password after it has been provided and used. It should also be done when you intentionally want to invalidate an existing recovery password for any reason.
+Invalidate a recovery password after it has been provided and used. It should also be done when you intentionally want to invalidate an existing recovery password for any reason.
 
 You can reset the recovery password in two ways:
 
-- **Use manage-bde** You can use manage-bde to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method.
-- **Run a script** You can run a script to reset the password without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords.
+- **Use manage-bde**: You can use manage-bde to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method.
+- **Run a script**: You can run a script to reset the password without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords.
 
 **To reset a recovery password using manage-bde:**
 
@@ -470,13 +470,13 @@ You can reset the recovery password in two ways:
     Manage-bde –protectors –add C: -RecoveryPassword
     ```
 
-3. Get the ID of the new recovery password. From the screen copy the ID of the recovery password.
+3. Get the ID of the new recovery password. From the screen, copy the ID of the recovery password.
 
     ```powershell
     Manage-bde –protectors –get C: -Type RecoveryPassword
     ```
 
-4. Backup the new recovery password to AD DS
+4. Back up the new recovery password to AD DS.
 
     ```powershell
     Manage-bde –protectors –adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692}
@@ -488,7 +488,7 @@ You can reset the recovery password in two ways:
 **To run the sample recovery password script:**
 
 1. Save the following sample script in a VBScript file. For example: ResetPassword.vbs.
-2. At the command prompt, type a command similar to the following:
+2. At the command prompt, type a command similar to the following sample script:
 
     **cscript ResetPassword.vbs**
 
@@ -576,15 +576,15 @@ WScript.Echo "A new recovery password has been added. Old passwords have been re
 
 You can use two methods to retrieve the key package, as described in [Using Additional Recovery Information](#bkmk-usingaddrecovery):
 
-- **Export a previously-saved key package from AD DS.** You must have Read access to BitLocker recovery passwords that are stored in AD DS.
+- **Export a previously saved key package from AD DS.** You must have Read access to BitLocker recovery passwords that are stored in AD DS.
 - **Export a new key package from an unlocked, BitLocker-protected volume.** You must have local administrator access to the working volume, before any damage has occurred.
 
-The following sample script exports all previously-saved key packages from AD DS.
+The following sample script exports all previously saved key packages from AD DS.
 
 **To run the sample key package retrieval script:**
 
 1.  Save the following sample script in a VBScript file. For example: GetBitLockerKeyPackageADDS.vbs.
-2.  At the command prompt, type a command similar to the following:
+2.  At the command prompt, type a command similar to the following sample script:
 
     **cscript GetBitLockerKeyPackageADDS.vbs -?**
 
@@ -733,7 +733,7 @@ The following sample script exports a new key package from an unlocked, encrypte
 **To run the sample key package retrieval script:**
 
 1. Save the following sample script in a VBScript file. For example: GetBitLockerKeyPackage.vbs
-2. Open an administrator command prompt, type a command similar to the following:
+2. Open an administrator command prompt, and then type a command similar to the following sample script:
 
     **cscript GetBitLockerKeyPackage.vbs  -?**
 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
index f06b11a197..9ed6f0f984 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
-ms.localizationpriority: #medium
+ms.localizationpriority: medium
 ms.author: v-maave
 author: martyav
 manager: dansimp
diff --git a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md
index c34ddf46f1..871f49b5a8 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md
@@ -1,6 +1,6 @@
 ---
 title: BitLocker To Go FAQ (Windows 10)
-description: Learn more about BitLocker To Go — BitLocker drive encryption for removable drives.
+description: "Learn more about BitLocker To Go: BitLocker drive encryption for removable drives."
 ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
 ms.reviewer: 
 ms.author: dansimp
@@ -25,7 +25,14 @@ ms.custom: bitlocker
 
 ## What is BitLocker To Go?
 
-BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems. Drive partitioning must meet the [BitLocker Drive Encryption Partitioning Requirements](https://docs.microsoft.com/windows-hardware/manufacture/desktop/bitlocker-drive-encryption#bitlocker-drive-encryption-partitioning-requirements).
+BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of: 
 
-As with BitLocker, drives that are encrypted using BitLocker To Go can be opened with a password or smart card on another computer by using **BitLocker Drive Encryption** in Control Panel. 
+- USB flash drives
+- SD cards
+- External hard disk drives
+- Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system. 
+ 
+Drive partitioning must meet the [BitLocker Drive Encryption Partitioning Requirements](https://docs.microsoft.com/windows-hardware/manufacture/desktop/bitlocker-drive-encryption#bitlocker-drive-encryption-partitioning-requirements).
+
+As with BitLocker, you can open drives that are encrypted by BitLocker To Go by using a password or smart card on another computer. In Control Panel, use **BitLocker Drive Encryption**. 
 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
index bf20c5efdd..793722ef06 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
@@ -1,6 +1,6 @@
 ---
 title: BitLocker Use BitLocker Drive Encryption Tools to manage BitLocker (Windows 10)
-description: This topic for the IT professional describes how to use tools to manage BitLocker.
+description: This article for the IT professional describes how to use tools to manage BitLocker.
 ms.assetid: e869db9c-e906-437b-8c70-741dd61b5ea6
 ms.reviewer: 
 ms.prod: w10
@@ -23,9 +23,9 @@ ms.custom: bitlocker
 **Applies to**
 -   Windows 10
 
-This topic for the IT professional describes how to use tools to manage BitLocker.
+This article for the IT professional describes how to use tools to manage BitLocker.
 
-BitLocker Drive Encryption Tools include the command line tools manage-bde and repair-bde and the BitLocker cmdlets for Windows PowerShell.
+BitLocker Drive Encryption Tools include the command-line tools manage-bde and repair-bde and the BitLocker cmdlets for Windows PowerShell.
 
 Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the BitLocker control panel and are appropriate to use for automated deployments and other scripting scenarios.
 
@@ -39,11 +39,11 @@ Repair-bde is a special circumstance tool that is provided for disaster recovery
 
 Manage-bde is a command-line tool that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the manage-bde options, see the [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx) command-line reference.
 
-Manage-bde includes less default settings and requires greater customization for configuring BitLocker. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. The following sections provide examples of common usage scenarios for manage-bde.
+Manage-bde includes fewer default settings and requires greater customization for configuring BitLocker. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. The following sections provide examples of common usage scenarios for manage-bde.
 
 ### Using manage-bde with operating system volumes
 
-Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde -on ` command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key. It is recommended that at least one primary protector and a recovery protector be added to an operating system volume.
+Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde -on ` command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key. We recommend that you add at least one primary protector and a recovery protector to an operating system volume.
 
 A good practice when using manage-bde is to determine the volume status on the target system. Use the following command to determine volume status:
 
@@ -54,7 +54,7 @@ This command returns the volumes on the target, current encryption status, encry
 
 ![Using manage-bde to check encryption status](images/manage-bde-status.png)
 
-The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process you must create the startup key needed for BitLocker and save it to the USB drive. When BitLocker is enabled for the operating system volume, the BitLocker will need to access the USB flash drive to obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to reboot to complete the encryption process.
+The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process, you must create the startup key needed for BitLocker and save it to the USB drive. When BitLocker is enabled for the operating system volume, the BitLocker will need to access the USB flash drive to obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to reboot to complete the encryption process.
 
 ```powershell
 manage-bde –protectors -add C: -startupkey E:
@@ -63,30 +63,30 @@ manage-bde -on C:
 
 >**Note:**  After the encryption is completed, the USB startup key must be inserted before the operating system can be started.
  
-An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, you would add the protectors first. This is done with the command:
+An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, you would add the protectors first. To add them, use this command:
 
 ```powershell
 manage-bde -protectors -add C: -pw -sid 
 ```
 
-This command will require you to enter and then confirm the password protector before adding them to the volume. With the protectors enabled on the volume, you can then turn BitLocker on.
+This command will require you to enter and then confirm the password protector before adding them to the volume. With the protectors enabled on the volume, you can then turn on BitLocker.
 
-On computers with a TPM it is possible to encrypt the operating system volume without any defined protectors using manage-bde. The command to do this is:
+On computers with a TPM, it is possible to encrypt the operating system volume without any defined protectors using manage-bde. Use this command:
 
 ```powershell
 manage-bde -on C:
 ```
 
-This will encrypt the drive using the TPM as the default protector. If you are not sure if a TPM protector is available, to list the protectors available for a volume, run the following command:
+This command encrypts the drive using the TPM as the default protector. If you are not sure if a TPM protector is available, to list the protectors available for a volume, run the following command:
 
 ```powershell
  manage-bde -protectors -get 
 ```
 ### Using manage-bde with data volumes
 
-Data volumes use the same syntax for encryption as operating system volumes but they do not require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on ` or you can choose to add additional protectors to the volume first. It is recommended that at least one primary protector and a recovery protector be added to a data volume.
+Data volumes use the same syntax for encryption as operating system volumes but they do not require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on ` or you can choose to add additional protectors to the volume first. We recommend that you add at least one primary protector and a recovery protector to a data volume.
 
-A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn BitLocker on.
+A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn on BitLocker.
 
 ```powershell
 manage-bde -protectors -add -pw C:
@@ -101,11 +101,11 @@ The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a
 
 >**Tip:**  If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume.
  
-The Repair-bde command-line tool is intended for use when the operating system does not start or when you cannot start the BitLocker Recovery Console. You should use Repair-bde if the following conditions are true:
+The Repair-bde command-line tool is intended for use when the operating system does not start or when you cannot start the BitLocker Recovery Console. Use Repair-bde if the following conditions are true:
 
-1.  You have encrypted the drive by using BitLocker Drive Encryption.
-2.  Windows does not start, or you cannot start the BitLocker recovery console.
-3.  You do not have a copy of the data that is contained on the encrypted drive.
+- You have encrypted the drive by using BitLocker Drive Encryption.
+- Windows does not start, or you cannot start the BitLocker recovery console.
+- You do not have a copy of the data that is contained on the encrypted drive.
 
 >**Note:**  Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers.
  
@@ -249,7 +249,7 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work
  
 Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets.
 A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the Get-BitLockerVolume cmdlet.
-The Get-BitLockerVolume cmdlet output gives information on the volume type, protectors, protection status and other details.
+The Get-BitLockerVolume cmdlet output gives information on the volume type, protectors, protection status, and other details.
 
 >**Tip:**  Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors.
 `Get-BitLockerVolume C: | fl`
@@ -263,9 +263,9 @@ $vol = Get-BitLockerVolume
 $keyprotectors = $vol.KeyProtector
 ```
 
-Using this, you can display the information in the $keyprotectors variable to determine the GUID for each protector.
+By using this script, you can display the information in the $keyprotectors variable to determine the GUID for each protector.
 
-Using this information, you can then remove the key protector for a specific volume using the command:
+By using this information, you can then remove the key protector for a specific volume using the command:
 
 ```powershell
 Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}"
@@ -291,8 +291,8 @@ Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath  -SkipHardwareTes
 
 ### Using the BitLocker Windows PowerShell cmdlets with data volumes
 
-Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a
-SecureString value to store the user defined password.
+Data volume encryption using Windows PowerShell is the same as for operating system volumes. Add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a
+SecureString value to store the user-defined password.
 
 ```powershell
 $pw = Read-Host -AsSecureString
@@ -301,11 +301,11 @@ Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw
 ```
 ### Using an AD Account or Group protector in Windows PowerShell
 
-The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover to and be unlocked by any member computer of the cluster.
+The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over to and be unlocked by any member computer of the cluster.
 
 >**Warning:**  The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes
  
-To add an **ADAccountOrGroup** protector to a volume requires either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G.
+To add an **ADAccountOrGroup** protector to a volume, use either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G.
 
 ```powershell
 Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator
diff --git a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md
index ac4286c885..e71fba3cbd 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md
@@ -37,7 +37,7 @@ BitLocker has a storage driver stack that ensures memory dumps are encrypted whe
 
 ## Can BitLocker support smart cards for pre-boot authentication?
 
-BitLocker does not support smart cards for pre-boot authentication. There is no single industry standard for smart card support in the firmware, and most computers either do not implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them very difficult.
+BitLocker does not support smart cards for pre-boot authentication. There is no single industry standard for smart card support in the firmware, and most computers either do not implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them difficult.
 
 ## Can I use a non-Microsoft TPM driver?
 
@@ -69,7 +69,7 @@ The **Save to USB** option is not shown by default for removable drives. If the
 
 ## Why am I unable to automatically unlock my drive?
 
-Automatic unlocking for fixed data drives requires that the operating system drive also be protected by BitLocker. If you are using a computer that does not have a BitLocker-protected operating system drive, the drive cannot be automatically unlocked. For removable data drives, you can add automatic unlocking by right-clicking the drive in Windows Explorer and clicking **Manage BitLocker**. You will still be able to use the password or smart card credentials you supplied when you turned on BitLocker to unlock the removable drive on other computers.
+Automatic unlocking for fixed data drives requires the operating system drive to also be protected by BitLocker. If you are using a computer that does not have a BitLocker-protected operating system drive, the drive cannot be automatically unlocked. For removable data drives, you can add automatic unlocking by right-clicking the drive in Windows Explorer and clicking **Manage BitLocker**. You will still be able to use the password or smart card credentials you supplied when you turned on BitLocker to unlock the removable drive on other computers.
 
 ## Can I use BitLocker in Safe Mode?
 
@@ -95,8 +95,8 @@ Yes. However, shadow copies made prior to enabling BitLocker will be automatical
 ## Does BitLocker support virtual hard disks (VHDs)?
 
 BitLocker should work like any specific physical machine within its hardware limitations as long as the environment (physical or virtual) meets Windows Operating System requirements to run.
-- With TPM - Yes it is supported
-- Without  TPM - Yes it is supported (with password protector)
+- With TPM: Yes, it is supported.
+- Without  TPM: Yes, it is supported (with password protector).
 
 BitLocker is also supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012.
 
diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
index ac7c00f8b6..01a07590a5 100644
--- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
@@ -1,6 +1,6 @@
 ---
 title: Protecting cluster shared volumes and storage area networks with BitLocker (Windows 10)
-description: This topic for IT pros describes how to protect CSVs and SANs with BitLocker.
+description: This article for IT pros describes how to protect CSVs and SANs with BitLocker.
 ms.assetid: ecd25a10-42c7-4d31-8a7e-ea52c8ebc092
 ms.reviewer: 
 ms.prod: w10
@@ -23,7 +23,7 @@ ms.custom: bitlocker
 **Applies to**
 -   Windows Server 2016
 
-This topic for IT pros describes how to protect CSVs and SANs with BitLocker.
+This article for IT pros describes how to protect CSVs and SANs with BitLocker.
 
 BitLocker can protect both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes allows for an additional layer of protection for administrators wishing to protect sensitive, highly available data. By adding additional protectors to the clustered volume, administrators can also add an additional barrier of security to resources within an organization by allowing only certain user accounts access to unlock the BitLocker volume.
 
@@ -38,15 +38,15 @@ BitLocker on volumes within a cluster are managed based on how the cluster servi
 Alternatively, the volume can be a cluster-shared volume, a shared namespace, within the cluster. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. When using BitLocker with volumes designated for a cluster, the volume will need to turn on 
 BitLocker before its addition to the storage pool within cluster or put the resource into maintenance mode before BitLocker operations will complete.
 
-Windows PowerShell or the manage-bde command line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points do not require the use of a drive letter. Volumes that lack drive letters do not appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources is not available in the Control Panel item.
+Windows PowerShell or the manage-bde command-line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points do not require the use of a drive letter. Volumes that lack drive letters do not appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources is not available in the Control Panel item.
 
 >**Note:**  Mount points can be used to support remote mount points on SMB based network shares. This type of share is not supported for BitLocker encryption.
  
-For thinly provisioned storage, such as a Dynamic Virtual Hard Disk (VHD), BitLocker runs in Used Disk Space Only encryption mode. You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on these types of volumes. This is blocked in order to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space.
+For thinly provisioned storage, such as a Dynamic Virtual Hard Disk (VHD), BitLocker runs in Used Disk Space Only encryption mode. You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on these types of volumes. This action is blocked in order to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space.
 
 ### Active Directory-based protector
 
-You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account or group. When an unlock request is made for a protected volume, the BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. BitLocker will unlock protected volumes without user intervention by attempting protectors in the following order:
+You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account, or group. When an unlock request is made for a protected volume, the BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. BitLocker will unlock protected volumes without user intervention by attempting protectors in the following order:
 
 1.  Clear key
 2.  Driver-based auto-unlock key
@@ -61,7 +61,7 @@ You can also use an Active Directory Domain Services (AD DS) protector for prote
  
 ### Turning on BitLocker before adding disks to a cluster using Windows PowerShell
 
-BitLocker encryption is available for disks before or after addition to a cluster storage pool. The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource does not require suspending the resource to complete the operation. To turn on BitLocker for a disk before adding it to a cluster, do the following:
+BitLocker encryption is available for disks before or after addition to a cluster storage pool. The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource does not require suspending the resource to complete the operation. To turn on BitLocker for a disk before adding it to a cluster:
 
 1.  Install the BitLocker Drive Encryption feature if it is not already installed.
 2.  Ensure the disk is formatted NTFS and has a drive letter assigned to it.
@@ -84,7 +84,7 @@ BitLocker encryption is available for disks before or after addition to a cluste
 
 ### Turning on BitLocker for a clustered disk using Windows PowerShell
 
-When the cluster service owns a disk resource already, it needs to be set into maintenance mode before BitLocker can be enabled. Use the following steps for turning BitLocker on for a clustered disk:
+When the cluster service owns a disk resource already, it needs to be set into maintenance mode before BitLocker can be enabled. Use the following steps for turning on BitLocker for a clustered disk:
 
 1.  Install the BitLocker Drive Encryption feature if it is not already installed.
 2.  Check the status of the cluster disk using Windows PowerShell.
@@ -122,11 +122,11 @@ When the cluster service owns a disk resource already, it needs to be set into m
 
 ### Adding BitLocker encrypted volumes to a cluster using manage-bde
 
-You can also use manage-bde to enable BitLocker on clustered volumes. The steps needed to add a physical disk resource or CSV2.0 volume to an existing cluster includes the following:
+You can also use manage-bde to enable BitLocker on clustered volumes. Follow these steps to add a physical disk resource or CSV2.0 volume to an existing cluster:
 
 1.  Verify the BitLocker Drive Encryption feature is installed on the computer.
 2.  Ensure new storage is formatted as NTFS.
-3.  Encrypt the volume, add a recovery key and add the cluster administrator as a protector key using the manage-bde command line interface (see example):
+3.  Encrypt the volume, add a recovery key, and add the cluster administrator as a protector key by using the manage-bde command-line interface (see example):
 
     -   `Manage-bde -on -used  -RP -sid domain\CNO$ -sync`
 
@@ -135,16 +135,17 @@ You can also use manage-bde to enable BitLocker on clustered volumes. The steps
 
 4.  Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered
 
-    -   Once the disk is clustered it can also be enabled for CSV.
+    -   Once the disk is clustered, it can also be enabled for CSV.
 
 5.  During the resource online operation, cluster will check to see if the disk is BitLocker encrypted.
 
     1.  If the volume is not BitLocker enabled, traditional cluster online operations occur.
     2.  If the volume is BitLocker enabled, the following check occurs:
 
-        -   If volume is **locked**, BitLocker will impersonate the CNO and unlock the volume using the CNO protector. If this operation fails an event will be logged that the volume could not be unlocked and the online operation will fail.
+        -   If volume is **locked**, BitLocker will impersonate the CNO and unlock the volume using the CNO protector. If this operation fails, an event will be logged that the volume could not be unlocked and the online operation will fail.
+
+6.  Once the disk is online in the storage pool, it can be added to a CSV by right-clicking the disk resource and choosing **Add to cluster shared volumes**.
 
-6.  Once the disk is online in the storage pool, it can be added to a CSV by right clicking on the disk resource and choosing "**Add to cluster shared volumes**".
 CSVs can include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption, administrators can utilize the manage-bde -status command with a path to the volume inside the CSV namespace as seen in the example command line below.
 
 ```powershell
@@ -153,11 +154,11 @@ manage-bde -status "C:\ClusterStorage\volume1"
 
 ### Physical Disk Resources
 
-Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This means that operations such as encrypting, decrypting, locking or unlocking volumes require context to perform. For example, you cannot unlock or decrypt a physical disk resource if you are not administering the cluster node that owns the disk resource because the disk resource is not available.
+Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. So operations such as encrypting, decrypting, locking, or unlocking volumes require context to perform. For example, you cannot unlock or decrypt a physical disk resource if you are not administering the cluster node that owns the disk resource because the disk resource is not available.
 
 ### Restrictions on BitLocker actions with cluster volumes
 
-The following table contains information about both Physical Disk Resources (i.e. traditional failover cluster volumes) and Cluster Shared Volumes (CSV) and the actions that are allowed by BitLocker in each situation.
+The following table contains information about both Physical Disk Resources (that is, traditional failover cluster volumes) and Cluster Shared Volumes (CSV) and the actions that are allowed by BitLocker in each situation.
 
 @@ -268,7 +269,7 @@ In the case where a physical disk resource experiences a failover event during c
 
 ### Other considerations when using BitLocker on CSV2.0
 
-Some other considerations to take into account for BitLocker on clustered storage include the following:
+Also take these considerations into account for BitLocker on clustered storage:
 -   BitLocker volumes have to be initialized and beginning encryption before they are available to add to a CSV2.0 volume.
 -   If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put into disk maintenance mode. You can add the CSV back to the cluster while waiting for decryption to complete.
 -   If an administrator needs to start encrypting a CSV volume, remove the volume from the cluster or put it in maintenance mode.
diff --git a/windows/security/information-protection/index.md b/windows/security/information-protection/index.md
index 84ea720232..e72f8d6c68 100644
--- a/windows/security/information-protection/index.md
+++ b/windows/security/information-protection/index.md
@@ -1,6 +1,6 @@
 ---
 title: Information protection (Windows 10)
-description: Learn more about how to protect sesnsitive data across your ogranization.
+description: Learn more about how to protect sensitive data across your organization.
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md
index 017eb64762..d3ff0fb615 100644
--- a/windows/security/information-protection/secure-the-windows-10-boot-process.md
+++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md
@@ -84,7 +84,7 @@ These requirements help protect you from rootkits while allowing you to run any
 -  **Configure UEFI to trust your custom bootloader.** All Certified For Windows 10 PCs allow you to trust a non-certified bootloader by adding a signature to the UEFI database, allowing you to run any operating system, including homemade operating systems.
 -  **Turn off Secure Boot.** All Certified For Windows 10 PCs allow you to turn off Secure Boot so that you can run any software. This does not help protect you from bootkits, however.
 
-To prevent malware from abusing these options, the user must manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software cannot change the Secure Boot settings. For more information about Secure Boot, read the blog, [Protecting the pre-OS environment with UEFI](https://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx).
+To prevent malware from abusing these options, the user must manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software cannot change the Secure Boot settings.
 
 Like most mobile devices, ARM-based Certified For Windows RT devices, such as the Microsoft Surface RT device, are designed to run only Windows 8.1. Therefore, Secure Boot cannot be turned off, and you cannot load a different operating system. Fortunately, there is a large market of ARM devices designed to run other operating systems.
 
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index c2913b23a2..b7380c9640 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -8,7 +8,7 @@
 ### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy.md)
 ### [Overview of Microsoft Defender Security Center](microsoft-defender-atp/use.md)
 ### [Portal overview](microsoft-defender-atp/portal-overview.md)
-### [Microsoft Defender ATP for US Government Community Cloud High customers](microsoft-defender-atp/commercial-gov.md)
+### [Microsoft Defender ATP for US Government Community Cloud High customers](microsoft-defender-atp/gov.md)
 ### [Microsoft Defender ATP for non-Windows platforms](microsoft-defender-atp/non-windows.md)
 
 ## [Evaluate capabilities](microsoft-defender-atp/evaluation-lab.md)
@@ -65,6 +65,7 @@
 ##### [Remediate vulnerabilities](microsoft-defender-atp/tvm-remediation.md)
 ##### [Exceptions for security recommendations](microsoft-defender-atp/tvm-exception.md)
 ##### [Plan for end-of-support software](microsoft-defender-atp/tvm-end-of-support-software.md)
+##### [Mitigate zero-day vulnerabilities](microsoft-defender-atp/tvm-zero-day-vulnerabilities.md)
 #### [Understand vulnerabilities on your devices]()
 ##### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md)
 ##### [Vulnerabilities in my organization](microsoft-defender-atp/tvm-weaknesses.md)
@@ -161,7 +162,7 @@
 ###### [Detect and block Potentially Unwanted Applications](microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md)
 ###### [Enable and configure always-on protection and monitoring](microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md)
    
-##### [Antivirus on Windows Server 2016](microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md)
+##### [Antivirus on Windows Server](microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md)
    
 ##### [Antivirus compatibility]()
 ###### [Compatibility charts](microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md)
@@ -179,29 +180,29 @@
 ##### [Deploy, manage updates, and report on antivirus]()
 ###### [Preparing to deploy](microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md)
 ###### [Deploy and enable antivirus](microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md)
-####### [Deployment guide for VDI environments](microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md)
+###### [Deployment guide for VDI environments](microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md)
    
 ###### [Report on antivirus protection]()
-####### [Review protection status and alerts](microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md)
-####### [Troubleshoot antivirus reporting in Update Compliance](microsoft-defender-antivirus/troubleshoot-reporting.md)
+###### [Review protection status and alerts](microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md)
+###### [Troubleshoot antivirus reporting in Update Compliance](microsoft-defender-antivirus/troubleshoot-reporting.md)
    
 ###### [Manage updates and apply baselines]()
-####### [Learn about the different kinds of updates](microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md)
-####### [Manage protection and security intelligence updates](microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md)
-####### [Manage when protection updates should be downloaded and applied](microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md)
-####### [Manage updates for endpoints that are out of date](microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md)
-####### [Manage event-based forced updates](microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md)
-####### [Manage updates for mobile devices and VMs](microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
+###### [Learn about the different kinds of updates](microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md)
+###### [Manage protection and security intelligence updates](microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md)
+###### [Manage when protection updates should be downloaded and applied](microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md)
+###### [Manage updates for endpoints that are out of date](microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md)
+###### [Manage event-based forced updates](microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md)
+###### [Manage updates for mobile devices and VMs](microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
    
 ##### [Customize, initiate, and review the results of scans and remediation]()
 ###### [Configuration overview](microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
    
 ###### [Configure and validate exclusions in antivirus scans]()
-####### [Exclusions overview](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
-####### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
-####### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
-####### [Configure antivirus exclusions Windows Server 2016](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
-####### [Common mistakes when defining exclusions](microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md)
+###### [Exclusions overview](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
+###### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+###### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+###### [Configure antivirus exclusions Windows Server](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
+###### [Common mistakes when defining exclusions](microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md)
 ###### [Configure scanning antivirus options](microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md)
 ###### [Configure remediation for scans](microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md)
 ###### [Configure scheduled scans](microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md)
@@ -215,10 +216,10 @@
 ###### [Management overview](microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
    
 ###### [Configure and validate exclusions in antivirus scans]()
-####### [Exclusions overview](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
-####### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
-####### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
-####### [Configure antivirus exclusions on Windows Server 2016](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
+###### [Exclusions overview](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
+###### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+###### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+###### [Configure antivirus exclusions on Windows Server](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
    
 ###### [Configure scanning options](microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md)
 
@@ -230,7 +231,7 @@
 ###### [Run and review the results of an offline scan](microsoft-defender-antivirus/microsoft-defender-offline.md)
 ###### [Restore quarantined files](microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md)
    
-#### [Better together: Microsoft Defender Antivirus and Microsoft Defender ATP](microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md)
+#### [Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md)
 #### [Better together: Microsoft Defender Antivirus and Office 365](microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md)
 
 
diff --git a/windows/security/threat-protection/auditing/audit-detailed-file-share.md b/windows/security/threat-protection/auditing/audit-detailed-file-share.md
index 69a9d636c7..3b223b9331 100644
--- a/windows/security/threat-protection/auditing/audit-detailed-file-share.md
+++ b/windows/security/threat-protection/auditing/audit-detailed-file-share.md
@@ -37,9 +37,9 @@ There are no system access control lists (SACLs) for shared folders. If this pol
 
 | Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
 |-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | No              | Yes             | No               | Yes              | Audit Success for this subcategory on domain controllers typically will lead to very high volume of events, especially for SYSVOL share.
      We recommend monitoring Failure access attempts: the volume should not be very high. You will be able to see who was not able to get access to a file or folder on a network share on a computer.                                                                                                                                                                                                                                                                                                                                                                                              |
-| Member Server     | IF              | Yes             | IF               | Yes              | IF – If a server has shared network folders which typically get many access requests (File Server, for example), the volume of events might be very high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use the [Audit File System](audit-file-system.md) subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address.
      The volume of Failure events for member servers should not be very high (if they are not File Servers). With Failure auditing, you will be able to see who was not able to get access to a file or folder on a network share on this computer. |
-| Workstation       | IF              | Yes             | IF               | Yes              | IF – If a workstation has shared network folders which typically get many access requests, the volume of events might be very high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use Audit File System subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address.
      The volume of Failure events for workstations should not be very high. With Failure auditing, you will be able to see who was not able to get access to a file or folder on a network share on this computer.                                                                                   |
+| Domain Controller | No              | Yes             | No               | Yes              | Audit Success for this subcategory on domain controllers typically will lead to high volume of events, especially for SYSVOL share.
      We recommend monitoring Failure access attempts: the volume should not be high. You will be able to see who was not able to get access to a file or folder on a network share on a computer.                                                                                                                                                                                                                                                                                                                                                                                              |
+| Member Server     | IF              | Yes             | IF               | Yes              | IF – If a server has shared network folders that typically get many access requests (File Server, for example), the volume of events might be high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use the [Audit File System](audit-file-system.md) subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address.
      The volume of Failure events for member servers should not be high (if they are not File Servers). With Failure auditing, you can see who can't access a file or folder on a network share on this computer. |
+| Workstation       | IF              | Yes             | IF               | Yes              | IF – If a workstation has shared network folders that typically get many access requests, the volume of events might be high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use Audit File System subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address.
      The volume of Failure events for workstations should not be high. With Failure auditing, you can see who can't access a file or folder on a network share on this computer.                                                                                   |
 
 **Events List:**
 
diff --git a/windows/security/threat-protection/auditing/audit-group-membership.md b/windows/security/threat-protection/auditing/audit-group-membership.md
index e9047b6c8a..5775f97220 100644
--- a/windows/security/threat-protection/auditing/audit-group-membership.md
+++ b/windows/security/threat-protection/auditing/audit-group-membership.md
@@ -1,6 +1,6 @@
 ---
 title: Audit Group Membership (Windows 10)
-description: The advanced security audit policy setting, Audit Group Membership, enables you to audit group memberships when they are enumerated on the client PC.
+description: Using the advanced security audit policy setting, Audit Group Membership, you can audit group memberships when they're enumerated on the client PC.
 ms.assetid: 1CD7B014-FBD9-44B9-9274-CC5715DE58B9
 ms.reviewer: 
 manager: dansimp
@@ -20,8 +20,7 @@ ms.date: 04/19/2017
 -   Windows 10
 -   Windows Server 2016
 
-
-Audit Group Membership enables you to audit group memberships when they are enumerated on the client computer.
+By using Audit Group Membership, you can audit group memberships when they're enumerated on the client computer.
 
 This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created.
 
@@ -33,15 +32,15 @@ Multiple events are generated if the group membership information cannot fit in
 
 **Event volume**:
 
--   Low on a client computer.
+- Low on a client computer.
 
--   Medium on a domain controller or network servers.
+- Medium on a domain controller or network servers.
 
 | Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
 |-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes             | No              | Yes              | No               | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group or other high value groups).
      For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
      This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server     | Yes             | No              | Yes              | No               | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group or other high value groups).
      For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
      This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Workstation       | Yes             | No              | Yes              | No               | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group or other high value groups).
      For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
      This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Domain Controller | Yes             | No              | Yes              | No               | Group membership information for a logged-in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group, or other high value groups).
      For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
      This subcategory doesn’t have Failure events, so this subcategory doesn't have a recommendation to enable Failure auditing. |
+| Member Server     | Yes             | No              | Yes              | No               | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group, or other high value groups).
      For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
      This subcategory doesn’t have Failure events, so this subcategory doesn't have a recommendation to enable Failure auditing. |
+| Workstation       | Yes             | No              | Yes              | No               | Group membership information for a logged-in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group, or other high value groups).
      For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
      This subcategory doesn’t have Failure events, so this subcategory doesn't have a recommendation to enable Failure auditing. |
 
 **Events List:**
 
diff --git a/windows/security/threat-protection/auditing/audit-logoff.md b/windows/security/threat-protection/auditing/audit-logoff.md
index c4d6606795..011a5d397c 100644
--- a/windows/security/threat-protection/auditing/audit-logoff.md
+++ b/windows/security/threat-protection/auditing/audit-logoff.md
@@ -23,7 +23,7 @@ ms.date: 07/16/2018
 
 Audit Logoff determines whether the operating system generates audit events when logon sessions are terminated.
 
-These events occur on the computer that was accessed. In the case of an interactive logon, these events are generated on the computer that was logged on to.
+These events occur on the computer that was accessed. For an interactive logon, these events are generated on the computer that was logged on to.
 
 There is no failure event in this subcategory because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record.
 
@@ -31,13 +31,13 @@ Logon events are essential to understanding user activity and detecting potentia
 
 **Event volume**: High.
 
-This subcategory allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to.
+This subcategory allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff, the security audit event is generated on the computer that the user account logged on to.
 
 | Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
 |-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | No              | No              | Yes              | No               | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
      Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.
      This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server     | No              | No              | Yes              | No               | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
      Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.
      This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Workstation       | No              | No              | Yes              | No               | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
      Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.
      This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Domain Controller | No              | No              | Yes              | No               | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It's more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
      Enable Success audit if you want to track, for example, for how long a session was active (in correlation with [Audit Logon](audit-logon.md) events) and when a user logged off.
      This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Member Server     | No              | No              | Yes              | No               | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It's more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
      Enable Success audit if you want to track, for example, for how long a session was active (in correlation with [Audit Logon](audit-logon.md) events) and when a user logged off.
      This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Workstation       | No              | No              | Yes              | No               | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It's more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
      Enable Success audit if you want to track, for example, for how long a session was active (in correlation with [Audit Logon](audit-logon.md) events) and when a user logged off.
      This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
 
 **Events List:**
 
diff --git a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md
index f1227802bd..b75e993891 100644
--- a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md
+++ b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md
@@ -1,6 +1,6 @@
 ---
-title: Audit Non Sensitive Privilege Use (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Non-Sensitive Privilege Use, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used.
+title: Audit Non-Sensitive Privilege Use (Windows 10)
+description: This article for the IT professional describes the Advanced Security Audit policy setting, Audit Non-Sensitive Privilege Use, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used.
 ms.assetid: 8fd74783-1059-443e-aa86-566d78606627
 ms.reviewer: 
 manager: dansimp
@@ -14,14 +14,14 @@ author: dansimp
 ms.date: 04/19/2017
 ---
 
-# Audit Non Sensitive Privilege Use
+# Audit Non-Sensitive Privilege Use
 
 **Applies to**
 -   Windows 10
 -   Windows Server 2016
 
 
-Audit Non Sensitive Privilege Use contains events that show usage of non-sensitive privileges. This is the list of non-sensitive privileges:
+Audit Non-Sensitive Privilege Use contains events that show usage of non-sensitive privileges. This is the list of non-sensitive privileges:
 
 -   Access Credential Manager as a trusted caller
 
diff --git a/windows/security/threat-protection/auditing/audit-user-device-claims.md b/windows/security/threat-protection/auditing/audit-user-device-claims.md
index 74c7755cb8..bea0be45b0 100644
--- a/windows/security/threat-protection/auditing/audit-user-device-claims.md
+++ b/windows/security/threat-protection/auditing/audit-user-device-claims.md
@@ -1,6 +1,6 @@
 ---
 title: Audit User/Device Claims (Windows 10)
-description: Audit User/Device Claims is an audit policy setting which enables you to audit security events that are generated by user and device claims.
+description: Audit User/Device Claims is an audit policy setting that enables you to audit security events that are generated by user and device claims.
 ms.assetid: D3D2BFAF-F2C0-462A-9377-673DB49D5486
 ms.reviewer: 
 manager: dansimp
@@ -25,7 +25,7 @@ Audit User/Device Claims allows you to audit user and device claims information
 
 For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
 
-***Important***: [Audit Logon](audit-logon.md) subcategory must also be enabled in order to get events from this subcategory.
+***Important***: Enable the [Audit Logon](audit-logon.md) subcategory in order to get events from this subcategory.
 
 **Event volume**:
 
diff --git a/windows/security/threat-protection/auditing/event-1105.md b/windows/security/threat-protection/auditing/event-1105.md
index e00e49b666..bd4e2bb72a 100644
--- a/windows/security/threat-protection/auditing/event-1105.md
+++ b/windows/security/threat-protection/auditing/event-1105.md
@@ -13,7 +13,7 @@ manager: dansimp
 ms.author: dansimp
 ---
 
-# 1105(S): Event log automatic backup.
+# 1105(S): Event log automatic backup
 
 **Applies to**
 -   Windows 10
@@ -71,7 +71,7 @@ This event generates, for example, if the maximum size of Security Event Log fil
 
 ***Field Descriptions:***
 
-**Log** \[Type = UnicodeString\]: the name of the log which was archived (new event log file was created and previous event log was archived). Always “**Security”** for Security Event Logs.
+**Log** \[Type = UnicodeString\]: the name of the log that was archived (new event log file was created and previous event log was archived). Always “**Security”** for Security Event Logs.
 
 **File**: \[Type = FILETIME\]: full path and filename of archived log file.
 
diff --git a/windows/security/threat-protection/auditing/event-4618.md b/windows/security/threat-protection/auditing/event-4618.md
index 9dcc575df1..4155868172 100644
--- a/windows/security/threat-protection/auditing/event-4618.md
+++ b/windows/security/threat-protection/auditing/event-4618.md
@@ -32,7 +32,7 @@ Account must have **SeAuditPrivilege** (Generate security audits) to be able to
 
 -   Only **OrgEventID**, **ComputerName**, and **EventCount** are required—others are optional. Fields not specified appear with “**-**“ in the event description field.
 
--   If a field doesn’t match the expected data type, the event is not generated. (i.e., if **EventCount** = “XYZ” then no event is generated.)
+-   If a field doesn’t match the expected data type, the event is not generated. That is, if **EventCount** = “XYZ”, then no event is generated.
 
 -   **UserSid**, **UserName**, and **UserDomain** are not related to each other (think **SubjectUser** fields, where they are)
 
@@ -98,5 +98,5 @@ Account must have **SeAuditPrivilege** (Generate security audits) to be able to
 
 For 4618(S): A monitored security event pattern has occurred.
 
--   This event can be invoked only manually/intentionally, it is up to you how interpret this event depends on information you put inside of it.
+-   This event can be invoked only manually/intentionally, it is up to you how to interpret this event depends on information you put inside of it.
 
diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md
index 220876b84a..293e52c57f 100644
--- a/windows/security/threat-protection/auditing/event-4625.md
+++ b/windows/security/threat-protection/auditing/event-4625.md
@@ -99,7 +99,7 @@ This event generates on domain controllers, member servers, and workstations.
 
 -   **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about logon failure.
 
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
+-   **Account Domain** \[Type = UnicodeString\]**:** subject's domain or computer name. Here are some examples of formats:
 
     -   Domain NETBIOS name example: CONTOSO
 
@@ -111,7 +111,7 @@ This event generates on domain controllers, member servers, and workstations.
 
     -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
 
--   **Logon Type** \[Type = UInt32\]**:** the type of logon which was performed. “Table 11. Windows Logon Types” contains the list of possible values for this field.
+-   **Logon Type** \[Type = UInt32\]**:** the type of logon that was performed. “Table 11. Windows Logon Types” contains the list of possible values for this field.
 
 
     **Table 11: Windows Logon Types**
@@ -138,7 +138,7 @@ This event generates on domain controllers, member servers, and workstations.
 
 -   **Account Name** \[Type = UnicodeString\]**:** the name of the account that was specified in the logon attempt.
 
--   **Account Domain** \[Type = UnicodeString\]**:** domain or computer name. Formats vary, and include the following:
+-   **Account Domain** \[Type = UnicodeString\]**:** domain or computer name. Here are some examples of formats:
 
     -   Domain NETBIOS name example: CONTOSO
 
@@ -154,9 +154,9 @@ This event generates on domain controllers, member servers, and workstations.
 
 **Failure Information:**
 
--   **Failure Reason** \[Type = UnicodeString\]**:** textual explanation of **Status** field value. For this event it typically has “**Account locked out**” value.
+-   **Failure Reason** \[Type = UnicodeString\]**:** textual explanation of **Status** field value. For this event, it typically has “**Account locked out**” value.
 
--   **Status** \[Type = HexInt32\]**:** the reason why logon failed. For this event it typically has “**0xC0000234**” value. The most common status codes are listed in Table 12. Windows logon status codes.
+-   **Status** \[Type = HexInt32\]**:** the reason why logon failed. For this event, it typically has “**0xC0000234**” value. The most common status codes are listed in Table 12. Windows logon status codes.
 
     **Table 12: Windows logon status codes.**
 
@@ -165,7 +165,7 @@ This event generates on domain controllers, member servers, and workstations.
     | 0XC000005E              | There are currently no logon servers available to service the logon request.                         |
     | 0xC0000064              | User logon with misspelled or bad user account                                                       |
     | 0xC000006A              | User logon with misspelled or bad password                                                           |
-    | 0XC000006D              | This is either due to a bad username or authentication information                                   |
+    | 0XC000006D              | The cause is either a bad username or authentication information                                   |
     | 0XC000006E              | Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions).     |
     | 0xC000006F              | User logon outside authorized hours                                                                  |
     | 0xC0000070              | User logon from unauthorized workstation                                                             |
@@ -173,23 +173,23 @@ This event generates on domain controllers, member servers, and workstations.
     | 0xC0000072              | User logon to account disabled by administrator                                                      |
     | 0XC00000DC              | Indicates the Sam Server was in the wrong state to perform the desired operation.                    |
     | 0XC0000133              | Clocks between DC and other computer too far out of sync                                             |
-    | 0XC000015B              | The user has not been granted the requested logon type (aka logon right) at this machine             |
+    | 0XC000015B              | The user has not been granted the requested logon type (also called the *logon right*) at this machine             |
     | 0XC000018C              | The logon request failed because the trust relationship between the primary domain and the trusted domain failed.      |
-    | 0XC0000192              | An attempt was made to logon, but the N**etlogon** service was not started.                                            |
+    | 0XC0000192              | An attempt was made to logon, but the **Netlogon** service was not started.                                            |
     | 0xC0000193              | User logon with expired account                                                                      |
     | 0XC0000224              | User is required to change password at next logon                                                    |
     | 0XC0000225              | Evidently a bug in Windows and not a risk                                                            |
     | 0xC0000234              | User logon with account locked                                                                       |
     | 0XC00002EE              | Failure Reason: An Error occurred during Logon                                                       |
-    | 0XC0000413              | Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. |
+    | 0XC0000413              | Logon Failure: The machine you are logging on to is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. |
     | 0x0                     | Status OK.  |
 
 > [!NOTE]
-> To see the meaning of other status\\sub-status codes you may also check for status code in the Window header file ntstatus.h in Windows SDK.
+> To see the meaning of other status or substatus codes, you might also check for status code in the Window header file ntstatus.h in Windows SDK.
 
 More information: 
 
--   **Sub Status** \[Type = HexInt32\]**:** additional information about logon failure. The most common sub-status codes listed in the “Table 12. Windows logon status codes.”.
+-   **Sub Status** \[Type = HexInt32\]**:** additional information about logon failure. The most common substatus codes listed in the “Table 12. Windows logon status codes.”.
 
 **Process Information:**
 
@@ -213,7 +213,7 @@ More information: 
 
     -   ::1 or 127.0.0.1 means localhost.
 
--   **Source Port** \[Type = UnicodeString\]: source port which was used for logon attempt from remote machine.
+-   **Source Port** \[Type = UnicodeString\]: source port that was used for logon attempt from remote machine.
 
     -   0 for interactive logons.
 
@@ -221,7 +221,7 @@ More information: 
 
 -   **Logon Process** \[Type = UnicodeString\]**:** the name of the trusted logon process that was used for the logon attempt. See event “[4611](event-4611.md): A trusted logon process has been registered with the Local Security Authority” description for more information.
 
--   **Authentication Package** \[Type = UnicodeString\]**:** The name of the authentication package which was used for the logon authentication process. Default packages loaded on LSA startup are located in “HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig” registry key. Other packages can be loaded at runtime. When a new package is loaded a “[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority” (typically for NTLM) or “[4622](event-4622.md): A security package has been loaded by the Local Security Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are:
+-   **Authentication Package** \[Type = UnicodeString\]**:** The name of the authentication package that was used for the logon authentication process. Default packages loaded on LSA startup are located in “HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig” registry key. Other packages can be loaded at runtime. When a new package is loaded a “[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority” (typically for NTLM) or “[4622](event-4622.md): A security package has been loaded by the Local Security Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are:
 
     -   **NTLM** – NTLM-family Authentication
 
@@ -231,7 +231,7 @@ More information: 
 
 -   **Transited Services** \[Type = UnicodeString\] \[Kerberos-only\]**:** the list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user – most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see 
 
--   **Package Name (NTLM only)** \[Type = UnicodeString\]**:** The name of the LAN Manager sub-package ([NTLM-family](https://msdn.microsoft.com/library/cc236627.aspx) protocol name) that was used during the logon attempt. Possible values are:
+-   **Package Name (NTLM only)** \[Type = UnicodeString\]**:** The name of the LAN Manager subpackage ([NTLM-family](https://msdn.microsoft.com/library/cc236627.aspx) protocol name) that was used during the logon attempt. Possible values are:
 
     -   “NTLM V1”
 
@@ -241,7 +241,7 @@ More information: 
 
         Only populated if “**Authentication Package” = “NTLM”**.
 
--   **Key Length** \[Type = UInt32\]**:** the length of [NTLM Session Security](https://msdn.microsoft.com/library/cc236650.aspx) key. Typically it has 128 bit or 56 bit length. This parameter is always 0 if “**Authentication Package” = “Kerberos”**, because it is not applicable for Kerberos protocol. This field will also have “0” value if Kerberos was negotiated using **Negotiate** authentication package.
+-   **Key Length** \[Type = UInt32\]**:** the length of [NTLM Session Security](https://msdn.microsoft.com/library/cc236650.aspx) key. Typically, it has a length of 128 bits or 56 bits. This parameter is always 0 if **"Authentication Package" = "Kerberos"**, because it is not applicable for Kerberos protocol. This field will also have “0” value if Kerberos was negotiated using **Negotiate** authentication package.
 
 ## Security Monitoring Recommendations
 
@@ -264,9 +264,9 @@ For 4625(F): An account failed to log on.
 
 -   If you have a high-value domain or local account for which you need to monitor every lockout, monitor all [4625](event-4625.md) events with the **“Subject\\Security ID”** that corresponds to the account.
 
--   We recommend monitoring all [4625](event-4625.md) events for local accounts, because these accounts typically should not be locked out. This is especially relevant for critical servers, administrative workstations, and other high value assets.
+-   We recommend monitoring all [4625](event-4625.md) events for local accounts, because these accounts typically should not be locked out. Monitoring is especially relevant for critical servers, administrative workstations, and other high-value assets.
 
--   We recommend monitoring all [4625](event-4625.md) events for service accounts, because these accounts should not be locked out or prevented from functioning. This is especially relevant for critical servers, administrative workstations, and other high value assets.
+-   We recommend monitoring all [4625](event-4625.md) events for service accounts, because these accounts should not be locked out or prevented from functioning. Monitoring is especially relevant for critical servers, administrative workstations, and other high value assets.
 
 -   If your organization restricts logons in the following ways, you can use this event to monitor accordingly:
 
@@ -286,15 +286,15 @@ For 4625(F): An account failed to log on.
 
     |  Field                                                                         | Value to monitor for                                                                                                                                                                                |
     |----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-    | **Failure Information\\Status** or 
      **Failure Information\\Sub Status** | 0XC000005E – “There are currently no logon servers available to service the logon request.” 
      This is typically not a security issue but it can be an infrastructure or availability issue. |
-    | **Failure Information\\Status** or 
      **Failure Information\\Sub Status** | 0xC0000064 – “User logon with misspelled or bad user account”. 
      Especially if you get a number of these in a row, it can be a sign of user enumeration attack.                             |
+    | **Failure Information\\Status** or 
      **Failure Information\\Sub Status** | 0XC000005E – “There are currently no logon servers available to service the logon request.” 
      This issue is typically not a security issue, but it can be an infrastructure or availability issue. |
+    | **Failure Information\\Status** or 
      **Failure Information\\Sub Status** | 0xC0000064 – “User logon with misspelled or bad user account”. 
      Especially if you get several of these events in a row, it can be a sign of a user enumeration attack.                             |
     | **Failure Information\\Status** or 
      **Failure Information\\Sub Status** | 0xC000006A – “User logon with misspelled or bad password” for critical accounts or service accounts. 
      Especially watch for a number of such events in a row.                               |
     | **Failure Information\\Status** or 
      **Failure Information\\Sub Status** | 0XC000006D – “This is either due to a bad username or authentication information” for critical accounts or service accounts. 
      Especially watch for a number of such events in a row.       |
     | **Failure Information\\Status** or 
      **Failure Information\\Sub Status** | 0xC000006F – “User logon outside authorized hours”.                                                                                                                                                 |
     | **Failure Information\\Status** or 
      **Failure Information\\Sub Status** | 0xC0000070 – “User logon from unauthorized workstation”.                                                                                                                                            |
     | **Failure Information\\Status** or 
      **Failure Information\\Sub Status** | 0xC0000072 – “User logon to account disabled by administrator”.                                                                                                                                     |
     | **Failure Information\\Status** or 
      **Failure Information\\Sub Status** | 0XC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”.                                                                                            |
-    | **Failure Information\\Status** or 
      **Failure Information\\Sub Status** | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”. 
      This is typically not a security issue but it can be an infrastructure or availability issue.      |
+    | **Failure Information\\Status** or 
      **Failure Information\\Sub Status** | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”. 
      This issue is typically not a security issue but it can be an infrastructure or availability issue.      |
     | **Failure Information\\Status** or 
      **Failure Information\\Sub Status** | 0xC0000193 – “User logon with expired account”.                                                                                                                                                     |
     | **Failure Information\\Status** or 
      **Failure Information\\Sub Status** | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”.                     |
 
diff --git a/windows/security/threat-protection/auditing/event-4692.md b/windows/security/threat-protection/auditing/event-4692.md
index 15199dbda5..dc84c4c3d6 100644
--- a/windows/security/threat-protection/auditing/event-4692.md
+++ b/windows/security/threat-protection/auditing/event-4692.md
@@ -30,7 +30,7 @@ This event generates every time that a backup is attempted for the [DPAPI](https
 
 When a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. When a Master Key is generated, DPAPI communicates with a domain controller. Domain controllers have a domain-wide public/private key pair, associated solely with DPAPI. The local DPAPI client gets the domain controller public key from a domain controller by using a mutually authenticated and privacy protected RPC call. The client encrypts the Master Key with the domain controller public key. It then stores this backup Master Key along with the Master Key protected by the user's password.
 
-Periodically, a domain-joined machine will try to send an RPC request to a domain controller to back up the user’s master key so that the user can recover secrets in case his or her password has to be reset. Although the user's keys are stored in the user profile, a domain controller must be contacted to encrypt the master key with a domain recovery key.
+Periodically, a domain-joined machine tries to send an RPC request to a domain controller to back up the user’s master key so that the user can recover secrets in case their password has to be reset. Although the user's keys are stored in the user profile, a domain controller must be contacted to encrypt the master key with a domain recovery key.
 
 This event also generates every time a new DPAPI Master Key is generated, for example.
 
@@ -91,7 +91,7 @@ Failure event generates when a Master Key backup operation fails for some reason
 
 -   **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested backup operation.
 
--   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
+-   **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Here are some examples of formats:
 
     -   Domain NETBIOS name example: CONTOSO
 
@@ -107,17 +107,17 @@ Failure event generates when a Master Key backup operation fails for some reason
 
 **Key Information:**
 
--   **Key Identifier** \[Type = UnicodeString\]: unique identifier of a master key which backup was created. The Master Key is used, with some additional data, to generate an actual symmetric session key to encrypt\\decrypt the data using DPAPI. All of user's Master Keys are located in user profile -> %APPDATA%\\Roaming\\Microsoft\\Windows\\Protect\\%SID% folder. The name of every Master Key file is it’s ID.
+-   **Key Identifier** \[Type = UnicodeString\]: unique identifier of a master key which backup was created. The Master Key is used, with some additional data, to generate an actual symmetric session key to encrypt\\decrypt the data using DPAPI. All of user's Master Keys are located in user profile -> %APPDATA%\\Roaming\\Microsoft\\Windows\\Protect\\%SID% folder. The name of every Master Key file is its ID.
 
 -   **Recovery Server** \[Type = UnicodeString\]: the name (typically – DNS name) of the computer that you contacted to back up your Master Key. For domain joined machines, it’s typically a name of a domain controller. This parameter might not be captured in the event, and in that case will be empty.
 
--   **Recovery Key ID** \[Type = UnicodeString\]**:** unique identifier of a recovery key. The recovery key is generated when a user chooses to create a Password Reset Disk (PRD) from the user's Control Panel or when first Master Key is generated. First, DPAPI generates a RSA public/private key pair, which is the recovery key. In this field you will see unique Recovery key ID which was used for Master key backup operation.
+-   **Recovery Key ID** \[Type = UnicodeString\]**:** unique identifier of a recovery key. The recovery key is generated when a user chooses to create a Password Reset Disk (PRD) from the user's Control Panel or when first Master Key is generated. First, DPAPI generates an RSA public/private key pair, which is the recovery key. In this field, you will see unique Recovery key ID that was used for Master key backup operation.
 
-    For Failure events this field is typically empty.
+    For Failure events, this field is typically empty.
 
 **Status Information:**
 
--   **Status Code** \[Type = HexInt32\]**:** hexadecimal unique status code of performed operation. For Success events this field is typically “**0x0**”. To see the meaning of status code you need to convert it to decimal value and us “**net helpmsg STATUS\_CODE**” command to see the description for specific STATUS\_CODE. Here is an example of “net helpmsg” command output for status code 0x3A:
+-   **Status Code** \[Type = HexInt32\]**:** hexadecimal unique status code of performed operation. For Success events, this field is typically “**0x0**”. To see the meaning of status code you need to convert it to decimal value and us “**net helpmsg STATUS\_CODE**” command to see the description for specific STATUS\_CODE. Here is an example of “net helpmsg” command output for status code 0x3A:
 
 > \[Net helpmsg 58 illustration](..images/net-helpmsg-58.png)
 
diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md
index af44f02711..9c6cb7f55a 100644
--- a/windows/security/threat-protection/auditing/event-4771.md
+++ b/windows/security/threat-protection/auditing/event-4771.md
@@ -26,7 +26,7 @@ ms.author: dansimp
 
 ***Event Description:***
 
-This event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This can occur when a domain controller doesn’t have a certificate installed for smart card authentication (for example, with a “Domain Controller” or “Domain Controller Authentication” template), the user’s password has expired, or the wrong password was provided.
+This event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This problem can occur when a domain controller doesn’t have a certificate installed for smart card authentication (for example, with a “Domain Controller” or “Domain Controller Authentication” template), the user’s password has expired, or the wrong password was provided.
 
 This event generates only on domain controllers.
 
@@ -103,7 +103,7 @@ This event is not generated if “Do not require Kerberos preauthentication” o
 
 **Network Information:**
 
--   **Client Address** \[Type = UnicodeString\]**:** IP address of the computer from which the TGT request was received. Formats vary, and include the following:
+-   **Client Address** \[Type = UnicodeString\]**:** IP address of the computer from which the TGT request was received. Here are some examples of formats:
 
     -   **IPv6** or **IPv4** address.
 
@@ -117,7 +117,7 @@ This event is not generated if “Do not require Kerberos preauthentication” o
 
 **Additional Information:**
 
--   **Ticket Options**: \[Type = HexInt32\]: this is a set of different Ticket Flags in hexadecimal format.
+-   **Ticket Options**: \[Type = HexInt32\]: this set of different Ticket Flags is in hexadecimal format.
 
     Example:
 
@@ -125,7 +125,7 @@ This event is not generated if “Do not require Kerberos preauthentication” o
 
     -   Binary view: 01000000100000010000000000010000
 
-    -   Using **MSB 0** bit numbering we have bit 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok.
+    -   Using **MSB 0**-bit numbering, we have bit 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok.
 
 > **Note**  In the table below **“MSB 0”** bit numbering is used, because RFC documents use this style. In “MSB 0” style bit numbering begins from left.
      MSB illustration
 
@@ -146,15 +146,15 @@ The most common values:
 | 4     | Proxy                    | Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
 | 5     | Allow-postdate           | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
 | 6     | Postdated                | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-| 7     | Invalid                  | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets which have this flag set.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
+| 7     | Invalid                  | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets that have this flag set.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
 | 8     | Renewable                | Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
 | 9     | Initial                  | Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
 | 10    | Pre-authent              | Indicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon.                                                                                                                                                                                                                                                                                                                                                                                                                   |
 | 11    | Opt-hardware-auth        | This flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC.                                                                                                                                                                                                                                                                                                                                                    |
 | 12    | Transited-policy-checked | KILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
 | 13    | Ok-as-delegate           | The KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| 14    | Request-anonymous        | KILE not use this flag.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
-| 15    | Name-canonicalize        | In order to request referrals the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
+| 14    | Request-anonymous        | KILE does not use this flag.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
+| 15    | Name-canonicalize        | To request referrals, the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
 | 16-25 | Unused                   | -                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
 | 26    | Disable-transited-check  | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor
      the DISABLE-TRANSITED-CHECK option.
      Should not be in use, because Transited-policy-checked flag is not supported by KILE. |
 | 27    | Renewable-ok             | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server.                                                                                                                                                                                                                                                                           |
@@ -169,11 +169,11 @@ The most common values:
 
 | Code | Code Name                      | Description                                                  | Possible causes                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
 |------|--------------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
      It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). |
+| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
      It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). |
 | 0x17 | KDC\_ERR\_KEY\_EXPIRED         | Password has expired—change password to reset                | The user’s password has expired.                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
 | 0x18 | KDC\_ERR\_PREAUTH\_FAILED      | Pre-authentication information was invalid                   | The wrong password was provided.                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
 
--   **Pre-Authentication Type** \[Type = UnicodeString\]: the code of [pre-Authentication](https://technet.microsoft.com/library/cc772815(v=ws.10).aspx) type which was used in TGT request.
+-   **Pre-Authentication Type** \[Type = UnicodeString\]: the code of [pre-Authentication](https://technet.microsoft.com/library/cc772815(v=ws.10).aspx) type that was used in TGT request.
 
 
 ## Table 5. Kerberos Pre-Authentication types.
@@ -181,7 +181,7 @@ The most common values:
 | Type | Type Name              | Description                                                                                                                                                                                                                                                                                                                                                                                                      |
 |------|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | 0    | -                      | Logon without Pre-Authentication.                                                                                                                                                                                                                                                                                                                                                                                |
-| 2    | PA-ENC-TIMESTAMP       | This is a normal type for standard password authentication.                                                                                                                                                                                                                                                                                                                                                      |
+| 2    | PA-ENC-TIMESTAMP       | This type is normal for standard password authentication.                                                                                                                                                                                                                                                                                                                                                      |
 | 11   | PA-ETYPE-INFO          | The ETYPE-INFO pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.
      Never saw this Pre-Authentication Type in Microsoft Active Directory environment.  |
 | 15   | PA-PK-AS-REP\_OLD      | Used for Smart Card logon authentication.                                                                                                                                                                                                                                                                                                                                                                        |
 | 16   | PA-PK-AS-REQ           | Request sent to KDC in Smart Card authentication scenarios.|
@@ -193,7 +193,7 @@ The most common values:
 
 **Certificate Information:**
 
-- **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of Certification Authority which issued smart card certificate. Populated in **Issued by** field in certificate. Always empty for [4771](event-4771.md) events.
+- **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of Certification Authority that issued smart card certificate. Populated in **Issued by** field in certificate. Always empty for [4771](event-4771.md) events.
 
 - **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificate’s serial number. Can be found in **Serial number** field in the certificate. Always empty for [4771](event-4771.md) events.
 
@@ -208,14 +208,14 @@ For 4771(F): Kerberos pre-authentication failed.
 | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
      Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Security ID”** that corresponds to the high-value account or accounts.                                                              |
 | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“Security ID”** (with other information) to monitor how or when a particular account is being used. |
 | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor this event with the **“Security ID”** that corresponds to the accounts that should never be used.                                                          |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a “whitelist-only” action, review the **“Security ID”** for accounts that are outside the allow list.                                  |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a “whitelist-only” action, review the **“Security ID”** for accounts that are outside the allow list.                                  |
 | **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                       | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions.                                                                           |
 
 -   You can track all [4771](event-4771.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges.
 
 -   If you know that **Account Name** should be used only from known list of IP addresses, track all **Client Address** values for this **Account Name** in [4771](event-4771.md) events. If **Client Address** is not from the allow list, generate the alert.
 
--   All **Client Address** = ::1 means local authentication. If you know the list of accounts which should log on to the domain controllers, then you need to monitor for all possible violations, where **Client Address** = ::1 and **Account Name** is not allowed to log on to any domain controller.
+-   All **Client Address** = ::1 means local authentication. If you know the list of accounts that should log on to the domain controllers, then you need to monitor for all possible violations, where **Client Address** = ::1 and **Account Name** is not allowed to log on to any domain controller.
 
 -   All [4771](event-4771.md) events with **Client Port** field value > 0 and < 1024 should be examined, because a well-known port was used for outbound connection.
 
@@ -227,5 +227,5 @@ For 4771(F): Kerberos pre-authentication failed.
 | **Pre-Authentication Type** | Value is **not 2** when only standard password authentication is in use in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types).                      |
 | **Pre-Authentication Type** | Value is **not 138** when Kerberos Armoring is enabled for all Kerberos communications in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types).       |
 | **Failure Code**             | **0x10** (KDC has no support for PADATA type (pre-authentication data)). This error can help you to more quickly identify smart-card related problems with Kerberos authentication.                                          |
-| **Failure Code**             | **0x18** ((Pre-authentication information was invalid), if you see, for example N events in last N minutes. This can be an indicator of brute-force attack on the account password, especially for highly critical accounts. |
+| **Failure Code**             | **0x18** ((Pre-authentication information was invalid), if you see, for example N events in last N minutes. This issue can indicate a brute-force attack on the account password, especially for highly critical accounts. |
 
diff --git a/windows/security/threat-protection/auditing/event-4947.md b/windows/security/threat-protection/auditing/event-4947.md
index deffae0186..a4906d1dbc 100644
--- a/windows/security/threat-protection/auditing/event-4947.md
+++ b/windows/security/threat-protection/auditing/event-4947.md
@@ -90,11 +90,11 @@ This event doesn't generate when Firewall rule was modified via Group Policy.
 
 -   **Rule ID** \[Type = UnicodeString\]: the unique identifier for modified firewall rule.
 
-    To see the unique ID of the rule you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters:
+    To see the unique ID of the rule, navigate to the“**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters:
 
 Registry Editor FirewallRules key illustration
 
--   **Rule Name** \[Type = UnicodeString\]: the name of the rule which was modified. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
+-   **Rule Name** \[Type = UnicodeString\]: the name of the rule that was modified. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
 
 Windows Firewall with Advanced Security illustration
 
@@ -102,5 +102,5 @@ This event doesn't generate when Firewall rule was modified via Group Policy.
 
 For 4947(S): A change has been made to Windows Firewall exception list. A rule was modified.
 
--   This event can be helpful in case you want to monitor all Firewall rules modifications which were done locally.
+-   This event can be helpful in case you want to monitor all Firewall rules modifications that were done locally.
 
diff --git a/windows/security/threat-protection/auditing/event-4953.md b/windows/security/threat-protection/auditing/event-4953.md
index 0c705ce6cc..1e9dcd7898 100644
--- a/windows/security/threat-protection/auditing/event-4953.md
+++ b/windows/security/threat-protection/auditing/event-4953.md
@@ -93,11 +93,11 @@ It can happen if Windows Firewall rule registry entry was corrupted.
 
 -   **ID** \[Type = UnicodeString\]: the unique identifier for ignored firewall rule.
 
-    To see the unique ID of the rule you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters:
+    To see the unique ID of the rule, navigate to the “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters:
 
 Registry Editor FirewallRules key illustration
 
--   **Name** \[Type = UnicodeString\]: the name of the rule which was ignored. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
+-   **Name** \[Type = UnicodeString\]: the name of the rule that was ignored. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
 
 Windows Firewall with Advanced Security illustration
 
diff --git a/windows/security/threat-protection/auditing/event-5056.md b/windows/security/threat-protection/auditing/event-5056.md
index a675d79c58..96e278db56 100644
--- a/windows/security/threat-protection/auditing/event-5056.md
+++ b/windows/security/threat-protection/auditing/event-5056.md
@@ -20,7 +20,7 @@ ms.author: dansimp
 -   Windows Server 2016
 
 
-This event generates in CNG Self-Test function. This is a Cryptographic Next Generation (CNG) function.
+This event generates in CNG Self-Test function. This function is a Cryptographic Next Generation (CNG) function.
 
 For more information about Cryptographic Next Generation (CNG) visit these pages:
 
@@ -32,7 +32,7 @@ For more information about Cryptographic Next Generation (CNG) visit these pages
 
 -   
 
-This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting.
+This event is mainly used for CNG troubleshooting.
 
 There is no example of this event in this document.
 
@@ -40,7 +40,7 @@ There is no example of this event in this document.
 
 ***Event Schema:***
 
-*A cryptographic self test was performed.*
+*A cryptographic self-test was performed.*
 
 *Subject:*
 
diff --git a/windows/security/threat-protection/auditing/event-5060.md b/windows/security/threat-protection/auditing/event-5060.md
index 96344c475f..e24e71d924 100644
--- a/windows/security/threat-protection/auditing/event-5060.md
+++ b/windows/security/threat-protection/auditing/event-5060.md
@@ -1,6 +1,6 @@
 ---
 title: 5060(F) Verification operation failed. (Windows 10)
-description: Describes security event 5060(F) Verification operation failed. This event is generated in case of CNG verification operation failure.
+description: Describes security event 5060(F) Verification operation failed. This event is generated when the CNG verification operation fails.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -20,9 +20,9 @@ ms.author: dansimp
 -   Windows Server 2016
 
 
-This event generates in case of CNG verification operation failure.
+This event generates when the Cryptographic Next Generation (CNG) verification operation fails.
 
-For more information about Cryptographic Next Generation (CNG) visit these pages:
+For more information about CNG, visit these pages:
 
 -   
 
@@ -32,7 +32,7 @@ For more information about Cryptographic Next Generation (CNG) visit these pages
 
 -   
 
-This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting.
+This event is mainly used for CNG troubleshooting.
 
 There is no example of this event in this document.
 
diff --git a/windows/security/threat-protection/auditing/event-5152.md b/windows/security/threat-protection/auditing/event-5152.md
index a13a14a7de..ece1e4566d 100644
--- a/windows/security/threat-protection/auditing/event-5152.md
+++ b/windows/security/threat-protection/auditing/event-5152.md
@@ -128,9 +128,9 @@ This event is generated for every received network packet.
 
     -   127.0.0.1 , ::1 - localhost
 
--   **Destination Port** \[Type = UnicodeString\]**:** port number which was used from remote machine to send the packet.
+-   **Destination Port** \[Type = UnicodeString\]**:** port number that was used from remote machine to send the packet.
 
--   **Protocol** \[Type = UInt32\]: number of protocol which was used.
+-   **Protocol** \[Type = UInt32\]**:** number of the protocol that was used.
 
 | Service                                            | Protocol Number |
 |----------------------------------------------------|-----------------|
@@ -152,15 +152,15 @@ This event is generated for every received network packet.
 
 **Filter Information:**
 
--   **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which blocked the packet.
+-   **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that blocked the packet.
 
-    To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
+    To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
 
     Filters.xml file illustration
 
 -   **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
 
--   **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+-   **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
 
 Wfpstate xml illustration
 
@@ -168,7 +168,7 @@ This event is generated for every received network packet.
 
 For 5152(F): The Windows Filtering Platform blocked a packet.
 
--   If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
+-   If you have a pre-defined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
 
 -   You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
 
@@ -178,13 +178,13 @@ For 5152(F): The Windows Filtering Platform blocked a packet.
 
 -   If the computer or device should not have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5152](event-5152.md) events where **Destination Address** is an IP address from the Internet (not from private IP ranges).
 
--   If you know that the computer should never contact or be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.”
+-   If you know that the computer should never contact or should never be contacted by certain network IP addresses, monitor for these addresses in **Destination Address**.
 
--   If you have an allow list of IP addresses that the computer or device is expected to contact or be contacted by, monitor for IP addresses in **“Destination Address”** that are not in the allow list.
+-   If you have an allow list of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in **“Destination Address”** that are not in the allow list.
 
 -   If you need to monitor all inbound connections to a specific local port, monitor for [5152](event-5152.md) events with that “**Source Port**.**”**
 
--   Monitor for all connections with a “**Protocol Number”** that is not typical for this device or compter, for example, anything other than 1, 6, or 17.
+-   Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 1, 6, or 17.
 
 -   If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
 
diff --git a/windows/security/threat-protection/auditing/event-5154.md b/windows/security/threat-protection/auditing/event-5154.md
index f66366168d..b464c877d6 100644
--- a/windows/security/threat-protection/auditing/event-5154.md
+++ b/windows/security/threat-protection/auditing/event-5154.md
@@ -75,7 +75,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
 
 **Application Information**:
 
--   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which was permitted to listen on the port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
+-   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that was permitted to listen on the port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
 
     Task manager illustration
 
@@ -103,7 +103,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
 
     -   127.0.0.1 , ::1 - localhost
 
--   **Source Port** \[Type = UnicodeString\]: source TCP\\UDP port number which was requested for listening by application.
+-   **Source Port** \[Type = UnicodeString\]: source TCP\\UDP port number that was requested for listening by application.
 
 -   **Protocol** \[Type = UInt32\]: protocol number. For example:
 
@@ -115,15 +115,15 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
 
 **Filter Information:**
 
--   **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which allows application to listen on the specific port. By default Windows firewall won't prevent a port from being listened by an application and if this application doesn’t match any filters you will get value **0** in this field.
+-   **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that allows application to listen on the specific port. By default Windows firewall won't prevent a port from being listened by an application and if this application doesn’t match any filters you will get value **0** in this field.
 
-    To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
+    To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
 
 Filters.xml file illustration
 
 -   **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
 
--   **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+-   **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
 
 Wfpstate xml illustration
 
@@ -131,7 +131,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
 
 For 5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
 
--   If you have a “whitelist” of applications that are associated with certain operating systems or server roles, and that are expected to listen on specific ports, monitor this event for **“Application Name”** and other relevant information.
+-   If you have an “allow list” of applications that are associated with certain operating systems or server roles, and that are expected to listen on specific ports, monitor this event for **“Application Name”** and other relevant information.
 
 -   If a certain application is allowed to listen only on specific port numbers, monitor this event for **“Application Name”** and **“Network Information\\Source Port**.**”**
 
@@ -139,7 +139,7 @@ For 5154(S): The Windows Filtering Platform has permitted an application or serv
 
 -   If a certain application is allowed to use only TCP or UDP protocols, monitor this event for **“Application Name”** and the protocol number in **“Network Information\\Protocol**.**”**
 
--   If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
+-   If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
 
 -   You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
 
diff --git a/windows/security/threat-protection/auditing/event-5156.md b/windows/security/threat-protection/auditing/event-5156.md
index 6a97371b47..d44b9a921f 100644
--- a/windows/security/threat-protection/auditing/event-5156.md
+++ b/windows/security/threat-protection/auditing/event-5156.md
@@ -80,7 +80,7 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
 
 **Application Information**:
 
--   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which received the connection. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
+-   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that received the connection. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
 
     Task manager illustration
 
@@ -130,7 +130,7 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
 
 -   **Destination Port** \[Type = UnicodeString\]**:** port number where the connection was received.
 
--   **Protocol** \[Type = UInt32\]: number of protocol which was used.
+-   **Protocol** \[Type = UInt32\]: number of the protocol that was used.
 
 | Service                                            | Protocol Number |
 |----------------------------------------------------|-----------------|
@@ -152,15 +152,15 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
 
 **Filter Information:**
 
--   **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which allowed the connection.
+-   **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that allowed the connection.
 
-    To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
+    To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
 
 Filters.xml file illustration
 
 -   **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
 
--   **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+-   **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
 
 Wfpstate xml illustration
 
@@ -168,7 +168,7 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
 
 For 5156(S): The Windows Filtering Platform has permitted a connection.
 
--   If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
+-   If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
 
 -   You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
 
@@ -178,9 +178,9 @@ For 5156(S): The Windows Filtering Platform has permitted a connection.
 
 -   If the computer or device should not have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5156](event-5156.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges).
 
--   If you know that the computer should never contact or be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”**
+-   If you know that the computer should never contact or should never be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”**
 
--   If you have an allow list of IP addresses that the computer or device is expected to contact or be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the allow list.
+-   If you have an allow list of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the allow list.
 
 -   If you need to monitor all inbound connections to a specific local port, monitor for [5156](event-5156.md) events with that “**Source Port**.**”**
 
diff --git a/windows/security/threat-protection/auditing/event-5157.md b/windows/security/threat-protection/auditing/event-5157.md
index f35e1cf804..88bc5b1315 100644
--- a/windows/security/threat-protection/auditing/event-5157.md
+++ b/windows/security/threat-protection/auditing/event-5157.md
@@ -128,9 +128,9 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
 
     -   127.0.0.1 , ::1 - localhost
 
--   **Destination Port** \[Type = UnicodeString\]**:** port number which was used from remote machine to initiate connection.
+-   **Destination Port** \[Type = UnicodeString\]**:** port number that was used from remote machine to initiate connection.
 
--   **Protocol** \[Type = UInt32\]: number of protocol which was used.
+-   **Protocol** \[Type = UInt32\]: number of the protocol that was used.
 
 | Service                                            | Protocol Number |
 |----------------------------------------------------|-----------------|
@@ -152,15 +152,15 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
 
 **Filter Information:**
 
--   **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which blocked the connection.
+-   **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that blocked the connection.
 
-    To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
+    To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
 
     Filters.xml file illustration
 
 -   **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
 
--   **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+-   **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
 
 Wfpstate xml illustration
 
@@ -168,7 +168,7 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
 
 For 5157(F): The Windows Filtering Platform has blocked a connection.
 
--   If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
+-   If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
 
 -   You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
 
@@ -178,13 +178,13 @@ For 5157(F): The Windows Filtering Platform has blocked a connection.
 
 -   If the\` computer or device should not have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5157](event-5157.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges).
 
--   If you know that the computer should never contact or be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”**
+-   If you know that the computer should never contact or should never be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”**
 
--   If you have an allow list of IP addresses that the computer or device is expected to contact or be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the allow list.
+-   If you have an allow list of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the allow list.
 
 -   If you need to monitor all inbound connections to a specific local port, monitor for [5157](event-5157.md) events with that “**Source Port**.**”**
 
--   Monitor for all connections with a “**Protocol Number”** that is not typical for this device or compter, for example, anything other than 1, 6, or 17.
+-   Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 1, 6, or 17.
 
 -   If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
 
diff --git a/windows/security/threat-protection/auditing/event-5158.md b/windows/security/threat-protection/auditing/event-5158.md
index 55dd4c04da..76bb82efef 100644
--- a/windows/security/threat-protection/auditing/event-5158.md
+++ b/windows/security/threat-protection/auditing/event-5158.md
@@ -75,7 +75,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
 
 **Application Information**:
 
--   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which was permitted to bind to the local port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
+-   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that was permitted to bind to the local port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
 
     Task manager illustration
 
@@ -107,7 +107,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
 
 -   **Source Port** \[Type = UnicodeString\]**:** port number which application was bind.
 
--   **Protocol** \[Type = UInt32\]: number of protocol which was used.
+-   **Protocol** \[Type = UInt32\]: number of the protocol that was used.
 
 | Service                                            | Protocol Number |
 |----------------------------------------------------|-----------------|
@@ -129,15 +129,15 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
 
 **Filter Information:**
 
--   **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which allows application to bind the port. By default Windows firewall won't prevent a port from being binded by an application and if this application doesn’t match any filters you will get value 0 in this field.
+-   **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that allows the application to bind the port. By default, Windows firewall won't prevent a port from being bound by an application. If this application doesn’t match any filters, you will get value 0 in this field.
 
-    To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
+    To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
 
     Filters.xml file illustration
 
 -   **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
 
--   **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+-   **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
 
 Wfpstate xml illustration
 
@@ -145,7 +145,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
 
 For 5158(S): The Windows Filtering Platform has permitted a bind to a local port.
 
--   If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
+-   If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
 
 -   You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
 
@@ -155,7 +155,7 @@ For 5158(S): The Windows Filtering Platform has permitted a bind to a local port
 
 -   If you need to monitor all actions with a specific local port, monitor for [5158](event-5158.md) events with that “**Source Port.”**
 
--   Monitor for all connections with a “**Protocol Number”** that is not typical for this device or compter, for example, anything other than 6 or 17.
+-   Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 6 or 17.
 
 -   If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
 
diff --git a/windows/security/threat-protection/auditing/event-5159.md b/windows/security/threat-protection/auditing/event-5159.md
index 998321eae5..460e244dd8 100644
--- a/windows/security/threat-protection/auditing/event-5159.md
+++ b/windows/security/threat-protection/auditing/event-5159.md
@@ -73,7 +73,7 @@ This event is logged if the Windows Filtering Platform has blocked a bind to a l
 
 **Application Information**:
 
--   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which was permitted to bind to the local port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
+-   **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that was permitted to bind to the local port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
 
     Task manager illustration
 
@@ -127,15 +127,15 @@ This event is logged if the Windows Filtering Platform has blocked a bind to a l
 
 **Filter Information:**
 
--   **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding by an application, and if this application doesn’t match any filters, you will get value 0 in this field.
+-   **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding by an application, and if this application doesn’t match any filters, you will get value 0 in this field.
 
-    To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As a result of this command, **filters.xml** file will be generated. You need to open this file and find the specific substring with the required filter ID (**<filterId>**)**,** for example:
+    To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find the specific substring with the required filter ID (**<filterId>**)**,** for example:
 
     Filters.xml file illustration
 
 -   **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
 
--   **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+-   **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find the specific substring with the required layer ID (**<layerId>**)**,** for example:
 
 Wfpstate xml illustration
 
diff --git a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
index 0762f04322..58bd7574f2 100644
--- a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
+++ b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
@@ -1,6 +1,6 @@
 ---
 title: How to get a list of XML data name elements in  (Windows 10)
-description: This reference topic for the IT professional explains how to use PowerShell to get a list of XML data name elements that can appear in .
+description: This reference article for the IT professional explains how to use PowerShell to get a list of XML data name elements that can appear in .
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -20,15 +20,15 @@ ms.author: dansimp
 
 The Security log uses a manifest where you can get all of the event schema.
 
-Run the following from an elevated PowerShell prompt:
+Run the following command from an elevated PowerShell prompt:
 
 ```powershell
 $secEvents = get-winevent -listprovider "microsoft-windows-security-auditing"
 ```
 
-The .events property is a collection of all of the events listed in the manifest on the local machine.
+The `.events` property is a collection of all of the events listed in the manifest on the local machine.
 
-For each event, there is a .Template property for the XML template used for the event properties (if there are any).
+For each event, there is a `.Template` property for the XML template used for the event properties (if there are any).
 
 For example:
 
@@ -90,7 +90,7 @@ PS C:\WINDOWS\system32> $SecEvents.events[100].Template
 
 You can use the <Template> and <Description> to map the data name elements that appear in XML view to the names that appear in the event description.
 
-The <Description> is just the format string (if you’re used to Console.Writeline or sprintf statements) and the <Template> is the source of the input parameters for the <Description>.
+The <Description> is just the format string (if you’re used to `Console.Writeline` or `sprintf` statements), and the <Template> is the source of the input parameters for the <Description>.
 
 Using Security event 4734 as an example:
 
@@ -124,9 +124,9 @@ Description : A security-enabled local group was deleted.
 
 ```
 
-For the **Subject: Security Id:** text element, it will use the fourth element in the Template, **SubjectUserSid**.
+For the **Subject: Security ID:** text element, it will use the fourth element in the Template, **SubjectUserSid**.
 
-For **Additional Information Privileges:**, it would use the eighth element **PrivilegeList**.
+For **Additional Information Privileges:**, it would use the eighth element, **PrivilegeList**.
 
-A caveat to this is an oft-overlooked property of events called Version (in the <SYSTEM> element) that indicates the revision of the event schema and description. Most events have 1 version (all events have Version =0 like the Security/4734 example) but a few events like Security/4624 or Security/4688 have at least 3 versions (versions 0, 1, 2) depending on the OS version where the event is generated. Only the latest version is used for generating events in the Security log. In any case, the Event Version where the Template is taken from should use the same Event Version for the Description.
+A caveat to this principle is an often overlooked property of events called Version (in the <SYSTEM> element) that indicates the revision of the event schema and description. Most events have one version (all events have Version =0 like the Security/4734 example) but a few events like Security/4624 or Security/4688 have at least three versions (versions 0, 1, 2) depending on the OS version where the event is generated. Only the latest version is used for generating events in the Security log. In any case, the Event Version where the Template is taken from should use the same Event Version for the Description.
 
diff --git a/windows/security/threat-protection/change-history-for-threat-protection.md b/windows/security/threat-protection/change-history-for-threat-protection.md
index af17bfed1e..53466cf41c 100644
--- a/windows/security/threat-protection/change-history-for-threat-protection.md
+++ b/windows/security/threat-protection/change-history-for-threat-protection.md
@@ -1,8 +1,8 @@
 ---
-title: Change history for [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+title: Change history for [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
 ms.reviewer: 
 ms.author: dansimp
-description: This topic lists new and updated topics in the WWindows Defender ATP content set.
+description: This topic lists new and updated topics in the Defender for Endpoint content set.
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -16,11 +16,11 @@ ms.localizationpriority: medium
 ---
 
 # Change history for threat protection
-This topic lists new and updated topics in the [Microsoft Defender ATP](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) documentation.
+This topic lists new and updated topics in the [Defender for Endpoint](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) documentation.
 
 ## August 2018
 
 New or changed topic | Description
 ---------------------|------------
-[Microsoft Defender Advanced Threat Protection](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) | Reorganized Windows 10 security topics to reflect the Windows Defender ATP platform.
+[Microsoft Defender for Endpoint](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) | Reorganized Windows 10 security topics to reflect the Defender for Endpoint platform.
 
diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
index add9bc1309..f37748f9d5 100644
--- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
+++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
@@ -13,13 +13,13 @@ manager: dansimp
 audience: ITPro
 ---
 
-# How to control USB devices and other removable media using Microsoft Defender ATP
+# How to control USB devices and other removable media using Microsoft Defender for Endpoint
 
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-Microsoft recommends [a layered approach to securing removable media](https://aka.ms/devicecontrolblog), and Microsoft Defender ATP provides multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising your devices:
+Microsoft recommends [a layered approach to securing removable media](https://aka.ms/devicecontrolblog), and Microsoft Defender for Endpoint provides multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising your devices:
 
-1. [Discover plug and play connected events for peripherals in Microsoft Defender ATP advanced hunting](#discover-plug-and-play-connected-events). Identify or investigate suspicious usage activity.
+1. [Discover plug and play connected events for peripherals in Microsoft Defender for Endpoint advanced hunting](#discover-plug-and-play-connected-events). Identify or investigate suspicious usage activity.
 
 2. Configure to allow or block only certain removable devices and prevent threats.
     1. [Allow or block removable devices](#allow-or-block-removable-devices) based on granular configuration to deny write access to removable disks and approve or deny devices by using USB device IDs. Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices.
@@ -28,22 +28,22 @@ Microsoft recommends [a layered approach to securing removable media](https://ak
            - Microsoft Defender Antivirus real-time protection (RTP) to scan removable storage for malware.  
            - The Attack Surface Reduction (ASR) USB rule to block untrusted and unsigned processes that run from USB.  
            - Direct Memory Access (DMA) protection settings to mitigate DMA attacks, including Kernel DMA Protection for Thunderbolt and blocking DMA until a user signs in.  
-3. [Create customized alerts and response actions](#create-customized-alerts-and-response-actions) to monitor usage of removable devices based on these plug and play events or any other Microsoft Defender ATP events with [custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules).
+3. [Create customized alerts and response actions](#create-customized-alerts-and-response-actions) to monitor usage of removable devices based on these plug and play events or any other Microsoft Defender for Endpoint events with [custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules).
 
 4. [Respond to threats](#respond-to-threats) from peripherals in real-time based on properties reported by each peripheral.
 
 >[!Note]
->These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removable disks. Additionally, you can [classify and protect files on Windows devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview) (including their mounted USB devices) by using Microsoft Defender ATP and Azure Information Protection.
+>These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removable disks. Additionally, you can [classify and protect files on Windows devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview) (including their mounted USB devices) by using Microsoft Defender for Endpoint and Azure Information Protection.
 
 ## Discover plug and play connected events
 
-You can view plug and play connected events in Microsoft Defender ATP advanced hunting to identify suspicious usage activity or perform internal investigations.
-For examples of Microsoft Defender ATP advanced hunting queries, see the [Microsoft Defender ATP hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries).
+You can view plug and play connected events in Microsoft Defender for Endpoint advanced hunting to identify suspicious usage activity or perform internal investigations.
+For examples of Defender for Endpoint advanced hunting queries, see the [Microsoft Defender for Endpoint hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries).
 
-Sample Power BI report templates are available for Microsoft Defender ATP that you can use for Advanced hunting queries. With these sample templates, including one for device control, you can integrate the power of Advanced hunting into Power BI. See the [GitHub repository for PowerBI templates](https://github.com/microsoft/MDATP-PowerBI-Templates) for more information. See [Create custom reports using Power BI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/api-power-bi) to learn more about Power BI integration.
+Sample Power BI report templates are available for Microsoft Defender for Endpoint that you can use for Advanced hunting queries. With these sample templates, including one for device control, you can integrate the power of Advanced hunting into Power BI. See the [GitHub repository for PowerBI templates](https://github.com/microsoft/MDATP-PowerBI-Templates) for more information. See [Create custom reports using Power BI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/api-power-bi) to learn more about Power BI integration.
 
 ## Allow or block removable devices
-The following table describes the ways Microsoft Defender ATP can allow or block removable devices based on granular configuration.
+The following table describes the ways Microsoft Defender for Endpoint can allow or block removable devices based on granular configuration.
 
 | Control  | Description |
 |----------|-------------|
@@ -54,11 +54,11 @@ The following table describes the ways Microsoft Defender ATP can allow or block
 | [Allow installation and usage of specifically approved peripherals with matching device instance IDs](#allow-installation-and-usage-of-specifically-approved-peripherals-with-matching-device-instance-ids) | You can only install and use approved peripherals that match any of these device instance IDs. |
 | [Prevent installation and usage of specifically prohibited peripherals with matching device instance IDs](#prevent-installation-and-usage-of-specifically-prohibited-peripherals-with-matching-device-instance-ids) | You can't install or use prohibited peripherals that match any of these device instance IDs. |
 | [Limit services that use Bluetooth](#limit-services-that-use-bluetooth) | You can limit the services that can use Bluetooth. |
-| [Use Microsoft Defender ATP baseline settings](#use-microsoft-defender-atp-baseline-settings) | You can set the recommended configuration for ATP by using the Microsoft Defender ATP security baseline. |
+| [Use Microsoft Defender for Endpoint baseline settings](#use-microsoft-defender-for-endpoint-baseline-settings) | You can set the recommended configuration for ATP by using the Defender for Endpoint security baseline. |
 
 ### Restrict USB drives and other peripherals
 
-To prevent malware infections or data loss, an organization may restrict USB drives and other peripherals. The following table describes the ways Microsoft Defender ATP can help prevent installation and usage of USB drives and other peripherals.
+To prevent malware infections or data loss, an organization may restrict USB drives and other peripherals. The following table describes the ways Microsoft Defender for Endpoint can help prevent installation and usage of USB drives and other peripherals.
 
 | Control  | Description
 |----------|-------------|
@@ -75,7 +75,7 @@ The above policies can also be set through the [Device Installation CSP settings
 
 > [!Note]
 > Always test and refine these settings with a pilot group of users and devices first before applying them in production.
-For more information about controlling USB devices, see the [Microsoft Defender ATP blog](https://www.microsoft.com/security/blog/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/).
+For more information about controlling USB devices, see the [Microsoft Defender for Endpoint blog](https://www.microsoft.com/security/blog/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/).
 
 #### Allow installation and usage of USB drives and other peripherals
 
@@ -189,7 +189,7 @@ Allowing installation of specific devices requires also enabling [DeviceInstalla
 
 ### Prevent installation of specifically prohibited peripherals
 
-Microsoft Defender ATP blocks installation and usage of prohibited peripherals by using either of these options:
+Microsoft Defender for Endpoint blocks installation and usage of prohibited peripherals by using either of these options:
 
 - [Administrative Templates](https://docs.microsoft.com/intune/administrative-templates-windows) can block any device with a matching hardware ID or setup class.  
 - [Device Installation CSP settings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) with a custom profile in Intune. You can [prevent installation of specific device IDs](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdeviceids) or [prevent specific device classes](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdevicesetupclasses).
@@ -212,26 +212,26 @@ Using Intune, you can limit the services that can use Bluetooth through the ["Bl
 
 ![Bluetooth](images/bluetooth.png)
 
-### Use Microsoft Defender ATP baseline settings
+### Use Microsoft Defender for Endpoint baseline settings
 
-The Microsoft Defender ATP baseline settings represent the recommended configuration for ATP. Configuration settings for baseline are located in the edit profile page of the configuration settings.
+The Microsoft Defender for Endpoint baseline settings represent the recommended configuration for ATP. Configuration settings for baseline are located in the edit profile page of the configuration settings.
 
 ![Baselines](images/baselines.png)
 
 ## Prevent threats from removable storage
   
-Removable storage devices can introduce additional security risk to your organization. Microsoft Defender ATP can help identify and block malicious files on removable storage devices.
+Removable storage devices can introduce additional security risk to your organization. Microsoft Defender for Endpoint can help identify and block malicious files on removable storage devices.
 
-Microsoft Defender ATP can also prevent USB peripherals from being used on devices to help prevent external threats. It does this by using the properties reported by USB peripherals to determine whether or not they can be installed and used on the device.
+Microsoft Defender for Endpoint can also prevent USB peripherals from being used on devices to help prevent external threats. It does this by using the properties reported by USB peripherals to determine whether or not they can be installed and used on the device.
 
 Note that if you block USB devices or any other device classes using the device installation policies, connected devices, such as phones, can still charge.
 
 >[!NOTE]
 >Always test and refine these settings with a pilot group of users and devices first before widely distributing to your organization. 
 
-The following table describes the ways Microsoft Defender ATP can help prevent threats from removable storage.
+The following table describes the ways Microsoft Defender for Endpoint can help prevent threats from removable storage.
 
-For more information about controlling USB devices, see the [Microsoft Defender ATP blog](https://aka.ms/devicecontrolblog).
+For more information about controlling USB devices, see the [Microsoft Defender for Endpoint blog](https://aka.ms/devicecontrolblog).
 
 | Control  | Description |
 |----------|-------------|
@@ -327,7 +327,7 @@ For information on device control related advance hunting events and examples on
 
 ## Respond to threats
 
-You can create custom alerts and automatic response actions with the [Microsoft Defender ATP Custom Detection Rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules). Response actions within the custom detection cover both machine and file level actions. You can also create alerts and automatic response actions using [PowerApps](https://powerapps.microsoft.com/) and [Flow](https://flow.microsoft.com/) with the [Microsoft Defender ATP connector](https://docs.microsoft.com/connectors/wdatp/). The connector supports actions for investigation, threat scanning, and restricting running applications. It is one of over 200 pre-defined connectors including Outlook, Teams, Slack, and more. Custom connectors can also be built. See [Connectors](https://docs.microsoft.com/connectors/) to learn more about connectors.
+You can create custom alerts and automatic response actions with the [Microsoft Defender for Endpoint Custom Detection Rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules). Response actions within the custom detection cover both machine and file level actions. You can also create alerts and automatic response actions using [PowerApps](https://powerapps.microsoft.com/) and [Flow](https://flow.microsoft.com/) with the [Microsoft Defender for Endpoint connector](https://docs.microsoft.com/connectors/wdatp/). The connector supports actions for investigation, threat scanning, and restricting running applications. It is one of over 200 pre-defined connectors including Outlook, Teams, Slack, and more. Custom connectors can also be built. See [Connectors](https://docs.microsoft.com/connectors/) to learn more about connectors.
  
 For example, using either approach, you can automatically have the Microsoft Defender Antivirus run when a USB device is mounted onto a machine.
 
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index 35846937a0..8dc3221ed3 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -16,9 +16,7 @@ ms.reviewer:
 
 # Enable virtualization-based protection of code integrity
 
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10.
 Some applications, including device drivers, may be incompatible with HVCI.
diff --git a/windows/security/threat-protection/device-guard/memory-integrity.md b/windows/security/threat-protection/device-guard/memory-integrity.md
index 3ebdf7bf95..2d935942a3 100644
--- a/windows/security/threat-protection/device-guard/memory-integrity.md
+++ b/windows/security/threat-protection/device-guard/memory-integrity.md
@@ -16,9 +16,7 @@ manager: dansimp
 
 # Memory integrity
 
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 Memory integrity is a feature of Windows that ensures code running in the Windows kernel is securely designed and trustworthy. It uses hardware virtualization and Hyper-V to protect Windows kernel mode processes from the injection and execution of malicious or unverified code. The integrity of code that runs on Windows is validated by memory integrity, making Windows resistant to attacks from malicious software. Memory integrity is a powerful security boundary that helps to block many types of malware from running in Windows 10 and Windows Server 2016 environments.
 
diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
index d594900ce7..535e713ba2 100644
--- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
@@ -17,9 +17,7 @@ ms.author: dansimp
 
 # Baseline protections and additional qualifications for virtualization-based protection of code integrity
 
-**Applies to**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+**Applies to** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 Computers must meet certain hardware, firmware, and software requirements in order to take advantage of all of the virtualization-based security (VBS) features in [Windows Defender Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md). Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats.
 
diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md
index 9b911ac29f..98392dd180 100644
--- a/windows/security/threat-protection/fips-140-validation.md
+++ b/windows/security/threat-protection/fips-140-validation.md
@@ -1,6 +1,6 @@
 ---
 title: Federal Information Processing Standard (FIPS) 140 Validation
-description: This topic provides information on how Microsoft products and cryptographic modules comply with the U.S. Federal government standard FIPS 140.
+description: Learn how Microsoft products and cryptographic modules follow the U.S. Federal government standard FIPS 140.
 ms.prod: w10
 audience: ITPro
 author: dansimp
@@ -16,41 +16,48 @@ ms.reviewer:
 
 ## FIPS 140-2 standard overview
 
-The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard that defines minimum security requirements for cryptographic modules in information technology products, as defined in Section 5131 of the Information Technology Management Reform Act of 1996.
+The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard. FIPS is based on Section 5131 of the Information Technology Management Reform Act of 1996. It defines the minimum security requirements for cryptographic modules in IT products.
 
-The [Cryptographic Module Validation Program (CMVP)](https://csrc.nist.gov/Projects/cryptographic-module-validation-program), a joint effort of the U.S. National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS), validates cryptographic modules against the Security Requirements for Cryptographic Modules (part of FIPS 140-2) and related FIPS cryptography standards. The FIPS 140-2 security requirements cover eleven areas related to the design and implementation of a cryptographic module. The NIST Information Technology Laboratory operates a related program that validates the FIPS approved cryptographic algorithms in the module.
+The [Cryptographic Module Validation Program (CMVP)](https://csrc.nist.gov/Projects/cryptographic-module-validation-program) is a joint effort of the U.S. National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS). It validates cryptographic modules against the Security Requirements for Cryptographic Modules (part of FIPS 140-2) and related FIPS cryptography standards. The FIPS 140-2 security requirements cover 11 areas related to the design and implementation of a cryptographic module. The NIST Information Technology Laboratory operates a related program that validates the FIPS approved cryptographic algorithms in the module.
 
 ## Microsoft’s approach to FIPS 140-2 validation
 
-Microsoft maintains an active commitment to meeting the requirements of the FIPS 140-2 standard, having validated cryptographic modules against it since the inception of the standard in 2001.  Microsoft validates its cryptographic modules under the NIST CMVP, as described above.  Multiple Microsoft products, including Windows 10, Windows Server, and many cloud services, use these cryptographic modules.
+Microsoft maintains an active commitment to meeting the requirements of the FIPS 140-2 standard, having validated cryptographic modules against it since it was first established in 2001.  Microsoft validates its cryptographic modules under the NIST CMVP, as described above.  Multiple Microsoft products, including Windows 10, Windows Server, and many cloud services, use these cryptographic modules.
 
 ## Using Windows in a FIPS 140-2 approved mode of operation
 
-Windows 10 and Windows Server may be configured to run in a FIPS 140-2 approved mode of operation. This is commonly referred to as “FIPS mode.”  When this mode is enabled, the Cryptographic Primitives Library (bcryptprimitives.dll) and Kernel Mode Cryptographic Primitives Library (CNG.sys) modules will run self-tests before Windows cryptographic operations are run. These self-tests are run in accordance with FIPS 140-2 Section 4.9 and are utilized to ensure that the modules are functioning properly. The Cryptographic Primitives Library and the Kernel Mode Cryptographic Primitives Library are the only modules affected by this mode of operation. The FIPS 140-2 approved mode of operation will not prevent Windows and its subsystems from using non-FIPS validated cryptographic algorithms. For applications or components beyond the Cryptographic Primitives Library and the Kernel Mode Cryptographic Primitives Library, FIPS mode is merely advisory.
+Windows 10 and Windows Server may be configured to run in a FIPS 140-2 approved mode of operation, commonly referred to as "FIPS mode."  If you turn on FIPS mode, the Cryptographic Primitives Library (bcryptprimitives.dll) and Kernel Mode Cryptographic Primitives Library (CNG.sys) modules will run self-tests before Windows runs cryptographic operations. These self-tests are run according to FIPS 140-2 Section 4.9. They ensure that the modules are functioning properly.
 
-While US government regulations continue to mandate that FIPS mode be enabled on government computers running Windows, our recommendation is that it is each customer’s decision to make when considering enabling FIPS mode. There are many applications and protocols that look to the FIPS mode policy to determine which cryptographic functionality should be utilized in a given solution. We recommend that customers hoping to comply with FIPS 140-2 research the configuration settings of applications and protocols they may be using to ensure their solutions can be configured to utilize the FIPS 140-2 validated cryptography provided by Windows when it is operating in FIPS 140-2 approved mode. 
+The Cryptographic Primitives Library and the Kernel Mode Cryptographic Primitives Library are the only modules affected by FIPS mode. FIPS mode won't prevent Windows and its subsystems from using non-FIPS validated cryptographic algorithms. FIPS mode is merely advisory for applications or components other than the Cryptographic Primitives Library and the Kernel Mode Cryptographic Primitives Library.
+
+US government regulations continue to mandate FIPS mode for government devices running Windows. Other customers should decide for themselves if FIPS mode is right for them. There are many applications and protocols that use FIPS mode policy to determine which cryptographic functionality to run. Customers seeking to follow the FIPS 140-2 standard should research the configuration settings of their applications and protocols. This research will help ensure that they can be configured to use FIPS 140-2 validated cryptography.
 
 Achieving this FIPS 140-2 approved mode of operation of Windows requires administrators to complete all four steps outlined below.
 
 ### Step 1: Ensure FIPS 140-2 validated cryptographic modules are installed
 
-Administrators must ensure that all cryptographic modules installed are FIPS 140-2 validated.  This is accomplished by cross-checking the version number of the cryptographic module with the table of validated modules at the end of this topic, organized by operating system release.
+Administrators must ensure that all cryptographic modules installed are FIPS 140-2 validated.  Tables listing validated modules, organized by operating system release, are available later in this article.
 
 ### Step 2: Ensure all security policies for all cryptographic modules are followed
 
-Each of the cryptographic modules has a defined security policy that must be met for the module to operate in its FIPS 140-2 approved mode.  The security policy may be found in each module’s published Security Policy Document (SPD).  The SPDs for each module may be found by following the links in the table of validated modules at the end of this topic.  Click on the module version number to view the published SPD for the module. 
- 
+Each of the cryptographic modules has a defined security policy that must be met for the module to operate in its FIPS 140-2 approved mode.  The security policy may be found in each module’s published Security Policy Document (SPD).  The SPDs for each module may be found in the table of validated modules at the end of this article.  Select the module version number to view the published SPD for the module. 
+
 ### Step 3: Enable the FIPS security policy
 
-Windows provides the security policy setting, “System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing,” which is used by some Microsoft products to determine whether to operate in a FIPS 140-2 approved mode.  When this policy is enabled, the validated cryptographic modules in Windows will also operate in FIPS approved mode.  The policy may be set using Local Security Policy, as part of Group Policy, or through a Modern Device Management (MDM) solution.   For more information on the policy, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing).  
+Windows provides the security policy setting, *System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing*. This setting is used by some Microsoft products to determine whether to run in FIPS mode.  When this policy is turned on, the validated cryptographic modules in Windows will also operate in FIPS mode.  This policy may be set using Local Security Policy, as part of Group Policy, or through a Modern Device Management (MDM) solution.   For more information on the policy, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing).  
 
-### Step 4: Ensure only FIPS validated cryptographic algorithms are used
+### Step 4: Ensure that only FIPS validated cryptographic algorithms are used
 
-Neither the operating system nor the cryptographic modules can enforce a FIPS approved mode of operation, regardless of the FIPS security policy setting.  To run in a FIPS approved mode, an application or service must check for the policy flag and enforce the security policies of the validated modules.  If an application or service uses a non-approved cryptographic algorithm or does not follow the security policies of the validated modules, it is not operating in a FIPS approved mode.
+FIPS mode is enforced at the level of the application or service. It is not enforced by the operating system or by individual cryptographic modules. Applications or services running in FIPS mode must follow the security policies of validated modules. They must not use a cryptographic algorithm that isn't FIPS-compliant.
+
+In short, an application or service is running in FIPS mode if it:
+
+* Checks for the policy flag
+* Enforces security policies of validated modules
 
 ## Frequently asked questions
 
-### How long does it take to certify cryptographic modules?
+### How long does it take to certify a cryptographic module?
 
 Microsoft begins certification of cryptographic modules after each major feature release of Windows 10 and Windows Server. The duration of each evaluation varies, depending on many factors.
 
@@ -58,29 +65,29 @@ Microsoft begins certification of cryptographic modules after each major feature
 
 The cadence for starting module validation aligns with the feature updates of Windows 10 and Windows Server.  As the software industry evolves, operating systems release more frequently. Microsoft completes validation work on major releases but, in between releases, seeks to minimize the changes to the cryptographic modules.  
 
-### What is the difference between “FIPS 140 validated” and “FIPS 140 compliant”?
+### What is the difference between *FIPS 140 validated* and *FIPS 140 compliant*?
 
-“FIPS 140 validated” means that the cryptographic module, or a product that embeds the module, has been validated (“certified”) by the CMVP as meeting the FIPS 140-2 requirements. “FIPS 140 compliant” is an industry term for IT products that rely on FIPS 140 validated products for cryptographic functionality.
+*FIPS 140 validated* means that the cryptographic module, or a product that embeds the module, has been validated ("certified") by the CMVP as meeting the FIPS 140-2 requirements. *FIPS 140 compliant* is an industry term for IT products that rely on FIPS 140 validated products for cryptographic functionality.
 
-### I need to know if a Windows service or application is FIPS 140-2 validated.
+### How do I know if a Windows service or application is FIPS 140-2 validated?
 
-The cryptographic modules leveraged in Windows are validated through the CMVP, not individual services, applications, hardware peripherals, or other solutions.  For a solution to be considered compliant, it must call a FIPS 140-2 validated cryptographic module in the underlying OS and the OS must be configured to run in FIPS mode.  Contact the vendor of the service, application, or product for information on whether it calls a validated cryptographic module.
+The cryptographic modules used in Windows are validated through the CMVP. They aren't validated by individual services, applications, hardware peripherals, or other solutions.  Any compliant solution must call a FIPS 140-2 validated cryptographic module in the underlying OS, and the OS must be configured to run in FIPS mode.  Contact the vendor of the service, application, or product for information on whether it calls a validated cryptographic module.
 
-### What does "When operated in FIPS mode" mean on a certificate?
+### What does *When operated in FIPS mode* mean on a certificate?
 
-This caveat identifies required configuration and security rules that must be followed to use the cryptographic module in a way that is consistent with its FIPS 140-2 security policy. Each module has its own security policy—a precise specification of the security rules under which it will operate—and employs approved cryptographic algorithms, cryptographic key management, and authentication techniques. The security rules are defined in the Security Policy Document (SPD) for each module.
+This label means that certain configuration and security rules must be followed to use the cryptographic module in compliance with its FIPS 140-2 security policy. Each module has its own security policy—a precise specification of the security rules under which it will operate—and employs approved cryptographic algorithms, cryptographic key management, and authentication techniques. The security rules are defined in the Security Policy Document (SPD) for each module.
 
 ### What is the relationship between FIPS 140-2 and Common Criteria?
 
-These are two separate security standards with different, but complementary, purposes. FIPS 140-2 is designed specifically for validating software and hardware cryptographic modules, while Common Criteria are designed to evaluate security functions in IT software and hardware products. Common Criteria evaluations often rely on FIPS 140-2 validations to provide assurance that basic cryptographic functionality is implemented properly.
+FIPS 140-2 and Common Criteria are two separate security standards with different, but complementary, purposes. FIPS 140-2 is designed specifically for validating software and hardware cryptographic modules. Common Criteria are designed to evaluate security functions in IT software and hardware products. Common Criteria evaluations often rely on FIPS 140-2 validations to provide assurance that basic cryptographic functionality is implemented properly.
 
 ### How does FIPS 140 relate to Suite B?
 
-Suite B is a set of cryptographic algorithms defined by the U.S. National Security Agency (NSA) as part of its Cryptographic Modernization Program. The set of Suite B cryptographic algorithms are to be used for both unclassified information and most classified information. The Suite B cryptographic algorithms are a subset of the FIPS Approved cryptographic algorithms as allowed by the FIPS 140-2 standard.
+Suite B is a set of cryptographic algorithms defined by the U.S. National Security Agency (NSA) as part of its Cryptographic Modernization Program. The set of Suite B cryptographic algorithms are to be used for both unclassified information and most classified information. The Suite B cryptographic algorithms are a subset of the FIPS approved cryptographic algorithms allowed by the FIPS 140-2 standard.
 
 ### Is SMB3 (Server Message Block) FIPS 140 compliant in Windows?
 
-When Windows is configured to operate in FIPS 140 approved mode on both client and server, SMB3 is FIPS 140 compliant and relies on the underlying Windows FIPS 140 validated cryptographic modules for cryptographic operations. 
+SMB3 can be FIPS 140 compliant, if Windows is configured to operate in FIPS 140 mode on both client and server.  In FIPS mode, SMB3 relies on the underlying Windows FIPS 140 validated cryptographic modules for cryptographic operations.
 
 ## Microsoft FIPS 140-2 validated cryptographic modules
 
@@ -314,7 +321,7 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile
       
-
@@ -324,7 +331,7 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile
 
@@ -333,40 +340,40 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile
 
-
-
-
+
-
+
-
-
@@ -401,7 +408,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile
 
-
@@ -410,7 +417,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile
 
-
@@ -419,14 +426,14 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile
 
-
-
@@ -434,7 +441,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile
 
-
@@ -442,13 +449,13 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile
 
-
+
-
@@ -457,7 +464,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile
 
-
@@ -494,7 +501,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub
 
-
@@ -503,7 +510,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub
 
-
@@ -512,7 +519,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub
 
-
@@ -520,7 +527,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub
 
-
@@ -528,7 +535,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub
 
-
@@ -536,13 +543,13 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub
 
-
+
-
@@ -551,7 +558,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub
 
-
@@ -592,7 +599,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface
 
-
@@ -601,7 +608,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface
 
-
@@ -610,7 +617,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface
 
-
@@ -618,7 +625,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface
 
-
@@ -626,7 +633,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface
 
-
@@ -634,13 +641,13 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface
 
-
+
-
@@ -649,7 +656,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface
 
-
@@ -658,13 +665,13 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface
 
      
 

      Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)
 10.0.15063
 #3095
      FIPS Approved algorithms: AES (Cert. #4624); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2522); SHS (Cert. #3790); Triple-DES (Cert. #2459)
      
+
      FIPS approved algorithms: AES (Cert. #4624); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2522); SHS (Cert. #3790); Triple-DES (Cert. #2459)
      
 
      
 Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
      
 
      Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #1281); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #1278)
      		10.0.15063
 #3094
 
      #3094
      
-
      FIPS Approved algorithms: AES (Certs. #4624 and #4626); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2523); SHS (Cert. #3790); Triple-DES (Cert. #2459)
      
+
      FIPS approved algorithms: AES (Certs. #4624 and #4626); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2523); SHS (Cert. #3790); Triple-DES (Cert. #2459)
      
 
      
 Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
      
 
      Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert.#1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert.#2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert.#1281)
      		Boot Manager
 10.0.15063
 #3089
      FIPS Approved algorithms: AES (Certs. #4624 and #4625); CKG (vendor affirmed); HMAC (Cert. #3061); PBKDF (vendor affirmed); RSA (Cert. #2523); SHS (Cert. #3790)
      
+
      FIPS approved algorithms: AES (Certs. #4624 and #4625); CKG (vendor affirmed); HMAC (Cert. #3061); PBKDF (vendor affirmed); RSA (Cert. #2523); SHS (Cert. #3790)
      
 
      Other algorithms: PBKDF (vendor affirmed); VMK KDF (vendor affirmed)
      		
 
      
 
      
 Windows OS Loader
 10.0.15063
 #3090
      FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790)
      
+
      FIPS approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790)
      
 
      Other algorithms: NDRNG
      		
 
      
 
      
 Windows Resume[1]
 10.0.15063
 #3091FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790)FIPS approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790)
 
      
 
      
 BitLocker® Dump Filter[2]
 10.0.15063
 #3092FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2522); SHS (Cert. #3790)FIPS approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2522); SHS (Cert. #3790)
 
      
 
      
 Code Integrity (ci.dll)
 10.0.15063
 #3093
      FIPS Approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)
      
+
      FIPS approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)
      
 
      Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. #1282)
      		
 
      
 
      
 Secure Kernel Code Integrity (skci.dll)[3]
 10.0.15063
 #3096
      FIPS Approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)
      
+
      FIPS approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)
      
 
      Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. #1282)
      		
 
      
 
      Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)
 10.0.14393
 #2937
      FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
      
+
      FIPS approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193, and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
      
 
      
 Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
      
 
      Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #886)
      		Kernel Mode Cryptographic Primitives Library (cng.sys)
 10.0.14393
 #2936
      FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
      
+
      FIPS approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193, and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
      
 
      
 Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
      
 
      Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887)
      		Boot Manager
 10.0.14393
 #2931
      FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)
      
+
      FIPS approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)
      
 
      Other algorithms: MD5; PBKDF (non-compliant); VMK KDF
      		
 
      
 
      
 BitLocker® Windows OS Loader (winload)
 10.0.14393
 #2932FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
      
+      		FIPS approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
      
 
      
 Other algorithms: NDRNG; MD5      		
 
      BitLocker® Windows Resume (winresume)[1]
 10.0.14393
 #2933FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
      
+      		FIPS approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
      
 
      
 Other algorithms: MD5      		
 
      BitLocker® Dump Filter (dumpfve.sys)[2]
 10.0.14393
 #2934FIPS Approved algorithms: AES (Certs. #4061 and #4064)FIPS approved algorithms: AES (Certs. #4061 and #4064)
 
      
 
      
 Code Integrity (ci.dll)
 10.0.14393
 #2935
      FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
      
+
      FIPS approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
      
 
      
 Other algorithms: AES (non-compliant); MD5
      
 
      Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888)
      		Secure Kernel Code Integrity (skci.dll)[3]
 10.0.14393
 #2938
      FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
      
+
      FIPS approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
      
 
      
 Other algorithms: MD5
      
 
      Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888)
      		Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)
 10.0.10586
 #2606
      FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs. #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
      
+
      FIPS approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs. #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888, and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
      
 
      
 Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)
      
 
      Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #664)
      		Kernel Mode Cryptographic Primitives Library (cng.sys)
 10.0.10586
 #2605
      FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs.  #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
      
+
      FIPS approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs.  #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888, and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
      
 
      
 Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)
      
 
      Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663)
      		Boot Manager[4]
 10.0.10586
 #2700FIPS Approved algorithms: AES (Certs. #3653); HMAC (Cert. #2381); PBKDF (vendor affirmed); RSA (Cert. #1871); SHS (Certs. #3047 and #3048)
      
+      		FIPS approved algorithms: AES (Certs. #3653); HMAC (Cert. #2381); PBKDF (vendor affirmed); RSA (Cert. #1871); SHS (Certs. #3047 and #3048)
      
 
      
 Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)      		
 
      BitLocker® Windows OS Loader (winload)[5]
 10.0.10586
 #2701FIPS Approved algorithms: AES (Certs. #3629 and #3653); RSA (Cert. #1871); SHS (Cert. #3048)
      
+      		FIPS approved algorithms: AES (Certs. #3629 and #3653); RSA (Cert. #1871); SHS (Cert. #3048)
      
 
      
 Other algorithms: MD5; NDRNG      		
 
      BitLocker® Windows Resume (winresume)[6]
 10.0.10586
 #2702FIPS Approved algorithms: AES (Certs. #3653); RSA (Cert. #1871); SHS (Cert. #3048)
      
+      		FIPS approved algorithms: AES (Certs. #3653); RSA (Cert. #1871); SHS (Cert. #3048)
      
 
      
 Other algorithms: MD5      		
 
      BitLocker® Dump Filter (dumpfve.sys)[7]
 10.0.10586
 #2703FIPS Approved algorithms: AES (Certs. #3653)FIPS approved algorithms: AES (Certs. #3653)
 
      
 
      
 Code Integrity (ci.dll)
 10.0.10586
 #2604
      FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
      
+
      FIPS approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
      
 
      
 Other algorithms: AES (non-compliant); MD5
      
 
      Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665)
      		Secure Kernel Code Integrity (skci.dll)[8]
 10.0.10586
 #2607
      FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
      
+
      FIPS approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
      
 
      
 Other algorithms: MD5
      
 
      Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665)
      		Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)
 10.0.10240
 #2606
      FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
      
+
      FIPS approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
      
 
      
 Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)
      
 
      Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #575)
      		Kernel Mode Cryptographic Primitives Library (cng.sys)
 10.0.10240
 #2605
      FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
      
+
      FIPS approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
      
 
      
 Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)
      
 
      Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576)
      		Boot Manager[9]
 10.0.10240
 #2600FIPS Approved algorithms: AES (Cert. #3497); HMAC (Cert. #2233); KTS (AES Cert. #3498); PBKDF (vendor affirmed); RSA (Cert. #1784); SHS (Certs. #2871 and #2886)
      
+      		FIPS approved algorithms: AES (Cert. #3497); HMAC (Cert. #2233); KTS (AES Cert. #3498); PBKDF (vendor affirmed); RSA (Cert. #1784); SHS (Certs. #2871 and #2886)
      
 
      
 Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)      		
 
      BitLocker® Windows OS Loader (winload)[10]
 10.0.10240
 #2601FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
      
+      		FIPS approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
      
 
      
 Other algorithms: MD5; NDRNG      		
 
      BitLocker® Windows Resume (winresume)[11]
 10.0.10240
 #2602FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
      
+      		FIPS approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
      
 
      
 Other algorithms: MD5      		
 
      BitLocker® Dump Filter (dumpfve.sys)[12]
 10.0.10240
 #2603FIPS Approved algorithms: AES (Certs. #3497 and #3498)FIPS approved algorithms: AES (Certs. #3497 and #3498)
 
      
 
      
 Code Integrity (ci.dll)
 10.0.10240
 #2604
      FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
      
+
      FIPS approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
      
 
      
 Other algorithms: AES (non-compliant); MD5
      
 
      Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572)
      		Secure Kernel Code Integrity (skci.dll)[13]
 10.0.10240
 #2607
      FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
      
+
      FIPS approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
      
 
      
 Other algorithms: MD5
      
 
      Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572)
      
 
 
-\[9\] Applies only to Home, Pro, Enterprise and Enterprise LTSB
+\[9\] Applies only to Home, Pro, Enterprise, and Enterprise LTSB
 
-\[10\] Applies only to Home, Pro, Enterprise and Enterprise LTSB
+\[10\] Applies only to Home, Pro, Enterprise, and Enterprise LTSB
 
-\[11\] Applies only to Home, Pro, Enterprise and Enterprise LTSB
+\[11\] Applies only to Home, Pro, Enterprise, and Enterprise LTSB
 
-\[12\] Applies only to Pro, Enterprise and Enterprise LTSB
+\[12\] Applies only to Pro, Enterprise, and Enterprise LTSB
 
 \[13\] Applies only to Enterprise and Enterprise LTSB
 
@@ -690,25 +697,25 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded
 Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)
 6.3.9600 6.3.9600.17031
 #2357
-
      FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
      
+
      FIPS approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493, and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
      
 
      
-Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)#2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
      
+Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)#2832, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
      
 
      Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #323)
      
 
 
 Kernel Mode Cryptographic Primitives Library (cng.sys)
 6.3.9600 6.3.9600.17042
 #2356
-
      FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
      
+
      FIPS approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493, and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
      
 
      
-Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
      
+Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
      
 
      Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289)
      
 
 
 Boot Manager
 6.3.9600 6.3.9600.17031
 #2351
-FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
      
+FIPS approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
      
 
      
 Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
 
@@ -716,7 +723,7 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded
 BitLocker® Windows OS Loader (winload)
 6.3.9600 6.3.9600.17031
 #2352
-FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
      
+FIPS approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
      
 
      
 Other algorithms: MD5; NDRNG
 
@@ -724,7 +731,7 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded
 BitLocker® Windows Resume (winresume)[14]
 6.3.9600 6.3.9600.17031
 #2353
-FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
      
+FIPS approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
      
 
      
 Other algorithms: MD5
 
@@ -732,7 +739,7 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded
 BitLocker® Dump Filter (dumpfve.sys)
 6.3.9600 6.3.9600.17031
 #2354
-FIPS Approved algorithms: AES (Cert. #2832)
      
+FIPS approved algorithms: AES (Cert. #2832)
      
 
      
 Other algorithms: N/A
 
@@ -740,7 +747,7 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded
 Code Integrity (ci.dll)
 6.3.9600 6.3.9600.17031
 #2355#2355
-
      FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
      
+
      FIPS approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
      
 
      
 Other algorithms: MD5
      
 
      Validated Component Implementations: PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289)
      
@@ -767,9 +774,9 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone
 Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)
 6.2.9200
 #1892
-FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
      
+FIPS approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
      
 
      
-Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258); DSA (Cert.); ECDSA (Cert.); HMAC (Cert.); KAS (Cert); KBKDF (Cert.); PBKDF (vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)
      
+Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258); DSA (Cert.); ECDSA (Cert.); HMAC (Cert.); KAS (Cert); KBKDF (Cert.); PBKDF (vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)
      
 
      
 
 
@@ -777,17 +784,17 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone
 Kernel Mode Cryptographic Primitives Library (cng.sys)
 6.2.9200
 #1891
-FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
      
+FIPS approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
      
 
      
-Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258 and); ECDSA (Cert.); HMAC (Cert.); KAS (Cert.); KBKDF (Cert.); PBKDF (vendor affirmed); RNG (Cert.); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)
      
+Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258 and); ECDSA (Cert.); HMAC (Cert.); KAS (Cert.); KBKDF (Cert.); PBKDF (vendor affirmed); RNG (Cert.); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)
      
 
      
-Other algorithms: AES (Cert., key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
+Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
 
 
 Boot Manager
 6.2.9200
 #1895
-FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
      
+FIPS approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
      
 
      
 Other algorithms: MD5
 
@@ -795,7 +802,7 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone
 BitLocker® Windows OS Loader (WINLOAD)
 6.2.9200
 #1896
-FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
      
+FIPS approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
      
 
      
 Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG
 
@@ -803,7 +810,7 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone
 BitLocker® Windows Resume (WINRESUME)[15]
 6.2.9200
 #1898
-FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
      
+FIPS approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
      
 
      
 Other algorithms: MD5
 
@@ -811,7 +818,7 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone
 BitLocker® Dump Filter (DUMPFVE.SYS)
 6.2.9200
 #1899
-FIPS Approved algorithms: AES (Certs. #2196 and #2198)
      
+FIPS approved algorithms: AES (Certs. #2196 and #2198)
      
 
      
 Other algorithms: N/A
 
@@ -819,7 +826,7 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone
 Code Integrity (CI.DLL)
 6.2.9200
 #1897
-FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
      
+FIPS approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
      
 
      
 Other algorithms: MD5
 
@@ -827,19 +834,19 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone
 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)
 6.2.9200
 #1893
-FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
      
+FIPS approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
      
 
      
-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#1902); Triple-DES (Cert.); Triple-DES MAC (Triple-DES Cert., vendor affirmed)
      
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#1902); Triple-DES (Cert.); Triple-DES MAC (Triple-DES Certificate, vendor affirmed)
      
 
      
-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert., key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Certificate, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
 
 
 Enhanced Cryptographic Provider (RSAENH.DLL)
 6.2.9200
 #1894
-FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
      
+FIPS approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
      
 
      
-Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
+Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
 
 
 
@@ -870,11 +877,11 @@ Validated Editions: Windows 7, Windows 7 SP1
 
      6.1.7600.16385
      
 
      6.1.7601.17514
      
 1329
-FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); DSA (Cert. #386); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
      
+FIPS approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); DSA (Cert. #386); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 bits to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
      
 
      
-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4#559 and); SHS (Cert.); Triple-DES (Cert.)
      
+Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4#559 and); SHS (Cert.); Triple-DES (Cert.)
      
 
      
-Other algorithms: AES (Cert., key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
+Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
 
 
 Kernel Mode Cryptographic Primitives Library (cng.sys)
@@ -887,16 +894,16 @@ Validated Editions: Windows 7, Windows 7 SP1
 
      6.1.7601.21861
      
 
      6.1.7601.22076
      
 1328
-FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
      
+FIPS approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 bits to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
      
 
      
-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
+Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
 
 
 Boot Manager
 
      6.1.7600.16385
      
 
      6.1.7601.17514
      
 1319
-FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #557); SHS (Cert. #1081)
      
+FIPS approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #557); SHS (Cert. #1081)
      
 
      
 Other algorithms: MD5#1168 and); HMAC (Cert.); RSA (Cert.); SHS (Cert.)
      
 
      
@@ -913,7 +920,7 @@ Validated Editions: Windows 7, Windows 7 SP1
 
      6.1.7601.21655
      
 
      6.1.7601.21675
      
 1326
-FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #557); SHS (Cert. #1081)
      
+FIPS approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #557); SHS (Cert. #1081)
      
 
      
 Other algorithms: MD5
 
@@ -932,7 +939,7 @@ Validated Editions: Windows 7, Windows 7 SP1
 
      6.1.7601.21655
      
 
      6.1.7601.21675
      
 1332
-FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
      
+FIPS approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
      
 
      
 Other algorithms: Elephant Diffuser
 
@@ -945,7 +952,7 @@ Validated Editions: Windows 7, Windows 7 SP1
 
      6.1.7601.17950
      
 
      6.1.7601.22108
      
 1327
-FIPS Approved algorithms: RSA (Cert. #557); SHS (Cert. #1081)
      
+FIPS approved algorithms: RSA (Cert. #557); SHS (Cert. #1081)
      
 
      
 Other algorithms: MD5
 
@@ -954,7 +961,7 @@ Validated Editions: Windows 7, Windows 7 SP1
 6.1.7600.16385
      
 (no change in SP1)
 1331
-FIPS Approved algorithms: DSA (Cert. #385); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
      
+FIPS approved algorithms: DSA (Cert. #385); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
      
 
      
 Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4
 
@@ -963,9 +970,9 @@ Validated Editions: Windows 7, Windows 7 SP1
 6.1.7600.16385
      
 (no change in SP1)
 1330
-FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #673); SHS (Cert. #1081); RSA (Certs. #557 and #559); Triple-DES (Cert. #846)
      
+FIPS approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #673); SHS (Cert. #1081); RSA (Certs. #557 and #559); Triple-DES (Cert. #846)
      
 
      
-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256-bits of encryption strength; non-compliant less than 112 bits of encryption strength)
+Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
 
 
 
@@ -993,13 +1000,13 @@ Validated Editions: Ultimate Edition
 Boot Manager (bootmgr)
 6.0.6001.18000 and 6.0.6002.18005
 978
-FIPS Approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #354); SHS (Cert. #753)
+FIPS approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #354); SHS (Cert. #753)
 
 
 Winload OS Loader (winload.exe)
 6.0.6001.18000, 6.0.6001.18027, 6.0.6001.18606, 6.0.6001.22125, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411 and 6.0.6002.22596
 979
-FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #354); SHS (Cert. #753)
      
+FIPS approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #354); SHS (Cert. #753)
      
 
      
 Other algorithms: MD5
 
@@ -1007,37 +1014,37 @@ Validated Editions: Ultimate Edition
 Code Integrity (ci.dll)
 6.0.6001.18000, 6.0.6001.18023, 6.0.6001.22120, and 6.0.6002.18005
 980
-FIPS Approved algorithms: RSA (Cert. #354); SHS (Cert. #753)
      
+FIPS approved algorithms: RSA (Cert. #354); SHS (Cert. #753)
      
 
      
 Other algorithms: MD5
 
 
 Kernel Mode Security Support Provider Interface (ksecdd.sys)
-6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.228696.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.22869
+6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.22869
 1000
-
      FIPS Approved algorithms: AES (Certs. #739 and #756); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)#739 and); ECDSA (Cert.); HMAC (Cert.); RNG (Cert.  and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)
      
-
      Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
      
+
      FIPS approved algorithms: AES (Certs. #739 and #756); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)#739 and); ECDSA (Cert.); HMAC (Cert.); RNG (Cert.  and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)
      
+
      Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
      
 
 
 Cryptographic Primitives Library (bcrypt.dll)
-6.0.6001.22202, 6.0.6002.18005, and 6.0.6002.228726.0.6001.22202, 6.0.6002.18005, and 6.0.6002.22872
+6.0.6001.22202, 6.0.6002.18005, and 6.0.6002.22872
 1001
-
      FIPS Approved algorithms: AES (Certs. #739 and #756); DSA (Cert. #283); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90, vendor affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)
      
-
      Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)
      
+
      FIPS approved algorithms: AES (Certs. #739 and #756); DSA (Cert. #283); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90, vendor affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)
      
+
      Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)
      
 
 
 Enhanced Cryptographic Provider (RSAENH)
-6.0.6001.22202 and 6.0.6002.180056.0.6001.22202 and 6.0.6002.18005
+6.0.6001.22202 and 6.0.6002.18005
 1002
-
      FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #407); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #354); SHS (Cert. #753); Triple-DES (Cert. #656)
      
-
      Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
      
+
      FIPS approved algorithms: AES (Cert. #739); HMAC (Cert. #407); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #354); SHS (Cert. #753); Triple-DES (Cert. #656)
      
+
      Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
      
 
 
 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
-6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.18005
+6.0.6001.18000 and 6.0.6002.18005
 1003
-
      FIPS Approved algorithms: DSA (Cert. #281); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)
      
-
      Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4
      
+
      FIPS approved algorithms: DSA (Cert. #281); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)
      
+
      Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4
      
 
 
 
@@ -1059,23 +1066,23 @@ Validated Editions: Ultimate Edition
 Enhanced Cryptographic Provider (RSAENH)
 6.0.6000.16386
 893
-FIPS Approved algorithms: AES (Cert. #553); HMAC (Cert. #297); RNG (Cert. #321); RSA (Certs. #255 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
      
+FIPS approved algorithms: AES (Cert. #553); HMAC (Cert. #297); RNG (Cert. #321); RSA (Certs. #255 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
      
 
      
-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
+Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
 
 
 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
 6.0.6000.16386
 894
-FIPS Approved algorithms: DSA (Cert. #226); RNG (Cert. #321); SHS (Cert. #618); Triple-DES (Cert. #549); Triple-DES MAC (Triple-DES Cert. #549, vendor affirmed)
      
+FIPS approved algorithms: DSA (Cert. #226); RNG (Cert. #321); SHS (Cert. #618); Triple-DES (Cert. #549); Triple-DES MAC (Triple-DES Cert. #549, vendor affirmed)
      
 
      
-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4
 
 
 BitLocker™ Drive Encryption
 6.0.6000.16386
 947
-FIPS Approved algorithms: AES (Cert. #715); HMAC (Cert. #386); SHS (Cert. #737)
      
+FIPS approved algorithms: AES (Cert. #715); HMAC (Cert. #386); SHS (Cert. #737)
      
 
      
 Other algorithms: Elephant Diffuser
 
@@ -1083,9 +1090,9 @@ Validated Editions: Ultimate Edition
 Kernel Mode Security Support Provider Interface (ksecdd.sys)
 6.0.6000.16386, 6.0.6000.16870 and 6.0.6000.21067
 891
-FIPS Approved algorithms: AES (Cert. #553); ECDSA (Cert. #60); HMAC (Cert. #298); RNG (Cert. #321); RSA (Certs. #257 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
      
+FIPS approved algorithms: AES (Cert. #553); ECDSA (Cert. #60); HMAC (Cert. #298); RNG (Cert. #321); RSA (Certs. #257 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
      
 
      
-Other algorithms: DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides 128 to 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; HMAC MD5
+Other algorithms: DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides 128 bits to 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; HMAC MD5
 
 
 
@@ -1111,22 +1118,22 @@ Validated Editions: Ultimate Edition
 Kernel Mode Cryptographic Module (FIPS.SYS)
 5.1.2600.5512
 997
-
      FIPS Approved algorithms: HMAC (Cert. #429); RNG (Cert. #449); SHS (Cert. #785); Triple-DES (Cert. #677); Triple-DES MAC (Triple-DES Cert. #677, vendor affirmed)
      
+
      FIPS approved algorithms: HMAC (Cert. #429); RNG (Cert. #449); SHS (Cert. #785); Triple-DES (Cert. #677); Triple-DES MAC (Triple-DES Cert. #677, vendor affirmed)
      
 
      Other algorithms: DES; MD5; HMAC MD5
      
 
 
 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
 5.1.2600.5507
 990
-
      FIPS Approved algorithms: DSA (Cert. #292); RNG (Cert. #448); SHS (Cert. #784); Triple-DES (Cert. #676); Triple-DES MAC (Triple-DES Cert. #676, vendor affirmed)
      
-
      Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits); MD5; RC2; RC4
      
+
      FIPS approved algorithms: DSA (Cert. #292); RNG (Cert. #448); SHS (Cert. #784); Triple-DES (Cert. #676); Triple-DES MAC (Triple-DES Cert. #676, vendor affirmed)
      
+
      Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits); MD5; RC2; RC4
      
 
 
 Enhanced Cryptographic Provider (RSAENH)
 5.1.2600.5507
 989
-
      FIPS Approved algorithms: AES (Cert. #781); HMAC (Cert. #428); RNG (Cert. #447); RSA (Cert. #371); SHS (Cert. #783); Triple-DES (Cert. #675); Triple-DES MAC (Triple-DES Cert. #675, vendor affirmed)
      
-
      Other algorithms: DES; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits)
      
+
      FIPS approved algorithms: AES (Cert. #781); HMAC (Cert. #428); RNG (Cert. #447); RSA (Cert. #371); SHS (Cert. #783); Triple-DES (Cert. #675); Triple-DES MAC (Triple-DES Cert. #675, vendor affirmed)
      
+
      Other algorithms: DES; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits)
      
 
 
 
@@ -1152,14 +1159,14 @@ Validated Editions: Ultimate Edition
 DSS/Diffie-Hellman Enhanced Cryptographic Provider
 5.1.2600.2133
 240
-
      FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #29)
      
+
      FIPS approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #29)
      
 
      Other algorithms: DES (Cert. #66); RC2; RC4; MD5; DES40; Diffie-Hellman (key agreement)
      
 
 
 Microsoft Enhanced Cryptographic Provider
 5.1.2600.2161
 238
-
      FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)
      
+
      FIPS approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)
      
 
      Other algorithms: DES (Cert. #156); RC2; RC4; MD5
      
 
 
@@ -1186,7 +1193,7 @@ Validated Editions: Ultimate Edition
 Microsoft Enhanced Cryptographic Provider
 5.1.2600.1029
 238
-
      FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)
      
+
      FIPS approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)
      
 
      Other algorithms: DES (Cert. #156); RC2; RC4; MD5
      
 
 
@@ -1213,7 +1220,7 @@ Validated Editions: Ultimate Edition
 Kernel Mode Cryptographic Module
 5.1.2600.0
 241
-
      FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #35); HMAC-SHA-1 (Cert. #35, vendor affirmed)
      
+
      FIPS approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #35); HMAC-SHA-1 (Cert. #35, vendor affirmed)
      
 
      Other algorithms: DES (Cert. #89)
      
 
 
@@ -1240,7 +1247,7 @@ Validated Editions: Ultimate Edition
 Kernel Mode Cryptographic Module (FIPS.SYS)
 5.0.2195.1569
 106
-
      FIPS Approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)
      
+
      FIPS approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)
      
 
      Other algorithms: DES (Certs. #89)
      
 
 
@@ -1250,7 +1257,7 @@ Validated Editions: Ultimate Edition
 
      (DSS/DH Enh: 5.0.2195.3665 [SP3])
      
 
      (Enh: 5.0.2195.3839 [SP3]
      
 103
-
      FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)
      
+
      FIPS approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)
      
 
      Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5
      
 
 
@@ -1277,7 +1284,7 @@ Validated Editions: Ultimate Edition
 Kernel Mode Cryptographic Module (FIPS.SYS)
 5.0.2195.1569
 106
-
      FIPS Approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)
      
+
      FIPS approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)
      
 
      Other algorithms: DES (Certs. #89)
      
 
 
@@ -1291,7 +1298,7 @@ Validated Editions: Ultimate Edition
 
      (Enh:
      
 
      5.0.2195.2228 [SP2])
      
 103
-
      FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)
      
+
      FIPS approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)
      
 
      Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5
      
 
 
@@ -1321,7 +1328,7 @@ Validated Editions: Ultimate Edition
 
      (DSS/DH Enh: 5.0.2150.1391 [SP1])
      
 
      (Enh: 5.0.2150.1391 [SP1])
      
 103
-
      FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)
      
+
      FIPS approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)
      
 
      Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5
      
 
 
@@ -1348,7 +1355,7 @@ Validated Editions: Ultimate Edition
 Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider
 5.0.2150.1
 76
-
      FIPS Approved algorithms: Triple-DES (vendor affirmed); DSA/SHA-1 (Certs. #28 and 29); RSA (vendor affirmed)
      
+
      FIPS approved algorithms: Triple-DES (vendor affirmed); DSA/SHA-1 (Certs. #28 and 29); RSA (vendor affirmed)
      
 
      Other algorithms: DES (Certs. #65, 66, 67 and 68); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)
      
 
 
@@ -1375,7 +1382,7 @@ Validated Editions: Ultimate Edition
 Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider
 5.0.1877.6 and 5.0.1877.7
 75
-
      FIPS Approved algorithms: Triple-DES (vendor affirmed); SHA-1 (Certs. #20 and 21); DSA/SHA-1 (Certs. #25 and 26); RSA (vendor- affirmed)
      
+
      FIPS approved algorithms: Triple-DES (vendor affirmed); SHA-1 (Certs. #20 and 21); DSA/SHA-1 (Certs. #25 and 26); RSA (vendor- affirmed)
      
 
      Other algorithms: DES (Certs. #61, 62, 63 and 64); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)
      
 
 
@@ -1396,7 +1403,7 @@ Validated Editions: Ultimate Edition
 Base Cryptographic Provider
 5.0.1877.6 and 5.0.1877.7
 68
-FIPS Approved algorithms: SHA-1 (Certs. #20 and 21); DSA/SHA- 1 (Certs. #25 and 26); RSA (vendor affirmed)
      
+FIPS approved algorithms: SHA-1 (Certs. #20 and 21); DSA/SHA- 1 (Certs. #25 and 26); RSA (vendor affirmed)
      
 
      
 Other algorithms: DES (Certs. #61, 62, 63 and 64); Triple-DES (allowed for US and Canadian Government use); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)
 
@@ -1631,7 +1638,7 @@ Validated Editions: Standard, Datacenter, Storage Server
 Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)
 10.0.14393
 2937
-FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
      
+FIPS approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193, and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
      
 
      
 Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
 
@@ -1639,7 +1646,7 @@ Validated Editions: Standard, Datacenter, Storage Server
 Kernel Mode Cryptographic Primitives Library (cng.sys)
 10.0.14393
 2936
-FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
      
+FIPS approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193, and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
      
 
      
 Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
 
@@ -1647,14 +1654,14 @@ Validated Editions: Standard, Datacenter, Storage Server
 Boot Manager
 10.0.14393
 2931
-
      FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)
      
+
      FIPS approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)
      
 
      Other algorithms: MD5; PBKDF (non-compliant); VMK KDF
      
 
 
 BitLocker® Windows OS Loader (winload)
 10.0.14393
 2932
-FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
      
+FIPS approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
      
 
      
 Other algorithms: NDRNG; MD5
 
@@ -1662,7 +1669,7 @@ Validated Editions: Standard, Datacenter, Storage Server
 BitLocker® Windows Resume (winresume)
 10.0.14393
 2933
-FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
      
+FIPS approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
      
 
      
 Other algorithms: MD5
 
@@ -1670,13 +1677,13 @@ Validated Editions: Standard, Datacenter, Storage Server
 BitLocker® Dump Filter (dumpfve.sys)
 10.0.14393
 2934
-FIPS Approved algorithms: AES (Certs. #4061 and #4064)
+FIPS approved algorithms: AES (Certs. #4061 and #4064)
 
 
 Code Integrity (ci.dll)
 10.0.14393
 2935
-FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
      
+FIPS approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
      
 
      
 Other algorithms: AES (non-compliant); MD5
 
@@ -1684,7 +1691,7 @@ Validated Editions: Standard, Datacenter, Storage Server
 Secure Kernel Code Integrity (skci.dll)
 10.0.14393
 2938
-FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
      
+FIPS approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
      
 
      
 Other algorithms: MD5
 
@@ -1710,23 +1717,23 @@ Validated Editions: Server, Storage Server,
 Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)
 6.3.9600 6.3.9600.17031
 2357
-FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
      
+FIPS approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493, and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
      
 
      
-Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
+Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
 
 
 Kernel Mode Cryptographic Primitives Library (cng.sys)
 6.3.9600 6.3.9600.17042
 2356
-FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
      
+FIPS approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493, and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
      
 
      
-Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
+Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
 
 
 Boot Manager
 6.3.9600 6.3.9600.17031
 2351
-FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
      
+FIPS approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
      
 
      
 Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
 
@@ -1734,7 +1741,7 @@ Validated Editions: Server, Storage Server,
 BitLocker® Windows OS Loader (winload)
 6.3.9600 6.3.9600.17031
 2352
-FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
      
+FIPS approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
      
 
      
 Other algorithms: MD5; NDRNG
 
@@ -1742,7 +1749,7 @@ Validated Editions: Server, Storage Server,
 BitLocker® Windows Resume (winresume)[16]
 6.3.9600 6.3.9600.17031
 2353
-FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
      
+FIPS approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
      
 
      
 Other algorithms: MD5
 
@@ -1750,7 +1757,7 @@ Validated Editions: Server, Storage Server,
 BitLocker® Dump Filter (dumpfve.sys)[17]
 6.3.9600 6.3.9600.17031
 2354
-FIPS Approved algorithms: AES (Cert. #2832)
      
+FIPS approved algorithms: AES (Cert. #2832)
      
 
      
 Other algorithms: N/A
 
@@ -1758,7 +1765,7 @@ Validated Editions: Server, Storage Server,
 Code Integrity (ci.dll)
 6.3.9600 6.3.9600.17031
 2355
-FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
      
+FIPS approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
      
 
      
 Other algorithms: MD5
 
@@ -1766,9 +1773,9 @@ Validated Editions: Server, Storage Server,
 
 
 
-\[16\] Does not apply to **Azure StorSimple Virtual Array Windows Server 2012 R2**
+\[16\] Doesn't apply to **Azure StorSimple Virtual Array Windows Server 2012 R2**
 
-\[17\] Does not apply to **Azure StorSimple Virtual Array Windows Server 2012 R2**
+\[17\] Doesn't apply to **Azure StorSimple Virtual Array Windows Server 2012 R2**
 
 **Windows Server 2012**
 
@@ -1786,27 +1793,27 @@ Validated Editions: Server, Storage Server
 Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)
 6.2.9200
 1892
-FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
      
+FIPS approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
      
 
      
-Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#687); ECDSA (Cert.); HMAC (Cert. #); KAS (Cert.); KBKDF (Cert.); PBKDF (vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)
      
+Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#687); ECDSA (Cert.); HMAC (Cert. #); KAS (Cert.); KBKDF (Cert.); PBKDF (vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)
      
 
      
-Other algorithms: AES (Cert., key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
+Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
 
 
 Kernel Mode Cryptographic Primitives Library (cng.sys)
 6.2.9200
 1891
-FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
      
+FIPS approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
      
 
      
-Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#1110); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)
      
+Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#1110); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)
      
 
      
-Other algorithms: AES (Cert., key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
+Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
 
 
 Boot Manager
 6.2.9200
 1895
-FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
      
+FIPS approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
      
 
      
 Other algorithms: MD5
 
@@ -1814,7 +1821,7 @@ Validated Editions: Server, Storage Server
 BitLocker® Windows OS Loader (WINLOAD)
 6.2.9200
 1896
-FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
      
+FIPS approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
      
 
      
 Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG
 
@@ -1822,7 +1829,7 @@ Validated Editions: Server, Storage Server
 BitLocker® Windows Resume (WINRESUME)
 6.2.9200
 1898
-FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
      
+FIPS approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
      
 
      
 Other algorithms: MD5
 
@@ -1830,7 +1837,7 @@ Validated Editions: Server, Storage Server
 BitLocker® Dump Filter (DUMPFVE.SYS)
 6.2.9200
 1899
-FIPS Approved algorithms: AES (Certs. #2196 and #2198)
      
+FIPS approved algorithms: AES (Certs. #2196 and #2198)
      
 
      
 Other algorithms: N/A
 
@@ -1838,7 +1845,7 @@ Validated Editions: Server, Storage Server
 Code Integrity (CI.DLL)
 6.2.9200
 1897
-FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
      
+FIPS approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
      
 
      
 Other algorithms: MD5
 
@@ -1846,7 +1853,7 @@ Validated Editions: Server, Storage Server
 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)
 6.2.9200
 1893
-FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
      
+FIPS approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
      
 
      
 Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
 
@@ -1854,9 +1861,9 @@ Validated Editions: Server, Storage Server
 Enhanced Cryptographic Provider (RSAENH.DLL)
 6.2.9200
 1894
-FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
      
+FIPS approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
      
 
      
-Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
+Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
 
 
 
@@ -1874,65 +1881,65 @@ Validated Editions: Server, Storage Server
 
 
 Boot Manager (bootmgr)
-6.1.7600.16385 or 6.1.7601.175146.1.7600.16385 or 6.1.7601.17514
+6.1.7600.16385 or 6.1.7601.17514
 1321
-FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #568); SHS (Cert. #1081)
      
+FIPS approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #568); SHS (Cert. #1081)
      
 
      
 Other algorithms: MD5
 
 
 Winload OS Loader (winload.exe)
-6.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.216756.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.21675
+6.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.21675
 1333
-FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #568); SHS (Cert. #1081)
      
+FIPS approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #568); SHS (Cert. #1081)
      
 
      
 Other algorithms: MD5
 
 
 Code Integrity (ci.dll)
-6.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.221086.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.22108
+6.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.22108
 1334
-FIPS Approved algorithms: RSA (Cert. #568); SHS (Cert. #1081)
      
+FIPS approved algorithms: RSA (Cert. #568); SHS (Cert. #1081)
      
 
      
 Other algorithms: MD5
 
 
 Kernel Mode Cryptographic Primitives Library (cng.sys)
-6.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.220766.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.22076
+6.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.22076
 1335
-FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
      
+FIPS approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 bits and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
      
 
      
--Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
+-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
 
 
 Cryptographic Primitives Library (bcryptprimitives.dll)
-66.1.7600.16385 or 6.1.7601.1751466.1.7600.16385 or 6.1.7601.17514
+66.1.7600.16385 or 6.1.7601.17514
 1336
-FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); DSA (Cert. #391); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
      
+FIPS approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); DSA (Cert. #391); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 bits and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
      
 
      
-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; HMAC MD5; MD2; MD4; MD5; RC2; RC4
+Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; HMAC MD5; MD2; MD4; MD5; RC2; RC4
 
 
 Enhanced Cryptographic Provider (RSAENH)
 6.1.7600.16385
 1337
-FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #687); SHS (Cert. #1081); RSA (Certs. #559 and #568); Triple-DES (Cert. #846)
      
+FIPS approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #687); SHS (Cert. #1081); RSA (Certs. #559 and #568); Triple-DES (Cert. #846)
      
 
      
-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
+Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
 
 
 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
 6.1.7600.16385
 1338
-FIPS Approved algorithms: DSA (Cert. #390); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
      
+FIPS approved algorithms: DSA (Cert. #390); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
      
 
      
 Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4
 
 
 BitLocker™ Drive Encryption
-6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.216756.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.21675
+6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.21675
 1339
-FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
      
+FIPS approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
      
 
      
 Other algorithms: Elephant Diffuser
 
@@ -1952,61 +1959,61 @@ Validated Editions: Server, Storage Server
 
 
 Boot Manager (bootmgr)
-6.0.6001.18000, 6.0.6002.18005 and 6.0.6002.224976.0.6001.18000, 6.0.6002.18005 and 6.0.6002.22497
+6.0.6001.18000, 6.0.6002.18005 and 6.0.6002.22497
 1004
-FIPS Approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #355); SHS (Cert. #753)
      
+FIPS approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #355); SHS (Cert. #753)
      
 
      
 Other algorithms: N/A
 
 
 Winload OS Loader (winload.exe)
-6.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.225966.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.22596
+6.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.22596
 1005
-FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #355); SHS (Cert. #753)
      
+FIPS approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #355); SHS (Cert. #753)
      
 
      
 Other algorithms: MD5
 
 
 Code Integrity (ci.dll)
-6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.18005
+6.0.6001.18000 and 6.0.6002.18005
 1006
-FIPS Approved algorithms: RSA (Cert. #355); SHS (Cert. #753)
      
+FIPS approved algorithms: RSA (Cert. #355); SHS (Cert. #753)
      
 
      
 Other algorithms: MD5
 
 
 Kernel Mode Security Support Provider Interface (ksecdd.sys)
-6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.228696.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.22869
+6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.22869
 1007
-FIPS Approved algorithms: AES (Certs. #739 and #757); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90 AES-CTR, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
      
+FIPS approved algorithms: AES (Certs. #739 and #757); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90 AES-CTR, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
      
 
      
-Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#83); HMAC (Cert.); RNG (Cert.  and SP800-90 AES-CTR, vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)
      
+Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#83); HMAC (Cert.); RNG (Cert.  and SP800-90 AES-CTR, vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)
      
 
      
-Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
+Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
 
 
 Cryptographic Primitives Library (bcrypt.dll)
-6.0.6001.22202, 6.0.6002.18005 and 6.0.6002.228726.0.6001.22202, 6.0.6002.18005 and 6.0.6002.22872
+6.0.6001.22202, 6.0.6002.18005 and 6.0.6002.22872
 1008
-FIPS Approved algorithms: AES (Certs. #739 and #757); DSA (Cert. #284); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
      
+FIPS approved algorithms: AES (Certs. #739 and #757); DSA (Cert. #284); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
      
 
      
-Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)
+Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)
 
 
 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
-6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.18005
+6.0.6001.18000 and 6.0.6002.18005
 1009
-FIPS Approved algorithms: DSA (Cert. #282); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)
      
+FIPS approved algorithms: DSA (Cert. #282); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)
      
 
      
--Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4
+-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4
 
 
 Enhanced Cryptographic Provider (RSAENH)
-6.0.6001.22202 and 6.0.6002.180056.0.6001.22202 and 6.0.6002.18005
+6.0.6001.22202 and 6.0.6002.18005
 1010
-FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #408); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #355); SHS (Cert. #753); Triple-DES (Cert. #656)
      
+FIPS approved algorithms: AES (Cert. #739); HMAC (Cert. #408); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #355); SHS (Cert. #753); Triple-DES (Cert. #656)
      
 
      
-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
+Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
 
 
 
@@ -2032,22 +2039,22 @@ Validated Editions: Server, Storage Server
 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
 5.2.3790.3959
 875
-
      FIPS Approved algorithms: DSA (Cert. #221); RNG (Cert. #314); RSA (Cert. #245); SHS (Cert. #611); Triple-DES (Cert. #543)
      
-
      Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC4
      
+
      FIPS approved algorithms: DSA (Cert. #221); RNG (Cert. #314); RSA (Cert. #245); SHS (Cert. #611); Triple-DES (Cert. #543)
      
+
      Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC4
      
 
 
 Kernel Mode Cryptographic Module (FIPS.SYS)
 5.2.3790.3959
 869
-
      FIPS Approved algorithms: HMAC (Cert. #287); RNG (Cert. #313); SHS (Cert. #610); Triple-DES (Cert. #542)
      
+
      FIPS approved algorithms: HMAC (Cert. #287); RNG (Cert. #313); SHS (Cert. #610); Triple-DES (Cert. #542)
      
 
      Other algorithms: DES; HMAC-MD5
      
 
 
 Enhanced Cryptographic Provider (RSAENH)
 5.2.3790.3959
 868
-
      FIPS Approved algorithms: AES (Cert. #548); HMAC (Cert. #289); RNG (Cert. #316); RSA (Cert. #245); SHS (Cert. #613); Triple-DES (Cert. #544)
      
-
      Other algorithms: DES; RC2; RC4; MD2; MD4; MD5; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
      
+
      FIPS approved algorithms: AES (Cert. #548); HMAC (Cert. #289); RNG (Cert. #316); RSA (Cert. #245); SHS (Cert. #613); Triple-DES (Cert. #544)
      
+
      Other algorithms: DES; RC2; RC4; MD2; MD4; MD5; RSA (key wrapping; key establishment methodology provides between 112 bits and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
      
 
 
 
@@ -2073,7 +2080,7 @@ Validated Editions: Server, Storage Server
 Kernel Mode Cryptographic Module (FIPS.SYS)
 5.2.3790.1830 [SP1]
 405
-
      FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])
      
+
      FIPS approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])
      
 
      Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)
      
 
      [1] x86
      
 [2] SP1 x86, x64, IA64
      
@@ -2082,7 +2089,7 @@ Validated Editions: Server, Storage Server
 Enhanced Cryptographic Provider (RSAENH)
 5.2.3790.1830 [Service Pack 1])
 382
-
      FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])
      
+
      FIPS approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])
      
 
      Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5
      
 
      [1] x86
      
 [2] SP1 x86, x64, IA64
      
@@ -2091,7 +2098,7 @@ Validated Editions: Server, Storage Server
 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
 5.2.3790.1830 [Service Pack 1]
 381
-
      FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)
      
+
      FIPS approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)
      
 
      Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40
      
 
      [1] x86
      
 [2] SP1 x86, x64, IA64
      
@@ -2120,7 +2127,7 @@ Validated Editions: Server, Storage Server
 Kernel Mode Cryptographic Module (FIPS.SYS)
 5.2.3790.0
 405
-
      FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])
      
+
      FIPS approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])
      
 
      Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)
      
 
      [1] x86
      
 [2] SP1 x86, x64, IA64
      
@@ -2129,7 +2136,7 @@ Validated Editions: Server, Storage Server
 Enhanced Cryptographic Provider (RSAENH)
 5.2.3790.0
 382
-
      FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])
      
+
      FIPS approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])
      
 
      Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5
      
 
      [1] x86
      
 [2] SP1 x86, x64, IA64
      
@@ -2138,7 +2145,7 @@ Validated Editions: Server, Storage Server
 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
 5.2.3790.0
 381
-
      FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)
      
+
      FIPS approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)
      
 
      Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40
      
 
      [1] x86
      
 [2] SP1 x86, x64, IA64
      
@@ -2169,15 +2176,15 @@ Validated Editions: Server, Storage Server
 Enhanced Cryptographic Provider
 7.00.2872 [1] and 8.00.6246 [2]
 2957
-
      FIPS Approved algorithms: AES (Certs.#4433and#4434); CKG (vendor affirmed); DRBG (Certs.#1432and#1433); HMAC (Certs.#2946and#2945); RSA (Certs.#2414and#2415); SHS (Certs.#3651and#3652); Triple-DES (Certs.#2383and#2384)
      
-
      Allowed algorithms: HMAC-MD5; MD5; NDRNG
      
+
      FIPS approved algorithms: AES (Certs.#4433and#4434); CKG (vendor affirmed); DRBG (Certs.#1432and#1433); HMAC (Certs.#2946and#2945); RSA (Certs.#2414and#2415); SHS (Certs.#3651and#3652); Triple-DES (Certs.#2383and#2384)
      
+
      Allowed algorithms: HMAC-MD5, MD5, NDRNG
      
 
 
 Cryptographic Primitives Library (bcrypt.dll)
 7.00.2872 [1] and 8.00.6246 [2]
 2956
-
      FIPS Approved algorithms: AES (Certs.#4430and#4431); CKG (vendor affirmed); CVL (Certs.#1139and#1140); DRBG (Certs.#1429and#1430); DSA (Certs.#1187and#1188); ECDSA (Certs.#1072and#1073); HMAC (Certs.#2942and#2943); KAS (Certs.#114and#115); RSA (Certs.#2411and#2412); SHS (Certs.#3648and#3649); Triple-DES (Certs.#2381and#2382)
      
-
      Allowed algorithms: MD5; NDRNG; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength
      
+
      FIPS approved algorithms: AES (Certs.#4430and#4431); CKG (vendor affirmed); CVL (Certs.#1139and#1140); DRBG (Certs.#1429and#1430); DSA (Certs.#1187and#1188); ECDSA (Certs.#1072and#1073); HMAC (Certs.#2942and#2943); KAS (Certs.#114and#115); RSA (Certs.#2411and#2412); SHS (Certs.#3648and#3649); Triple-DES (Certs.#2381and#2382)
      
+
      Allowed algorithms: MD5, NDRNG, RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength
      
 
 
 
@@ -2204,7 +2211,7 @@ Validated Editions: Server, Storage Server
 Enhanced Cryptographic Provider
 6.00.1937 [1] and 7.00.1687 [2]
 825
-
      FIPS Approved algorithms: AES (Certs. #516 [1] and #2024 [2]); HMAC (Certs. #267 [1] and #1227 [2]); RNG (Certs. #292 [1] and #1060 [2]); RSA (Cert. #230 [1] and #1052 [2]); SHS (Certs. #589 [1] and #1774 [2]); Triple-DES (Certs. #526 [1] and #1308 [2])
      
+
      FIPS approved algorithms: AES (Certs. #516 [1] and #2024 [2]); HMAC (Certs. #267 [1] and #1227 [2]); RNG (Certs. #292 [1] and #1060 [2]); RSA (Cert. #230 [1] and #1052 [2]); SHS (Certs. #589 [1] and #1774 [2]); Triple-DES (Certs. #526 [1] and #1308 [2])
      
 
      Other algorithms: MD5; HMAC-MD5; RC2; RC4; DES
      
 
 
@@ -2229,9 +2236,9 @@ Validated Editions: Server, Storage Server
 
 
 Outlook Cryptographic Provider (EXCHCSP)
-SR-1A (3821)SR-1A (3821)
+SR-1A (3821)
 110
-
      FIPS Approved algorithms: Triple-DES (Cert. #18); SHA-1 (Certs. #32); RSA (vendor affirmed)
      
+
      FIPS approved algorithms: Triple-DES (Cert. #18); SHA-1 (Certs. #32); RSA (vendor affirmed)
      
 
      Other algorithms: DES (Certs. #91); DES MAC; RC2; MD2; MD5
      
 
 
@@ -2320,7 +2327,7 @@ The following tables are organized by cryptographic algorithms with their modes,
 
    • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
      • 
 
    • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
      • 
 
    • Plain Text Length: 0-32
      • 
-
    • AAD Length: 0-65536
      • 
+
    • Additional authenticated data length: 0-65536
      • 
 
    • 
 
  • AES-CFB128:
    • 
 
    • 
@@ -2393,7 +2400,7 @@ The following tables are organized by cryptographic algorithms with their modes,
 
    • Key Lengths: 128, 192, 256 (bits)
      • 
 
    • Tag Lengths: 96, 104, 112, 120, 128 (bits)
      • 
 
    • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
      • 
-
    • AAD Lengths: 0, 8, 1016, 1024 (bits)
      • 
+
    • Additional authenticated data lengths: 0, 8, 1016, 1024 (bits)
      • 
 
    • 96 bit IV supported
      • 
 
    • 
 
  • AES-XTS:
    • 
@@ -2426,7 +2433,7 @@ The following tables are organized by cryptographic algorithms with their modes,
 
  • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
    • 
 
  • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
    • 
 
  • Plain Text Length: 0-32
    • 
-
  • AAD Length: 0-65536
    • 
+
  • Additional authenticated data length: 0-65536
    • 
 

 
  • AES-CFB128:
    • 
 
    • 
@@ -2499,7 +2506,7 @@ The following tables are organized by cryptographic algorithms with their modes,
 
    • Key Lengths: 128, 192, 256 (bits)
      • 
 
    • Tag Lengths: 96, 104, 112, 120, 128 (bits)
      • 
 
    • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
      • 
-
    • AAD Lengths: 0, 8, 1016, 1024 (bits)
      • 
+
    • Additional authenticated data lengths: 0, 8, 1016, 1024 (bits)
      • 
 
    • 96 bit IV supported
      • 
 
    • 
 
  • AES-XTS:
    • 
@@ -2532,7 +2539,7 @@ The following tables are organized by cryptographic algorithms with their modes,
 
  • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
    • 
 
  • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
    • 
 
  • Plain Text Length: 0-32
    • 
-
  • AAD Length: 0-65536
    • 
+
  • Additional authenticated data length: 0-65536
    • 
 
 
  • AES-CFB128:
    • 
 
    • 
@@ -2606,7 +2613,7 @@ The following tables are organized by cryptographic algorithms with their modes,
 
    • Key Lengths: 128, 192, 256 (bits)
      • 
 
    • Tag Lengths: 96, 104, 112, 120, 128 (bits)
      • 
 
    • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
      • 
-
    • AAD Lengths: 0, 8, 1016, 1024 (bits)
      • 
+
    • Additional authenticated data lengths: 0, 8, 1016, 1024 (bits)
      • 
 
    • 96 bit IV supported
      • 
 
    • 
 
  • AES-XTS:
    • 
@@ -2634,7 +2641,7 @@ The following tables are organized by cryptographic algorithms with their modes,
 
  • Key Lengths: 128, 192, 256 (bits)
    • 
 
  • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
    • 
 
-
    AES Val#4902
    
+
    AES validation number 4902
    
 
    Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #4900
    
 
    Version 10.0.15063.674
    
 
@@ -2646,7 +2653,7 @@ The following tables are organized by cryptographic algorithms with their modes,
 
  • Key Lengths: 128, 192, 256 (bits)
    • 
 
  • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
    • 
 
-
    AES Val#4901
    
+
    AES validation number 4901
    
 
    Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #4899
    
 
    Version 10.0.15254
    
 
@@ -2658,7 +2665,7 @@ The following tables are organized by cryptographic algorithms with their modes,
 
  • Key Lengths: 128, 192, 256 (bits)
    • 
 
  • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
    • 
 
-
    AES Val#4897
    
+
    AES validation number 4897
    
 
    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #4898
    
 
    Version 10.0.16299
    
 
@@ -2669,9 +2676,9 @@ The following tables are organized by cryptographic algorithms with their modes,
 
  • Tag Lengths: 128 (bits)
    • 
 
  • IV Lengths: 96 (bits)
    • 
 
  • Plain Text Length: 0-32
    • 
-
  • AAD Length: 0-65536
    • 
+
  • Additional authenticated data length: 0-65536
    • 
 
-
    AES Val#4902
    
+
    AES validation number 4902
    
 
    Microsoft Surface Hub BitLocker(R) Cryptographic Implementations #4896
    
 
    Version 10.0.15063.674
    
 
@@ -2682,9 +2689,9 @@ The following tables are organized by cryptographic algorithms with their modes,
 
  • Tag Lengths: 128 (bits)
    • 
 
  • IV Lengths: 96 (bits)
    • 
 
  • Plain Text Length: 0-32
    • 
-
  • AAD Length: 0-65536
    • 
+
  • Additional authenticated data length: 0-65536
    • 
 
-
    AES Val#4901
    
+
    AES validation number 4901
    
 
    Windows 10 Mobile (version 1709) BitLocker(R) Cryptographic Implementations #4895
    
 
    Version 10.0.15254
    
 
@@ -2695,9 +2702,9 @@ The following tables are organized by cryptographic algorithms with their modes,
 
  • Tag Lengths: 128 (bits)
    • 
 
  • IV Lengths: 96 (bits)
    • 
 
  • Plain Text Length: 0-32
    • 
-
  • AAD Length: 0-65536
    • 
+
  • Additional authenticated data length: 0-65536
    • 
 
-
    AES Val#4897
    
+
    AES validation number 4897
    
 
    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); BitLocker(R) Cryptographic Implementations #4894
    
 
    Version 10.0.16299
    
 
@@ -2711,13 +2718,13 @@ The following tables are organized by cryptographic algorithms with their modes,
 
 
 
    KW (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)
    
-
    AES Val#4624
    
+
    AES validation number 4624
    
 
    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #4626
    
 
    Version 10.0.15063
    
 
 
 
    CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)
    
-
    AES Val#4624
    
+
    AES validation number 4624
    
 
     
    
 
    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile BitLocker(R) Cryptographic Implementations #4625
    
 
    Version 10.0.15063
    
@@ -2732,8 +2739,8 @@ The following tables are organized by cryptographic algorithms with their modes,
 
    CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16)
    
 
    GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
    
 
    (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
    
-
    IV Generated: (External); PT Lengths Tested: (0, 1024, 8, 1016); AAD Lengths tested: (0, 1024, 8, 1016); 96BitIV_Supported
    
-
    GMAC_Supported
    
+
    IV Generated: (External); PT Lengths Tested: (0, 1024, 8, 1016); Additional authenticated data lengths tested: (0, 1024, 8, 1016); 96 bit IV supported
    
+
    GMAC supported
    
 
    XTS((KS: XTS_128((e/d)(f)) KS: XTS_256((e/d)(f))
    
 
    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #4624
    
 
    Version 10.0.15063
    
@@ -2778,8 +2785,8 @@ The following tables are organized by cryptographic algorithms with their modes,
 
    CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)
    
 
    GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
    
 (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
    
-IV Generated:  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); AAD Lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96BitIV_Supported
    
-GMAC_Supported
    
+IV Generated:  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96 bit IV supported
    
+GMAC supported
    
 
    XTS((KS: XTS_128((e/d)(f)) KS: XTS_256((e/d)(f))
    
 
    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #4064
    
 
    Version 10.0.14393
    
@@ -2794,25 +2801,25 @@ Version 10.0.14393
 
 
 
    KW  (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 192, 256, 320, 2048)
    
-
    AES Val#4064
    
+
    AES validation number 4064
    
 
    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #4062
    
 
    Version 10.0.14393
    
 
 
 
    CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)
    
-
    AES Val#4064
    
+
    AES validation number 4064
    
 
    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations #4061
    
 
    Version 10.0.14393
    
 
 
 
    KW  (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)
    
-
    AES Val#3629
    
+
    AES validation number 3629
    
 
    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #3652
    
 
    Version 10.0.10586
    
 
 
 
    CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)
    
-
    AES Val#3629
    
+
    AES validation number 3629
    
 
    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BitLocker® Cryptographic Implementations #3653
    
 
    Version 10.0.10586
    
 
@@ -2830,8 +2837,8 @@ Version 10.0.10586
 
    CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)
    
 
    GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
    
 (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
    
-IV Generated:  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); AAD Lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96BitIV_Supported
    
-GMAC_Supported
    
+IV Generated:  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96 bit IV supported
    
+GMAC supported
    
 
    XTS((KS: XTS_128((e/d) (f)) KS: XTS_256((e/d) (f))
    
 
    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #3629
    
 
    
@@ -2840,13 +2847,13 @@ GMAC_Supported
    
 
 
 
    KW  (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)
    
-
    AES Val#3497
    
+
    AES validation number 3497
    
 
    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #3507
    
 
    Version 10.0.10240
    
 
 
 
    CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)
    
-
    AES Val#3497
    
+
    AES validation number 3497
    
 
    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations #3498
    
 
    Version 10.0.10240
    
 
@@ -2856,8 +2863,8 @@ GMAC_Supported
    
 
    CMAC(Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)
    
 
    GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
    
 (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
    
-IV Generated:  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); AAD Lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested:  (0, 0); 96BitIV_Supported
    
-GMAC_Supported
    
+IV Generated:  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested:  (0, 0); 96 bit IV supported
    
+GMAC supported
    
 
    XTS((KS: XTS_128((e/d)(f)) KS: XTS_256((e/d)(f))
    
 Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #3497
    
 Version 10.0.10240
@@ -2880,8 +2887,8 @@ Version 10.0.10240
 
 
 
    CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)
    
-
    AES Val#2832
    
-
    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BitLocker� Cryptographic Implementations #2848
    
+
    AES validation number 2832
    
+
    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 BitLocker Cryptographic Implementations #2848
    
 
    Version 6.3.9600
    
 
 
@@ -2889,26 +2896,26 @@ Version 10.0.10240
 
    CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)
    
 
    GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
    
 
    (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
    
-
    IV Generated:  (Externally); PT Lengths Tested:  (0, 128, 1024, 8, 1016); AAD Lengths tested:  (0, 128, 1024, 8, 1016); IV Lengths Tested:  (8, 1024); 96BitIV_Supported;
    
+
    IV Generated:  (Externally); PT Lengths Tested:  (0, 128, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 128, 1024, 8, 1016); IV Lengths Tested:  (8, 1024); 96 bit IV supported;
    
 OtherIVLen_Supported
    
-GMAC_Supported
    
-
    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832
    
+GMAC supported
    
+
    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832
    
 
    Version 6.3.9600
    
 
 
 
    CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)
    
-AES Val#2197
    
+AES validation number 2197
    
 
    CMAC (Generation/Verification) (KS: 128; Block Size(s); Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 192; Block Size(s); Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 256; Block Size(s); Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16)
    
-AES Val#2197
    
+AES validation number 2197
    
 
    GCM(KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
    
 (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
    
-IV Generated: (Externally); PT Lengths Tested: (0, 128, 1024, 8, 1016); AAD Lengths tested: (0, 128, 1024, 8, 1016); IV Lengths Tested: (8, 1024); 96BitIV_Supported
    
-GMAC_Supported
    
+IV Generated: (Externally); PT Lengths Tested: (0, 128, 1024, 8, 1016); Additional authenticated data lengths tested: (0, 128, 1024, 8, 1016); IV Lengths Tested: (8, 1024); 96 bit IV supported
    
+GMAC supported
    
 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #2216
 
 
-
    CCM (KS: 256) (Assoc. Data Len Range: 0 - 0, 2^16 ) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)
    
-
    AES Val#2196
    
+
    CCM (KS: 256) (Assoc. Data Len Range: 0 - 0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)
    
+
    AES validation number 2196
    
 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #2198
 
 
@@ -2927,14 +2934,14 @@ GMAC_Supported
    
 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #2196
 
 
-CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 – 0, 2^16 ) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
    
-AES Val#1168
+CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 – 0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)
    
+AES validation number 1168
 
    Windows Server 2008 R2 and SP1 CNG algorithms #1187
    
 
    Windows 7 Ultimate and SP1 CNG algorithms #1178
    
 
 
-CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
    
-AES Val#1168
+CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8) (Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16)
    
+AES validation number 1168
 Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #1177
 
 
@@ -2950,11 +2957,11 @@ AES #1168, vendor-affirmed
 
 
-CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
+CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8) (Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16)
 Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #760
 
 
-CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 - 0, 2^16 ) (Payload Length Range: 1 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
+CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 - 0, 2^16) (Payload Length Range: 1 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)
 
    Windows Server 2008 CNG algorithms #757
    
 
    Windows Vista Ultimate SP1 CNG algorithms #756
    
 
@@ -2995,7 +3002,7 @@ AES 
-CTR_DRBG: [Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#4627)]
+CTR_DRBG: [Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4627)]
 
    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1556
    
 
    Version 10.0.15063
    
 
 
-CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES Val#4624)]
+CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 4624)]
 
    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1555
    
 
    Version 10.0.15063
    
 
 
-CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#4434)]
+CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4434)]
 
    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1433
    
 
    Version 7.00.2872
    
 
 
-CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#4433)]
+CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4433)]
 
    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1432
    
 
    Version 8.00.6246
    
 
 
-CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#4431)]
+CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4431)]
 
    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1430
    
 
    Version 7.00.2872
    
 
 
-CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#4430)]
+CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4430)]
 
    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1429
    
 
    Version 8.00.6246
    
 
 
-CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#4074)]
+CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4074)]
 
    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222
    
 
    Version 10.0.14393
    
 
 
-CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES Val#4064)]
+CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 4064)]
 
    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #1217
    
 
    Version 10.0.14393
    
 
 
-CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES Val#3629)]
+CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 3629)]
 
    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #955
    
 
    Version 10.0.10586
    
 
 
-CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES Val#3497)]
+CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 3497)]
 
    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #868
    
 
    Version 10.0.10240
    
 
 
-CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES Val#2832)]
-
    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489
    
+CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 2832)]
+
    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489
    
 
    Version 6.3.9600
    
 
 
-CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES Val#2197)]
+CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 2197)]
 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #258
 
 
-CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#2023)]
+CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 2023)]
 Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #193
 
 
-CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#1168)]
+CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 1168)]
 Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 RNG Library #23
 
 
@@ -3280,26 +3287,26 @@ Deterministic Random Bit Generator (DRBG)
 
    PQG(gen)PARMS TESTED:   [(2048,256)SHA(256); (3072,256) SHA(256)]
    
 
    PQG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
    
 
    KeyPairGen:   [(2048,256); (3072,256)]
    
-
    SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256); ]
    
+
    SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
    
 
    SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
    
-
    SHS: Val#3790
    
-
    DRBG: Val# 1555
    
+
    SHS: validation number 3790
    
+
    DRBG: validation number  1555
    
 
    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1223
    
 
    Version 10.0.15063
    
 
 
 FIPS186-4:
    
-PQG(ver)PARMS TESTED:       [(1024,160) SHA(1); ]
    
-SIG(ver)PARMS TESTED:   [(1024,160) SHA(1); ]
    
-SHS: Val# 3649
+PQG(ver)PARMS TESTED:   [(1024,160) SHA(1)]
    
+SIG(ver)PARMS TESTED:   [(1024,160) SHA(1)]
    
+SHS: validation number  3649
 
    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1188
    
 
    Version 7.00.2872
    
 
 
 FIPS186-4:
    
-PQG(ver)PARMS TESTED:       [(1024,160) SHA(1); ]
    
-SIG(ver)PARMS TESTED:   [(1024,160) SHA(1); ]
    
-SHS: Val#3648
+PQG(ver)PARMS TESTED:   [(1024,160) SHA(1)]
    
+SIG(ver)PARMS TESTED:   [(1024,160) SHA(1)]
    
+SHS: validation number 3648
 
    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1187
    
 
    Version 8.00.6246
    
 
@@ -3310,20 +3317,20 @@ PQG(gen)PARMS TESTED: [
    
 PQG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
    
 KeyPairGen:    [(2048,256); (3072,256)]
    
 SIG(gen)PARMS TESTED:   [(2048,256)
    
-SHA(256); (3072,256) SHA(256); ]
    
+SHA(256); (3072,256) SHA(256)]
    
 SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
    
-
    SHS: Val# 3347
    
-DRBG: Val# 1217
    
+
    SHS: validation number  3347
    
+DRBG: validation number  1217
    
 
    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #1098
    
 
    Version 10.0.14393
    
 
 
 
    FIPS186-4:
    
 PQG(gen)    PARMS TESTED:   [(2048,256)SHA(256); (3072,256) SHA(256)] PQG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
    
-KeyPairGen:    [(2048,256); (3072,256)] SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256); ]
    
+KeyPairGen:    [(2048,256); (3072,256)] SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
    
 SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
    
-
    SHS: Val# 3047
    
-DRBG: Val# 955
    
+
    SHS: validation number  3047
    
+DRBG: validation number  955
    
 
    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #1024
    
 
    Version 10.0.10586
    
 
@@ -3332,9 +3339,9 @@ DRBG: Val# 2886
    
-DRBG: Val# 868
    
+SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)] SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
    
+
    SHS: validation number  2886
    
+DRBG: validation number  868
    
 
    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #983
    
 
    Version 10.0.10240
    
 
@@ -3345,11 +3352,11 @@ PQG(gen)PARMS TESTED:   [
    
 PQG(ver)PARMS TESTED:   [(2048,256)
    
 SHA(256); (3072,256) SHA(256)]
    
 KeyPairGen:    [(2048,256); (3072,256)]
    
-SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256); ]
    
+SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
    
 SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
    
-
    SHS: Val# 2373
    
-DRBG: Val# 489
    
-
    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #855
    
+
    SHS: validation number  2373
    
+DRBG: validation number  489
    
+
    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #855
    
 
    Version 6.3.9600
    
 
 
@@ -3361,11 +3368,11 @@ DRBG: #1903
    
 DRBG: #258
    
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#687.
    
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 687.
    
 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #687
 
 
@@ -3374,75 +3381,75 @@ PQG(ver) MOD(1024);
    
 SIG(ver) MOD(1024);
    
 SHS: #1902
    
 DRBG: #258
    
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#686.
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 686.
 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 DSS and Diffie-Hellman Enhanced Cryptographic Provider (DSSENH) #686
 
 
 FIPS186-2:
    
 SIG(ver)     MOD(1024);
    
-SHS: Val# 1773
    
-DRBG: Val# 193
    
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#645.
+SHS: validation number  1773
    
+DRBG: validation number  193
    
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 645.
 Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #645
 
 
 FIPS186-2:
    
 SIG(ver)     MOD(1024);
    
-SHS: Val# 1081
    
-DRBG: Val# 23
    
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#391. See Historical DSA List Val#386.
+SHS: validation number  1081
    
+DRBG: validation number  23
    
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 391. See Historical DSA List validation number 386.
 
    Windows Server 2008 R2 and SP1 CNG algorithms #391
    
 
    Windows 7 Ultimate and SP1 CNG algorithms #386
    
 
 
 FIPS186-2:
    
 SIG(ver)     MOD(1024);
    
-SHS: Val# 1081
    
-RNG: Val# 649
    
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#390. See Historical DSA List Val#385.
+SHS: validation number  1081
    
+RNG: validation number  649
    
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 390. See Historical DSA List validation number 385.
 
    Windows Server 2008 R2 and SP1 Enhanced DSS (DSSENH) #390
    
 
    Windows 7 Ultimate and SP1 Enhanced DSS (DSSENH) #385
    
 
 
 FIPS186-2:
    
 SIG(ver)     MOD(1024);
    
-SHS: Val# 753
    
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#284. See Historical DSA List Val#283.
+SHS: validation number  753
    
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 284. See Historical DSA List validation number 283.
 
    Windows Server 2008 CNG algorithms #284
    
 
    Windows Vista Ultimate SP1 CNG algorithms #283
    
 
 
 FIPS186-2:
    
 SIG(ver)     MOD(1024);
    
-SHS: Val# 753
    
-RNG: Val# 435
    
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#282. See Historical DSA List Val#281.
+SHS: validation number  753
    
+RNG: validation number  435
    
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 282. See Historical DSA List validation number 281.
 
    Windows Server 2008 Enhanced DSS (DSSENH) #282
    
 
    Windows Vista Ultimate SP1 Enhanced DSS (DSSENH) #281
    
 
 
 FIPS186-2:
    
 SIG(ver)     MOD(1024);
    
-SHS: Val# 618
    
-RNG: Val# 321
    
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#227. See Historical DSA List Val#226.
+SHS: validation number  618
    
+RNG: validation number  321
    
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 227. See Historical DSA List validation number 226.
 
    Windows Vista CNG algorithms #227
    
 
    Windows Vista Enhanced DSS (DSSENH) #226
    
 
 
 FIPS186-2:
    
 SIG(ver)     MOD(1024);
    
-SHS: Val# 784
    
-RNG: Val# 448
    
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#292.
+SHS: validation number  784
    
+RNG: validation number  448
    
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 292.
 Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #292
 
 
 FIPS186-2:
    
 SIG(ver)     MOD(1024);
    
-SHS: Val# 783
    
-RNG: Val# 447
    
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#291.
+SHS: validation number  783
    
+RNG: validation number  447
    
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 291.
 Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #291
 
 
@@ -3452,8 +3459,8 @@ PQG(gen) MOD(1024);
    
 KEYGEN(Y) MOD(1024);
    
 SIG(gen) MOD(1024);
    
 SIG(ver) MOD(1024);
    
-SHS: Val# 611
    
-RNG: Val# 314
+SHS: validation number  611
    
+RNG: validation number  314
 Windows 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #221
 
 
@@ -3463,7 +3470,7 @@ PQG(gen) MOD(1024);
    
 KEYGEN(Y) MOD(1024);
    
 SIG(gen) MOD(1024);
    
 SIG(ver) MOD(1024);
    
-SHS: Val# 385
+SHS: validation number  385
 Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #146
 
 
@@ -3472,7 +3479,7 @@ PQG(ver) MOD(1024);
    
 KEYGEN(Y) MOD(1024);
    
 SIG(gen) MOD(1024);
    
 SIG(ver) MOD(1024);
    
-SHS: Val# 181
    
+SHS: validation number  181
    
 
    
 
 Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #95
@@ -3548,7 +3555,7 @@ SHS: SHA-1 (BYTE)
    
 
 
 
    Prerequisite: SHS #2373, DRBG #489
    
-
    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1263
    
+
    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1263
    
 
    Version 6.3.9600
    
 
 
@@ -3794,8 +3801,8 @@ SHS: SHA-1 (BYTE)
    
 
 FIPS186-4:
    
 PKG: CURVES    (P-256 P-384 TestingCandidates)
    
-SHS: Val#3790
    
-DRBG: Val# 1555
+SHS: validation number 3790
    
+DRBG: validation number  1555
 
    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1136
    
 
    Version 10.0.15063
    
 
@@ -3805,8 +3812,8 @@ PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    
 PKV: CURVES(P-256 P-384 P-521)
    
 SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    
 SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
    
-SHS: Val#3790
    
-DRBG: Val# 1555
+SHS: validation number 3790
    
+DRBG: validation number  1555
 
    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1135
    
 
    Version 10.0.15063
    
 
@@ -3816,8 +3823,8 @@ PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    
 PKV: CURVES(P-256 P-384 P-521)
    
 SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    
 SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
    
-SHS: Val#3790
    
-DRBG: Val# 1555
+SHS: validation number 3790
    
+DRBG: validation number  1555
 
    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1133
    
 
    Version 10.0.15063
    
 
@@ -3827,8 +3834,8 @@ PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    
 PKV: CURVES(P-256 P-384 P-521)
    
 SigGen: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
    
 SigVer: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512))
    
-SHS:Val# 3649
    
-DRBG:Val# 1430
+SHS:validation number  3649
    
+DRBG:validation number  1430
 
    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1073
    
 
    Version 7.00.2872
    
 
@@ -3838,8 +3845,8 @@ PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    
 PKV: CURVES(P-256 P-384 P-521)
    
 SigGen: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
    
 SigVer: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512))
    
-SHS:Val#3648
    
-DRBG:Val# 1429
+SHS:validation number 3648
    
+DRBG:validation number  1429
 
    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1072
    
 
    Version 8.00.6246
    
 
@@ -3849,8 +3856,8 @@ PKG: CURVES(P-256 P-384 TestingCandidates)
    
 PKV: CURVES(P-256 P-384)
    
 SigGen: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
    
 SigVer: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384))
    
-
    SHS: Val# 3347
    
-DRBG: Val# 1222
    
+
    SHS: validation number  3347
    
+DRBG: validation number  1222
    
 
    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #920
    
 
    Version 10.0.14393
    
 
@@ -3860,8 +3867,8 @@ PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    
 PKV: CURVES(P-256 P-384 P-521)
    
 SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    
 SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
    
-
    SHS: Val# 3347
    
-DRBG: Val# 1217
    
+
    SHS: validation number  3347
    
+DRBG: validation number  1217
    
 
    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #911
    
 
    Version 10.0.14393
    
 
@@ -3870,8 +3877,8 @@ DRBG: Val# 3047
    
-DRBG: Val# 955
    
+
    SHS: validation number  3047
    
+DRBG: validation number  955
    
 
    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #760
    
 
    Version 10.0.10586
    
 
@@ -3880,8 +3887,8 @@ DRBG: Val# 2886
    
-DRBG: Val# 868
    
+
    SHS: validation number  2886
    
+DRBG: validation number  868
    
 
    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #706
    
 
    Version 10.0.10240
    
 
@@ -3890,9 +3897,9 @@ DRBG: Val#2373
    
-DRBG: Val# 489
    
-
    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #505
    
+
    SHS: validation number 2373
    
+DRBG: validation number  489
    
+
    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #505
    
 
    Version 6.3.9600
    
 
 
@@ -3900,7 +3907,7 @@ DRBG: #1903
    
 DRBG: #258
    
-SIG(ver):CURVES(P-256 P-384 P-521)
    
+SIG(ver): CURVES(P-256 P-384 P-521)
    
 SHS: #1903
    
 DRBG: #258
    
 
    FIPS186-4:
    
@@ -3909,57 +3916,57 @@ PKG: CURVES    (P-256 P-384 P-521 ExtraRandomBits)
    
 SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
    
 SHS: #1903
    
 DRBG: #258
    
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#341.
    
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 341.
    
 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #341
 
 
 
    FIPS186-2:
    
 PKG: CURVES    (P-256 P-384 P-521)
    
-SHS: Val#1773
    
-DRBG: Val# 193
    
+SHS: validation number 1773
    
+DRBG: validation number  193
    
 SIG(ver): CURVES(P-256 P-384 P-521)
    
-SHS: Val#1773
    
-DRBG: Val# 193
    
+SHS: validation number 1773
    
+DRBG: validation number  193
    
 
    FIPS186-4:
    
 PKG: CURVES    (P-256 P-384 P-521 ExtraRandomBits)
    
 SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    
 SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
    
-SHS: Val#1773
    
-DRBG: Val# 193
    
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#295.
    
+SHS: validation number 1773
    
+DRBG: validation number  193
    
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 295.
    
 Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #295
 
 
 FIPS186-2:
    
 PKG: CURVES    (P-256 P-384 P-521)
    
-SHS: Val#1081
    
-DRBG: Val# 23
    
+SHS: validation number 1081
    
+DRBG: validation number  23
    
 SIG(ver): CURVES(P-256 P-384 P-521)
    
-SHS: Val#1081
    
-DRBG: Val# 23
    
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#142. See Historical ECDSA List Val#141.
+SHS: validation number 1081
    
+DRBG: validation number  23
    
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 142. See Historical ECDSA List validation number 141.
 
    Windows Server 2008 R2 and SP1 CNG algorithms #142
    
 
    Windows 7 Ultimate and SP1 CNG algorithms #141
    
 
 
 FIPS186-2:
    
 PKG: CURVES    (P-256 P-384 P-521)
    
-SHS: Val#753
    
+SHS: validation number 753
    
 SIG(ver): CURVES(P-256 P-384 P-521)
    
-SHS: Val#753
    
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#83. See Historical ECDSA List Val#82.
+SHS: validation number 753
    
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 83. See Historical ECDSA List validation number 82.
 
    Windows Server 2008 CNG algorithms #83
    
 
    Windows Vista Ultimate SP1 CNG algorithms #82
    
 
 
 FIPS186-2:
    
 PKG: CURVES    (P-256 P-384 P-521)
    
-SHS: Val#618
    
-RNG: Val# 321
    
+SHS: validation number 618
    
+RNG: validation number  321
    
 SIG(ver): CURVES(P-256 P-384 P-521)
    
-SHS: Val#618
    
-RNG: Val# 321
    
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#60.
+SHS: validation number 618
    
+RNG: validation number  321
    
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 60.
 Windows Vista CNG algorithms #60
 
 
@@ -4122,111 +4129,111 @@ Some of the previously validated components for this validation have been remove
 
    Version 10.0.16299
    
 
 
-
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Val#3790
    
-
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Val#3790
    
-
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val#3790
    
+
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3790
    
+
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3790
    
+
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3790
    
 
    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #3062
    
 
    Version 10.0.15063
    
 
 
-
    HMAC-SHA1(Key Sizes Ranges Tested: KSBS) SHS Val#3790
    
-
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Val#3790
    
-
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val#3790
    
-
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#3790
    
+
    HMAC-SHA1(Key Sizes Ranges Tested: KSBS) SHS validation number 3790
    
+
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3790
    
+
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3790
    
+
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS validation number 3790
    
 
    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3061
    
 
    Version 10.0.15063
    
 
 
-
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Val#3652
    
-
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Val#3652
    
-
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val#3652
    
-
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#3652
    
+
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3652
    
+
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3652
    
+
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3652
    
+
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 3652
    
 
    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2946
    
 
    Version 7.00.2872
    
 
 
-
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Val#3651
    
-
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Val#3651
    
-
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val#3651
    
-
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#3651
    
+
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3651
    
+
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3651
    
+
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3651
    
+
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 3651
    
 
    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2945
    
 
    Version 8.00.6246
    
 
 
-
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Val# 3649
    
-
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Val# 3649
    
-
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val# 3649
    
-
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal# 3649
    
+
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number  3649
    
+
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number  3649
    
+
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number  3649
    
+
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number  3649
    
 
    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2943
    
 
    Version 7.00.2872
    
 
 
-
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Val#3648
    
-
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Val#3648
    
-
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val#3648
    
-
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#3648
    
+
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3648
    
+
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3648
    
+
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3648
    
+
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 3648
    
 
    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2942
    
 
    Version 8.00.6246
    
 
 
 
    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS)
    
-SHS Val# 3347
    
+SHS validation number  3347
    
 
    HMAC-SHA256 (Key Size Ranges Tested:  KSBS)
    
-SHS Val# 3347
    
+SHS validation number  3347
    
 
    HMAC-SHA384 (Key Size Ranges Tested:  KSBS)
    
-SHS Val# 3347
    
+SHS validation number  3347
    
 
    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661
    
 
    Version 10.0.14393
    
 
 
-
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Val# 3347
    
-
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Val# 3347
    
-
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val# 3347
    
-
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val# 3347
    
+
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number  3347
    
+
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number  3347
    
+
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number  3347
    
+
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS validation number  3347
    
 
    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2651
    
 
    Version 10.0.14393
    
 
 
 
    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS)
    
-SHS Val# 3047
    
+SHS validation number  3047
    
 
    HMAC-SHA256 (Key Size Ranges Tested:  KSBS)
    
-SHS Val# 3047
    
+SHS validation number  3047
    
 
    HMAC-SHA384 (Key Size Ranges Tested:  KSBS)
    
-SHS Val# 3047
    
+SHS validation number  3047
    
 
    HMAC-SHA512 (Key Size Ranges Tested:  KSBS)
    
-SHS Val# 3047
    
+SHS validation number  3047
    
 
    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #2381
    
 
    Version 10.0.10586
    
 
 
 
    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS)
    
-SHSVal# 2886
    
+SHSvalidation number  2886
    
 
    HMAC-SHA256 (Key Size Ranges Tested:  KSBS)
    
-SHSVal# 2886
    
+SHSvalidation number  2886
    
 
    HMAC-SHA384 (Key Size Ranges Tested:  KSBS)
    
- SHSVal# 2886
    
+ SHSvalidation number  2886
    
 
    HMAC-SHA512 (Key Size Ranges Tested:  KSBS)
    
-SHSVal# 2886
    
+SHSvalidation number  2886
    
 
    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2233
    
 
    Version 10.0.10240
    
 
 
 
    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS)
    
-SHS Val#2373
    
+SHS validation number 2373
    
 
    HMAC-SHA256 (Key Size Ranges Tested:  KSBS)
    
-SHS Val#2373
    
+SHS validation number 2373
    
 
    HMAC-SHA384 (Key Size Ranges Tested:  KSBS)
    
-SHS Val#2373
    
+SHS validation number 2373
    
 
    HMAC-SHA512 (Key Size Ranges Tested:  KSBS)
    
-SHS Val#2373
    
-
    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773
    
+SHS validation number 2373
    
+
    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773
    
 
    Version 6.3.9600
    
 
 
-
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Val#2764
    
-
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Val#2764
    
-
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val#2764
    
-
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#2764
    
+
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 2764
    
+
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 2764
    
+
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 2764
    
+
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS validation number 2764
    
 
    Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) #2122
    
 
    Version 5.2.29344
    
 
@@ -4254,133 +4261,133 @@ SHS 1345
 
 
-
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#1773
    
-
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#1773
    
-
    Tinker HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#1773
    
-
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#1773
    
+
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 1773
    
+
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 1773
    
+
    Tinker HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 1773
    
+
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 1773
    
 Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1364
 
 
-
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#1774
    
-
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#1774
    
-
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#1774
    
-
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#1774
    
+
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 1774
    
+
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 1774
    
+
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 1774
    
+
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 1774
    
 Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1227
 
 
-
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#1081
    
-
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#1081
    
-
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#1081
    
-
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#1081
    
+
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 1081
    
+
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 1081
    
+
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 1081
    
+
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 1081
    
 
    Windows Server 2008 R2 and SP1 CNG algorithms #686
    
 
    Windows 7 and SP1 CNG algorithms #677
    
 
    Windows Server 2008 R2 Enhanced Cryptographic Provider (RSAENH) #687
    
 
    Windows 7 Enhanced Cryptographic Provider (RSAENH) #673
    
 
 
-
    HMAC-SHA1(Key Sizes Ranges Tested: KSVal#1081
    
-
    HMAC-SHA256 (Key Size Ranges Tested: KSVal#1081
    
+
    HMAC-SHA1(Key Sizes Ranges Tested: KSvalidation number 1081
    
+
    HMAC-SHA256 (Key Size Ranges Tested: KSvalidation number 1081
    
 Windows 7 and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #675
 
 
-
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#816
    
-
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#816
    
-
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#816
    
-
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#816
    
+
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 816
    
+
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 816
    
+
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 816
    
+
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 816
    
 Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #452
 
 
-
    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#753
    
-
    HMAC-SHA256 (Key Size Ranges Tested: KSVal#753
    
+
    HMAC-SHA1 (Key Sizes Ranges Tested: KSvalidation number 753
    
+
    HMAC-SHA256 (Key Size Ranges Tested: KSvalidation number 753
    
 Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #415
 
 
-
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#753
    
-
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#753
    
-
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#753
    
-
    HMAC-SHA512 (Key Size Ranges Tested: KSBS)SHS Val#753
    
+
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 753
    
+
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 753
    
+
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 753
    
+
    HMAC-SHA512 (Key Size Ranges Tested: KSBS)SHS validation number 753
    
 
    Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #408
    
 
    Windows Vista Enhanced Cryptographic Provider (RSAENH) #407
    
 
 
-
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS)SHSVal#618
    
-
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#618
    
-
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#618
    
-
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#618
    
+
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS)SHSvalidation number 618
    
+
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 618
    
+
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 618
    
+
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 618
    
 Windows Vista Enhanced Cryptographic Provider (RSAENH) #297
 
 
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#785
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 785
 
    Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #429
    
 
    Windows XP, vendor-affirmed
    
 
 
-
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#783
    
-
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#783
    
-
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#783
    
-
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#783
    
+
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 783
    
+
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 783
    
+
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 783
    
+
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 783
    
 Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #428
 
 
-
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#613
    
-
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#613
    
-
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#613
    
-
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#613
    
+
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 613
    
+
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 613
    
+
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 613
    
+
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 613
    
 Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #289
 
 
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#610
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 610
 Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #287
 
 
-
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#753
    
-
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#753
    
-
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#753
    
-
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#753
    
+
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 753
    
+
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 753
    
+
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 753
    
+
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 753
    
 
    Windows Server 2008 CNG algorithms #413
    
 
    Windows Vista Ultimate SP1 CNG algorithms #412
    
 
 
-
    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#737
    
-
    HMAC-SHA256 (Key Size Ranges Tested: KSVal#737
    
+
    HMAC-SHA1 (Key Sizes Ranges Tested: KSvalidation number 737
    
+
    HMAC-SHA256 (Key Size Ranges Tested: KSvalidation number 737
    
 Windows Vista Ultimate BitLocker Drive Encryption #386
 
 
-
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#618
    
-
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#618
    
-
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#618
    
-
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#618
    
+
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 618
    
+
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 618
    
+
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 618
    
+
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 618
    
 Windows Vista CNG algorithms #298
 
 
-
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#589
    
-
    HMAC-SHA256 (Key Size Ranges Tested: KSBS)SHSVal#589
    
-
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#589
    
-
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#589
    
+
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 589
    
+
    HMAC-SHA256 (Key Size Ranges Tested: KSBS)SHSvalidation number 589
    
+
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 589
    
+
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 589
    
 Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #267
 
 
-
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#578
    
-
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#578
    
-
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#578
    
-
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#578
    
+
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 578
    
+
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 578
    
+
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 578
    
+
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 578
    
 Windows CE and Windows Mobile 6.0 and Windows Mobil 6.5 Enhanced Cryptographic Provider (RSAENH) #260
 
 
-
    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#495
    
-
    HMAC-SHA256 (Key Size Ranges Tested: KSVal#495
    
+
    HMAC-SHA1 (Key Sizes Ranges Tested: KSvalidation number 495
    
+
    HMAC-SHA256 (Key Size Ranges Tested: KSvalidation number 495
    
 Windows Vista BitLocker Drive Encryption #199
 
 
-HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#364
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 364
 
    Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #99
    
 
    Windows XP, vendor-affirmed
    
 
 
-
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#305
    
-
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#305
    
-
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#305
    
-
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#305
    
+
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 305
    
+
    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 305
    
+
    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 305
    
+
    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 305
    
 Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #31
 
 
@@ -4500,7 +4507,7 @@ SHS 
 
 
-
  • One Pass DH:
    • 
+
  • One-Pass DH:
    •