From 8fd3ea615eb50a84a595b417ee8daf3d601e398a Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Tue, 9 Apr 2024 13:42:47 -0700 Subject: [PATCH 01/12] Reliability report --- windows/deployment/windows-autopatch/TOC.yml | 2 + ...ity-and-feature-update-reports-overview.md | 1 + .../windows-autopatch-reliability-report.md | 120 ++++++++++++++++++ 3 files changed, 123 insertions(+) create mode 100644 windows/deployment/windows-autopatch/operate/windows-autopatch-reliability-report.md diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml index 619348bcdd..3e1a68db6b 100644 --- a/windows/deployment/windows-autopatch/TOC.yml +++ b/windows/deployment/windows-autopatch/TOC.yml @@ -90,6 +90,8 @@ href: operate/windows-autopatch-groups-windows-quality-update-status-report.md - name: Quality update trending report href: operate/windows-autopatch-groups-windows-quality-update-trending-report.md + - name: Reliability report + href: operate/windows-autopatch-reliability-report.md - name: Windows feature update reports href: items: diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md index 91f758db48..9d5cd07373 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md @@ -33,6 +33,7 @@ The Windows quality report types are organized into the following focus areas: | ----- | ----- | | Organizational | The [Summary dashboard](../operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md) provide the current update status summary for all devices.

The [Quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md) provides the current update status of all devices at the device level. | | Device trends | The [Quality update trending report](../operate/windows-autopatch-groups-windows-quality-update-trending-report.md) provides the update status trend of all devices over the last 90 days. | +| [Reliability report](../operate/windows-autopatch-reliability-report.md) | The Reliability report provides a reliability score for each Windows quality update cycle based on stop error codes detected on managed devices. | ## Windows feature update reports diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-reliability-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-reliability-report.md new file mode 100644 index 0000000000..f019997bf1 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-reliability-report.md @@ -0,0 +1,120 @@ +--- +title: Reliability report +description: This article describes the reliability score for each Windows quality update cycle based on stop error codes detected on managed devices. +ms.date: 04/09/2024 +ms.service: windows-client +ms.subservice: itpro-updates +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: aaroncz +ms.reviewer: hathind +ms.collection: + - highpri + - tier1 +--- + +# Reliability report (public preview) + +> [!IMPORTANT] +> This feature is in **public preview**. It's being actively developed, and might not be complete. + +The Reliability report provides a reliability score for each Windows quality update cycle based on [stop error codes](https://learn.microsoft.com/troubleshoot/windows-client/performance/stop-error-or-blue-screen-error-troubleshooting) detected on managed devices. Scores are determined at both the service and tenant level. Details on modules associated with stop error codes at the tenant level are provided to better understand how devices are affected. + +> [!NOTE] +> **The Reliability report applies to quality updates only**. The Reliability report doesn't currently support Windows feature updates.

Scores used in this report are calculated based on devices running both Windows 10 and Windows 11 versions.

+ +With this feature, IT admins can access the following information: + +| Information type | Description | +| ----- | ----- | +| Your score | **Your score** is a calculated tenant reliability score based on stop error codes detected on managed devices that updated successfully during the current update cycle. **Your score** is the latest single-day score in the current Windows quality update cycle. The monthly score values can be viewed under the **Trending** tab. | +| Baseline | Use the **Baseline** to compare your score with past quality update cycles. You can choose the desired historical record from the **Comparison baseline** dropdown menu at the top of the page. **Baseline** is a single-day score calculated the same number of days from the start of patching as your score. | +| Service-level | Use the **Service-level** to compare **your score** with a score computed across tenants in the Azure Data Scale Unit covering your geographic region. **Service-level** is a single-day score calculated the same number of days from the start of patching as **your score**. | +| Score details | **Score details** provides information about specific modules associated with stop error code occurrence, occurrence rate, and affected devices. View single-day or multi-day results by selecting from the **Duration** menu. Data can be exported for offline reference. | +| Trending | **Trending** provides a graphical visualization of reliability scores at both tenant and service level on a customizable timeline of 1 - 12 months. Monthly scores represent the aggregated value for a complete update cycle (second Tuesday of the month). | +| Insights | **Insights** identifies noteworthy trends that might be useful in implementing reliability improvement opportunities. | +| Affected devices | **Affected devices** are the number of unique devices associated with stop error code events. | + +## Report availability + +The Reliability report relies on device policies being configured properly. It's important to confirm that the minimum requirements are met to access the full Reliability report. + +| Data collection policies set | Devices registered in Autopatch | Devices updated | Report availability | +| ----- | ------ | ----- | ----- | +| No | - | - | No report available.

In this state, a ribbon appears on the landing page alerting the user that the diagnostic data needed to generate a report appears to be turned off. The report is available 24 and 48 hours after the following conditions are met:

| +| Yes | 0 | - | The report includes only the historical comparison baseline and service-level score. The tenant and module impact scores are unavailable until 100 devices are updated. | +| Yes | 0 < n < 100 | 0 < n < 100 | The report includes module failure details, historical comparison baseline, and service-level score. The tenant score is unavailable until 100 devices are updated. | +| Yes | n >= 100 | n >= 100 | The report includes module failure details, historical comparison baseline score, and service-level score. The tenant and module impact scores are unavailable until 100 devices are updated. | +| Yes | n >= 100 | n >= 100 | Full reporting available | + +## View the Reliability report + +**To view the Reliability report:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +2. Navigate to **Reports** > **Windows Autopatch** > **Windows quality updates**. +3. Select the **Reports** tab. +4. Select **Reliability report**. + +> [!NOTE] +> To use the Reliability report capability, ensure that at least 100 devices are registered in the Windows Autopatch service and capable of successfully completing a quality update. The report relies on device stop error code data being available to Microsoft (transmission of this data may take up to 24 hours).

A score is generated when:

Windows Autopatch data collection must be enabled according to the [configuration policies](../references/windows-autopatch-changes-to-tenant.md#device-configuration-policies) set during tenant onboarding. For more information about data collection, see [Privacy](../overview/windows-autopatch-privacy.md)

+ +## Report information + +The following information is available as default columns in the Reliability report: + +> [!NOTE] +> The report is refreshed no more than once every 24 hours with data received from your Windows Autopatch managed devices. Manual data refresh is not supported. The last refreshed date and time can be found at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency). + +### Score details + +| Column | Description | +| ----- | ----- | +| Module name | Name of module associated with stop error code detection. | +| Version | Version of module associated with stop error code detection. | +| Unique devices | Number of unique devices seeing a stop error code occurrence associated with a specific module name and version. This information is hyperlinked to the **Devices affected** flyout. | +| Total events | Total number of stop error codes detected associated with a specific module name and version. | +| Module score impact | **Your score** associated with specific module name and version. | +| Timeline | This information is hyperlinked to **Module details** flyout. | + +### Export file + +| Column | Description | +| ----- | ----- | +| DeviceName | Device name | +| MicrosoftEntraDeviceId | Microsoft Entra device ID | +| Model | Device model | +| Manufacturer | Device manufacturer | +| AutopatchGroup | Autopatch group assignment for the affected device | +| LatestOccurrence | Time of the most recent reported failure | +| WindowsVersion | Windows version (Windows 10 or Windows 11) | +| OSVersion | OS version | +| ModuleName | Name of the module associated with stop error code detection | +| Version | Version of the module associated with stop error code detection | +| BugCheckCode | Bug check code associated with stop error code | +| TenantId | Your Microsoft Entra tenant ID | + +### Devices affected + +| Column | Description | +| ----- | ----- | +| Device name | Device name | +| Microsoft Entra device ID | Microsoft Entra device ID | +| Model | Device model | +| Manufacturer | Device manufacturer | +| Autopatch group | Autopatch group assignment for the affected device | +| Latest occurrence | Time of the most recent reported failure | + +### Module details + +| Display selection | Description | +| ----- | ----- | +| Unique devices | Number of unique devices affected by module failure and the associated version | +| Total events | Number of occurrences by module failure and the associated version | +| Module impact | Score impact by module and version representing the relative importance of module failure. Higher positive values describe module failures that have a greater impact on the tenant and should be addressed with higher priority. Negative values describe module failures that have a lower-than-average impact on the tenant and thus can be treated with lower priority. Values around `0` describe module failures with average impact on the tenant. | + +## Known limitations + +The Reliability report supports tenant and service-level score data going back to September 2023. Data before that date isn't supported. A full 12 months of score data will be available to select from the menu dropdowns in September 2024. From e26cdd1bd79c6eb4656a9016085df139a871855a Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Tue, 9 Apr 2024 13:58:36 -0700 Subject: [PATCH 02/12] Whats new --- .../whats-new/windows-autopatch-whats-new-2024.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md index af55139038..48eebce969 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md @@ -27,7 +27,8 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | Article | Description | | ----- | ----- | -| [Resolve policy conflicts](../operate/windows-autopatch-resolve-policy-conflicts.md) | Added [Resolve policy conflicts](../operate/windows-autopatch-resolve-policy-conflicts.md) feature | +| [Reliability report](../operate/windows-autopatch-reliability-report.md) | Added the[Reliability report](../operate/windows-autopatch-reliability-report.md) feature | +| [Resolve policy conflicts](../operate/windows-autopatch-resolve-policy-conflicts.md) | Added the [Resolve policy conflicts](../operate/windows-autopatch-resolve-policy-conflicts.md) feature | ## February 2024 From 16c6d1b1020d0d568edc7c925e6713c3902bf3a9 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Tue, 9 Apr 2024 14:41:10 -0700 Subject: [PATCH 03/12] tweak --- .../whats-new/windows-autopatch-whats-new-2024.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md index 48eebce969..8144875c9e 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md @@ -27,7 +27,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | Article | Description | | ----- | ----- | -| [Reliability report](../operate/windows-autopatch-reliability-report.md) | Added the[Reliability report](../operate/windows-autopatch-reliability-report.md) feature | +| [Reliability report](../operate/windows-autopatch-reliability-report.md) | Added the [Reliability report](../operate/windows-autopatch-reliability-report.md) feature | | [Resolve policy conflicts](../operate/windows-autopatch-resolve-policy-conflicts.md) | Added the [Resolve policy conflicts](../operate/windows-autopatch-resolve-policy-conflicts.md) feature | ## February 2024 From 5a0a5d22adb641320b3bc060246c4d1be067a353 Mon Sep 17 00:00:00 2001 From: "Vinay Pamnani (from Dev Box)" Date: Wed, 10 Apr 2024 10:31:14 -0600 Subject: [PATCH 04/12] CSP Updates 2403 --- .../mdm/activesync-ddf-file.md | 4 +- .../mdm/applocker-ddf-file.md | 4 +- .../mdm/assignedaccess-csp.md | 4 +- .../mdm/assignedaccess-ddf.md | 6 +- .../mdm/bitlocker-ddf-file.md | 26 ++-- .../mdm/clientcertificateinstall-csp.md | 94 ++++++++++++- .../mdm/clientcertificateinstall-ddf-file.md | 126 ++++++++++++++---- .../mdm/declaredconfiguration-ddf-file.md | 4 +- .../mdm/devdetail-ddf-file.md | 4 +- .../mdm/devicemanageability-ddf.md | 4 +- .../mdm/devicepreparation-csp.md | 29 +++- .../mdm/devicepreparation-ddf-file.md | 32 ++++- .../client-management/mdm/devicestatus-ddf.md | 4 +- .../client-management/mdm/devinfo-ddf-file.md | 4 +- .../mdm/diagnosticlog-ddf.md | 4 +- windows/client-management/mdm/dmacc-csp.md | 4 +- .../client-management/mdm/dmacc-ddf-file.md | 4 +- windows/client-management/mdm/dmclient-csp.md | 10 +- .../mdm/dmclient-ddf-file.md | 8 +- .../client-management/mdm/email2-ddf-file.md | 4 +- ...enterprisedesktopappmanagement-ddf-file.md | 6 +- .../mdm/enterprisemodernappmanagement-csp.md | 4 +- .../mdm/enterprisemodernappmanagement-ddf.md | 8 +- .../client-management/mdm/euiccs-ddf-file.md | 4 +- .../mdm/firewall-ddf-file.md | 5 +- .../mdm/language-pack-management-ddf-file.md | 4 +- .../client-management/mdm/laps-ddf-file.md | 4 +- .../client-management/mdm/networkproxy-ddf.md | 4 +- .../mdm/networkqospolicy-ddf.md | 4 +- .../mdm/nodecache-ddf-file.md | 6 +- windows/client-management/mdm/office-ddf.md | 6 +- .../mdm/passportforwork-csp.md | 10 +- .../mdm/passportforwork-ddf.md | 16 +-- .../mdm/personaldataencryption-ddf-file.md | 4 +- .../mdm/personalization-csp.md | 12 +- .../mdm/personalization-ddf.md | 16 +-- .../mdm/policies-in-policy-csp-admx-backed.md | 12 +- ...in-policy-csp-supported-by-group-policy.md | 6 +- .../mdm/policy-csp-abovelock.md | 4 +- .../mdm/policy-csp-admx-help.md | 104 +-------------- .../mdm/policy-csp-admx-startmenu.md | 4 +- .../mdm/policy-csp-applicationmanagement.md | 6 +- .../mdm/policy-csp-browser.md | 6 +- .../mdm/policy-csp-connectivity.md | 6 +- .../mdm/policy-csp-devicelock.md | 6 +- .../mdm/policy-csp-experience.md | 10 +- .../mdm/policy-csp-remotedesktopservices.md | 74 +++++----- .../mdm/policy-csp-search.md | 4 +- .../mdm/policy-csp-security.md | 6 +- .../client-management/mdm/policy-csp-sudo.md | 27 ++-- .../mdm/policy-csp-systemservices.md | 36 ++--- .../mdm/policy-csp-timelanguagesettings.md | 4 +- .../mdm/policy-csp-windowslogon.md | 6 +- .../mdm/printerprovisioning-ddf-file.md | 4 +- .../client-management/mdm/reboot-ddf-file.md | 4 +- .../mdm/rootcacertificates-ddf-file.md | 6 +- .../mdm/secureassessment-ddf-file.md | 4 +- .../mdm/sharedpc-ddf-file.md | 4 +- .../client-management/mdm/supl-ddf-file.md | 4 +- .../client-management/mdm/vpnv2-ddf-file.md | 6 +- .../client-management/mdm/wifi-ddf-file.md | 6 +- ...indowsdefenderapplicationguard-ddf-file.md | 4 +- .../mdm/windowslicensing-ddf-file.md | 4 +- .../mdm/wirednetwork-ddf-file.md | 6 +- 64 files changed, 494 insertions(+), 371 deletions(-) diff --git a/windows/client-management/mdm/activesync-ddf-file.md b/windows/client-management/mdm/activesync-ddf-file.md index b32ae659db..b48213ce4d 100644 --- a/windows/client-management/mdm/activesync-ddf-file.md +++ b/windows/client-management/mdm/activesync-ddf-file.md @@ -1,7 +1,7 @@ --- title: ActiveSync DDF file description: View the XML file containing the device description framework (DDF) for the ActiveSync configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the A 10.0.10240 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/applocker-ddf-file.md b/windows/client-management/mdm/applocker-ddf-file.md index 11f10bf906..f712663818 100644 --- a/windows/client-management/mdm/applocker-ddf-file.md +++ b/windows/client-management/mdm/applocker-ddf-file.md @@ -1,7 +1,7 @@ --- title: AppLocker DDF file description: View the XML file containing the device description framework (DDF) for the AppLocker configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the A 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index df25725c5a..cc69b6bb5a 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -1,7 +1,7 @@ --- title: AssignedAccess CSP description: Learn more about the AssignedAccess CSP. -ms.date: 02/29/2024 +ms.date: 04/10/2024 --- @@ -14,7 +14,6 @@ ms.date: 02/29/2024 The AssignedAccess configuration service provider (CSP) is used to configure a kiosk or restricted user experience. Once the CSP is executed, the next user login that is associated with the Assigned Access profile puts the device into the kiosk mode specified in the CSP configuration. To learn more about how to configure Assigned Access, see [Configure kiosks and restricted user experiences](/windows/configuration/assigned-access). - @@ -51,7 +50,6 @@ This node accepts an AssignedAccessConfiguration xml as input. To learn how to configure xml file, see [Create an Assigned Access configuration XML file](/windows/configuration/assigned-access/configuration-file) - diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md index f5e0e84d26..5b113fb30f 100644 --- a/windows/client-management/mdm/assignedaccess-ddf.md +++ b/windows/client-management/mdm/assignedaccess-ddf.md @@ -1,7 +1,7 @@ --- title: AssignedAccess DDF file description: View the XML file containing the device description framework (DDF) for the AssignedAccess configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the A 10.0.10240 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; @@ -54,7 +54,7 @@ The following XML file contains the device description framework (DDF) for the A This node can accept and return json string which comprises of account name, and AUMID for Kiosk mode app. -Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}. +Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}. When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output. diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md index 5f89c0bace..738dea71d0 100644 --- a/windows/client-management/mdm/bitlocker-ddf-file.md +++ b/windows/client-management/mdm/bitlocker-ddf-file.md @@ -1,7 +1,7 @@ --- title: BitLocker DDF file description: View the XML file containing the device description framework (DDF) for the BitLocker configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the B 10.0.15063 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; @@ -142,7 +142,7 @@ The following XML file contains the device description framework (DDF) for the B If you disable or do not configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script.” The format is string. Sample value for this node to enable this policy and set the encryption methods is: - + EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives. EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives. @@ -194,7 +194,7 @@ The following XML file contains the device description framework (DDF) for the B Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard. The format is string. Sample value for this node to enable this policy is: - + ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) All of the below settings are for computers with a TPM. @@ -250,7 +250,7 @@ The following XML file contains the device description framework (DDF) for the B NOTE: If minimum PIN length is set below 6 digits, Windows will attempt to update the TPM 2.0 lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. The format is string. Sample value for this node to enable this policy is: - + Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: @@ -291,7 +291,7 @@ The following XML file contains the device description framework (DDF) for the B Note: Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen. The format is string. Sample value for this node to enable this policy is: - + The possible values for 'xx' are: 0 = Empty @@ -344,7 +344,7 @@ The following XML file contains the device description framework (DDF) for the B If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS. The format is string. Sample value for this node to enable this policy is: - + The possible values for 'xx' are: true = Explicitly allow @@ -402,7 +402,7 @@ The following XML file contains the device description framework (DDF) for the B If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives. The format is string. Sample value for this node to enable this policy is: - + The possible values for 'xx' are: true = Explicitly allow @@ -454,7 +454,7 @@ The following XML file contains the device description framework (DDF) for the B If you disable or do not configure this policy setting, all fixed data drives on the computer will be mounted with read and write access. The format is string. Sample value for this node to enable this policy is: - + Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: @@ -495,7 +495,7 @@ The following XML file contains the device description framework (DDF) for the B Note: This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored. The format is string. Sample value for this node to enable this policy is: - + The possible values for 'xx' are: true = Explicitly allow @@ -575,7 +575,7 @@ The following XML file contains the device description framework (DDF) for the B require reinstallation of Windows. Note: This policy takes effect only if "RequireDeviceEncryption" policy is set to 1. The format is integer. - The expected values for this policy are: + The expected values for this policy are: 1 = This is the default, when the policy is not set. Warning prompt and encryption notification is allowed. 0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, @@ -623,7 +623,7 @@ The following XML file contains the device description framework (DDF) for the B If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user is the current logged on user in the system. - The expected values for this policy are: + The expected values for this policy are: 1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user. 0 = This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy @@ -741,7 +741,7 @@ The policy only comes into effect when Active Directory backup for a recovery pa * status\RotateRecoveryPasswordsStatus * status\RotateRecoveryPasswordsRequestID - + Supported Values: String form of request ID. Example format of request ID is GUID. Server can choose the format as needed according to the management tools.\ diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md index af84e44ec7..89b0a33e28 100644 --- a/windows/client-management/mdm/clientcertificateinstall-csp.md +++ b/windows/client-management/mdm/clientcertificateinstall-csp.md @@ -1,7 +1,7 @@ --- title: ClientCertificateInstall CSP description: Learn more about the ClientCertificateInstall CSP. -ms.date: 01/31/2024 +ms.date: 04/10/2024 --- @@ -9,6 +9,8 @@ ms.date: 01/31/2024 # ClientCertificateInstall CSP +[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] + The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. A client certificate has a unique ID, which is the *\[UniqueID\]* for this configuration. Each client certificate must have different UniqueIDs for the SCEP enrollment request. @@ -38,6 +40,7 @@ The following list shows the ClientCertificateInstall configuration service prov - [ErrorCode](#devicescepuniqueiderrorcode) - [Install](#devicescepuniqueidinstall) - [AADKeyIdentifierList](#devicescepuniqueidinstallaadkeyidentifierlist) + - [AttestPrivateKey](#devicescepuniqueidinstallattestprivatekey) - [CAThumbprint](#devicescepuniqueidinstallcathumbprint) - [Challenge](#devicescepuniqueidinstallchallenge) - [ContainerName](#devicescepuniqueidinstallcontainername) @@ -76,6 +79,7 @@ The following list shows the ClientCertificateInstall configuration service prov - [ErrorCode](#userscepuniqueiderrorcode) - [Install](#userscepuniqueidinstall) - [AADKeyIdentifierList](#userscepuniqueidinstallaadkeyidentifierlist) + - [AttestPrivateKey](#userscepuniqueidinstallattestprivatekey) - [CAThumbprint](#userscepuniqueidinstallcathumbprint) - [Challenge](#userscepuniqueidinstallchallenge) - [ContainerName](#userscepuniqueidinstallcontainername) @@ -828,6 +832,45 @@ Optional. Specify the Microsoft Entra ID Key Identifier List as a semicolon sepa + +##### Device/SCEP/{UniqueID}/Install/AttestPrivateKey + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/AttestPrivateKey +``` + + + + +Defines the attest SCEP private key behavior 0 - normal, 1 - best effort, 2 - on error, fail the installation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Get | + + + + + + + + ##### Device/SCEP/{UniqueID}/Install/CAThumbprint @@ -2402,6 +2445,55 @@ Optional. Specify the Microsoft Entra ID Key Identifier List as a semicolon sepa + +##### User/SCEP/{UniqueID}/Install/AttestPrivateKey + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/AttestPrivateKey +``` + + + + +Defines the attest SCEP private key behavior 0 - normal, 1 - best effort, 2 - on error, fail the installation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Get | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Don't attest private key. | +| 1 | Attest key, but in case attestation failed, best effort approach - CSR is sent to the server. | +| 2 | Attest key, but in case attestation failed, fail fast (i.e release the key and not issue a CSR to the server). | + + + + + + + + ##### User/SCEP/{UniqueID}/Install/CAThumbprint diff --git a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md index 7648af9a26..2d9b0700a3 100644 --- a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md +++ b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md @@ -1,7 +1,7 @@ --- title: ClientCertificateInstall DDF file description: View the XML file containing the device description framework (DDF) for the ClientCertificateInstall configuration service provider. -ms.date: 01/31/2024 +ms.date: 04/10/2024 --- @@ -72,8 +72,8 @@ The following XML file contains the device description framework (DDF) for the C - Required for PFX certificate installation. A unique ID to differentiate different certificate install requests. -Format is node. + Required for PFX certificate installation. A unique ID to differentiate different certificate install requests. +Format is node. Calling Delete on the this node, should delete the certificates and the keys that were installed by the corresponding PFX blob. @@ -143,7 +143,7 @@ Calling Delete on the this node, should delete the certificates and the keys tha - Optional. + Optional. Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. @@ -169,7 +169,7 @@ Specifies the NGC container name (if NGC KSP is chosen for above node). If this - Required. + Required. CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. Add on this node will trigger the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, fKeyExportable) are present before this is called. This will also set the Status node to the current Status of the operation. If Add is called on this node and a blob already exists, it will fail. If Replace is called on this node, the certificates will be overwritten. If Add is called on this node for a new PFX, the certificate will be added. If Replace is called on this node when it does not exist, this will fail. @@ -227,7 +227,7 @@ CRYPT_DATA_BLOB on MSDN can be found at http://msdn.microsoft.com/en-us/library/ 0 Optional. Used to specify if the PFX certificate password is encrypted with a certificate. -If the value is +If the value is 0 - Password is not encrypted 1- Password is encrypted using the MDM certificate by the MDM server 2 - Password is encrypted by a Custom Certificate by the MDM server. When this value is used here, also specify the custom store name in the PFXCertPasswordEncryptionStore node. @@ -353,7 +353,7 @@ If the value is - Optional. + Optional. When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored. @@ -413,7 +413,7 @@ When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the - Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests. + Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests. Calling Delete on the this node, should delete the corresponding SCEP certificate @@ -560,6 +560,46 @@ Calling Delete on the this node, should delete the corresponding SCEP certificat + + AttestPrivateKey + + + + + + Defines the attest SCEP private key behavior 0 - normal, 1 - best effort, 2 - on error, fail the installation + + + + + + + + + + + + + + 99.9.99999 + 9.9 + + + + 0 + Do not attest private key + + + 1 + Attest key, but in case attestation failed, best effort approach - CSR is sent to the server + + + 2 + Attest key, but in case attestation failed, fail fast (i.e release the key and not issue a CSR to the server) + + + + SubjectName @@ -596,7 +636,7 @@ Calling Delete on the this node, should delete the corresponding SCEP certificat 3 - Optional. Specify where to keep the private key. Note that even it is protected by TPM, it is not guarded with TPM PIN. + Optional. Specify where to keep the private key. Note that even it is protected by TPM, it is not guarded with TPM PIN. SCEP enrolled cert doesn’t support TPM PIN protection. @@ -640,7 +680,7 @@ SCEP enrolled cert doesn’t support TPM PIN protection. 5 - Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes. + Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes. Default value is: 5 The min value is 1. @@ -725,7 +765,7 @@ The min value is 0 which means no retry. - Required for enrollment. Specify private key length (RSA). + Required for enrollment. Specify private key length (RSA). Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength. @@ -764,7 +804,7 @@ Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength. - Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +. + Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +. For NGC, only SHA256 is supported as the supported algorithm @@ -845,7 +885,7 @@ For NGC, only SHA256 is supported as the supported algorithm Days - Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years. + Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years. MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the server’s decision on how to use this valid period to create the certificate. @@ -885,7 +925,7 @@ MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio 0 - Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. + Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. NOTE: The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the server’s decision on how to use this valid period to create the certificate. @@ -912,7 +952,7 @@ NOTE: The device only sends the MDM server expected certificate validation perio - Optional. + Optional. Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. @@ -1155,8 +1195,8 @@ Valid values are: - Required for PFX certificate installation. A unique ID to differentiate different certificate install requests. -Format is node. + Required for PFX certificate installation. A unique ID to differentiate different certificate install requests. +Format is node. Calling Delete on the this node, should delete the certificates and the keys that were installed by the corresponding PFX blob. @@ -1226,7 +1266,7 @@ Calling Delete on the this node, should delete the certificates and the keys tha - Optional. + Optional. Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. @@ -1252,7 +1292,7 @@ Specifies the NGC container name (if NGC KSP is chosen for above node). If this - Required. + Required. CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. Add on this node will trigger the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, fKeyExportable) are present before this is called. This will also set the Status node to the current Status of the operation. If Add is called on this node and a blob already exists, it will fail. If Replace is called on this node, the certificates will be overwritten. If Add is called on this node for a new PFX, the certificate will be added. If Replace is called on this node when it does not exist, this will fail. @@ -1310,7 +1350,7 @@ CRYPT_DATA_BLOB on MSDN can be found at http://msdn.microsoft.com/en-us/library/ 0 Optional. Used to specify if the PFX certificate password is encrypted with a certificate. -If the value is +If the value is 0 - Password is not encrypted 1- Password is encrypted using the MDM certificate by the MDM server 2 - Password is encrypted by a Custom Certificate by the MDM server. When this value is used here, also specify the custom store name in the PFXCertPasswordEncryptionStore node. @@ -1436,7 +1476,7 @@ If the value is - Optional. + Optional. When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored. @@ -1496,7 +1536,7 @@ When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the - Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests. + Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests. Calling Delete on the this node, should delete the corresponding SCEP certificate @@ -1643,6 +1683,34 @@ Calling Delete on the this node, should delete the corresponding SCEP certificat + + AttestPrivateKey + + + + + + Defines the attest SCEP private key behavior 0 - normal, 1 - best effort, 2 - on error, fail the installation + + + + + + + + + + + + + + 99.9.99999 + 9.9 + + + + + SubjectName @@ -1679,7 +1747,7 @@ Calling Delete on the this node, should delete the corresponding SCEP certificat 3 - Optional. Specify where to keep the private key. Note that even it is protected by TPM, it is not guarded with TPM PIN. + Optional. Specify where to keep the private key. Note that even it is protected by TPM, it is not guarded with TPM PIN. SCEP enrolled cert doesn’t support TPM PIN protection. @@ -1723,7 +1791,7 @@ SCEP enrolled cert doesn’t support TPM PIN protection. 5 - Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes. + Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes. Default value is: 5 The min value is 1. @@ -1808,7 +1876,7 @@ The min value is 0 which means no retry. - Required for enrollment. Specify private key length (RSA). + Required for enrollment. Specify private key length (RSA). Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength. @@ -1847,7 +1915,7 @@ Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength. - Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +. + Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +. For NGC, only SHA256 is supported as the supported algorithm @@ -1928,7 +1996,7 @@ For NGC, only SHA256 is supported as the supported algorithm Days - Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years. + Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years. MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the server’s decision on how to use this valid period to create the certificate. @@ -1968,7 +2036,7 @@ MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio 0 - Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. + Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. NOTE: The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the server’s decision on how to use this valid period to create the certificate. @@ -1995,7 +2063,7 @@ NOTE: The device only sends the MDM server expected certificate validation perio - Optional. + Optional. Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. diff --git a/windows/client-management/mdm/declaredconfiguration-ddf-file.md b/windows/client-management/mdm/declaredconfiguration-ddf-file.md index 22f6c58926..95751f45be 100644 --- a/windows/client-management/mdm/declaredconfiguration-ddf-file.md +++ b/windows/client-management/mdm/declaredconfiguration-ddf-file.md @@ -1,7 +1,7 @@ --- title: DeclaredConfiguration DDF file description: View the XML file containing the device description framework (DDF) for the DeclaredConfiguration configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the D 99.9.99999 9.9 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md index d51d3417ab..6f562d58b4 100644 --- a/windows/client-management/mdm/devdetail-ddf-file.md +++ b/windows/client-management/mdm/devdetail-ddf-file.md @@ -1,7 +1,7 @@ --- title: DevDetail DDF file description: View the XML file containing the device description framework (DDF) for the DevDetail configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the D 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/devicemanageability-ddf.md b/windows/client-management/mdm/devicemanageability-ddf.md index e8d4b8243d..cecd7dd921 100644 --- a/windows/client-management/mdm/devicemanageability-ddf.md +++ b/windows/client-management/mdm/devicemanageability-ddf.md @@ -1,7 +1,7 @@ --- title: DeviceManageability DDF file description: View the XML file containing the device description framework (DDF) for the DeviceManageability configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -42,7 +42,7 @@ The following XML file contains the device description framework (DDF) for the D 10.0.14393 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/devicepreparation-csp.md b/windows/client-management/mdm/devicepreparation-csp.md index fee0e44a1b..b93cdfd164 100644 --- a/windows/client-management/mdm/devicepreparation-csp.md +++ b/windows/client-management/mdm/devicepreparation-csp.md @@ -1,7 +1,7 @@ --- title: DevicePreparation CSP description: Learn more about the DevicePreparation CSP. -ms.date: 01/31/2024 +ms.date: 04/10/2024 --- @@ -184,6 +184,15 @@ This node indicates whether the MDM agent was installed or not. When set to true | Default Value | False | + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Mdm Agent Not Installed. | +| true | Mdm Agent Installed. | + + @@ -263,6 +272,15 @@ This node indicates whether an MDM policy was provisioned that requires a reboot | Default Value | False | + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | No Reboot Required. | +| true | Reboot Required. | + + @@ -303,6 +321,15 @@ This node determines whether to show the Device Preparation page during OOBE. | Default Value | false | + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false (Default) | Disable Page. | +| true | Enable Page. | + + diff --git a/windows/client-management/mdm/devicepreparation-ddf-file.md b/windows/client-management/mdm/devicepreparation-ddf-file.md index cdccc95934..06ec069113 100644 --- a/windows/client-management/mdm/devicepreparation-ddf-file.md +++ b/windows/client-management/mdm/devicepreparation-ddf-file.md @@ -1,7 +1,7 @@ --- title: DevicePreparation DDF file description: View the XML file containing the device description framework (DDF) for the DevicePreparation configuration service provider. -ms.date: 01/31/2024 +ms.date: 04/10/2024 --- @@ -64,6 +64,16 @@ The following XML file contains the device description framework (DDF) for the D + + + false + Disable Page + + + true + Enable Page + + @@ -320,6 +330,16 @@ The following XML file contains the device description framework (DDF) for the D + + + false + Mdm Agent Not Installed + + + true + Mdm Agent Installed + + @@ -342,6 +362,16 @@ The following XML file contains the device description framework (DDF) for the D + + + false + No Reboot Required + + + true + Reboot Required + + diff --git a/windows/client-management/mdm/devicestatus-ddf.md b/windows/client-management/mdm/devicestatus-ddf.md index 5ddde61818..2eaff3d375 100644 --- a/windows/client-management/mdm/devicestatus-ddf.md +++ b/windows/client-management/mdm/devicestatus-ddf.md @@ -1,7 +1,7 @@ --- title: DeviceStatus DDF file description: View the XML file containing the device description framework (DDF) for the DeviceStatus configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the D 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/devinfo-ddf-file.md b/windows/client-management/mdm/devinfo-ddf-file.md index 37290dd8ca..ff9195ba0d 100644 --- a/windows/client-management/mdm/devinfo-ddf-file.md +++ b/windows/client-management/mdm/devinfo-ddf-file.md @@ -1,7 +1,7 @@ --- title: DevInfo DDF file description: View the XML file containing the device description framework (DDF) for the DevInfo configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -41,7 +41,7 @@ The following XML file contains the device description framework (DDF) for the D 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/diagnosticlog-ddf.md b/windows/client-management/mdm/diagnosticlog-ddf.md index 4b7a116020..9603fc932a 100644 --- a/windows/client-management/mdm/diagnosticlog-ddf.md +++ b/windows/client-management/mdm/diagnosticlog-ddf.md @@ -1,7 +1,7 @@ --- title: DiagnosticLog DDF file description: View the XML file containing the device description framework (DDF) for the DiagnosticLog configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the D 10.0.10586 1.2 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md index 28cbe9c4f0..271a68b16e 100644 --- a/windows/client-management/mdm/dmacc-csp.md +++ b/windows/client-management/mdm/dmacc-csp.md @@ -1,7 +1,7 @@ --- title: DMAcc CSP description: Learn more about the DMAcc CSP. -ms.date: 01/31/2024 +ms.date: 04/10/2024 --- @@ -709,7 +709,7 @@ Specifies the authentication type. If AAuthLevel is CLCRED, the supported types |:--|:--| | Format | `chr` (string) | | Access Type | Add, Get, Replace | -| Dependency [AAuthlevelDependency] | Dependency Type: `DependsOn`
Dependency URI: `Syncml/DMAcc/[AccountUID]/AppAuth/[ObjectName]/AAuthLevel`
Dependency Allowed Value: `SRVCRED`
Dependency Allowed Value Type: `ENUM`
| +| Dependency [AAuthlevelDependency] | Dependency Type: `DependsOn`
Dependency URI: `SyncML/DMAcc/{AccountUID}/AppAuth/{ObjectName}/AAuthLevel`
Dependency Allowed Value: `SRVCRED`
Dependency Allowed Value Type: `ENUM`
| diff --git a/windows/client-management/mdm/dmacc-ddf-file.md b/windows/client-management/mdm/dmacc-ddf-file.md index 96ba92429a..331ce57c5d 100644 --- a/windows/client-management/mdm/dmacc-ddf-file.md +++ b/windows/client-management/mdm/dmacc-ddf-file.md @@ -1,7 +1,7 @@ --- title: DMAcc DDF file description: View the XML file containing the device description framework (DDF) for the DMAcc configuration service provider. -ms.date: 01/31/2024 +ms.date: 04/10/2024 --- @@ -527,7 +527,7 @@ The following XML file contains the device description framework (DDF) for the D - Syncml/DMAcc/[AccountUID]/AppAuth/[ObjectName]/AAuthLevel + SyncML/DMAcc/{AccountUID}/AppAuth/{ObjectName}/AAuthLevel SRVCRED diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index 535eaf637a..dec09993f5 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md @@ -1,7 +1,7 @@ --- title: DMClient CSP description: Learn more about the DMClient CSP. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -632,7 +632,7 @@ This node, when it's set, tells the client to set how many minutes the device sh | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000.2836] and later
✅ Windows 11, version 22H2 [10.0.22621.3235] and later
✅ Windows Insider Preview | @@ -671,7 +671,7 @@ Parent node for ConfigRefresh nodes. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000.2836] and later
✅ Windows 11, version 22H2 [10.0.22621.3235] and later
✅ Windows Insider Preview | @@ -712,7 +712,7 @@ This node determines the number of minutes between refreshes. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000.2836] and later
✅ Windows 11, version 22H2 [10.0.22621.3235] and later
✅ Windows Insider Preview | @@ -761,7 +761,7 @@ This node determines whether or not a periodic settings refresh for MDM policies | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000.2836] and later
✅ Windows 11, version 22H2 [10.0.22621.3235] and later
✅ Windows Insider Preview | diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md index 64dd766397..dd09a2d66f 100644 --- a/windows/client-management/mdm/dmclient-ddf-file.md +++ b/windows/client-management/mdm/dmclient-ddf-file.md @@ -1,7 +1,7 @@ --- title: DMClient DDF file description: View the XML file containing the device description framework (DDF) for the DMClient configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the D 10.0.10240 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; @@ -477,7 +477,7 @@ The following XML file contains the device description framework (DDF) for the D 10.0.10240 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; @@ -2958,7 +2958,7 @@ The following XML file contains the device description framework (DDF) for the D - 99.9.99999 + 99.9.99999, 10.0.22621.3235, 10.0.22000.2836 1.6 diff --git a/windows/client-management/mdm/email2-ddf-file.md b/windows/client-management/mdm/email2-ddf-file.md index 2b9763c045..04e33d681e 100644 --- a/windows/client-management/mdm/email2-ddf-file.md +++ b/windows/client-management/mdm/email2-ddf-file.md @@ -1,7 +1,7 @@ --- title: EMAIL2 DDF file description: View the XML file containing the device description framework (DDF) for the EMAIL2 configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the E 10.0.10240 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md index 3392fcb317..2ca8dc6240 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md @@ -1,7 +1,7 @@ --- title: EnterpriseDesktopAppManagement DDF file description: View the XML file containing the device description framework (DDF) for the EnterpriseDesktopAppManagement configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the E 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; @@ -400,7 +400,7 @@ The following XML file contains the device description framework (DDF) for the E 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index 4369995a2e..831a924dde 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -1,7 +1,7 @@ --- title: EnterpriseModernAppManagement CSP description: Learn more about the EnterpriseModernAppManagement CSP. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -4602,7 +4602,7 @@ Specifies HoursBetweenUpdateChecks for a specific package. | Property name | Property value | |:--|:--| -| Format | `bool` | +| Format | `int` | | Access Type | Get, Replace | | Allowed Values | Range: `[8-10000]` | | Default Value | 8 | diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md index 6afb253277..e60f2f2868 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md @@ -1,7 +1,7 @@ --- title: EnterpriseModernAppManagement DDF file description: View the XML file containing the device description framework (DDF) for the EnterpriseModernAppManagement configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the E 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; @@ -2587,7 +2587,7 @@ The following XML file contains the device description framework (DDF) for the E 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; @@ -4550,7 +4550,7 @@ The following XML file contains the device description framework (DDF) for the E 8 Specifies HoursBetweenUpdateChecks for a specific package - + diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md index 62059a7c7d..36803e6131 100644 --- a/windows/client-management/mdm/euiccs-ddf-file.md +++ b/windows/client-management/mdm/euiccs-ddf-file.md @@ -1,7 +1,7 @@ --- title: eUICCs DDF file description: View the XML file containing the device description framework (DDF) for the eUICCs configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -43,7 +43,7 @@ The following XML file contains the device description framework (DDF) for the e 10.0.16299 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md index 580516ab56..453ee21804 100644 --- a/windows/client-management/mdm/firewall-ddf-file.md +++ b/windows/client-management/mdm/firewall-ddf-file.md @@ -1,7 +1,7 @@ --- title: Firewall DDF file description: View the XML file containing the device description framework (DDF) for the Firewall configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the F 10.0.16299 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; @@ -4337,6 +4337,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. + diff --git a/windows/client-management/mdm/language-pack-management-ddf-file.md b/windows/client-management/mdm/language-pack-management-ddf-file.md index d2589cc4a8..af5086a30c 100644 --- a/windows/client-management/mdm/language-pack-management-ddf-file.md +++ b/windows/client-management/mdm/language-pack-management-ddf-file.md @@ -1,7 +1,7 @@ --- title: LanguagePackManagement DDF file description: View the XML file containing the device description framework (DDF) for the LanguagePackManagement configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -42,7 +42,7 @@ The following XML file contains the device description framework (DDF) for the L 99.9.9999 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/laps-ddf-file.md b/windows/client-management/mdm/laps-ddf-file.md index d347e57374..8ed3954967 100644 --- a/windows/client-management/mdm/laps-ddf-file.md +++ b/windows/client-management/mdm/laps-ddf-file.md @@ -1,7 +1,7 @@ --- title: LAPS DDF file description: View the XML file containing the device description framework (DDF) for the LAPS configuration service provider. -ms.date: 01/31/2024 +ms.date: 04/10/2024 --- @@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the L 10.0.25145, 10.0.22621.1480, 10.0.22000.1754, 10.0.20348.1663, 10.0.19041.2784, 10.0.17763.4244 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/networkproxy-ddf.md b/windows/client-management/mdm/networkproxy-ddf.md index a7ee14b7ab..77e03cd531 100644 --- a/windows/client-management/mdm/networkproxy-ddf.md +++ b/windows/client-management/mdm/networkproxy-ddf.md @@ -1,7 +1,7 @@ --- title: NetworkProxy DDF file description: View the XML file containing the device description framework (DDF) for the NetworkProxy configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the N 10.0.15063 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/networkqospolicy-ddf.md b/windows/client-management/mdm/networkqospolicy-ddf.md index 16220bc01f..0a77596722 100644 --- a/windows/client-management/mdm/networkqospolicy-ddf.md +++ b/windows/client-management/mdm/networkqospolicy-ddf.md @@ -1,7 +1,7 @@ --- title: NetworkQoSPolicy DDF file description: View the XML file containing the device description framework (DDF) for the NetworkQoSPolicy configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the N 10.0.19042 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/nodecache-ddf-file.md b/windows/client-management/mdm/nodecache-ddf-file.md index 0dd13ab94a..80a2ad5119 100644 --- a/windows/client-management/mdm/nodecache-ddf-file.md +++ b/windows/client-management/mdm/nodecache-ddf-file.md @@ -1,7 +1,7 @@ --- title: NodeCache DDF file description: View the XML file containing the device description framework (DDF) for the NodeCache configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the N 10.0.15063 1.1 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; @@ -294,7 +294,7 @@ The following XML file contains the device description framework (DDF) for the N 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/office-ddf.md b/windows/client-management/mdm/office-ddf.md index 1453b24f55..7714d02e5e 100644 --- a/windows/client-management/mdm/office-ddf.md +++ b/windows/client-management/mdm/office-ddf.md @@ -1,7 +1,7 @@ --- title: Office DDF file description: View the XML file containing the device description framework (DDF) for the Office configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the O 10.0.15063 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; @@ -211,7 +211,7 @@ The following XML file contains the device description framework (DDF) for the O 10.0.15063 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index 6c581a7335..d9bd9dba10 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md @@ -1,7 +1,7 @@ --- title: PassportForWork CSP description: Learn more about the PassportForWork CSP. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -197,8 +197,8 @@ Disable caching of the Windows Hello for Business credential after sign-in. | Value | Description | |:--|:--| -| false (Default) | Disabled. | -| true | Enabled. | +| false (Default) | Credential Caching Enabled. | +| true | Credential Caching Disabled. | @@ -246,8 +246,8 @@ Don't start Windows Hello provisioning after sign-in. | Value | Description | |:--|:--| -| false (Default) | Post Logon Provisioning Enabled. | -| true | Post Logon Provisioning Disabled. | +| false (Default) | Provisioning Enabled. | +| true | Provisioning Disabled. | diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md index 92e080ba93..0c1cf45b97 100644 --- a/windows/client-management/mdm/passportforwork-ddf.md +++ b/windows/client-management/mdm/passportforwork-ddf.md @@ -1,7 +1,7 @@ --- title: PassportForWork DDF file description: View the XML file containing the device description framework (DDF) for the PassportForWork configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the P 10.0.10586 1.2 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; @@ -565,7 +565,7 @@ If you do not configure this policy setting, Windows Hello for Business requires 10.0.10586 1.2 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; @@ -876,11 +876,11 @@ If you disable or do not configure this policy setting, the PIN recovery secret false - Post Logon Provisioning Enabled + Provisioning Enabled true - Post Logon Provisioning Disabled + Provisioning Disabled @@ -915,11 +915,11 @@ If you disable or do not configure this policy setting, the PIN recovery secret false - Disabled + Credential Caching Enabled true - Enabled + Credential Caching Disabled @@ -934,7 +934,7 @@ If you disable or do not configure this policy setting, the PIN recovery secret False - Windows Hello for Business can use certificates to authenticate to on-premise resources. + Windows Hello for Business can use certificates to authenticate to on-premise resources. If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN. diff --git a/windows/client-management/mdm/personaldataencryption-ddf-file.md b/windows/client-management/mdm/personaldataencryption-ddf-file.md index 8cd2a70919..f4f4cd55fc 100644 --- a/windows/client-management/mdm/personaldataencryption-ddf-file.md +++ b/windows/client-management/mdm/personaldataencryption-ddf-file.md @@ -1,7 +1,7 @@ --- title: PDE DDF file description: View the XML file containing the device description framework (DDF) for the PDE configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the P 10.0.22621 1.0 - 0x4;0x1B;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0xAB;0xAC;0xBC;0xBF;0xCD;0xCF; + 0x4;0x1B;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0xAB;0xAC;0xBC;0xBF;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md index 614e47b8a9..bf0dff0947 100644 --- a/windows/client-management/mdm/personalization-csp.md +++ b/windows/client-management/mdm/personalization-csp.md @@ -1,7 +1,7 @@ --- title: Personalization CSP description: Learn more about the Personalization CSP. -ms.date: 03/05/2024 +ms.date: 04/10/2024 --- @@ -9,6 +9,8 @@ ms.date: 03/05/2024 # Personalization CSP +[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] + The Personalization CSP can set the lock screen, desktop background images and company branding on sign-in screen ([BootToCloud mode](policy-csp-clouddesktop.md#boottocloudmode) only). Setting these policies also prevents the user from changing the image. You can also use the Personalization settings in a provisioning package. @@ -36,7 +38,7 @@ The following list shows the Personalization configuration service provider node | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.3235] and later | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -75,7 +77,7 @@ This represents the status of the Company Logo. 1 - Successfully downloaded or c | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.3235] and later | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -114,7 +116,7 @@ An http or https Url to a jpg, jpeg or png image that needs to be downloaded and | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.3235] and later | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -125,7 +127,7 @@ An http or https Url to a jpg, jpeg or png image that needs to be downloaded and -The name of the company to be displayed on the sign-in screen. This setting is currently available for boot to cloud shared pc mode only. +This represents the name of the company. It can be at most 30 characters long. This setting is currently available only for boot to cloud shared pc mode to display the company name on sign-in screen. diff --git a/windows/client-management/mdm/personalization-ddf.md b/windows/client-management/mdm/personalization-ddf.md index 87ccb6cf93..6c5af077dd 100644 --- a/windows/client-management/mdm/personalization-ddf.md +++ b/windows/client-management/mdm/personalization-ddf.md @@ -1,7 +1,7 @@ --- title: Personalization DDF file description: View the XML file containing the device description framework (DDF) for the Personalization configuration service provider. -ms.date: 03/05/2024 +ms.date: 04/10/2024 --- @@ -42,7 +42,7 @@ The following XML file contains the device description framework (DDF) for the P 10.0.16299 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; @@ -101,7 +101,7 @@ The following XML file contains the device description framework (DDF) for the P - A http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Lock Screen Image or a file Url to a local image on the file system that needs to be used as the Lock Screen Image. + A http or https Url to a jpg, jpeg or png image that neeeds to be downloaded and used as the Lock Screen Image or a file Url to a local image on the file system that needs to be used as the Lock Screen Image. @@ -148,7 +148,7 @@ The following XML file contains the device description framework (DDF) for the P - A http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Company Logo or a file Url to a local image on the file system that needs to be used as the Company Logo. This setting is currently available for boot to cloud shared pc mode only. + A http or https Url to a jpg, jpeg or png image that neeeds to be downloaded and used as the Company Logo or a file Url to a local image on the file system that needs to be used as the Company Logo. This setting is currently available for boot to cloud shared pc mode only. @@ -162,7 +162,7 @@ The following XML file contains the device description framework (DDF) for the P - 10.0.22621.3235 + 99.9.99999 2.0 @@ -189,7 +189,7 @@ The following XML file contains the device description framework (DDF) for the P - 10.0.22621.3235 + 99.9.99999 2.0 @@ -203,7 +203,7 @@ The following XML file contains the device description framework (DDF) for the P - The name of the company to be displayed on the sign-in screen. This setting is currently available for boot to cloud shared pc mode only. + This represents the name of the company. It can be at most 30 characters long. This setting is currently available only for boot to cloud shared pc mode to display the company name on sign-in screen. @@ -217,7 +217,7 @@ The following XML file contains the device description framework (DDF) for the P - 10.0.22621.3235 + 99.9.99999 2.0 diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 254cb8d7aa..d24e808921 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -1,7 +1,7 @@ --- title: ADMX-backed policies in Policy CSP description: Learn about the ADMX-backed policies in Policy CSP. -ms.date: 01/31/2024 +ms.date: 04/10/2024 --- @@ -539,8 +539,6 @@ This article lists the ADMX-backed policies in Policy CSP. - [HelpQualifiedRootDir_Comp](policy-csp-admx-help.md) - [RestrictRunFromHelp_Comp](policy-csp-admx-help.md) - [DisableHHDEP](policy-csp-admx-help.md) -- [AllowChildProcesses](policy-csp-admx-help.md) -- [HideChildProcessMessageBox](policy-csp-admx-help.md) ## ADMX_HelpAndSupport @@ -2537,8 +2535,8 @@ This article lists the ADMX-backed policies in Policy CSP. - [RequireSecureRPCCommunication](policy-csp-remotedesktopservices.md) - [ClientConnectionEncryptionLevel](policy-csp-remotedesktopservices.md) - [DoNotAllowWebAuthnRedirection](policy-csp-remotedesktopservices.md) -- [DisconnectOnLockBasicAuthn](policy-csp-remotedesktopservices.md) -- [DisconnectOnLockWebAccountAuthn](policy-csp-remotedesktopservices.md) +- [DisconnectOnLockLegacyAuthn](policy-csp-remotedesktopservices.md) +- [DisconnectOnLockMicrosoftIdentityAuthn](policy-csp-remotedesktopservices.md) ## RemoteManagement @@ -2590,10 +2588,6 @@ This article lists the ADMX-backed policies in Policy CSP. - [WPDDevicesDenyReadAccessPerDevice](policy-csp-storage.md) - [WPDDevicesDenyWriteAccessPerDevice](policy-csp-storage.md) -## Sudo - -- [EnableSudo](policy-csp-sudo.md) - ## System - [BootStartDriverInitialization](policy-csp-system.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md index 40ec4c37e3..49d00a03bf 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md @@ -1,7 +1,7 @@ --- title: Policies in Policy CSP supported by Group Policy description: Learn about the policies in Policy CSP supported by Group Policy. -ms.date: 01/31/2024 +ms.date: 04/10/2024 --- @@ -659,6 +659,10 @@ This article lists the policies in Policy CSP that have a group policy mapping. - [ConfigStorageSenseDownloadsCleanupThreshold](policy-csp-storage.md) - [ConfigStorageSenseCloudContentDehydrationThreshold](policy-csp-storage.md) +## Sudo + +- [EnableSudo](policy-csp-sudo.md) + ## System - [AllowTelemetry](policy-csp-system.md) diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index 0c304bbebb..814a56440e 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -1,7 +1,7 @@ --- title: AboveLock Policy CSP description: Learn more about the AboveLock Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -22,7 +22,7 @@ ms.date: 01/18/2024 | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later | +| ✅ Device
❌ User | Deprecated | ✅ Windows 10, version 1507 [10.0.10240] and later | diff --git a/windows/client-management/mdm/policy-csp-admx-help.md b/windows/client-management/mdm/policy-csp-admx-help.md index ee3e45f1c6..b51b3ad8ab 100644 --- a/windows/client-management/mdm/policy-csp-admx-help.md +++ b/windows/client-management/mdm/policy-csp-admx-help.md @@ -1,7 +1,7 @@ --- title: ADMX_Help Policy CSP description: Learn more about the ADMX_Help Area in Policy CSP. -ms.date: 01/31/2024 +ms.date: 04/10/2024 --- @@ -11,62 +11,10 @@ ms.date: 01/31/2024 [!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)] -[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] - - -## AllowChildProcesses - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Help/AllowChildProcesses -``` - - - - - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | `chr` (string) | -| Access Type | Add, Delete, Get, Replace | - - - - -[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)] - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | AllowChildProcesses | -| ADMX File Name | Help.admx | - - - - - - - - ## DisableHHDEP @@ -200,56 +148,6 @@ For additional options, see the "Restrict these programs from being launched fro - -## HideChildProcessMessageBox - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Help/HideChildProcessMessageBox -``` - - - - - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | `chr` (string) | -| Access Type | Add, Delete, Get, Replace | - - - - -[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)] - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | HideChildProcessMessageBox | -| ADMX File Name | Help.admx | - - - - - - - - ## RestrictRunFromHelp diff --git a/windows/client-management/mdm/policy-csp-admx-startmenu.md b/windows/client-management/mdm/policy-csp-admx-startmenu.md index 0a223d43d0..387bcff31c 100644 --- a/windows/client-management/mdm/policy-csp-admx-startmenu.md +++ b/windows/client-management/mdm/policy-csp-admx-startmenu.md @@ -1,7 +1,7 @@ --- title: ADMX_StartMenu Policy CSP description: Learn more about the ADMX_StartMenu Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -3577,7 +3577,7 @@ This policy setting allows you to remove links and access to Windows Update. - If you enable this policy setting, users are prevented from connecting to the Windows Update Web site. -Enabling this policy setting blocks user access to the Windows Update Web site at< https://windowsupdate.microsoft.com>. Also, the policy setting removes the Windows Update hyperlink from the Start menu and from the Tools menu in Internet Explorer. +Enabling this policy setting blocks user access to the Windows Update Web site at `https://windowsupdate.microsoft.com`. Also, the policy setting removes the Windows Update hyperlink from the Start menu and from the Tools menu in Internet Explorer. Windows Update, the online extension of Windows, offers software updates to keep a user's system up-to-date. The Windows Update Product Catalog determines any system files, security fixes, and Microsoft updates that users need and shows the newest versions available for download. diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index ba4fc8b016..bd2f581667 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -1,7 +1,7 @@ --- title: ApplicationManagement Policy CSP description: Learn more about the ApplicationManagement Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -428,7 +428,7 @@ Manages a Windows app's ability to share data between users who have installed t | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ❌ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later | +| ✅ Device
❌ User | Deprecated | ✅ Windows 10, version 1507 [10.0.10240] and later | @@ -480,7 +480,7 @@ This policy is deprecated. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later | +| ✅ Device
❌ User | Deprecated | ✅ Windows 10, version 1507 [10.0.10240] and later | diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 0831538391..da67e34879 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -1,7 +1,7 @@ --- title: Browser Policy CSP description: Learn more about the Browser Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -178,7 +178,7 @@ To verify AllowAutofill is set to 0 (not allowed): | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later | +| ✅ Device
✅ User | Deprecated | ✅ Windows 10, version 1507 [10.0.10240] and later | @@ -2713,7 +2713,7 @@ Important. Discontinued in Windows 10, version 1511. Use the Browser/EnterpriseM | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later | +| ✅ Device
✅ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE
❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later | diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index 26b96531e8..f15674c986 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -1,7 +1,7 @@ --- title: Connectivity Policy CSP description: Learn more about the Connectivity Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -252,7 +252,7 @@ To validate, the enterprise can confirm by observing the roaming enable switch i | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later | +| ✅ Device
❌ User | Deprecated | ✅ Windows 10, version 1507 [10.0.10240] and later | @@ -375,7 +375,7 @@ Device that has previously opt-in to MMX will also stop showing on the device li | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later | +| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE
❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later | diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 649a6dada2..1dea6a8e0c 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -1,7 +1,7 @@ --- title: DeviceLock Policy CSP description: Learn more about the DeviceLock Area in Policy CSP. -ms.date: 01/31/2024 +ms.date: 04/10/2024 --- @@ -114,7 +114,7 @@ Allow Administrator account lockout This security setting determines whether the | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later | +| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE
❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later | @@ -782,7 +782,7 @@ On HoloLens, this timeout is controlled by the device's system sleep timeout, re | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later | +| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE
❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later | diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index f7ecf4bf2a..7b2949f96c 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -1,7 +1,7 @@ --- title: Experience Policy CSP description: Learn more about the Experience Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -100,7 +100,7 @@ Policy change takes effect immediately. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later | +| ✅ Device
❌ User | Deprecated | ✅ Windows 10, version 1507 [10.0.10240] and later | @@ -833,7 +833,7 @@ This policy allows you to prevent Windows from using diagnostic data to provide | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later | +| ✅ Device
❌ User | Deprecated | ✅ Windows 10, version 1507 [10.0.10240] and later | @@ -949,7 +949,7 @@ Specifies whether to allow app and content suggestions from third-party software | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later | +| ✅ Device
❌ User | Deprecated | ✅ Windows 10, version 1507 [10.0.10240] and later | @@ -1887,7 +1887,7 @@ _**Turn syncing off by default but don’t disable**_ | Scope | Editions | Applicable OS | |:--|:--|:--| -| ❌ Device
✅ User | ❌ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | +| ❌ Device
✅ User | ❌ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.900] and later
✅ Windows Insider Preview | diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md index 2e7833047e..1af96611e4 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md +++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md @@ -1,7 +1,7 @@ --- title: RemoteDesktopServices Policy CSP description: Learn more about the RemoteDesktopServices Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -150,39 +150,39 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp - -## DisconnectOnLockBasicAuthn + +## DisconnectOnLockLegacyAuthn - + | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | - + - + ```Device -./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DisconnectOnLockBasicAuthn +./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DisconnectOnLockLegacyAuthn ``` - + - + - + - + - + - + **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `chr` (string) | | Access Type | Add, Delete, Get, Replace | - + - + [!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)] @@ -192,47 +192,47 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp |:--|:--| | Name | TS_DISCONNECT_ON_LOCK_POLICY | | ADMX File Name | terminalserver.admx | - + - + - + - + - -## DisconnectOnLockWebAccountAuthn + +## DisconnectOnLockMicrosoftIdentityAuthn - + | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | - + - + ```Device -./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DisconnectOnLockWebAccountAuthn +./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DisconnectOnLockMicrosoftIdentityAuthn ``` - + - + - + - + - + - + **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `chr` (string) | | Access Type | Add, Delete, Get, Replace | - + - + [!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)] @@ -242,13 +242,13 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp |:--|:--| | Name | TS_DISCONNECT_ON_LOCK_AAD_POLICY | | ADMX File Name | terminalserver.admx | - + - + - + - + ## DoNotAllowDriveRedirection diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index ba702af769..5dfed52c87 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -1,7 +1,7 @@ --- title: Search Policy CSP description: Learn more about the Search Area in Policy CSP. -ms.date: 01/31/2024 +ms.date: 04/10/2024 --- @@ -1116,7 +1116,7 @@ If enabled, clients will be unable to query this computer's index remotely. Thus | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later | +| ✅ Device
❌ User | Deprecated | ✅ Windows 10, version 1607 [10.0.14393] and later | diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index b1093ffddc..1a2bd22a61 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md @@ -1,7 +1,7 @@ --- title: Security Policy CSP description: Learn more about the Security Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -71,7 +71,7 @@ Specifies whether to allow the runtime configuration agent to install provisioni | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later | +| ✅ Device
❌ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE
❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later | @@ -172,7 +172,7 @@ Specifies whether to allow the runtime configuration agent to remove provisionin | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later | +| ✅ Device
❌ User | Deprecated | ✅ Windows 10, version 1507 [10.0.10240] and later | diff --git a/windows/client-management/mdm/policy-csp-sudo.md b/windows/client-management/mdm/policy-csp-sudo.md index 13be1bd00e..09a4e3c938 100644 --- a/windows/client-management/mdm/policy-csp-sudo.md +++ b/windows/client-management/mdm/policy-csp-sudo.md @@ -1,7 +1,7 @@ --- title: Sudo Policy CSP description: Learn more about the Sudo Area in Policy CSP. -ms.date: 01/31/2024 +ms.date: 04/10/2024 --- @@ -9,8 +9,6 @@ ms.date: 01/31/2024 # Policy CSP - Sudo -[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)] - [!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] @@ -45,21 +43,30 @@ ms.date: 01/31/2024 | Property name | Property value | |:--|:--| -| Format | `chr` (string) | +| Format | `int` | | Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | - - -[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)] + +**Allowed values**: -**ADMX mapping**: +| Value | Description | +|:--|:--| +| 0 | Sudo is disabled. | +| 1 | Sudo is allowed in 'force new window' mode. | +| 2 | Sudo is allowed in 'disable input' mode. | +| 3 (Default) | Sudo is allowed in 'inline' mode. | + + + +**Group policy mapping**: | Name | Value | |:--|:--| | Name | EnableSudo | -| ADMX File Name | Sudo.admx | - +| Path | Sudo > AT > System | + diff --git a/windows/client-management/mdm/policy-csp-systemservices.md b/windows/client-management/mdm/policy-csp-systemservices.md index b08d9a0c2d..2d9c9595f5 100644 --- a/windows/client-management/mdm/policy-csp-systemservices.md +++ b/windows/client-management/mdm/policy-csp-systemservices.md @@ -1,7 +1,7 @@ --- title: SystemServices Policy CSP description: Learn more about the SystemServices Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -9,6 +9,8 @@ ms.date: 01/18/2024 # Policy CSP - SystemServices +[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] + @@ -19,7 +21,7 @@ ms.date: 01/18/2024 | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -169,7 +171,7 @@ This setting determines whether the service's start type is Automatic(2), Manual | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -219,7 +221,7 @@ This setting determines whether the service's start type is Automatic(2), Manual | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -269,7 +271,7 @@ This setting determines whether the service's start type is Automatic(2), Manual | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -319,7 +321,7 @@ This setting determines whether the service's start type is Automatic(2), Manual | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -369,7 +371,7 @@ This setting determines whether the service's start type is Automatic(2), Manual | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -419,7 +421,7 @@ This setting determines whether the service's start type is Automatic(2), Manual | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -469,7 +471,7 @@ This setting determines whether the service's start type is Automatic(2), Manual | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -519,7 +521,7 @@ This setting determines whether the service's start type is Automatic(2), Manual | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -569,7 +571,7 @@ This setting determines whether the service's start type is Automatic(2), Manual | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -619,7 +621,7 @@ This setting determines whether the service's start type is Automatic(2), Manual | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -669,7 +671,7 @@ This setting determines whether the service's start type is Automatic(2), Manual | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -719,7 +721,7 @@ This setting determines whether the service's start type is Automatic(2), Manual | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -769,7 +771,7 @@ This setting determines whether the service's start type is Automatic(2), Manual | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -819,7 +821,7 @@ This setting determines whether the service's start type is Automatic(2), Manual | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | @@ -869,7 +871,7 @@ This setting determines whether the service's start type is Automatic(2), Manual | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md index ec0faa2924..7da176086f 100644 --- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md +++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md @@ -1,7 +1,7 @@ --- title: TimeLanguageSettings Policy CSP description: Learn more about the TimeLanguageSettings Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -22,7 +22,7 @@ ms.date: 01/18/2024 | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1703 [10.0.15063] and later | +| ✅ Device
❌ User | Deprecated | ✅ Windows 10, version 1703 [10.0.15063] and later | diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index 8af407de72..d9c4d40da1 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -1,7 +1,7 @@ --- title: WindowsLogon Policy CSP description: Learn more about the WindowsLogon Area in Policy CSP. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -34,11 +34,11 @@ ms.date: 01/18/2024 This policy setting controls whether a device will automatically sign in and lock the last interactive user after the system restarts or after a shutdown and cold boot. -This only occurs if the last interactive user didn't sign out before the restart or shutdown. +This only occurs if the last interactive user didn't sign out before the restart or shutdown. If the device is joined to Active Directory or Microsoft Entra ID, this policy only applies to Windows Update restarts. Otherwise, this will apply to both Windows Update restarts and user-initiated restarts and shutdowns. -- If you don't configure this policy setting, it's enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots. +- If you don't configure this policy setting, it's enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots. After enabling this policy, you can configure its settings through the ConfigAutomaticRestartSignOn policy, which configures the mode of automatically signing in and locking the last interactive user after a restart or cold boot . diff --git a/windows/client-management/mdm/printerprovisioning-ddf-file.md b/windows/client-management/mdm/printerprovisioning-ddf-file.md index 3c4a974d93..21cb02133b 100644 --- a/windows/client-management/mdm/printerprovisioning-ddf-file.md +++ b/windows/client-management/mdm/printerprovisioning-ddf-file.md @@ -1,7 +1,7 @@ --- title: PrinterProvisioning DDF file description: View the XML file containing the device description framework (DDF) for the PrinterProvisioning configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the P 10.0.22000, 10.0.19044.1806, 10.0.19043.1806, 10.0.19042.1806 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/reboot-ddf-file.md b/windows/client-management/mdm/reboot-ddf-file.md index 3b86f5316c..a1c58cf7c1 100644 --- a/windows/client-management/mdm/reboot-ddf-file.md +++ b/windows/client-management/mdm/reboot-ddf-file.md @@ -1,7 +1,7 @@ --- title: Reboot DDF file description: View the XML file containing the device description framework (DDF) for the Reboot configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the R 10.0.14393 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/rootcacertificates-ddf-file.md b/windows/client-management/mdm/rootcacertificates-ddf-file.md index d5a746496d..5ae45109b0 100644 --- a/windows/client-management/mdm/rootcacertificates-ddf-file.md +++ b/windows/client-management/mdm/rootcacertificates-ddf-file.md @@ -1,7 +1,7 @@ --- title: RootCATrustedCertificates DDF file description: View the XML file containing the device description framework (DDF) for the RootCATrustedCertificates configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the R 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; @@ -1067,7 +1067,7 @@ The following XML file contains the device description framework (DDF) for the R 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/secureassessment-ddf-file.md b/windows/client-management/mdm/secureassessment-ddf-file.md index ef8d526873..c4e5cf2830 100644 --- a/windows/client-management/mdm/secureassessment-ddf-file.md +++ b/windows/client-management/mdm/secureassessment-ddf-file.md @@ -1,7 +1,7 @@ --- title: SecureAssessment DDF file description: View the XML file containing the device description framework (DDF) for the SecureAssessment configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the S 10.0.15063 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/sharedpc-ddf-file.md b/windows/client-management/mdm/sharedpc-ddf-file.md index fd1f225e74..710f837864 100644 --- a/windows/client-management/mdm/sharedpc-ddf-file.md +++ b/windows/client-management/mdm/sharedpc-ddf-file.md @@ -1,7 +1,7 @@ --- title: SharedPC DDF file description: View the XML file containing the device description framework (DDF) for the SharedPC configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the S 10.0.14393 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md index e489dea63b..3f4964bf42 100644 --- a/windows/client-management/mdm/supl-ddf-file.md +++ b/windows/client-management/mdm/supl-ddf-file.md @@ -1,7 +1,7 @@ --- title: SUPL DDF file description: View the XML file containing the device description framework (DDF) for the SUPL configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -42,7 +42,7 @@ The following XML file contains the device description framework (DDF) for the S 10.0.10240 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/vpnv2-ddf-file.md b/windows/client-management/mdm/vpnv2-ddf-file.md index badf9f29e6..601a0363a7 100644 --- a/windows/client-management/mdm/vpnv2-ddf-file.md +++ b/windows/client-management/mdm/vpnv2-ddf-file.md @@ -1,7 +1,7 @@ --- title: VPNv2 DDF file description: View the XML file containing the device description framework (DDF) for the VPNv2 configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the V 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; @@ -3265,7 +3265,7 @@ The following XML file contains the device description framework (DDF) for the V 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md index a0ff37f35e..a43971553f 100644 --- a/windows/client-management/mdm/wifi-ddf-file.md +++ b/windows/client-management/mdm/wifi-ddf-file.md @@ -1,7 +1,7 @@ --- title: WiFi DDF file description: View the XML file containing the device description framework (DDF) for the WiFi configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the W 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; @@ -322,7 +322,7 @@ The following XML file contains the device description framework (DDF) for the W 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md index bdee83a712..83c52f17cc 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md @@ -1,7 +1,7 @@ --- title: WindowsDefenderApplicationGuard DDF file description: View the XML file containing the device description framework (DDF) for the WindowsDefenderApplicationGuard configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the W 10.0.16299 1.1 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md index 2830112994..a8bb624a6b 100644 --- a/windows/client-management/mdm/windowslicensing-ddf-file.md +++ b/windows/client-management/mdm/windowslicensing-ddf-file.md @@ -1,7 +1,7 @@ --- title: WindowsLicensing DDF file description: View the XML file containing the device description framework (DDF) for the WindowsLicensing configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the W 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xBC;0xBF;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xBC;0xBF;0xCD;0xCF;0xD2; diff --git a/windows/client-management/mdm/wirednetwork-ddf-file.md b/windows/client-management/mdm/wirednetwork-ddf-file.md index ba3a3845ed..ddb1f28855 100644 --- a/windows/client-management/mdm/wirednetwork-ddf-file.md +++ b/windows/client-management/mdm/wirednetwork-ddf-file.md @@ -1,7 +1,7 @@ --- title: WiredNetwork DDF file description: View the XML file containing the device description framework (DDF) for the WiredNetwork configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/10/2024 --- @@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the W 10.0.17763 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; @@ -118,7 +118,7 @@ The following XML file contains the device description framework (DDF) for the W 10.0.17763 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; From 27a7bcbf7f4aa3cfa05efdd21c257ef3f106fa3a Mon Sep 17 00:00:00 2001 From: "Vinay Pamnani (from Dev Box)" Date: Wed, 10 Apr 2024 13:11:56 -0600 Subject: [PATCH 05/12] Update --- .../mdm/policy-configuration-service-provider.md | 3 ++- windows/client-management/mdm/policy-csp-abovelock.md | 2 +- .../mdm/policy-csp-applicationmanagement.md | 4 ++-- windows/client-management/mdm/policy-csp-browser.md | 2 +- windows/client-management/mdm/policy-csp-connectivity.md | 2 +- windows/client-management/mdm/policy-csp-experience.md | 6 +++--- windows/client-management/mdm/policy-csp-search.md | 2 +- windows/client-management/mdm/policy-csp-security.md | 2 +- .../mdm/policy-csp-timelanguagesettings.md | 2 +- 9 files changed, 13 insertions(+), 12 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index efc7033c36..b51df93617 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1,7 +1,7 @@ --- title: Policy CSP description: Learn more about the Policy CSP. -ms.date: 01/31/2024 +ms.date: 04/10/2024 --- @@ -1151,6 +1151,7 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs f - [Settings](policy-csp-settings.md) - [SettingsSync](policy-csp-settingssync.md) - [SmartScreen](policy-csp-smartscreen.md) +- [SpeakForMe](policy-csp-speakforme.md) - [Speech](policy-csp-speech.md) - [Start](policy-csp-start.md) - [Stickers](policy-csp-stickers.md) diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index 814a56440e..05e84c1ade 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -22,7 +22,7 @@ ms.date: 04/10/2024 | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | Deprecated | ✅ Windows 10, version 1507 [10.0.10240] and later | +| ✅ Device
❌ User | Not applicable | ✅ Windows 10, version 1507 [10.0.10240] and later | diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index bd2f581667..7b1698c462 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -428,7 +428,7 @@ Manages a Windows app's ability to share data between users who have installed t | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | Deprecated | ✅ Windows 10, version 1507 [10.0.10240] and later | +| ✅ Device
❌ User | Not applicable | ✅ Windows 10, version 1507 [10.0.10240] and later | @@ -480,7 +480,7 @@ This policy is deprecated. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | Deprecated | ✅ Windows 10, version 1507 [10.0.10240] and later | +| ✅ Device
❌ User | Not applicable | ✅ Windows 10, version 1507 [10.0.10240] and later | diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index da67e34879..88527a21f7 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -178,7 +178,7 @@ To verify AllowAutofill is set to 0 (not allowed): | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
✅ User | Deprecated | ✅ Windows 10, version 1507 [10.0.10240] and later | +| ✅ Device
✅ User | Not applicable | ✅ Windows 10, version 1507 [10.0.10240] and later | diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index f15674c986..1a15adf8c0 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -252,7 +252,7 @@ To validate, the enterprise can confirm by observing the roaming enable switch i | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | Deprecated | ✅ Windows 10, version 1507 [10.0.10240] and later | +| ✅ Device
❌ User | Not applicable | ✅ Windows 10, version 1507 [10.0.10240] and later | diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index 7b2949f96c..3bc6e9af56 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -100,7 +100,7 @@ Policy change takes effect immediately. | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | Deprecated | ✅ Windows 10, version 1507 [10.0.10240] and later | +| ✅ Device
❌ User | Not applicable | ✅ Windows 10, version 1507 [10.0.10240] and later | @@ -833,7 +833,7 @@ This policy allows you to prevent Windows from using diagnostic data to provide | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | Deprecated | ✅ Windows 10, version 1507 [10.0.10240] and later | +| ✅ Device
❌ User | Not applicable | ✅ Windows 10, version 1507 [10.0.10240] and later | @@ -949,7 +949,7 @@ Specifies whether to allow app and content suggestions from third-party software | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | Deprecated | ✅ Windows 10, version 1507 [10.0.10240] and later | +| ✅ Device
❌ User | Not applicable | ✅ Windows 10, version 1507 [10.0.10240] and later | diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index 5dfed52c87..1260cd7ab1 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -1116,7 +1116,7 @@ If enabled, clients will be unable to query this computer's index remotely. Thus | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | Deprecated | ✅ Windows 10, version 1607 [10.0.14393] and later | +| ✅ Device
❌ User | Not applicable | ✅ Windows 10, version 1607 [10.0.14393] and later | diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index 1a2bd22a61..25e55a8941 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md @@ -172,7 +172,7 @@ Specifies whether to allow the runtime configuration agent to remove provisionin | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | Deprecated | ✅ Windows 10, version 1507 [10.0.10240] and later | +| ✅ Device
❌ User | Not applicable | ✅ Windows 10, version 1507 [10.0.10240] and later | diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md index 7da176086f..cfd36f3bb7 100644 --- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md +++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md @@ -22,7 +22,7 @@ ms.date: 04/10/2024 | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | Deprecated | ✅ Windows 10, version 1703 [10.0.15063] and later | +| ✅ Device
❌ User | Not applicable | ✅ Windows 10, version 1703 [10.0.15063] and later | From cbff431700f6c8de3d8aaf1537e156051f5196e7 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 11 Apr 2024 09:01:37 -0700 Subject: [PATCH 06/12] Replace absolute link with site-relative --- .../operate/windows-autopatch-reliability-report.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-reliability-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-reliability-report.md index f019997bf1..660527685b 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-reliability-report.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-reliability-report.md @@ -20,7 +20,7 @@ ms.collection: > [!IMPORTANT] > This feature is in **public preview**. It's being actively developed, and might not be complete. -The Reliability report provides a reliability score for each Windows quality update cycle based on [stop error codes](https://learn.microsoft.com/troubleshoot/windows-client/performance/stop-error-or-blue-screen-error-troubleshooting) detected on managed devices. Scores are determined at both the service and tenant level. Details on modules associated with stop error codes at the tenant level are provided to better understand how devices are affected. +The Reliability report provides a reliability score for each Windows quality update cycle based on [stop error codes](/troubleshoot/windows-client/performance/stop-error-or-blue-screen-error-troubleshooting) detected on managed devices. Scores are determined at both the service and tenant level. Details on modules associated with stop error codes at the tenant level are provided to better understand how devices are affected. > [!NOTE] > **The Reliability report applies to quality updates only**. The Reliability report doesn't currently support Windows feature updates.

Scores used in this report are calculated based on devices running both Windows 10 and Windows 11 versions.

From 6c6246d6e16271cd11f631290a987b2009df3231 Mon Sep 17 00:00:00 2001 From: "Vinay Pamnani (from Dev Box)" Date: Thu, 11 Apr 2024 10:17:00 -0600 Subject: [PATCH 07/12] Fix link --- .../mdm/policy-configuration-service-provider.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index b51df93617..7aa96cc52c 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1151,7 +1151,6 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs f - [Settings](policy-csp-settings.md) - [SettingsSync](policy-csp-settingssync.md) - [SmartScreen](policy-csp-smartscreen.md) -- [SpeakForMe](policy-csp-speakforme.md) - [Speech](policy-csp-speech.md) - [Start](policy-csp-start.md) - [Stickers](policy-csp-stickers.md) From eb25aa7a3610ed4d98b15dea69a79176ad51247e Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Mon, 15 Apr 2024 11:51:14 -0400 Subject: [PATCH 08/12] =?UTF-8?q?Reapply=20"Updated=20policy=20limit=20inf?= =?UTF-8?q?ormation=20to=20reflect=20current=20state.=20Fixed=20acro?= =?UTF-8?q?=E2=80=A6"?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This reverts commit 19377758673e71db9440cff844f82beb428f84d8. --- .../design/deploy-multiple-wdac-policies.md | 28 ++++++++----------- .../operations/known-issues.md | 23 +++++++-------- 2 files changed, 22 insertions(+), 29 deletions(-) diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md index 1d76e0e5a9..b9655217a3 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md @@ -2,7 +2,7 @@ title: Use multiple Windows Defender Application Control Policies description: Windows Defender Application Control supports multiple code integrity policies for one device. ms.localizationpriority: medium -ms.date: 07/19/2021 +ms.date: 03/13/2024 ms.topic: article --- @@ -11,17 +11,19 @@ ms.topic: article >[!NOTE] >Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md). -Prior to Windows 10 1903, Windows Defender Application Control only supported a single active policy on a system at any given time. This limited customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports up to 32 active policies on a device at once in order to enable the following scenarios: +Beginning with Windows 10 version 1903 and Windows Server 2022, you can deploy multiple Windows Defender Application Control (WDAC) policies side-by-side on a device. To allow more than 32 active policies, install the Windows security update released on, or after, March 12, 2024 and then restart the device. With these updates, there's no limit for the number of policies you can deploy at once to a given device. Until you install the Windows security update released on or after March 12, 2024, your device is limited to 32 active policies and you must not exceed that number. + +Here are some common scenarios where multiple side-by-side policies are useful: 1. Enforce and Audit Side-by-Side - To validate policy changes before deploying in enforcement mode, users can now deploy an audit-mode base policy side by side with an existing enforcement-mode base policy 2. Multiple Base Policies - Users can enforce two or more base policies simultaneously in order to allow simpler policy targeting for policies with different scope/intent - - If two base policies exist on a device, an application has to be allowed by both to run + - If two base policies exist on a device, an application must pass both policies for it to run 3. Supplemental Policies - Users can deploy one or more supplemental policies to expand a base policy - A supplemental policy expands a single base policy, and multiple supplemental policies can expand the same base policy - - For supplemental policies, applications that are allowed by either the base policy or its supplemental policy/policies are allowed to run + - For supplemental policies, applications allowed by either the base policy or its supplemental policy/policies run > [!NOTE] > Pre-1903 systems do not support the use of Multiple Policy Format WDAC policies. @@ -31,11 +33,11 @@ Prior to Windows 10 1903, Windows Defender Application Control only supported a - Multiple base policies: intersection - Only applications allowed by both policies run without generating block events - Base + supplemental policy: union - - Files that are allowed by either the base policy or the supplemental policy aren't blocked + - Files allowed by either the base policy or the supplemental policy run ## Creating WDAC policies in Multiple Policy Format -In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in [New-CIPolicy](/powershell/module/configci/new-cipolicy?preserve-view=true&view=win10-ps) results in 1) unique GUIDs being generated for the policy ID and 2) the policy type being specified as base. The below example describes the process of creating a new policy in the multiple policy format. +In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in [New-CIPolicy](/powershell/module/configci/new-cipolicy?preserve-view=true&view=win10-ps) results in 1) unique values generated for the policy ID and 2) the policy type set as a Base policy. The below example describes the process of creating a new policy in the multiple policy format. ```powershell New-CIPolicy -MultiplePolicyFormat -ScanPath "" -UserPEs -FilePath ".\policy.xml" -Level FilePublisher -Fallback SignedVersion,Publisher,Hash @@ -55,7 +57,7 @@ Add-SignerRule -FilePath ".\policy.xml" -CertificatePath [-K ### Supplemental policy creation -In order to create a supplemental policy, begin by creating a new policy in the Multiple Policy Format as shown above. From there, use Set-CIPolicyIdInfo to convert it to a supplemental policy and specify which base policy it expands. You can use either SupplementsBasePolicyID or BasePolicyToSupplementPath to specify the base policy. +In order to create a supplemental policy, begin by creating a new policy in the Multiple Policy Format as shown earlier. From there, use Set-CIPolicyIdInfo to convert it to a supplemental policy and specify which base policy it expands. You can use either SupplementsBasePolicyID or BasePolicyToSupplementPath to specify the base policy. - "SupplementsBasePolicyID": GUID of base policy that the supplemental policy applies to - "BasePolicyToSupplementPath": path to base policy file that the supplemental policy applies to @@ -66,11 +68,11 @@ Set-CIPolicyIdInfo -FilePath ".\supplemental_policy.xml" [-SupplementsBasePolicy ### Merging policies -When you're merging policies, the policy type and ID of the leftmost/first policy specified is used. If the leftmost is a base policy with ID \, then regardless of what the GUIDs and types are for any subsequent policies, the merged policy will be a base policy with ID \. +When you're merging policies, the policy type and ID of the leftmost/first policy specified is used. If the leftmost is a base policy with ID \, then regardless of what the GUIDs and types are for any subsequent policies, the merged policy is a base policy with ID \. ## Deploying multiple policies -In order to deploy multiple Windows Defender Application Control policies, you must either deploy them locally by copying the `*.cip` policy files into the proper folder or by using the ApplicationControl CSP, which is supported by Microsoft Intune's custom OMA-URI feature. +In order to deploy multiple Windows Defender Application Control policies, you must either deploy them locally by copying the `*.cip` policy files into the proper folder or by using the ApplicationControl CSP. ### Deploying multiple policies locally @@ -86,15 +88,9 @@ To deploy policies locally using the new multiple policy format, follow these st Multiple Windows Defender Application Control policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment.
-However, when policies are unenrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP. +However, when policies are unenrolled from an MDM server, the CSP attempts to remove every policy not actively deployed, not just the policies added by the CSP. This behavior happens because the system doesn't know what deployment methods were used to apply individual policies. For more information on deploying multiple policies, optionally using Microsoft Intune's custom OMA-URI capability, see [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp). > [!NOTE] > WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format Windows Defender Application Control policies. - -### Known Issues in Multiple Policy Format - -* If the maximum number of policies is exceeded, the device may bluescreen referencing ci.dll with a bug check value of 0x0000003b. -* If policies are loaded without requiring a reboot such as `PS_UpdateAndCompareCIPolicy`, they will still count towards this limit. -* This may pose an especially large challenge if the value of `{PolicyGUID}.cip` changes between releases. It may result in a long window between a change and the resultant reboot. diff --git a/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md b/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md index 91af264958..fbccba4c71 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md @@ -2,7 +2,7 @@ title: WDAC Admin Tips & Known Issues description: WDAC Known Issues ms.manager: jsuther -ms.date: 11/22/2023 +ms.date: 03/13/2024 ms.topic: article ms.localizationpriority: medium --- @@ -43,32 +43,28 @@ When the WDAC engine evaluates files against the active set of policies on the d 4. Lastly, WDAC makes a cloud call to the ISG to get reputation about the file, if the policy enables the ISG option. -5. If no explicit rule exists for the file and it's not allowed based on ISG or MI, then the file is blocked implicitly. +5. Any file not allowed by an explicit rule or based on ISG or MI is blocked implicitly. ## Known issues ### Boot stop failure (blue screen) occurs if more than 32 policies are active -If the maximum number of policies is exceeded, the device will bluescreen referencing ci.dll with a bug check value of 0x0000003b. Consider this maximum policy count limit when planning your WDAC policies. Any [Windows inbox policies](/windows/security/threat-protection/windows-defender-application-control/operations/inbox-wdac-policies) that are active on the device also count towards this limit. +Until you apply the Windows security update released on or after March 12, 2024, your device is limited to 32 active policies. If the maximum number of policies is exceeded, the device bluescreens referencing ci.dll with a bug check value of 0x0000003b. Consider this maximum policy count limit when planning your WDAC policies. Any [Windows inbox policies](/windows/security/threat-protection/windows-defender-application-control/operations/inbox-wdac-policies) that are active on the device also count towards this limit. To remove the maximum policy limit, install the Windows security update released on, or after, March 12, 2024 and then restart the device. Otherwise, reduce the number of policies on the device to remain below 32 policies. ### Audit mode policies can change the behavior for some apps or cause app crashes -Although WDAC audit mode is designed to avoid impact to apps, some features are always on/always enforced with any WDAC policy that includes the option **0 Enabled:UMCI**. Here's a list of known system changes in audit mode: +Although WDAC audit mode is designed to avoid impact to apps, some features are always on/always enforced with any WDAC policy that turns on user mode code integrity (UMCI) with the option **0 Enabled:UMCI**. Here's a list of known system changes in audit mode: - Some script hosts might block code or run code with fewer privileges even in audit mode. See [Script enforcement with WDAC](/windows/security/application-security/application-control/windows-defender-application-control/design/script-enforcement) for information about individual script host behaviors. - Option **19 Enabled:Dynamic Code Security** is always enforced if any UMCI policy includes that option. See [WDAC and .NET](/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-and-dotnet#wdac-and-net-hardening). -### Managed Installer and ISG may cause excessive events - -When Managed Installer and ISG are enabled, 3091 and 3092 events are logged when a file didn't have Managed Installer or ISG authorization, regardless of whether the file was allowed. These events were moved to the verbose channel beginning with the September 2022 Update Preview since the events don't indicate an issue with the policy. - ### .NET native images may generate false positive block events In some cases, the code integrity logs where Windows Defender Application Control errors and warnings are written include error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image falls back to its corresponding assembly and .NET regenerates the native image at its next scheduled maintenance window. ### Signatures using elliptical curve cryptography (ECC) aren't supported -WDAC signer-based rules only work with RSA cryptography. ECC algorithms, such as ECDSA, aren't supported. If you try to allow files by signature based on ECC signatures, you'll see VerificationError = 23 on the corresponding 3089 signature information events. You can authorize the files instead by hash or file attribute rules, or using other signer rules if the file is also signed with signatures using RSA. +WDAC signer-based rules only work with RSA cryptography. ECC algorithms, such as ECDSA, aren't supported. If WDAC blocks a file based on ECC signatures, the corresponding 3089 signature information events show VerificationError = 23. You can authorize the files instead by hash or file attribute rules, or using other signer rules if the file is also signed with signatures using RSA. ### MSI installers are treated as user writeable on Windows 10 when allowed by FilePath rule @@ -88,18 +84,19 @@ As a workaround, download the MSI file and run it locally: ```console msiexec -i c:\temp\Windows10_Version_1511_ADMX.msi ``` + ### Slow boot and performance with custom policies -WDAC evaluates all processes that run, including inbox Windows processes. If policies don't build off the WDAC templates or don't trust the Windows signers, you'll see slower boot times, degraded performance and possibly boot issues. For these reasons, you should use the [WDAC base templates](../design/example-wdac-base-policies.md) whenever possible to create your policies. +WDAC evaluates all processes that run, including inbox Windows processes. You can cause slower boot times, degraded performance, and possibly boot issues if your policies don't build upon the WDAC templates or don't trust the Windows signers. For these reasons, you should use the [WDAC base templates](../design/example-wdac-base-policies.md) whenever possible to create your policies. #### AppId Tagging policy considerations -If the AppId Tagging Policy wasn't built off the WDAC base templates or doesn't allow the Windows in-box signers, you'll notice a significant increase in boot times (~2 minutes). +AppId Tagging policies that aren't built upon the WDAC base templates or don't allow the Windows in-box signers might cause a significant increase in boot times (~2 minutes). -If you can't allowlist the Windows signers, or build off the WDAC base templates, it's recommended to add the following rule to your policies to improve the performance: +If you can't allowlist the Windows signers or build off the WDAC base templates, add the following rule to your policies to improve the performance: :::image type="content" source="../images/known-issue-appid-dll-rule.png" alt-text="Allow all dlls in the policy."::: :::image type="content" source="../images/known-issue-appid-dll-rule-xml.png" alt-text="Allow all dll files in the xml policy."::: -Since AppId Tagging policies evaluate but can't tag dll files, this rule will short circuit dll evaluation and improve evaluation performance. +Since AppId Tagging policies evaluate but can't tag dll files, this rule short circuits dll evaluation and improve evaluation performance. From e8b6169893c30c30d80d8d0640ef4b7ea675f078 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Mon, 15 Apr 2024 11:55:03 -0400 Subject: [PATCH 09/12] Corrected dates --- .../design/deploy-multiple-wdac-policies.md | 4 ++-- .../operations/known-issues.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md index b9655217a3..314a534a67 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md @@ -2,7 +2,7 @@ title: Use multiple Windows Defender Application Control Policies description: Windows Defender Application Control supports multiple code integrity policies for one device. ms.localizationpriority: medium -ms.date: 03/13/2024 +ms.date: 04/15/2024 ms.topic: article --- @@ -11,7 +11,7 @@ ms.topic: article >[!NOTE] >Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md). -Beginning with Windows 10 version 1903 and Windows Server 2022, you can deploy multiple Windows Defender Application Control (WDAC) policies side-by-side on a device. To allow more than 32 active policies, install the Windows security update released on, or after, March 12, 2024 and then restart the device. With these updates, there's no limit for the number of policies you can deploy at once to a given device. Until you install the Windows security update released on or after March 12, 2024, your device is limited to 32 active policies and you must not exceed that number. +Beginning with Windows 10 version 1903 and Windows Server 2022, you can deploy multiple Windows Defender Application Control (WDAC) policies side-by-side on a device. To allow more than 32 active policies, install the Windows security update released on, or after, April 9, 2024 and then restart the device. With these updates, there's no limit for the number of policies you can deploy at once to a given device. Until you install the Windows security update released on or after April 9, 2024, your device is limited to 32 active policies and you must not exceed that number. Here are some common scenarios where multiple side-by-side policies are useful: diff --git a/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md b/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md index fbccba4c71..73c4f0efa9 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md @@ -2,7 +2,7 @@ title: WDAC Admin Tips & Known Issues description: WDAC Known Issues ms.manager: jsuther -ms.date: 03/13/2024 +ms.date: 04/15/2024 ms.topic: article ms.localizationpriority: medium --- @@ -49,7 +49,7 @@ When the WDAC engine evaluates files against the active set of policies on the d ### Boot stop failure (blue screen) occurs if more than 32 policies are active -Until you apply the Windows security update released on or after March 12, 2024, your device is limited to 32 active policies. If the maximum number of policies is exceeded, the device bluescreens referencing ci.dll with a bug check value of 0x0000003b. Consider this maximum policy count limit when planning your WDAC policies. Any [Windows inbox policies](/windows/security/threat-protection/windows-defender-application-control/operations/inbox-wdac-policies) that are active on the device also count towards this limit. To remove the maximum policy limit, install the Windows security update released on, or after, March 12, 2024 and then restart the device. Otherwise, reduce the number of policies on the device to remain below 32 policies. +Until you apply the Windows security update released on or after April 9, 2024, your device is limited to 32 active policies. If the maximum number of policies is exceeded, the device bluescreens referencing ci.dll with a bug check value of 0x0000003b. Consider this maximum policy count limit when planning your WDAC policies. Any [Windows inbox policies](/windows/security/threat-protection/windows-defender-application-control/operations/inbox-wdac-policies) that are active on the device also count towards this limit. To remove the maximum policy limit, install the Windows security update released on, or after, April 9, 2024 and then restart the device. Otherwise, reduce the number of policies on the device to remain below 32 policies. ### Audit mode policies can change the behavior for some apps or cause app crashes From 4af1c79d02706c2d573528a8aee57d0b2c9c0bdd Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Mon, 15 Apr 2024 11:11:38 -0700 Subject: [PATCH 10/12] Typo --- .../operate/windows-autopatch-reliability-report.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-reliability-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-reliability-report.md index 660527685b..e3a3f4b0c5 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-reliability-report.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-reliability-report.md @@ -46,7 +46,7 @@ The Reliability report relies on device policies being configured properly. It's | No | - | - | No report available.

In this state, a ribbon appears on the landing page alerting the user that the diagnostic data needed to generate a report appears to be turned off. The report is available 24 and 48 hours after the following conditions are met:

  • [Diagnostic data device configuration policies enabled](../references/windows-autopatch-changes-to-tenant.md#device-configuration-policies)
  • At least 100 devices registered in Autopatch
  • At least 100 of these registered devices completed a quality update in the current update cycle (second Tuesday of the month)

| | Yes | 0 | - | The report includes only the historical comparison baseline and service-level score. The tenant and module impact scores are unavailable until 100 devices are updated. | | Yes | 0 < n < 100 | 0 < n < 100 | The report includes module failure details, historical comparison baseline, and service-level score. The tenant score is unavailable until 100 devices are updated. | -| Yes | n >= 100 | n >= 100 | The report includes module failure details, historical comparison baseline score, and service-level score. The tenant and module impact scores are unavailable until 100 devices are updated. | +| Yes | n >= 100 | 0 < n < 100 | The report includes module failure details, historical comparison baseline score, and service-level score. The tenant and module impact scores are unavailable until 100 devices are updated. | | Yes | n >= 100 | n >= 100 | Full reporting available | ## View the Reliability report From b24cf72e080b56c797b84966f2f5de9e97eaf7a7 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Tue, 16 Apr 2024 18:50:26 -0400 Subject: [PATCH 11/12] added note about win 11 21h2 --- .../design/deploy-multiple-wdac-policies.md | 2 ++ .../operations/known-issues.md | 2 ++ 2 files changed, 4 insertions(+) diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md index 314a534a67..530d6dddb0 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md @@ -13,6 +13,8 @@ ms.topic: article Beginning with Windows 10 version 1903 and Windows Server 2022, you can deploy multiple Windows Defender Application Control (WDAC) policies side-by-side on a device. To allow more than 32 active policies, install the Windows security update released on, or after, April 9, 2024 and then restart the device. With these updates, there's no limit for the number of policies you can deploy at once to a given device. Until you install the Windows security update released on or after April 9, 2024, your device is limited to 32 active policies and you must not exceed that number. +**Note:** The policy limit was not removed on Windows 11 21H2, and will remain limited to 32 policies. + Here are some common scenarios where multiple side-by-side policies are useful: 1. Enforce and Audit Side-by-Side diff --git a/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md b/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md index 73c4f0efa9..2522308d55 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/operations/known-issues.md @@ -51,6 +51,8 @@ When the WDAC engine evaluates files against the active set of policies on the d Until you apply the Windows security update released on or after April 9, 2024, your device is limited to 32 active policies. If the maximum number of policies is exceeded, the device bluescreens referencing ci.dll with a bug check value of 0x0000003b. Consider this maximum policy count limit when planning your WDAC policies. Any [Windows inbox policies](/windows/security/threat-protection/windows-defender-application-control/operations/inbox-wdac-policies) that are active on the device also count towards this limit. To remove the maximum policy limit, install the Windows security update released on, or after, April 9, 2024 and then restart the device. Otherwise, reduce the number of policies on the device to remain below 32 policies. +**Note:** The policy limit was not removed on Windows 11 21H2, and will remain limited to 32 policies. + ### Audit mode policies can change the behavior for some apps or cause app crashes Although WDAC audit mode is designed to avoid impact to apps, some features are always on/always enforced with any WDAC policy that turns on user mode code integrity (UMCI) with the option **0 Enabled:UMCI**. Here's a list of known system changes in audit mode: From a6b4d08cb9398faf84a551d1ce836731921f8ede Mon Sep 17 00:00:00 2001 From: Jeff Borsecnik <123032460+American-Dipper@users.noreply.github.com> Date: Wed, 17 Apr 2024 10:27:13 -0700 Subject: [PATCH 12/12] Update deploy-multiple-wdac-policies.md - reformat note --- .../design/deploy-multiple-wdac-policies.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md b/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md index 530d6dddb0..38c5700dab 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/design/deploy-multiple-wdac-policies.md @@ -13,7 +13,8 @@ ms.topic: article Beginning with Windows 10 version 1903 and Windows Server 2022, you can deploy multiple Windows Defender Application Control (WDAC) policies side-by-side on a device. To allow more than 32 active policies, install the Windows security update released on, or after, April 9, 2024 and then restart the device. With these updates, there's no limit for the number of policies you can deploy at once to a given device. Until you install the Windows security update released on or after April 9, 2024, your device is limited to 32 active policies and you must not exceed that number. -**Note:** The policy limit was not removed on Windows 11 21H2, and will remain limited to 32 policies. +>[!NOTE] +>The policy limit was not removed on Windows 11 21H2 and will remain limited to 32 policies. Here are some common scenarios where multiple side-by-side policies are useful: