Add more CSPs

windows/client-management/mdm/policies-in-policy-csp-admx-backed.md

@@ -4,7 +4,7 @@ description: Learn about the ADMX-backed policies in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 11/30/2022
+ms.date: 12/07/2022
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -2927,6 +2927,7 @@ This article lists the ADMX-backed policies in Policy CSP.
 - [ConfigureRpcListenerPolicy](policy-csp-printers.md)
 - [ConfigureRpcConnectionPolicy](policy-csp-printers.md)
 - [ConfigureRpcTcpPort](policy-csp-printers.md)
+- [ConfigureRpcAuthnLevelPrivacyEnabled](policy-csp-printers.md)
 - [ConfigureIppPageCountsPolicy](policy-csp-printers.md)
 - [ConfigureRedirectionGuardPolicy](policy-csp-printers.md)
 
@@ -2987,6 +2988,7 @@ This article lists the ADMX-backed policies in Policy CSP.
 ## SettingsSync
 
 - [DisableAccessibilitySettingSync](policy-csp-settingssync.md)
+- [DisableLanguageSettingSync](policy-csp-settingssync.md)
 
 ## Storage
 

windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md

@@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 11/30/2022
+ms.date: 12/07/2022
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -317,12 +317,14 @@ This article lists the policies in Policy CSP that have a group policy mapping.
 - [DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md)
 - [DOCacheHost](policy-csp-deliveryoptimization.md)
 - [DOCacheHostSource](policy-csp-deliveryoptimization.md)
+- [DODisallowCacheServerDownloadsOnVPN](policy-csp-deliveryoptimization.md)
 - [DOGroupIdSource](policy-csp-deliveryoptimization.md)
 - [DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md)
 - [DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md)
 - [DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md)
 - [DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md)
 - [DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md)
+- [DOVpnKeywords](policy-csp-deliveryoptimization.md)
 
 ## DeviceGuard
 
@@ -877,6 +879,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
 - [NotifyMalicious](policy-csp-webthreatdefense.md)
 - [NotifyPasswordReuse](policy-csp-webthreatdefense.md)
 - [NotifyUnsafeApp](policy-csp-webthreatdefense.md)
+- [CaptureThreatWindow](policy-csp-webthreatdefense.md)
 
 ## Wifi
 

windows/client-management/mdm/policy-configuration-service-provider.md

@@ -4,7 +4,7 @@ description: Learn more about the Policy CSP
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 11/22/2022
+ms.date: 12/07/2022
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -94,6 +94,7 @@ The following example shows the Policy configuration service provider in tree fo
 <!-- Device-Config-OmaUri-End -->
 
 <!-- Device-Config-Description-Begin -->
+<!-- Description-Source-DDF -->
 Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value.
 <!-- Device-Config-Description-End -->
 
@@ -132,7 +133,8 @@ Node for grouping all policies configured by one source. The configuration sourc
 <!-- Device-Config-{AreaName}-OmaUri-End -->
 
 <!-- Device-Config-{AreaName}-Description-Begin -->
-The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value.  See the individual Area DDFs for Policy CSP for a list of Areas that can be configured.
+<!-- Description-Source-DDF -->
+The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured.
 <!-- Device-Config-{AreaName}-Description-End -->
 
 <!-- Device-Config-{AreaName}-Editable-Begin -->
@@ -171,7 +173,8 @@ The area group that can be configured by a single technology for a single provid
 <!-- Device-Config-{AreaName}-{PolicyName}-OmaUri-End -->
 
 <!-- Device-Config-{AreaName}-{PolicyName}-Description-Begin -->
-Specifies the name/value pair used in the policy.  See the individual Area DDFs for more information about the policies available to configure.
+<!-- Description-Source-DDF -->
+Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure.
 <!-- Device-Config-{AreaName}-{PolicyName}-Description-End -->
 
 <!-- Device-Config-{AreaName}-{PolicyName}-Editable-Begin -->
@@ -218,6 +221,7 @@ The following list shows some tips to help you when configuring policies:
 <!-- Device-ConfigOperations-OmaUri-End -->
 
 <!-- Device-ConfigOperations-Description-Begin -->
+<!-- Description-Source-DDF -->
 The root node for grouping different configuration operations.
 <!-- Device-ConfigOperations-Description-End -->
 
@@ -256,6 +260,7 @@ The root node for grouping different configuration operations.
 <!-- Device-ConfigOperations-ADMXInstall-OmaUri-End -->
 
 <!-- Device-ConfigOperations-ADMXInstall-Description-Begin -->
+<!-- Description-Source-DDF -->
 Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall. Each ADMX-backed policy or preference that is added is assigned a unique ID. ADMX files that have been installed by using ConfigOperations/ADMXInstall can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}.
 <!-- Device-ConfigOperations-ADMXInstall-Description-End -->
 
@@ -298,6 +303,7 @@ Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported
 <!-- Device-ConfigOperations-ADMXInstall-{AppName}-OmaUri-End -->
 
 <!-- Device-ConfigOperations-ADMXInstall-{AppName}-Description-Begin -->
+<!-- Description-Source-DDF -->
 Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file.
 <!-- Device-ConfigOperations-ADMXInstall-{AppName}-Description-End -->
 
@@ -337,6 +343,7 @@ Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX f
 <!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-OmaUri-End -->
 
 <!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-Description-Begin -->
+<!-- Description-Source-DDF -->
 Setting Type of Win32 App. Policy Or Preference
 <!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-Description-End -->
 
@@ -376,6 +383,7 @@ Setting Type of Win32 App. Policy Or Preference
 <!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-{AdmxFileId}-OmaUri-End -->
 
 <!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-{AdmxFileId}-Description-Begin -->
+<!-- Description-Source-DDF -->
 Unique ID of ADMX file
 <!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-{AdmxFileId}-Description-End -->
 
@@ -415,6 +423,7 @@ Unique ID of ADMX file
 <!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-OmaUri-End -->
 
 <!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-Description-Begin -->
+<!-- Description-Source-DDF -->
 Properties of Win32 App ADMX Ingestion
 <!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-Description-End -->
 
@@ -453,6 +462,7 @@ Properties of Win32 App ADMX Ingestion
 <!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-OmaUri-End -->
 
 <!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-Description-Begin -->
+<!-- Description-Source-DDF -->
 Setting Type of Win32 App. Policy Or Preference
 <!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-Description-End -->
 
@@ -492,6 +502,7 @@ Setting Type of Win32 App. Policy Or Preference
 <!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-OmaUri-End -->
 
 <!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-Description-Begin -->
+<!-- Description-Source-DDF -->
 Unique ID of ADMX file
 <!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-Description-End -->
 
@@ -531,7 +542,8 @@ Unique ID of ADMX file
 <!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-Version-OmaUri-End -->
 
 <!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-Version-Description-Begin -->
-Version of ADMX file.  This can be set by the server to keep a record of the versioning of the ADMX file ingested by the device.
+<!-- Description-Source-DDF -->
+Version of ADMX file. This can be set by the server to keep a record of the versioning of the ADMX file ingested by the device.
 <!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-Version-Description-End -->
 
 <!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-Version-Editable-Begin -->
@@ -569,6 +581,7 @@ Version of ADMX file.  This can be set by the server to keep a record of the ver
 <!-- Device-Result-OmaUri-End -->
 
 <!-- Device-Result-Description-Begin -->
+<!-- Description-Source-DDF -->
 Groups the evaluated policies from all providers that can be configured.
 <!-- Device-Result-Description-End -->
 
@@ -607,6 +620,7 @@ Groups the evaluated policies from all providers that can be configured.
 <!-- Device-Result-{AreaName}-OmaUri-End -->
 
 <!-- Device-Result-{AreaName}-Description-Begin -->
+<!-- Description-Source-DDF -->
 The area group that can be configured by a single technology independent of the providers. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured.
 <!-- Device-Result-{AreaName}-Description-End -->
 
@@ -646,6 +660,7 @@ The area group that can be configured by a single technology independent of the
 <!-- Device-Result-{AreaName}-{PolicyName}-OmaUri-End -->
 
 <!-- Device-Result-{AreaName}-{PolicyName}-Description-Begin -->
+<!-- Description-Source-DDF -->
 Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure.
 <!-- Device-Result-{AreaName}-{PolicyName}-Description-End -->
 
@@ -685,6 +700,7 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs f
 <!-- User-Config-OmaUri-End -->
 
 <!-- User-Config-Description-Begin -->
+<!-- Description-Source-DDF -->
 Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value.
 <!-- User-Config-Description-End -->
 
@@ -723,7 +739,8 @@ Node for grouping all policies configured by one source. The configuration sourc
 <!-- User-Config-{AreaName}-OmaUri-End -->
 
 <!-- User-Config-{AreaName}-Description-Begin -->
-The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value.  See the individual Area DDFs for Policy CSP for a list of Areas that can be configured.
+<!-- Description-Source-DDF -->
+The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured.
 <!-- User-Config-{AreaName}-Description-End -->
 
 <!-- User-Config-{AreaName}-Editable-Begin -->
@@ -770,7 +787,8 @@ The following list shows some tips to help you when configuring policies:
 <!-- User-Config-{AreaName}-{PolicyName}-OmaUri-End -->
 
 <!-- User-Config-{AreaName}-{PolicyName}-Description-Begin -->
-Specifies the name/value pair used in the policy.  See the individual Area DDFs for more information about the policies available to configure.
+<!-- Description-Source-DDF -->
+Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure.
 <!-- User-Config-{AreaName}-{PolicyName}-Description-End -->
 
 <!-- User-Config-{AreaName}-{PolicyName}-Editable-Begin -->
@@ -809,6 +827,7 @@ Specifies the name/value pair used in the policy.  See the individual Area DDFs
 <!-- User-Result-OmaUri-End -->
 
 <!-- User-Result-Description-Begin -->
+<!-- Description-Source-DDF -->
 Groups the evaluated policies from all providers that can be configured.
 <!-- User-Result-Description-End -->
 
@@ -847,6 +866,7 @@ Groups the evaluated policies from all providers that can be configured.
 <!-- User-Result-{AreaName}-OmaUri-End -->
 
 <!-- User-Result-{AreaName}-Description-Begin -->
+<!-- Description-Source-DDF -->
 The area group that can be configured by a single technology independent of the providers. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured.
 <!-- User-Result-{AreaName}-Description-End -->
 
@@ -886,6 +906,7 @@ The area group that can be configured by a single technology independent of the
 <!-- User-Result-{AreaName}-{PolicyName}-OmaUri-End -->
 
 <!-- User-Result-{AreaName}-{PolicyName}-Description-Begin -->
+<!-- Description-Source-DDF -->
 Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure.
 <!-- User-Result-{AreaName}-{PolicyName}-Description-End -->
 
@@ -1073,7 +1094,6 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs f
 - [Browser](policy-csp-browser.md)
 - [Camera](policy-csp-camera.md)
 - [Cellular](policy-csp-cellular.md)
-- [CloudDesktop](policy-csp-clouddesktop.md)
 - [CloudPC](policy-csp-cloudpc.md)
 - [Connectivity](policy-csp-connectivity.md)
 - [ControlPolicyConflict](policy-csp-controlpolicyconflict.md)

windows/client-management/mdm/policy-csp-smartscreen.md

@@ -1,188 +1,251 @@
 ---
-title: Policy CSP - SmartScreen
+title: SmartScreen Policy CSP
-description: Use the Policy CSP - SmartScreen setting to allow IT Admins to control whether users are allowed to install apps from places other than the Store.
+description: Learn more about the SmartScreen Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.date: 12/07/2022
+ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
+ms.topic: reference
-ms.localizationpriority: medium
-ms.date: 09/27/2019
-ms.reviewer: 
-manager: aaroncz
 ---
 
+<!-- Auto-Generated CSP Document -->
+
+<!-- SmartScreen-Begin -->
 # Policy CSP - SmartScreen
 
+<!-- SmartScreen-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- SmartScreen-Editable-End -->
 
-<hr/>
+<!-- EnableAppInstallControl-Begin -->
+## EnableAppInstallControl
 
-<!--Policies-->
+<!-- EnableAppInstallControl-Applicability-Begin -->
-## SmartScreen policies
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+<!-- EnableAppInstallControl-Applicability-End -->
 
-<dl>
+<!-- EnableAppInstallControl-OmaUri-Begin -->
-  <dd>
+```Device
-    <a href="#smartscreen-enableappinstallcontrol">SmartScreen/EnableAppInstallControl</a>
+./Device/Vendor/MSFT/Policy/Config/SmartScreen/EnableAppInstallControl
-  </dd>
+```
-  <dd>
+<!-- EnableAppInstallControl-OmaUri-End -->
-    <a href="#smartscreen-enablesmartscreeninshell">SmartScreen/EnableSmartScreenInShell</a>
-  </dd>
-  <dd>
-    <a href="#smartscreen-preventoverrideforfilesinshell">SmartScreen/PreventOverrideForFilesInShell</a>
-  </dd>
-</dl>
 
+<!-- EnableAppInstallControl-Description-Begin -->
+<!-- Description-Source-ADMX -->
+App Install Control is a feature of Windows Defender SmartScreen that helps protect PCs by allowing users to install apps only from the Store. SmartScreen must be enabled for this feature to work properly.
 
-<hr/>
+If you enable this setting, you must choose from the following behaviors:
 
-<!--Policy-->
+- Turn off app recommendations
-<a href="" id="smartscreen-enableappinstallcontrol"></a>**SmartScreen/EnableAppInstallControl**
 
-<!--SupportedSKUs-->
+- Show me app recommendations
 
-|Edition|Windows 10|Windows 11|
+- Warn me before installing apps from outside the Store
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
 
-<!--/SupportedSKUs-->
+- Allow apps from Store only
-<hr/>
 
-<!--Scope-->
+If you disable or don't configure this setting, users will be able to install apps from anywhere, including files downloaded from the Internet.
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+<!-- EnableAppInstallControl-Description-End -->
 
-> [!div class = "checklist"]
+<!-- EnableAppInstallControl-Editable-Begin -->
-> * Device
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+> [!NOTE]
+> This policy will block installation only while the device is online. To block offline installation too, **SmartScreen/PreventOverrideForFilesInShell** and **SmartScreen/EnableSmartScreenInShell** policies should also be enabled.
+>
+> This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.
+<!-- EnableAppInstallControl-Editable-End -->
 
-<hr/>
+<!-- EnableAppInstallControl-DFProperties-Begin -->
+**Description framework properties**:
 
-<!--/Scope-->
+| Property name | Property value |
-<!--Description-->
+|:--|:--|
-Allows IT Admins to control whether users are allowed to install apps from places other than the Store.
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- EnableAppInstallControl-DFProperties-End -->
 
-> [!Note]
+<!-- EnableAppInstallControl-AllowedValues-Begin -->
-> This policy will block installation only while the device is online. To block offline installation too, **SmartScreen/PreventOverrideForFilesInShell** and **SmartScreen/EnableSmartScreenInShell** policies should also be enabled.<p>This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.
+**Allowed values**:
 
-<!--/Description-->
+| Value | Description |
-<!--ADMXMapped-->
+|:--|:--|
-ADMX Info:
+| 0 (Default) | Turns off Application Installation Control, allowing users to download and install files from anywhere on the web. |
--   GP Friendly name: *Configure App Install Control*
+| 1 | Turns on Application Installation Control, allowing users to only install apps from the Store. |
--   GP name: *ConfigureAppInstallControl*
+<!-- EnableAppInstallControl-AllowedValues-End -->
--   GP path: *Windows Components/Windows Defender SmartScreen/Explorer*
--   GP ADMX file name: *SmartScreen.admx*
 
-<!--/ADMXMapped-->
+<!-- EnableAppInstallControl-GpMapping-Begin -->
-<!--SupportedValues-->
+**Group policy mapping**:
-The following list shows the supported values:
 
--   0 – Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.
+| Name | Value |
--   1 – Turns on Application Installation Control, allowing users to only install apps from the Store.
+|:--|:--|
+| Name | ConfigureAppInstallControl |
+| Friendly Name | Configure App Install Control |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Defender SmartScreen > Explorer |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\SmartScreen |
+| Registry Value Name | ConfigureAppInstallControlEnabled |
+| ADMX File Name | SmartScreen.admx |
+<!-- EnableAppInstallControl-GpMapping-End -->
 
-<!--/SupportedValues-->
+<!-- EnableAppInstallControl-Examples-Begin -->
-<!--/Policy-->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- EnableAppInstallControl-Examples-End -->
 
-<hr/>
+<!-- EnableAppInstallControl-End -->
 
-<!--Policy-->
+<!-- EnableSmartScreenInShell-Begin -->
-<a href="" id="smartscreen-enablesmartscreeninshell"></a>**SmartScreen/EnableSmartScreenInShell**
+## EnableSmartScreenInShell
 
-<!--SupportedSKUs-->
+<!-- EnableSmartScreenInShell-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+<!-- EnableSmartScreenInShell-Applicability-End -->
 
-|Edition|Windows 10|Windows 11|
+<!-- EnableSmartScreenInShell-OmaUri-Begin -->
-|--- |--- |--- |
+```Device
-|Home|No|No|
+./Device/Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell
-|Pro|Yes|Yes|
+```
-|Windows SE|No|Yes|
+<!-- EnableSmartScreenInShell-OmaUri-End -->
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
 
-<!--/SupportedSKUs-->
+<!-- EnableSmartScreenInShell-Description-Begin -->
-<hr/>
+<!-- Description-Source-ADMX -->
+This policy allows you to turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that do not appear to be suspicious.
 
-<!--Scope-->
+Some information is sent to Microsoft about files and programs run on PCs with this feature enabled.
-[Scope](./policy-configuration-service-provider.md#policy-scope):
 
-> [!div class = "checklist"]
+If you enable this policy, SmartScreen will be turned on for all users. Its behavior can be controlled by the following options:
-> * Device
 
-<hr/>
+• Warn and prevent bypass
+• Warn
 
-<!--/Scope-->
+If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs will not present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app.
-<!--Description-->
-Allows IT Admins to configure SmartScreen for Windows.
 
-<!--/Description-->
+If you enable this policy with the "Warn" option, SmartScreen's dialogs will warn the user that the app appears suspicious, but will permit the user to disregard the warning and run the app anyway. SmartScreen will not warn the user again for that app if the user tells SmartScreen to run the app.
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Configure Windows Defender SmartScreen*
--   GP name: *ShellConfigureSmartScreen*
--   GP path: *Windows Components/Windows Defender SmartScreen/Explorer*
--   GP ADMX file name: *SmartScreen.admx*
 
-<!--/ADMXMapped-->
+If you disable this policy, SmartScreen will be turned off for all users. Users will not be warned if they try to run suspicious apps from the Internet.
-<!--SupportedValues-->
-The following list shows the supported values:
 
--   0 – Turns off SmartScreen in Windows.
+If you do not configure this policy, SmartScreen will be enabled by default, but users may change their settings.
--   1 – Turns on SmartScreen in Windows.
+<!-- EnableSmartScreenInShell-Description-End -->
 
-<!--/SupportedValues-->
+<!-- EnableSmartScreenInShell-Editable-Begin -->
-<!--/Policy-->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- EnableSmartScreenInShell-Editable-End -->
 
-<hr/>
+<!-- EnableSmartScreenInShell-DFProperties-Begin -->
+**Description framework properties**:
 
-<!--Policy-->
+| Property name | Property value |
-<a href="" id="smartscreen-preventoverrideforfilesinshell"></a>**SmartScreen/PreventOverrideForFilesInShell**
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 1 |
+<!-- EnableSmartScreenInShell-DFProperties-End -->
 
-<!--SupportedSKUs-->
+<!-- EnableSmartScreenInShell-AllowedValues-Begin -->
+**Allowed values**:
 
-|Edition|Windows 10|Windows 11|
+| Value | Description |
-|--- |--- |--- |
+|:--|:--|
-|Home|No|No|
+| 0 | Disabled. |
-|Pro|Yes|Yes|
+| 1 (Default) | Enabled. |
-|Windows SE|No|Yes|
+<!-- EnableSmartScreenInShell-AllowedValues-End -->
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
 
-<!--/SupportedSKUs-->
+<!-- EnableSmartScreenInShell-GpMapping-Begin -->
-<hr/>
+**Group policy mapping**:
 
-<!--Scope-->
+| Name | Value |
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+|:--|:--|
+| Name | ShellConfigureSmartScreen |
+| Friendly Name | Configure Windows Defender SmartScreen |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Defender SmartScreen > Explorer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\System |
+| Registry Value Name | EnableSmartScreen |
+| ADMX File Name | SmartScreen.admx |
+<!-- EnableSmartScreenInShell-GpMapping-End -->
 
-> [!div class = "checklist"]
+<!-- EnableSmartScreenInShell-Examples-Begin -->
-> * Device
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- EnableSmartScreenInShell-Examples-End -->
 
-<hr/>
+<!-- EnableSmartScreenInShell-End -->
 
-<!--/Scope-->
+<!-- PreventOverrideForFilesInShell-Begin -->
-<!--Description-->
+## PreventOverrideForFilesInShell
+
+<!-- PreventOverrideForFilesInShell-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+<!-- PreventOverrideForFilesInShell-Applicability-End -->
+
+<!-- PreventOverrideForFilesInShell-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell
+```
+<!-- PreventOverrideForFilesInShell-OmaUri-End -->
+
+<!-- PreventOverrideForFilesInShell-Description-Begin -->
+<!-- Description-Source-DDF -->
 Allows IT Admins to control whether users can ignore SmartScreen warnings and run malicious files.
+<!-- PreventOverrideForFilesInShell-Description-End -->
 
-<!--/Description-->
+<!-- PreventOverrideForFilesInShell-Editable-Begin -->
-<!--ADMXMapped-->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-ADMX Info:
+<!-- PreventOverrideForFilesInShell-Editable-End -->
--   GP Friendly name: *Configure Windows Defender SmartScreen*
--   GP name: *ShellConfigureSmartScreen*
--   GP element: *ShellConfigureSmartScreen_Dropdown*
--   GP path: *Windows Components/Windows Defender SmartScreen/Explorer*
--   GP ADMX file name: *SmartScreen.admx*
 
-<!--/ADMXMapped-->
+<!-- PreventOverrideForFilesInShell-DFProperties-Begin -->
-<!--SupportedValues-->
+**Description framework properties**:
-The following list shows the supported values:
 
--   0 – Employees can ignore SmartScreen warnings and run malicious files.
+| Property name | Property value |
--   1 – Employees cannot ignore SmartScreen warnings and run malicious files.
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- PreventOverrideForFilesInShell-DFProperties-End -->
 
-<!--/SupportedValues-->
+<!-- PreventOverrideForFilesInShell-AllowedValues-Begin -->
-<!--/Policy-->
+**Allowed values**:
-<hr/>
 
-<!--/Policies-->
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Do not prevent override. |
+| 1 | Prevent override. |
+<!-- PreventOverrideForFilesInShell-AllowedValues-End -->
+
+<!-- PreventOverrideForFilesInShell-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | ShellConfigureSmartScreen |
+| Friendly Name | Configure Windows Defender SmartScreen |
+| Element Name | Pick one of the following settings |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Defender SmartScreen > Explorer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\System |
+| ADMX File Name | SmartScreen.admx |
+<!-- PreventOverrideForFilesInShell-GpMapping-End -->
+
+<!-- PreventOverrideForFilesInShell-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- PreventOverrideForFilesInShell-Examples-End -->
+
+<!-- PreventOverrideForFilesInShell-End -->
+
+<!-- SmartScreen-CspMoreInfo-Begin -->
+<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+<!-- SmartScreen-CspMoreInfo-End -->
+
+<!-- SmartScreen-End -->
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)

windows/client-management/mdm/policy-csp-troubleshooting.md

@@ -1,103 +1,119 @@
 ---
-title: Policy CSP - Troubleshooting
+title: Troubleshooting Policy CSP
-description: The Policy CSP - Troubleshooting setting allows IT admins to configure how to apply recommended troubleshooting for known problems on the devices in their domains.
+description: Learn more about the Troubleshooting Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.date: 12/07/2022
+ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
+ms.topic: reference
-ms.localizationpriority: medium
-ms.date: 09/27/2019
 ---
 
+<!-- Auto-Generated CSP Document -->
+
+<!-- Troubleshooting-Begin -->
 # Policy CSP - Troubleshooting
 
-<hr/>
+<!-- Troubleshooting-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Troubleshooting-Editable-End -->
 
-<!--Policies-->
+<!-- AllowRecommendations-Begin -->
-## Troubleshooting policies
+## AllowRecommendations
 
-<dl>
+<!-- AllowRecommendations-Applicability-Begin -->
-  <dd>
+| Scope | Editions | Applicable OS |
-    <a href="#troubleshooting-allowrecommendations">Troubleshooting/AllowRecommendations</a>
+|:--|:--|:--|
-  </dd>
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
-</dl>
+<!-- AllowRecommendations-Applicability-End -->
 
+<!-- AllowRecommendations-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Troubleshooting/AllowRecommendations
+```
+<!-- AllowRecommendations-OmaUri-End -->
 
-<hr/>
+<!-- AllowRecommendations-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy setting configures how troubleshooting for known problems can be applied on the device and lets administrators configure how it's applied to their domains/IT environments.
 
-<!--Policy-->
+Not configuring this policy setting will allow the user to configure how troubleshooting is applied.
-<a href="" id="troubleshooting-allowrecommendations"></a>**Troubleshooting/AllowRecommendations**
 
-<!--SupportedSKUs-->
+Enabling this policy allows you to configure how troubleshooting is applied on the user's device. You can select from one of the following values:
-The table below shows the applicability of Windows:
+0 = Do not allow users, system features, or Microsoft to apply troubleshooting.
+1 = Only automatically apply troubleshooting for critical problems by system features and Microsoft.
+2 = Automatically apply troubleshooting for critical problems by system features and Microsoft. Notify users when troubleshooting for other problems is available and allow users to choose to apply or ignore.
+3 = Automatically apply troubleshooting for critical and other problems by system features and Microsoft. Notify users when troubleshooting has solved a problem.
+4 = Automatically apply troubleshooting for critical and other problems by system features and Microsoft. Do not notify users when troubleshooting has solved a problem.
+5 = Allow the user to choose their own troubleshooting settings.
 
-|Edition|Windows 10|Windows 11|
+After setting this policy, you can use the following instructions to check devices in your domain for available troubleshooting from Microsoft:
-|--- |--- |--- |
+1. Create a bat script with the following contents:
-|Home|No|No|
+rem The following batch script triggers Recommended Troubleshooting
-|Pro|Yes|Yes|
+schtasks /run /TN "\Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner"
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
 
-<!--/SupportedSKUs-->
+2. To create a new immediate task, navigate to the Group Policy Management Editor > Computer Configuration > Preferences and select Control Panel Settings.
-<hr/>
+3. Under Control Panel settings, right-click on Scheduled Tasks and select New. Select Immediate Task (At least Windows 7).
+4. Provide name and description as appropriate, then under Security Options set the user account to System and select the Run with highest privileges checkbox.
+5. In the Actions tab, create a new action, select Start a Program as its type, then enter the file created in step 1.
+6. Configure the task to deploy to your domain.
+<!-- AllowRecommendations-Description-End -->
 
-<!--Scope-->
+<!-- AllowRecommendations-Editable-Begin -->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- AllowRecommendations-Editable-End -->
 
-> [!div class = "checklist"]
+<!-- AllowRecommendations-DFProperties-Begin -->
-> * Device
+**Description framework properties**:
 
-<hr/>
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 1 |
+<!-- AllowRecommendations-DFProperties-End -->
 
-<!--/Scope-->
+<!-- AllowRecommendations-AllowedValues-Begin -->
-<!--Description-->
+**Allowed values**:
-This policy setting allows IT admins to configure, how to apply recommended troubleshooting for known problems on the devices in their domains or IT environments.
 
-<!--/Description-->
+| Value | Description |
-<!--ADMXMapped-->
+|:--|:--|
-ADMX Info:
+| 0 | Off - Do not allow users, system features, or Microsoft to apply troubleshooting. |
--   GP Friendly name: *Troubleshooting: Allow users to access recommended troubleshooting for known problems*
+| 1 (Default) | Critical - Automatically apply troubleshooting for critical problems detected by system features and Microsoft. Do not notify users when troubleshooting has solved a problem. |
--   GP name: *TroubleshootingAllowRecommendations*
+| 2 | Prompt - Automatically apply troubleshooting for critical problems detected by system features and Microsoft. Prompt users when troubleshooting for other problems is available and allow the user to choose to apply or ignore. |
--   GP path: *Troubleshooting and Diagnostics/Microsoft Support Diagnostic Tool*
+| 3 | Notify - Automatically apply troubleshooting for critical and other problems detected by system features and Microsoft. Notify users when troubleshooting has solved a problem. |
--   GP ADMX file name: *MSDT.admx*
+| 4 | Silent - Automatically apply troubleshooting for critical and other problems detected by system features and Microsoft. Do not notify users when troubleshooting has solved a problem. |
+| 5 | Configurable - Allow the user to choose their own troubleshooting settings. |
+<!-- AllowRecommendations-AllowedValues-End -->
 
-<!--/ADMXMapped-->
+<!-- AllowRecommendations-GpMapping-Begin -->
-<!--SupportedValues-->
+**Group policy mapping**:
-This setting is a numeric policy setting with merge algorithm (lowest value is the most secure) that uses the most restrictive settings for complex manageability scenarios.
 
-Supported values:
+| Name | Value |
--   0 (default) - Turn off this feature.
+|:--|:--|
--   1 - Turn off this feature but still apply critical troubleshooting.
+| Name | TroubleshootingAllowRecommendations |
--   2 - Notify users when recommended troubleshooting is available, then allow the user to run or ignore it.
+| Friendly Name | Troubleshooting: Allow users to access recommended troubleshooting for known problems |
--   3 - Run recommended troubleshooting automatically and notify the user after it ran successfully.
+| Location | Computer Configuration |
--   4 - Run recommended troubleshooting automatically without notifying the user.
+| Path | System > Troubleshooting and Diagnostics > Microsoft Support Diagnostic Tool |
--   5 - Allow the user to choose their own recommended troubleshooting settings.
+| Registry Key Name | Software\Policies\Microsoft\Windows\Troubleshooting\AllowRecommendations |
+| Registry Value Name | TroubleshootingAllowRecommendations |
+| ADMX File Name | MSDT.admx |
+<!-- AllowRecommendations-GpMapping-End -->
 
-By default, this policy isn't configured and the SKU based defaults are used for managed devices. Current policy values for SKUs are as follows:
+<!-- AllowRecommendations-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AllowRecommendations-Examples-End -->
 
-|SKU|Unmanaged Default|Managed Default|
+<!-- AllowRecommendations-End -->
-|--- |--- |--- |
-|Home|Prompt (OOBE)|Off|
-|Pro|Prompt (OOBE)|Off|
-|Education|On (auto)|Off|
-|Enterprise|Off|Off|
-|Government|Off|Off|
 
-<!--/SupportedValues-->
+<!-- Troubleshooting-CspMoreInfo-Begin -->
-<!--Example-->
+<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+<!-- Troubleshooting-CspMoreInfo-End -->
 
-<!--/Example-->
+<!-- Troubleshooting-End -->
-<!--Validation-->
 
-<!--/Validation-->
+## Related articles
-<!--/Policy-->
-<hr/>
 
-<!--/Policies-->
+[Policy configuration service provider](policy-configuration-service-provider.md)
-
-## Related topics
-
-[Policy configuration service provider](policy-configuration-service-provider.md)

windows/client-management/mdm/policy-csp-update.md

@@ -4,7 +4,7 @@ description: Learn more about the Update Area in Policy CSP
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 11/30/2022
+ms.date: 12/07/2022
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -36,6 +36,7 @@ ms.topic: reference
 <!-- ActiveHoursEnd-OmaUri-End -->
 
 <!-- ActiveHoursEnd-Description-Begin -->
+<!-- Description-Source-DDF -->
 Allows the IT admin (when used with Update/ActiveHoursStart) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. **Note**: The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See Update/ActiveHoursMaxRange below for more information. Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. The default is 17 (5 PM).
 <!-- ActiveHoursEnd-Description-End -->
 
@@ -59,7 +60,7 @@ Allows the IT admin (when used with Update/ActiveHoursStart) to manage a range o
 
 | Name | Value |
 |:--|:--|
-| Name | ActiveHours_Title |
+| Name | ActiveHours |
 | Friendly Name | Turn off auto-restart for updates during active hours |
 | Element Name | End |
 | Location | Computer Configuration |
@@ -90,6 +91,7 @@ Allows the IT admin (when used with Update/ActiveHoursStart) to manage a range o
 <!-- ActiveHoursMaxRange-OmaUri-End -->
 
 <!-- ActiveHoursMaxRange-Description-Begin -->
+<!-- Description-Source-ADMX -->
 Enable this policy to specify the maximum number of hours from the start time that users can set their active hours.
 
 The max active hours range can be set between 8 and 18 hours.
@@ -117,7 +119,7 @@ If you disable or do not configure this policy, the default max active hours ran
 
 | Name | Value |
 |:--|:--|
-| Name | ActiveHoursMaxRange_Title |
+| Name | ActiveHoursMaxRange |
 | Friendly Name | Specify active hours range for auto-restarts |
 | Element Name | Max range |
 | Location | Computer Configuration |
@@ -148,6 +150,7 @@ If you disable or do not configure this policy, the default max active hours ran
 <!-- ActiveHoursStart-OmaUri-End -->
 
 <!-- ActiveHoursStart-Description-Begin -->
+<!-- Description-Source-DDF -->
 Allows the IT admin (when used with Update/ActiveHoursEnd) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. **Note**: The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See Update/ActiveHoursMaxRange above for more information. Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. The default value is 8 (8 AM).
 <!-- ActiveHoursStart-Description-End -->
 
@@ -171,7 +174,7 @@ Allows the IT admin (when used with Update/ActiveHoursEnd) to manage a range of
 
 | Name | Value |
 |:--|:--|
-| Name | ActiveHours_Title |
+| Name | ActiveHours |
 | Friendly Name | Turn off auto-restart for updates during active hours |
 | Element Name | Start |
 | Location | Computer Configuration |
@@ -202,6 +205,7 @@ Allows the IT admin (when used with Update/ActiveHoursEnd) to manage a range of
 <!-- AllowAutoUpdate-OmaUri-End -->
 
 <!-- AllowAutoUpdate-Description-Begin -->
+<!-- Description-Source-DDF -->
 Enables the IT admin to manage automatic update behavior to scan, download, and install updates. Supported operations are Get and Replace. **Important**: This option should be used only for systems under regulatory compliance, as you will not get security updates as well. If the policy is not configured, end-users get the default behavior (Auto install and restart).
 <!-- AllowAutoUpdate-Description-End -->
 
@@ -268,6 +272,7 @@ Enables the IT admin to manage automatic update behavior to scan, download, and
 <!-- AllowAutoWindowsUpdateDownloadOverMeteredNetwork-OmaUri-End -->
 
 <!-- AllowAutoWindowsUpdateDownloadOverMeteredNetwork-Description-Begin -->
+<!-- Description-Source-ADMX -->
 Enabling this policy will automatically download updates, even over metered data connections (charges may apply)
 <!-- AllowAutoWindowsUpdateDownloadOverMeteredNetwork-Description-End -->
 
@@ -302,7 +307,7 @@ This policy is accessible through the Update setting in the user interface or Gr
 
 | Name | Value |
 |:--|:--|
-| Name | AllowAutoWindowsUpdateDownloadOverMeteredNetwork_Title |
+| Name | AllowAutoWindowsUpdateDownloadOverMeteredNetwork |
 | Friendly Name | Allow updates to be downloaded automatically over metered connections |
 | Location | Computer Configuration |
 | Path | Windows Components > Windows Update > Manage end user experience |
@@ -333,6 +338,7 @@ This policy is accessible through the Update setting in the user interface or Gr
 <!-- AllowMUUpdateService-OmaUri-End -->
 
 <!-- AllowMUUpdateService-Description-Begin -->
+<!-- Description-Source-DDF -->
 Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
 <!-- AllowMUUpdateService-Description-End -->
 
@@ -402,6 +408,7 @@ Allows the IT admin to manage whether to scan for app updates from Microsoft Upd
 <!-- AllowNonMicrosoftSignedUpdate-OmaUri-End -->
 
 <!-- AllowNonMicrosoftSignedUpdate-Description-Begin -->
+<!-- Description-Source-DDF -->
 Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution. Supported operations are Get and Replace. This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
 <!-- AllowNonMicrosoftSignedUpdate-Description-End -->
 
@@ -450,6 +457,7 @@ Allows the IT admin to manage whether Automatic Updates accepts updates signed b
 <!-- AllowUpdateService-OmaUri-End -->
 
 <!-- AllowUpdateService-Description-Begin -->
+<!-- Description-Source-DDF -->
 Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store. Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft Store to stop working. **Note**: This policy applies only when the desktop or device is configured to connect to an intranet update service using the Specify intranet Microsoft update service location policy.
 <!-- AllowUpdateService-Description-End -->
 
@@ -511,6 +519,7 @@ Specifies whether the device could use Microsoft Update, Windows Server Update S
 <!-- AutomaticMaintenanceWakeUp-OmaUri-End -->
 
 <!-- AutomaticMaintenanceWakeUp-Description-Begin -->
+<!-- Description-Source-ADMX -->
 This policy setting allows you to configure Automatic Maintenance wake up policy.
 
 The maintenance wakeup policy specifies if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance. Note, that if the OS power wake policy is explicitly disabled, then this setting has no effect.
@@ -548,7 +557,7 @@ If you disable or do not configure this policy setting, the wake setting as spec
 
 | Name | Value |
 |:--|:--|
-| Name | WakeUp |
+| Name | WakeUpPolicy |
 | Friendly Name | Automatic Maintenance WakeUp Policy |
 | Location | Computer Configuration |
 | Path | Windows Components > Maintenance Scheduler |
@@ -579,6 +588,7 @@ If you disable or do not configure this policy setting, the wake setting as spec
 <!-- AutoRestartDeadlinePeriodInDays-OmaUri-End -->
 
 <!-- AutoRestartDeadlinePeriodInDays-Description-Begin -->
+<!-- Description-Source-ADMX -->
 Specify the deadline before the PC will automatically restart to apply updates. The deadline can be set 2 to 14 days past the default restart date.
 
 The restart may happen inside active hours.
@@ -610,7 +620,7 @@ Enabling either of the following two policies will override the above policy:
 
 | Name | Value |
 |:--|:--|
-| Name | AutoRestartDeadline_Title |
+| Name | AutoRestartDeadline |
 | Friendly Name | Specify deadline before auto-restart for update installation |
 | Element Name | Quality Updates (days) |
 | Location | Computer Configuration |
@@ -641,6 +651,7 @@ Enabling either of the following two policies will override the above policy:
 <!-- AutoRestartDeadlinePeriodInDaysForFeatureUpdates-OmaUri-End -->
 
 <!-- AutoRestartDeadlinePeriodInDaysForFeatureUpdates-Description-Begin -->
+<!-- Description-Source-DDF -->
 For Feature Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled. The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks. Value type is integer. Default is 7 days. Supported values range: 2-30. **Note** that the PC must restart for certain updates to take effect. If you enable this policy, a restart will automatically occur the specified number of days after the restart was scheduled. If you disable or do not configure this policy, the PC will restart according to the default schedule. If any of the following two policies are enabled, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installations. Always automatically restart at scheduled time.
 <!-- AutoRestartDeadlinePeriodInDaysForFeatureUpdates-Description-End -->
 
@@ -664,7 +675,7 @@ For Feature Updates, this policy specifies the deadline in days before automatic
 
 | Name | Value |
 |:--|:--|
-| Name | AutoRestartDeadline_Title |
+| Name | AutoRestartDeadline |
 | Friendly Name | Specify deadline before auto-restart for update installation |
 | Element Name | Feature Updates (days) |
 | Location | Computer Configuration |
@@ -695,6 +706,7 @@ For Feature Updates, this policy specifies the deadline in days before automatic
 <!-- AutoRestartNotificationSchedule-OmaUri-End -->
 
 <!-- AutoRestartNotificationSchedule-Description-Begin -->
+<!-- Description-Source-DDF -->
 Allows the IT Admin to specify the period for auto-restart reminder notifications. The default value is 15 (minutes).
 <!-- AutoRestartNotificationSchedule-Description-End -->
 
@@ -729,7 +741,7 @@ Allows the IT Admin to specify the period for auto-restart reminder notification
 
 | Name | Value |
 |:--|:--|
-| Name | AutoRestartNotificationConfig_Title |
+| Name | AutoRestartNotificationConfig |
 | Friendly Name | Configure auto-restart reminder notifications for updates |
 | Element Name | Period (min) |
 | Location | Computer Configuration |
@@ -760,6 +772,7 @@ Allows the IT Admin to specify the period for auto-restart reminder notification
 <!-- AutoRestartRequiredNotificationDismissal-OmaUri-End -->
 
 <!-- AutoRestartRequiredNotificationDismissal-Description-Begin -->
+<!-- Description-Source-ADMX -->
 Enable this policy to specify the method by which the auto-restart required notification is dismissed. When a restart is required to install updates, the auto-restart required notification is displayed. By default, the notification is automatically dismissed after 25 seconds.
 
 The method can be set to require user action to dismiss the notification.
@@ -795,7 +808,7 @@ If you disable or do not configure this policy, the default method will be used.
 
 | Name | Value |
 |:--|:--|
-| Name | AutoRestartRequiredNotificationDismissal_Title |
+| Name | AutoRestartRequiredNotificationDismissal |
 | Friendly Name | Configure auto-restart required notification for updates |
 | Element Name | Method |
 | Location | Computer Configuration |
@@ -826,6 +839,7 @@ If you disable or do not configure this policy, the default method will be used.
 <!-- BranchReadinessLevel-OmaUri-End -->
 
 <!-- BranchReadinessLevel-Description-Begin -->
+<!-- Description-Source-DDF -->
 Allows the IT admin to set which branch a device receives their updates from. As of 1903, the branch readiness levels of Semi-Annual Channel (Targeted) and Semi-Annual Channel have been combined into one Semi-Annual Channel set with a value of 16. For devices on 1903 and later releases, the value of 32 is not a supported value.
 <!-- BranchReadinessLevel-Description-End -->
 
@@ -861,7 +875,7 @@ Allows the IT admin to set which branch a device receives their updates from. As
 
 | Name | Value |
 |:--|:--|
-| Name | DeferFeatureUpdates_Title |
+| Name | DeferFeatureUpdates |
 | Friendly Name | Select when Preview Builds and Feature Updates are received |
 | Location | Computer Configuration |
 | Path | Windows Components > Windows Update > Manage updates offered from Windows Update |
@@ -891,6 +905,7 @@ Allows the IT admin to set which branch a device receives their updates from. As
 <!-- ConfigureDeadlineForFeatureUpdates-OmaUri-End -->
 
 <!-- ConfigureDeadlineForFeatureUpdates-Description-Begin -->
+<!-- Description-Source-DDF -->
 Number of days before feature updates are installed on devices automatically regardless of active hours. Before the deadline passes, users will be able to schedule restarts, and automatic restarts can happen outside of active hours. When set to 0, updates will download and install immediately, but might not finish within the day due to device availability and network connectivity.
 <!-- ConfigureDeadlineForFeatureUpdates-Description-End -->
 
@@ -941,6 +956,7 @@ Number of days before feature updates are installed on devices automatically reg
 <!-- ConfigureDeadlineForQualityUpdates-OmaUri-End -->
 
 <!-- ConfigureDeadlineForQualityUpdates-Description-Begin -->
+<!-- Description-Source-DDF -->
 Number of days before quality updates are installed on devices automatically regardless of active hours. Before the deadline passes, users will be able to schedule restarts, and automatic restarts can happen outside of active hours. When set to 0, updates will download and install immediately, but might not finish within the day due to device availability and network connectivity.
 <!-- ConfigureDeadlineForQualityUpdates-Description-End -->
 
@@ -991,6 +1007,7 @@ Number of days before quality updates are installed on devices automatically reg
 <!-- ConfigureDeadlineGracePeriod-OmaUri-End -->
 
 <!-- ConfigureDeadlineGracePeriod-Description-Begin -->
+<!-- Description-Source-DDF -->
 Minimum number of days from update installation until restarts occur automatically for quality updates. This policy only takes effect when Update/ConfigureDeadlineForQualityUpdates is configured. If Update/ConfigureDeadlineForQualityUpdates is configured but this policy is not, then the default value of 2 days will take effect.
 <!-- ConfigureDeadlineGracePeriod-Description-End -->
 
@@ -1041,6 +1058,7 @@ Minimum number of days from update installation until restarts occur automatical
 <!-- ConfigureDeadlineGracePeriodForFeatureUpdates-OmaUri-End -->
 
 <!-- ConfigureDeadlineGracePeriodForFeatureUpdates-Description-Begin -->
+<!-- Description-Source-DDF -->
 Minimum number of days from update installation until restarts occur automatically for feature updates. This policy only takes effect when Update/ConfigureDeadlineForFeatureUpdates is configured. If Update/ConfigureDeadlineForFeatureUpdates is configured but this policy is not, then the value configured by Update/ConfigureDeadlineGracePeriod will be used. If Update/ConfigureDeadlineGracePeriod is also not configured, then the default value of 7 days will take effect.
 <!-- ConfigureDeadlineGracePeriodForFeatureUpdates-Description-End -->
 
@@ -1091,6 +1109,7 @@ Minimum number of days from update installation until restarts occur automatical
 <!-- ConfigureDeadlineNoAutoReboot-OmaUri-End -->
 
 <!-- ConfigureDeadlineNoAutoReboot-Description-Begin -->
+<!-- Description-Source-DDF -->
 When enabled, devices will not automatically restart outside of active hours until the deadline and grace period have expired, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForQualityUpdates or Update/ConfigureDeadlineForFeatureUpdates is configured.
 <!-- ConfigureDeadlineNoAutoReboot-Description-End -->
 
@@ -1149,6 +1168,7 @@ When enabled, devices will not automatically restart outside of active hours unt
 <!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-OmaUri-End -->
 
 <!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Description-Begin -->
+<!-- Description-Source-DDF -->
 When enabled, devices will not automatically restart outside of active hours until the deadline and grace period have expired for feature updates, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForFeatureUpdates is configured.
 <!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Description-End -->
 
@@ -1207,6 +1227,7 @@ When enabled, devices will not automatically restart outside of active hours unt
 <!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-OmaUri-End -->
 
 <!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Description-Begin -->
+<!-- Description-Source-DDF -->
 When enabled, devices will not automatically restart outside of active hours until the deadline and grace period have expired for quality updates, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForQualityUpdates is configured.
 <!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Description-End -->
 
@@ -1265,6 +1286,7 @@ When enabled, devices will not automatically restart outside of active hours unt
 <!-- ConfigureFeatureUpdateUninstallPeriod-OmaUri-End -->
 
 <!-- ConfigureFeatureUpdateUninstallPeriod-Description-Begin -->
+<!-- Description-Source-DDF -->
 Enable enterprises/IT admin to configure feature update uninstall period
 <!-- ConfigureFeatureUpdateUninstallPeriod-Description-End -->
 
@@ -1305,7 +1327,8 @@ Enable enterprises/IT admin to configure feature update uninstall period
 <!-- DeferFeatureUpdatesPeriodInDays-OmaUri-End -->
 
 <!-- DeferFeatureUpdatesPeriodInDays-Description-Begin -->
-Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.  Defers Feature Updates for the specified number of days. Supported values are 0-365 days. **Important**: The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703.
+<!-- Description-Source-DDF -->
+Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. Defers Feature Updates for the specified number of days. Supported values are 0-365 days. **Important**: The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703.
 <!-- DeferFeatureUpdatesPeriodInDays-Description-End -->
 
 <!-- DeferFeatureUpdatesPeriodInDays-Editable-Begin -->
@@ -1328,7 +1351,7 @@ Since this policy is not blocked, you will not get a failure message when you us
 
 | Name | Value |
 |:--|:--|
-| Name | DeferFeatureUpdates_Title |
+| Name | DeferFeatureUpdates |
 | Friendly Name | Select when Preview Builds and Feature Updates are received |
 | Element Name | How many days after a Feature Update is released would you like to defer the update before it is offered to the device? |
 | Location | Computer Configuration |
@@ -1359,6 +1382,7 @@ Since this policy is not blocked, you will not get a failure message when you us
 <!-- DeferQualityUpdatesPeriodInDays-OmaUri-End -->
 
 <!-- DeferQualityUpdatesPeriodInDays-Description-Begin -->
+<!-- Description-Source-DDF -->
 Defers Quality Updates for the specified number of days. Supported values are 0-30.
 <!-- DeferQualityUpdatesPeriodInDays-Description-End -->
 
@@ -1382,7 +1406,7 @@ Defers Quality Updates for the specified number of days. Supported values are 0-
 
 | Name | Value |
 |:--|:--|
-| Name | DeferQualityUpdates_Title |
+| Name | DeferQualityUpdates |
 | Friendly Name | Select when Quality Updates are received |
 | Element Name | After a quality update is released, defer receiving it for this many days |
 | Location | Computer Configuration |
@@ -1413,6 +1437,7 @@ Defers Quality Updates for the specified number of days. Supported values are 0-
 <!-- DeferUpdatePeriod-OmaUri-End -->
 
 <!-- DeferUpdatePeriod-Description-Begin -->
+<!-- Description-Source-DDF -->
 Note. Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. Allows IT Admins to specify update delays for up to 4 weeks. Supported values are 0-4, which refers to the number of weeks to defer updates. In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following:Update/RequireDeferUpgrade must be set to 1System/AllowTelemetry must be set to 1 or higherIf the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. OS upgrade:Maximum deferral: 8 monthsDeferral increment: 1 monthUpdate type/notes:Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5Update:Maximum deferral: 1 monthDeferral increment: 1 weekUpdate type/notes:If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic. - Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441- Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4- Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F- Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828- Tools - B4832BD8-E735-4761-8DAF-37F882276DAB- Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F- Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83- Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0Other/cannot defer:Maximum deferral: No deferralDeferral increment: No deferralUpdate type/notes:Any update category not specifically enumerated above falls into this category. - Definition Update - E0789628-CE08-4437-BE74-2495B842F43B
 <!-- DeferUpdatePeriod-Description-End -->
 
@@ -1463,7 +1488,8 @@ Note. Don't use this policy in Windows 10, version 1607 devices, instead use th
 <!-- DeferUpgradePeriod-OmaUri-End -->
 
 <!-- DeferUpgradePeriod-Description-Begin -->
-**Note**: Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. Allows IT Admins to specify additional upgrade delays for up to 8 months. Supported values are 0-8, which refers to the number of months to defer upgrades. If the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect.
+<!-- Description-Source-DDF -->
+NoteSince this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. Allows IT Admins to specify additional upgrade delays for up to 8 months. Supported values are 0-8, which refers to the number of months to defer upgrades. If the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect.
 <!-- DeferUpgradePeriod-Description-End -->
 
 <!-- DeferUpgradePeriod-Editable-Begin -->
@@ -1513,12 +1539,13 @@ Note. Don't use this policy in Windows 10, version 1607 devices, instead use th
 <!-- DetectionFrequency-OmaUri-End -->
 
 <!-- DetectionFrequency-Description-Begin -->
+<!-- Description-Source-DDF -->
 Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours.
 <!-- DetectionFrequency-Description-End -->
 
 <!-- DetectionFrequency-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-> [!NOTE]>
+> [!NOTE]
 > There is a random variant of 0-4 hours applied to the scan frequency, which cannot be configured.
 <!-- DetectionFrequency-Editable-End -->
 
@@ -1569,6 +1596,7 @@ Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours.
 <!-- DisableDualScan-OmaUri-End -->
 
 <!-- DisableDualScan-Description-Begin -->
+<!-- Description-Source-ADMX -->
 Enable this policy to not allow update deferral policies to cause scans against Windows Update.
 
 If this policy is disabled or not configured, then the Windows Update client may initiate automatic scans against Windows Update while update deferral policies are enabled.
@@ -1605,7 +1633,7 @@ Note: This policy applies only when the intranet Microsoft update service this c
 
 | Name | Value |
 |:--|:--|
-| Name | DisableDualScan_Title |
+| Name | DisableDualScan |
 | Friendly Name | Do not allow update deferral policies to cause scans against Windows Update |
 | Location | Computer Configuration |
 | Path | Windows Components > Windows Update > Legacy Policies |
@@ -1626,7 +1654,7 @@ Note: This policy applies only when the intranet Microsoft update service this c
 <!-- DisableWUfBSafeguards-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [17763.1490] and later <br> :heavy_check_mark: Unknown [18362.1110] and later <br> :heavy_check_mark: Unknown [18363.1110] and later <br> :heavy_check_mark: Unknown [19041.546] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763.1490] and later <br> :heavy_check_mark: Windows 10, version 1903 [10.0.18362.1110] and later <br> :heavy_check_mark: Windows 10, version 1909 [10.0.18363.1110] and later <br> :heavy_check_mark: Windows 10, version 2004 [10.0.19041.546] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
 <!-- DisableWUfBSafeguards-Applicability-End -->
 
 <!-- DisableWUfBSafeguards-OmaUri-Begin -->
@@ -1636,7 +1664,8 @@ Note: This policy applies only when the intranet Microsoft update service this c
 <!-- DisableWUfBSafeguards-OmaUri-End -->
 
 <!-- DisableWUfBSafeguards-Description-Begin -->
-<!-- Description-Not-Found -->
+<!-- Description-Source-DDF -->
+This policy setting specifies that a Windows Update for Business device should skip safeguards.
 <!-- DisableWUfBSafeguards-Description-End -->
 
 <!-- DisableWUfBSafeguards-Editable-Begin -->
@@ -1684,6 +1713,7 @@ Note: This policy applies only when the intranet Microsoft update service this c
 <!-- DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection-OmaUri-End -->
 
 <!-- DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection-Description-Begin -->
+<!-- Description-Source-ADMX-Element -->
 Do not enforce TLS certificate pinning for Windows Update client for detecting updates.
 <!-- DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection-Description-End -->
 
@@ -1748,6 +1778,7 @@ Do not enforce TLS certificate pinning for Windows Update client for detecting u
 <!-- EngagedRestartDeadline-OmaUri-End -->
 
 <!-- EngagedRestartDeadline-Description-Begin -->
+<!-- Description-Source-DDF -->
 For Quality Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks. **Note**: If Update/EngagedDeadline is the only policy set (Update/EngagedRestartTransitionSchedule and Update/EngagedRestartSnoozeSchedule are not set), the behavior goes from reboot required -> engaged behavior -> forced reboot after deadline is reached with a 3-day snooze period. Value type is integer. Default is 14. Supported value range: 2 - 30. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (e. g. pending user scheduling). If you disable or do not configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installationsAlways automatically restart at scheduled timeSpecify deadline before auto-restart for update installation
 <!-- EngagedRestartDeadline-Description-End -->
 
@@ -1771,7 +1802,7 @@ For Quality Updates, this policy specifies the deadline in days before automatic
 
 | Name | Value |
 |:--|:--|
-| Name | EngagedRestartTransitionSchedule_Title |
+| Name | EngagedRestartTransitionSchedule |
 | Friendly Name | Specify Engaged restart transition and notification schedule for updates |
 | Element Name | Deadline (days)  |
 | Location | Computer Configuration |
@@ -1802,6 +1833,7 @@ For Quality Updates, this policy specifies the deadline in days before automatic
 <!-- EngagedRestartDeadlineForFeatureUpdates-OmaUri-End -->
 
 <!-- EngagedRestartDeadlineForFeatureUpdates-Description-Begin -->
+<!-- Description-Source-DDF -->
 For Feature Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. Value type is integer. Default is 14. Supported value range: 2 - 30. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (e. g. pending user scheduling). If you disable or do not configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installationsAlways automatically restart at scheduled timeSpecify deadline before auto-restart for update installation
 <!-- EngagedRestartDeadlineForFeatureUpdates-Description-End -->
 
@@ -1825,7 +1857,7 @@ For Feature Updates, this policy specifies the deadline in days before automatic
 
 | Name | Value |
 |:--|:--|
-| Name | EngagedRestartTransitionSchedule_Title |
+| Name | EngagedRestartTransitionSchedule |
 | Friendly Name | Specify Engaged restart transition and notification schedule for updates |
 | Element Name | Deadline (days)  |
 | Location | Computer Configuration |
@@ -1856,6 +1888,7 @@ For Feature Updates, this policy specifies the deadline in days before automatic
 <!-- EngagedRestartSnoozeSchedule-OmaUri-End -->
 
 <!-- EngagedRestartSnoozeSchedule-Description-Begin -->
+<!-- Description-Source-DDF -->
 For Quality Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. Value type is integer. Default is 3 days. Supported value range: 1 - 3. If you disable or do not configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installationsAlways automatically restart at scheduled timeSpecify deadline before auto-restart for update installation
 <!-- EngagedRestartSnoozeSchedule-Description-End -->
 
@@ -1879,7 +1912,7 @@ For Quality Updates, this policy specifies the number of days a user can snooze
 
 | Name | Value |
 |:--|:--|
-| Name | EngagedRestartTransitionSchedule_Title |
+| Name | EngagedRestartTransitionSchedule |
 | Friendly Name | Specify Engaged restart transition and notification schedule for updates |
 | Element Name | Snooze (days)  |
 | Location | Computer Configuration |
@@ -1910,6 +1943,7 @@ For Quality Updates, this policy specifies the number of days a user can snooze
 <!-- EngagedRestartSnoozeScheduleForFeatureUpdates-OmaUri-End -->
 
 <!-- EngagedRestartSnoozeScheduleForFeatureUpdates-Description-Begin -->
+<!-- Description-Source-DDF -->
 For Feature Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. Value type is integer. Default is 3 days. Supported value range: 1 - 3. If you disable or do not configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installationsAlways automatically restart at scheduled timeSpecify deadline before auto-restart for update installation
 <!-- EngagedRestartSnoozeScheduleForFeatureUpdates-Description-End -->
 
@@ -1933,7 +1967,7 @@ For Feature Updates, this policy specifies the number of days a user can snooze
 
 | Name | Value |
 |:--|:--|
-| Name | EngagedRestartTransitionSchedule_Title |
+| Name | EngagedRestartTransitionSchedule |
 | Friendly Name | Specify Engaged restart transition and notification schedule for updates |
 | Element Name | Snooze (days)  |
 | Location | Computer Configuration |
@@ -1964,6 +1998,7 @@ For Feature Updates, this policy specifies the number of days a user can snooze
 <!-- EngagedRestartTransitionSchedule-OmaUri-End -->
 
 <!-- EngagedRestartTransitionSchedule-Description-Begin -->
+<!-- Description-Source-ADMX -->
 Enable this policy to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 0 and 30 days from the time the restart becomes pending.
 
 You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days.
@@ -2000,7 +2035,7 @@ Enabling any of the following policies will override the above policy:
 
 | Name | Value |
 |:--|:--|
-| Name | EngagedRestartTransitionSchedule_Title |
+| Name | EngagedRestartTransitionSchedule |
 | Friendly Name | Specify Engaged restart transition and notification schedule for updates |
 | Element Name | Transition (days)  |
 | Location | Computer Configuration |
@@ -2031,6 +2066,7 @@ Enabling any of the following policies will override the above policy:
 <!-- EngagedRestartTransitionScheduleForFeatureUpdates-OmaUri-End -->
 
 <!-- EngagedRestartTransitionScheduleForFeatureUpdates-Description-Begin -->
+<!-- Description-Source-DDF -->
 For Feature Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. Value type is integer. Default value is 7 days. Supported value range: 2 - 30. If you disable or do not configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installationsAlways automatically restart at scheduled timeSpecify deadline before auto-restart for update installation
 <!-- EngagedRestartTransitionScheduleForFeatureUpdates-Description-End -->
 
@@ -2054,7 +2090,7 @@ For Feature Updates, this policy specifies the timing before transitioning from
 
 | Name | Value |
 |:--|:--|
-| Name | EngagedRestartTransitionSchedule_Title |
+| Name | EngagedRestartTransitionSchedule |
 | Friendly Name | Specify Engaged restart transition and notification schedule for updates |
 | Element Name | Transition (days)  |
 | Location | Computer Configuration |
@@ -2085,6 +2121,7 @@ For Feature Updates, this policy specifies the timing before transitioning from
 <!-- ExcludeWUDriversInQualityUpdate-OmaUri-End -->
 
 <!-- ExcludeWUDriversInQualityUpdate-Description-Begin -->
+<!-- Description-Source-ADMX -->
 Enable this policy to not include drivers with Windows quality updates.
 
 If you disable or do not configure this policy, Windows Update will include updates that have a Driver classification.
@@ -2118,7 +2155,7 @@ If you disable or do not configure this policy, Windows Update will include upda
 
 | Name | Value |
 |:--|:--|
-| Name | ExcludeWUDriversInQualityUpdate_Title |
+| Name | ExcludeWUDriversInQualityUpdate |
 | Friendly Name | Do not include drivers with Windows Updates |
 | Location | Computer Configuration |
 | Path | Windows Components > Windows Update > Manage updates offered from Windows Update |
@@ -2149,6 +2186,7 @@ If you disable or do not configure this policy, Windows Update will include upda
 <!-- FillEmptyContentUrls-OmaUri-End -->
 
 <!-- FillEmptyContentUrls-Description-Begin -->
+<!-- Description-Source-DDF -->
 Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL). **Note**: This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service does not provide download URLs in the update metadata for files which are available on the alternate download server.
 <!-- FillEmptyContentUrls-Description-End -->
 
@@ -2211,6 +2249,7 @@ Allows Windows Update Agent to determine the download URL when it is missing fro
 <!-- IgnoreMOAppDownloadLimit-OmaUri-End -->
 
 <!-- IgnoreMOAppDownloadLimit-Description-Begin -->
+<!-- Description-Source-DDF -->
 Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. **Warning**: Setting this policy might cause devices to incur costs from MO operators.
 <!-- IgnoreMOAppDownloadLimit-Description-End -->
 
@@ -2267,6 +2306,7 @@ To validate this policy:
 <!-- IgnoreMOUpdateDownloadLimit-OmaUri-End -->
 
 <!-- IgnoreMOUpdateDownloadLimit-Description-Begin -->
+<!-- Description-Source-DDF -->
 Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. **Warning**: Setting this policy might cause devices to incur costs from MO operators.
 <!-- IgnoreMOUpdateDownloadLimit-Description-End -->
 
@@ -2323,6 +2363,7 @@ To validate this policy:
 <!-- ManagePreviewBuilds-OmaUri-End -->
 
 <!-- ManagePreviewBuilds-Description-Begin -->
+<!-- Description-Source-DDF -->
 Used to manage Windows 10 Insider Preview builds. Value type is integer.
 <!-- ManagePreviewBuilds-Description-End -->
 
@@ -2356,7 +2397,7 @@ Used to manage Windows 10 Insider Preview builds. Value type is integer.
 
 | Name | Value |
 |:--|:--|
-| Name | ManagePreviewBuilds_Title |
+| Name | ManagePreviewBuilds |
 | Friendly Name | Manage preview builds |
 | Location | Computer Configuration |
 | Path | Windows Components > Windows Update > Manage updates offered from Windows Update |
@@ -2386,6 +2427,7 @@ Used to manage Windows 10 Insider Preview builds. Value type is integer.
 <!-- NoUpdateNotificationsDuringActiveHours-OmaUri-End -->
 
 <!-- NoUpdateNotificationsDuringActiveHours-Description-Begin -->
+<!-- Description-Source-DDF -->
 When enabled, notifications will only be disabled during active hours. Takes effect only if Update/UpdateNotificationLevel is configured to 1 or 2. To ensure that the device stays secure, a notification will still be shown if this option is selected once “Specify deadlines for automatic updates and restarts” deadline has been reached if configured, regardless of active hours.
 <!-- NoUpdateNotificationsDuringActiveHours-Description-End -->
 
@@ -2446,7 +2488,8 @@ When enabled, notifications will only be disabled during active hours. Takes eff
 <!-- PauseDeferrals-OmaUri-End -->
 
 <!-- PauseDeferrals-Description-Begin -->
-**Note**: Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use PauseDeferrals for Windows 10, version 1511 devices. Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks. If the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect.
+<!-- Description-Source-DDF -->
+NoteDon't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use PauseDeferrals for Windows 10, version 1511 devices. Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks. If the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect.
 <!-- PauseDeferrals-Description-End -->
 
 <!-- PauseDeferrals-Editable-Begin -->
@@ -2504,7 +2547,8 @@ When enabled, notifications will only be disabled during active hours. Takes eff
 <!-- PauseFeatureUpdates-OmaUri-End -->
 
 <!-- PauseFeatureUpdates-Description-Begin -->
-Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.  Allows IT Admins to pause Feature Updates for up to 60 days.
+<!-- Description-Source-DDF -->
+Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. Allows IT Admins to pause Feature Updates for up to 60 days.
 <!-- PauseFeatureUpdates-Description-End -->
 
 <!-- PauseFeatureUpdates-Editable-Begin -->
@@ -2537,7 +2581,7 @@ Since this policy is not blocked, you will not get a failure message when you us
 
 | Name | Value |
 |:--|:--|
-| Name | DeferFeatureUpdates_Title |
+| Name | DeferFeatureUpdates |
 | Friendly Name | Select when Preview Builds and Feature Updates are received |
 | Location | Computer Configuration |
 | Path | Windows Components > Windows Update > Manage updates offered from Windows Update |
@@ -2567,6 +2611,7 @@ Since this policy is not blocked, you will not get a failure message when you us
 <!-- PauseFeatureUpdatesStartTime-OmaUri-End -->
 
 <!-- PauseFeatureUpdatesStartTime-Description-Begin -->
+<!-- Description-Source-DDF -->
 Specifies the date and time when the IT admin wants to start pausing the Feature Updates. Value type is string (yyyy-mm-dd, ex. 2018-10-28). Supported operations are Add, Get, Delete, and Replace.
 <!-- PauseFeatureUpdatesStartTime-Description-End -->
 
@@ -2588,7 +2633,7 @@ Specifies the date and time when the IT admin wants to start pausing the Feature
 
 | Name | Value |
 |:--|:--|
-| Name | DeferFeatureUpdates_Title |
+| Name | DeferFeatureUpdates |
 | Friendly Name | Select when Preview Builds and Feature Updates are received |
 | Element Name | Pause Preview Builds or Feature Updates starting |
 | Location | Computer Configuration |
@@ -2619,6 +2664,7 @@ Specifies the date and time when the IT admin wants to start pausing the Feature
 <!-- PauseQualityUpdates-OmaUri-End -->
 
 <!-- PauseQualityUpdates-Description-Begin -->
+<!-- Description-Source-DDF -->
 Allows IT Admins to pause Quality Updates.
 <!-- PauseQualityUpdates-Description-End -->
 
@@ -2652,7 +2698,7 @@ Allows IT Admins to pause Quality Updates.
 
 | Name | Value |
 |:--|:--|
-| Name | DeferQualityUpdates_Title |
+| Name | DeferQualityUpdates |
 | Friendly Name | Select when Quality Updates are received |
 | Location | Computer Configuration |
 | Path | Windows Components > Windows Update > Manage updates offered from Windows Update |
@@ -2682,6 +2728,7 @@ Allows IT Admins to pause Quality Updates.
 <!-- PauseQualityUpdatesStartTime-OmaUri-End -->
 
 <!-- PauseQualityUpdatesStartTime-Description-Begin -->
+<!-- Description-Source-DDF -->
 Specifies the date and time when the IT admin wants to start pausing the Quality Updates. Value type is string (yyyy-mm-dd, ex. 2018-10-28). Supported operations are Add, Get, Delete, and Replace.
 <!-- PauseQualityUpdatesStartTime-Description-End -->
 
@@ -2705,7 +2752,7 @@ Specifies the date and time when the IT admin wants to start pausing the Quality
 
 | Name | Value |
 |:--|:--|
-| Name | DeferQualityUpdates_Title |
+| Name | DeferQualityUpdates |
 | Friendly Name | Select when Quality Updates are received |
 | Element Name | Pause Quality Updates starting |
 | Location | Computer Configuration |
@@ -2736,6 +2783,7 @@ Specifies the date and time when the IT admin wants to start pausing the Quality
 <!-- PhoneUpdateRestrictions-OmaUri-End -->
 
 <!-- PhoneUpdateRestrictions-Description-Begin -->
+<!-- Description-Source-DDF -->
 This policy is deprecated. Use Update/RequireUpdateApproval instead.
 <!-- PhoneUpdateRestrictions-Description-End -->
 
@@ -2766,7 +2814,7 @@ This policy is deprecated. Use Update/RequireUpdateApproval instead.
 <!-- ProductVersion-Applicability-Begin -->
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | <!-- Not-Found --> |
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
 <!-- ProductVersion-Applicability-End -->
 
 <!-- ProductVersion-OmaUri-Begin -->
@@ -2776,6 +2824,7 @@ This policy is deprecated. Use Update/RequireUpdateApproval instead.
 <!-- ProductVersion-OmaUri-End -->
 
 <!-- ProductVersion-Description-Begin -->
+<!-- Description-Source-DDF -->
 Enables IT administrators to specify the product version associated with the target feature update they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see Windows release information.
 <!-- ProductVersion-Description-End -->
 
@@ -2831,7 +2880,8 @@ Supported value type is a string containing a Windows product. For example, "Win
 <!-- RequireDeferUpgrade-OmaUri-End -->
 
 <!-- RequireDeferUpgrade-Description-Begin -->
-**Note**: Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. Allows the IT admin to set a device to Semi-Annual Channel train.
+<!-- Description-Source-DDF -->
+NoteDon't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. Allows the IT admin to set a device to Semi-Annual Channel train.
 <!-- RequireDeferUpgrade-Description-End -->
 
 <!-- RequireDeferUpgrade-Editable-Begin -->
@@ -2889,7 +2939,8 @@ Supported value type is a string containing a Windows product. For example, "Win
 <!-- RequireUpdateApproval-OmaUri-End -->
 
 <!-- RequireUpdateApproval-Description-Begin -->
-**Note**: If you previously used the Update/PhoneUpdateRestrictions policy in previous versions of Windows, it has been deprecated. Please use this policy instead. Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved. Supported operations are Get and Replace.
+<!-- Description-Source-DDF -->
+Note If you previously used the Update/PhoneUpdateRestrictions policy in previous versions of Windows, it has been deprecated. Please use this policy instead. Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved. Supported operations are Get and Replace.
 <!-- RequireUpdateApproval-Description-End -->
 
 <!-- RequireUpdateApproval-Editable-Begin -->
@@ -2937,6 +2988,7 @@ Supported value type is a string containing a Windows product. For example, "Win
 <!-- ScheduledInstallDay-OmaUri-End -->
 
 <!-- ScheduledInstallDay-Description-Begin -->
+<!-- Description-Source-DDF -->
 Enables the IT admin to schedule the day of the update installation. The data type is a integer. Supported operations are Add, Delete, Get, and Replace.
 <!-- ScheduledInstallDay-Description-End -->
 
@@ -3007,6 +3059,7 @@ Enables the IT admin to schedule the day of the update installation. The data ty
 <!-- ScheduledInstallEveryWeek-OmaUri-End -->
 
 <!-- ScheduledInstallEveryWeek-Description-Begin -->
+<!-- Description-Source-DDF -->
 Enables the IT admin to schedule the update installation on the every week. Value type is integer. Supported values:0 - no update in the schedule1 - update is scheduled every week
 <!-- ScheduledInstallEveryWeek-Description-End -->
 
@@ -3071,6 +3124,7 @@ Enables the IT admin to schedule the update installation on the every week. Valu
 <!-- ScheduledInstallFirstWeek-OmaUri-End -->
 
 <!-- ScheduledInstallFirstWeek-Description-Begin -->
+<!-- Description-Source-DDF -->
 Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer. Supported values:0 - no update in the schedule1 - update is scheduled every first week of the month
 <!-- ScheduledInstallFirstWeek-Description-End -->
 
@@ -3135,6 +3189,7 @@ Enables the IT admin to schedule the update installation on the first week of th
 <!-- ScheduledInstallFourthWeek-OmaUri-End -->
 
 <!-- ScheduledInstallFourthWeek-Description-Begin -->
+<!-- Description-Source-DDF -->
 Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer. Supported values:0 - no update in the schedule1 - update is scheduled every fourth week of the month
 <!-- ScheduledInstallFourthWeek-Description-End -->
 
@@ -3199,6 +3254,7 @@ Enables the IT admin to schedule the update installation on the fourth week of t
 <!-- ScheduledInstallSecondWeek-OmaUri-End -->
 
 <!-- ScheduledInstallSecondWeek-Description-Begin -->
+<!-- Description-Source-DDF -->
 Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer. Supported values:0 - no update in the schedule1 - update is scheduled every second week of the month
 <!-- ScheduledInstallSecondWeek-Description-End -->
 
@@ -3263,6 +3319,7 @@ Enables the IT admin to schedule the update installation on the second week of t
 <!-- ScheduledInstallThirdWeek-OmaUri-End -->
 
 <!-- ScheduledInstallThirdWeek-Description-Begin -->
+<!-- Description-Source-DDF -->
 Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer. Supported values:0 - no update in the schedule1 - update is scheduled every third week of the month
 <!-- ScheduledInstallThirdWeek-Description-End -->
 
@@ -3327,7 +3384,8 @@ Enables the IT admin to schedule the update installation on the third week of th
 <!-- ScheduledInstallTime-OmaUri-End -->
 
 <!-- ScheduledInstallTime-Description-Begin -->
-**Note**: This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile EnterpriseEnables the IT admin to schedule the time of the update installation. The data type is a integer. Supported operations are Add, Delete, Get, and Replace. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3.
+<!-- Description-Source-DDF -->
+Note This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile EnterpriseEnables the IT admin to schedule the time of the update installation. The data type is a integer. Supported operations are Add, Delete, Get, and Replace. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3.
 <!-- ScheduledInstallTime-Description-End -->
 
 <!-- ScheduledInstallTime-Editable-Begin -->
@@ -3385,6 +3443,7 @@ Enables the IT admin to schedule the update installation on the third week of th
 <!-- ScheduleImminentRestartWarning-OmaUri-End -->
 
 <!-- ScheduleImminentRestartWarning-Description-Begin -->
+<!-- Description-Source-DDF -->
 Allows the IT Admin to specify the period for auto-restart imminent warning notifications. The default value is 15 (minutes).
 <!-- ScheduleImminentRestartWarning-Description-End -->
 
@@ -3417,7 +3476,7 @@ Allows the IT Admin to specify the period for auto-restart imminent warning noti
 
 | Name | Value |
 |:--|:--|
-| Name | RestartWarningSchd_Title |
+| Name | RestartWarnRemind |
 | Friendly Name | Configure auto-restart warning notifications schedule for updates |
 | Element Name | Warning (mins) |
 | Location | Computer Configuration |
@@ -3448,6 +3507,7 @@ Allows the IT Admin to specify the period for auto-restart imminent warning noti
 <!-- ScheduleRestartWarning-OmaUri-End -->
 
 <!-- ScheduleRestartWarning-Description-Begin -->
+<!-- Description-Source-ADMX -->
 Enable this policy to control when notifications are displayed to warn users about a scheduled restart for the update installation deadline. Users are not able to postpone the scheduled restart once the deadline has been reached and the restart is automatically executed.
 
 Specifies the amount of time prior to a scheduled restart to display the warning reminder to the user.
@@ -3488,7 +3548,7 @@ If you disable or do not configure this policy, the default notification behavio
 
 | Name | Value |
 |:--|:--|
-| Name | RestartWarningSchd_Title |
+| Name | RestartWarnRemind |
 | Friendly Name | Configure auto-restart warning notifications schedule for updates |
 | Element Name | Reminder (hours) |
 | Location | Computer Configuration |
@@ -3519,6 +3579,7 @@ If you disable or do not configure this policy, the default notification behavio
 <!-- SetAutoRestartNotificationDisable-OmaUri-End -->
 
 <!-- SetAutoRestartNotificationDisable-Description-Begin -->
+<!-- Description-Source-DDF -->
 Allows the IT Admin to disable auto-restart notifications for update installations.
 <!-- SetAutoRestartNotificationDisable-Description-End -->
 
@@ -3550,7 +3611,7 @@ Allows the IT Admin to disable auto-restart notifications for update installatio
 
 | Name | Value |
 |:--|:--|
-| Name | AutoRestartNotificationDisable_Title |
+| Name | AutoRestartNotificationDisable |
 | Friendly Name | Turn off auto-restart notifications for update installations |
 | Location | Computer Configuration |
 | Path | Windows Components > Windows Update > Legacy Policies |
@@ -3580,7 +3641,10 @@ Allows the IT Admin to disable auto-restart notifications for update installatio
 <!-- SetDisablePauseUXAccess-OmaUri-End -->
 
 <!-- SetDisablePauseUXAccess-Description-Begin -->
-This policy allows the IT admin to disable the Pause Updates feature. When this policy is enabled, the user cannot access the Pause updates feature. Value type is integer. Default is 0. Supported values 0, 1.
+<!-- Description-Source-ADMX -->
+This setting allows to remove access to "Pause updates" feature.
+
+Once enabled user access to pause updates is removed.
 <!-- SetDisablePauseUXAccess-Description-End -->
 
 <!-- SetDisablePauseUXAccess-Editable-Begin -->
@@ -3611,8 +3675,13 @@ This policy allows the IT admin to disable the Pause Updates feature. When this
 
 | Name | Value |
 |:--|:--|
-| Name | SetDisablePauseUXAccess |
+| Name | DisablePauseUXAccess |
-| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat |
+| Friendly Name | Remove access to "Pause updates" feature |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Update > Manage end user experience |
+| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate |
+| Registry Value Name | SetDisablePauseUXAccess |
+| ADMX File Name | WindowsUpdate.admx |
 <!-- SetDisablePauseUXAccess-GpMapping-End -->
 
 <!-- SetDisablePauseUXAccess-Examples-Begin -->
@@ -3637,7 +3706,10 @@ This policy allows the IT admin to disable the Pause Updates feature. When this
 <!-- SetDisableUXWUAccess-OmaUri-End -->
 
 <!-- SetDisableUXWUAccess-Description-Begin -->
-This policy allows the IT admin to remove access to scan Windows Update. When this policy is enabled, the user cannot access the Windows Update scan, download, and install features. Value type is integer. Default is 0. Supported values 0, 1.
+<!-- Description-Source-ADMX -->
+This setting allows you to remove access to scan Windows Update.
+
+If you enable this setting user access to Windows Update scan, download and install is removed.
 <!-- SetDisableUXWUAccess-Description-End -->
 
 <!-- SetDisableUXWUAccess-Editable-Begin -->
@@ -3668,8 +3740,13 @@ This policy allows the IT admin to remove access to scan Windows Update. When th
 
 | Name | Value |
 |:--|:--|
-| Name | SetDisableUXWUAccess |
+| Name | DisableUXWUAccess |
-| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat |
+| Friendly Name | Remove access to use all Windows Update features |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Update > Manage end user experience |
+| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate |
+| Registry Value Name | SetDisableUXWUAccess |
+| ADMX File Name | WindowsUpdate.admx |
 <!-- SetDisableUXWUAccess-GpMapping-End -->
 
 <!-- SetDisableUXWUAccess-Examples-Begin -->
@@ -3694,6 +3771,7 @@ This policy allows the IT admin to remove access to scan Windows Update. When th
 <!-- SetEDURestart-OmaUri-End -->
 
 <!-- SetEDURestart-Description-Begin -->
+<!-- Description-Source-ADMX -->
 Enabling this policy for EDU devices that remain on Carts overnight will skip power checks to ensure update reboots will happen at the scheduled install time.
 <!-- SetEDURestart-Description-End -->
 
@@ -3725,7 +3803,7 @@ Enabling this policy for EDU devices that remain on Carts overnight will skip po
 
 | Name | Value |
 |:--|:--|
-| Name | SetEDURestart_Title |
+| Name | SetEDURestart |
 | Friendly Name | Update Power Policy for Cart Restarts |
 | Location | Computer Configuration |
 | Path | Windows Components > Windows Update > Manage end user experience |
@@ -3756,7 +3834,7 @@ Enabling this policy for EDU devices that remain on Carts overnight will skip po
 <!-- SetPolicyDrivenUpdateSourceForDriverUpdates-OmaUri-End -->
 
 <!-- SetPolicyDrivenUpdateSourceForDriverUpdates-Description-Begin -->
-<!-- Description-Not-Found -->
+<!-- Description-Source-Not-Found -->
 <!-- SetPolicyDrivenUpdateSourceForDriverUpdates-Description-End -->
 
 <!-- SetPolicyDrivenUpdateSourceForDriverUpdates-Editable-Begin -->
@@ -3817,7 +3895,7 @@ Enabling this policy for EDU devices that remain on Carts overnight will skip po
 <!-- SetPolicyDrivenUpdateSourceForFeatureUpdates-OmaUri-End -->
 
 <!-- SetPolicyDrivenUpdateSourceForFeatureUpdates-Description-Begin -->
-<!-- Description-Not-Found -->
+<!-- Description-Source-Not-Found -->
 <!-- SetPolicyDrivenUpdateSourceForFeatureUpdates-Description-End -->
 
 <!-- SetPolicyDrivenUpdateSourceForFeatureUpdates-Editable-Begin -->
@@ -3878,7 +3956,7 @@ Enabling this policy for EDU devices that remain on Carts overnight will skip po
 <!-- SetPolicyDrivenUpdateSourceForOtherUpdates-OmaUri-End -->
 
 <!-- SetPolicyDrivenUpdateSourceForOtherUpdates-Description-Begin -->
-<!-- Description-Not-Found -->
+<!-- Description-Source-Not-Found -->
 <!-- SetPolicyDrivenUpdateSourceForOtherUpdates-Description-End -->
 
 <!-- SetPolicyDrivenUpdateSourceForOtherUpdates-Editable-Begin -->
@@ -3939,7 +4017,7 @@ Enabling this policy for EDU devices that remain on Carts overnight will skip po
 <!-- SetPolicyDrivenUpdateSourceForQualityUpdates-OmaUri-End -->
 
 <!-- SetPolicyDrivenUpdateSourceForQualityUpdates-Description-Begin -->
-<!-- Description-Not-Found -->
+<!-- Description-Source-Not-Found -->
 <!-- SetPolicyDrivenUpdateSourceForQualityUpdates-Description-End -->
 
 <!-- SetPolicyDrivenUpdateSourceForQualityUpdates-Editable-Begin -->
@@ -4000,6 +4078,7 @@ Enabling this policy for EDU devices that remain on Carts overnight will skip po
 <!-- SetProxyBehaviorForUpdateDetection-OmaUri-End -->
 
 <!-- SetProxyBehaviorForUpdateDetection-Description-Begin -->
+<!-- Description-Source-ADMX-Element -->
 Select the proxy behavior for Windows Update client for detecting updates
 <!-- SetProxyBehaviorForUpdateDetection-Description-End -->
 
@@ -4068,6 +4147,7 @@ This policy setting doesn't impact those customers who have, per Microsoft recom
 <!-- TargetReleaseVersion-OmaUri-End -->
 
 <!-- TargetReleaseVersion-Description-Begin -->
+<!-- Description-Source-DDF -->
 Available in Windows 10, version 1803 and later. Enables IT administrators to specify which version they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see Windows 10 release information.
 <!-- TargetReleaseVersion-Description-End -->
 
@@ -4089,7 +4169,7 @@ Available in Windows 10, version 1803 and later. Enables IT administrators to sp
 
 | Name | Value |
 |:--|:--|
-| Name | TargetReleaseVersion_Title |
+| Name | TargetReleaseVersion |
 | Friendly Name | Select the target Feature Update version |
 | Element Name | Target Version for Feature Updates |
 | Location | Computer Configuration |
@@ -4120,6 +4200,7 @@ Available in Windows 10, version 1803 and later. Enables IT administrators to sp
 <!-- UpdateNotificationLevel-OmaUri-End -->
 
 <!-- UpdateNotificationLevel-Description-Begin -->
+<!-- Description-Source-ADMX -->
 0 (default) – Use the default Windows Update notifications
 1 – Turn off all notifications, excluding restart warnings
 2 – Turn off all notifications, including restart warnings
@@ -4160,7 +4241,7 @@ If you select “Apply only during active hours” in conjunction with Option 1
 
 | Name | Value |
 |:--|:--|
-| Name | UpdateNotificationLevel_Title |
+| Name | UpdateNotificationLevel |
 | Friendly Name | Display options for update notifications |
 | Location | Computer Configuration |
 | Path | Windows Components > Windows Update > Manage end user experience |
@@ -4191,7 +4272,8 @@ If you select “Apply only during active hours” in conjunction with Option 1
 <!-- UpdateServiceUrl-OmaUri-End -->
 
 <!-- UpdateServiceUrl-Description-Begin -->
-**Important**: Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enterprise and IoT Mobile. Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. Supported operations are Get and Replace.
+<!-- Description-Source-DDF -->
+ImportantStarting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enterprise and IoT Mobile. Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. Supported operations are Get and Replace.
 <!-- UpdateServiceUrl-Description-End -->
 
 <!-- UpdateServiceUrl-Editable-Begin -->
@@ -4244,6 +4326,7 @@ If you select “Apply only during active hours” in conjunction with Option 1
 <!-- UpdateServiceUrlAlternate-OmaUri-End -->
 
 <!-- UpdateServiceUrlAlternate-Description-Begin -->
+<!-- Description-Source-DDF -->
 Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. Value type is string and the default value is an empty string, . If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. **Note**: If the Configure Automatic Updates Group Policy is disabled, then this policy has no effect. If the Alternate Download Server Group Policy is not set, it will use the WSUS server by default to download updates. This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
 <!-- UpdateServiceUrlAlternate-Description-End -->
 

windows/client-management/mdm/policy-csp-windowsinkworkspace.md

@@ -1,138 +1,158 @@
 ---
-title: Policy CSP - WindowsInkWorkspace
+title: WindowsInkWorkspace Policy CSP
-description: Learn to use the Policy CSP - WindowsInkWorkspace setting to specify whether to allow the user to access the ink workspace.
+description: Learn more about the WindowsInkWorkspace Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.date: 12/07/2022
+ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
+ms.topic: reference
-ms.localizationpriority: medium
-ms.date: 09/27/2019
-ms.reviewer: 
-manager: aaroncz
 ---
 
+<!-- Auto-Generated CSP Document -->
+
+<!-- WindowsInkWorkspace-Begin -->
 # Policy CSP - WindowsInkWorkspace
 
-<hr/>
+<!-- WindowsInkWorkspace-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- WindowsInkWorkspace-Editable-End -->
 
-<!--Policies-->
+<!-- AllowSuggestedAppsInWindowsInkWorkspace-Begin -->
-## WindowsInkWorkspace policies
+## AllowSuggestedAppsInWindowsInkWorkspace
 
-<dl>
+<!-- AllowSuggestedAppsInWindowsInkWorkspace-Applicability-Begin -->
-  <dd>
+| Scope | Editions | Applicable OS |
-    <a href="#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace">WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace</a>
+|:--|:--|:--|
-  </dd>
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
-  <dd>
+<!-- AllowSuggestedAppsInWindowsInkWorkspace-Applicability-End -->
-    <a href="#windowsinkworkspace-allowwindowsinkworkspace">WindowsInkWorkspace/AllowWindowsInkWorkspace</a>
-  </dd>
-</dl>
 
-<hr/>
+<!-- AllowSuggestedAppsInWindowsInkWorkspace-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace
+```
+<!-- AllowSuggestedAppsInWindowsInkWorkspace-OmaUri-End -->
 
-<!--Policy-->
+<!-- AllowSuggestedAppsInWindowsInkWorkspace-Description-Begin -->
-<a href="" id="windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace"></a>**WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace**
+<!-- Description-Source-ADMX -->
+Allow suggested apps in Windows Ink Workspace
+<!-- AllowSuggestedAppsInWindowsInkWorkspace-Description-End -->
 
-<!--SupportedSKUs-->
+<!-- AllowSuggestedAppsInWindowsInkWorkspace-Editable-Begin -->
-The table below shows the applicability of Windows:
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- AllowSuggestedAppsInWindowsInkWorkspace-Editable-End -->
 
-|Edition|Windows 10|Windows 11|
+<!-- AllowSuggestedAppsInWindowsInkWorkspace-DFProperties-Begin -->
-|--- |--- |--- |
+**Description framework properties**:
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
 
-<!--/SupportedSKUs-->
+| Property name | Property value |
-<hr/>
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 1 |
+<!-- AllowSuggestedAppsInWindowsInkWorkspace-DFProperties-End -->
 
-<!--Scope-->
+<!-- AllowSuggestedAppsInWindowsInkWorkspace-AllowedValues-Begin -->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+**Allowed values**:
 
-> [!div class = "checklist"]
+| Value | Description |
-> * Device
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+<!-- AllowSuggestedAppsInWindowsInkWorkspace-AllowedValues-End -->
 
-<hr/>
+<!-- AllowSuggestedAppsInWindowsInkWorkspace-GpMapping-Begin -->
+**Group policy mapping**:
 
-<!--/Scope-->
+| Name | Value |
-<!--Description-->
+|:--|:--|
-Show recommended app suggestions in the ink workspace.
+| Name | AllowSuggestedAppsInWindowsInkWorkspace |
+| Friendly Name | Allow suggested apps in Windows Ink Workspace |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Ink Workspace |
+| Registry Key Name | Software\Policies\Microsoft\WindowsInkWorkspace |
+| Registry Value Name | AllowSuggestedAppsInWindowsInkWorkspace |
+| ADMX File Name | WindowsInkWorkspace.admx |
+<!-- AllowSuggestedAppsInWindowsInkWorkspace-GpMapping-End -->
 
-<!--/Description-->
+<!-- AllowSuggestedAppsInWindowsInkWorkspace-Examples-Begin -->
-<!--ADMXMapped-->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-ADMX Info:
+<!-- AllowSuggestedAppsInWindowsInkWorkspace-Examples-End -->
--   GP Friendly name: *Allow suggested apps in Windows Ink Workspace*
--   GP name: *AllowSuggestedAppsInWindowsInkWorkspace*
--   GP path: *Windows Components/Windows Ink Workspace*
--   GP ADMX file name: *WindowsInkWorkspace.admx*
 
-<!--/ADMXMapped-->
+<!-- AllowSuggestedAppsInWindowsInkWorkspace-End -->
-<!--SupportedValues-->
-The following list shows the supported values:
 
--   0 - app suggestions are not allowed.
+<!-- AllowWindowsInkWorkspace-Begin -->
--   1 (default) -allow app suggestions.
+## AllowWindowsInkWorkspace
 
-<!--/SupportedValues-->
+<!-- AllowWindowsInkWorkspace-Applicability-Begin -->
-<!--/Policy-->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- AllowWindowsInkWorkspace-Applicability-End -->
 
-<hr/>
+<!-- AllowWindowsInkWorkspace-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsInkWorkspace/AllowWindowsInkWorkspace
+```
+<!-- AllowWindowsInkWorkspace-OmaUri-End -->
 
-<!--Policy-->
+<!-- AllowWindowsInkWorkspace-Description-Begin -->
-<a href="" id="windowsinkworkspace-allowwindowsinkworkspace"></a>**WindowsInkWorkspace/AllowWindowsInkWorkspace**
+<!-- Description-Source-DDF -->
-
-<!--SupportedSKUs-->
-The table below shows the applicability of Windows:
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
 Specifies whether to allow the user to access the ink workspace.
+<!-- AllowWindowsInkWorkspace-Description-End -->
 
-<!--/Description-->
+<!-- AllowWindowsInkWorkspace-Editable-Begin -->
-<!--ADMXMapped-->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-ADMX Info:
+<!-- AllowWindowsInkWorkspace-Editable-End -->
--   GP Friendly name: *Allow Windows Ink Workspace*
--   GP name: *AllowWindowsInkWorkspace*
--   GP element: *AllowWindowsInkWorkspaceDropdown*
--   GP path: *Windows Components/Windows Ink Workspace*
--   GP ADMX file name: *WindowsInkWorkspace.admx*
 
-<!--/ADMXMapped-->
+<!-- AllowWindowsInkWorkspace-DFProperties-Begin -->
-<!--SupportedValues-->
+**Description framework properties**:
-Supported value type is int. The following list shows the supported values:
 
--   0 - access to ink workspace is disabled. The feature is turned off.
+| Property name | Property value |
--   1 - ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen.
+|:--|:--|
--   2 (default) - ink workspace is enabled (feature is turned on), and the user is allowed to use it above the lock screen.
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 2 |
+<!-- AllowWindowsInkWorkspace-DFProperties-End -->
 
-<!--/SupportedValues-->
+<!-- AllowWindowsInkWorkspace-AllowedValues-Begin -->
-<!--/Policy-->
+**Allowed values**:
-<hr/>
 
-<!--/Policies-->
+| Value | Description |
+|:--|:--|
+| 0 | access to ink workspace is disabled. The feature is turned off. |
+| 1 | ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen. |
+| 2 (Default) | ink workspace is enabled (feature is turned on), and the user is allowed to use it above the lock screen. |
+<!-- AllowWindowsInkWorkspace-AllowedValues-End -->
 
-## Related topics
+<!-- AllowWindowsInkWorkspace-GpMapping-Begin -->
+**Group policy mapping**:
 
-[Policy configuration service provider](policy-configuration-service-provider.md)
+| Name | Value |
+|:--|:--|
+| Name | AllowWindowsInkWorkspace |
+| Friendly Name | Allow Windows Ink Workspace |
+| Element Name | Choose one of the following actions |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Ink Workspace |
+| Registry Key Name | Software\Policies\Microsoft\WindowsInkWorkspace |
+| ADMX File Name | WindowsInkWorkspace.admx |
+<!-- AllowWindowsInkWorkspace-GpMapping-End -->
+
+<!-- AllowWindowsInkWorkspace-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AllowWindowsInkWorkspace-Examples-End -->
+
+<!-- AllowWindowsInkWorkspace-End -->
+
+<!-- WindowsInkWorkspace-CspMoreInfo-Begin -->
+<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+<!-- WindowsInkWorkspace-CspMoreInfo-End -->
+
+<!-- WindowsInkWorkspace-End -->
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)

windows/client-management/mdm/policy-csp-windowspowershell.md

@@ -1,92 +1,103 @@
 ---
-title: Policy CSP - WindowsPowerShell
+title: WindowsPowerShell Policy CSP
-description: Use the Policy CSP - WindowsPowerShell setting to enable logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log.
+description: Learn more about the WindowsPowerShell Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.date: 12/07/2022
+ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
+ms.topic: reference
-ms.localizationpriority: medium
-ms.date: 09/27/2019
-ms.reviewer: 
-manager: aaroncz
 ---
 
+<!-- Auto-Generated CSP Document -->
+
+<!-- WindowsPowerShell-Begin -->
 # Policy CSP - WindowsPowerShell
 
-<hr/>
-
-<!--Policies-->
-## WindowsPowerShell policies
-
-<dl>
-  <dd>
-    <a href="#windowspowershell-turnonpowershellscriptblocklogging">WindowsPowerShell/TurnOnPowerShellScriptBlockLogging</a>
-  </dd>
-</dl>
-
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="windowspowershell-turnonpowershellscriptblocklogging"></a>**WindowsPowerShell/TurnOnPowerShellScriptBlockLogging**
-
-<!--SupportedSKUs-->
-The table below shows the applicability of Windows:
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. If you enable this policy setting, Windows PowerShell will log the processing of commands, script blocks, functions, and scripts - whether invoked interactively, or through automation.
-
-If you disable this policy setting, logging of PowerShell script input is disabled.
-
-If you enable the Script Block Invocation Logging, PowerShell additionally logs events when invocation of a command, script block, function, or script starts or stops. Enabling Invocation Logging generates a high volume of event logs.
-
-> [!NOTE]
-> This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.
-
-<!--/Description-->
 > [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 >
-> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 >
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 
-<!--ADMXBacked-->
+<!-- WindowsPowerShell-Editable-Begin -->
-ADMX Info:
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
--   GP Friendly name: *Turn on PowerShell Script Block Logging*
+<!-- WindowsPowerShell-Editable-End -->
--   GP name: *EnableScriptBlockLogging*
--   GP path: *Windows Components/Windows PowerShell*
--   GP ADMX file name: *PowerShellExecutionPolicy.admx*
 
-<!--/ADMXBacked-->
+<!-- TurnOnPowerShellScriptBlockLogging-Begin -->
-<!--/Policy-->
+## TurnOnPowerShellScriptBlockLogging
-<hr/>
 
-<!--/Policies-->
+<!-- TurnOnPowerShellScriptBlockLogging-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+<!-- TurnOnPowerShellScriptBlockLogging-Applicability-End -->
 
-## Related topics
+<!-- TurnOnPowerShellScriptBlockLogging-OmaUri-Begin -->
+```User
+./User/Vendor/MSFT/Policy/Config/WindowsPowerShell/TurnOnPowerShellScriptBlockLogging
+```
 
-[Policy configuration service provider](policy-configuration-service-provider.md)
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsPowerShell/TurnOnPowerShellScriptBlockLogging
+```
+<!-- TurnOnPowerShellScriptBlockLogging-OmaUri-End -->
+
+<!-- TurnOnPowerShellScriptBlockLogging-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. If you enable this policy setting,
+Windows PowerShell will log the processing of commands, script blocks, functions, and scripts - whether invoked interactively, or through automation.
+
+If you disable this policy setting, logging of PowerShell script input is disabled.
+
+If you enable the Script Block Invocation Logging, PowerShell additionally logs events when invocation of a command, script block, function, or script
+starts or stops. Enabling Invocation Logging generates a high volume of event logs.
+
+Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.
+<!-- TurnOnPowerShellScriptBlockLogging-Description-End -->
+
+<!-- TurnOnPowerShellScriptBlockLogging-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- TurnOnPowerShellScriptBlockLogging-Editable-End -->
+
+<!-- TurnOnPowerShellScriptBlockLogging-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- TurnOnPowerShellScriptBlockLogging-DFProperties-End -->
+
+<!-- TurnOnPowerShellScriptBlockLogging-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | EnableScriptBlockLogging |
+| Friendly Name | Turn on PowerShell Script Block Logging |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Windows PowerShell |
+| Registry Key Name | Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging |
+| Registry Value Name | EnableScriptBlockLogging |
+| ADMX File Name | PowerShellExecutionPolicy.admx |
+<!-- TurnOnPowerShellScriptBlockLogging-AdmxBacked-End -->
+
+<!-- TurnOnPowerShellScriptBlockLogging-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- TurnOnPowerShellScriptBlockLogging-Examples-End -->
+
+<!-- TurnOnPowerShellScriptBlockLogging-End -->
+
+<!-- WindowsPowerShell-CspMoreInfo-Begin -->
+<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+<!-- WindowsPowerShell-CspMoreInfo-End -->
+
+<!-- WindowsPowerShell-End -->
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)

windows/client-management/mdm/policy-csp-windowssandbox.md

@@ -1,465 +1,417 @@
 ---
-title: Policy CSP - WindowsSandbox
+title: WindowsSandbox Policy CSP
-description: Policy CSP - WindowsSandbox
+description: Learn more about the WindowsSandbox Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.date: 12/07/2022
+ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
-author: vinaypamnani-msft
+ms.topic: reference
-ms.localizationpriority: medium
-ms.date: 10/14/2020
 ---
 
+<!-- Auto-Generated CSP Document -->
+
+<!-- WindowsSandbox-Begin -->
 # Policy CSP - WindowsSandbox
 
+<!-- WindowsSandbox-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- WindowsSandbox-Editable-End -->
 
-<hr/>
+<!-- AllowAudioInput-Begin -->
+## AllowAudioInput
 
-<!--Policies-->
+<!-- AllowAudioInput-Applicability-Begin -->
-## WindowsSandbox policies
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- AllowAudioInput-Applicability-End -->
 
-<dl>
+<!-- AllowAudioInput-OmaUri-Begin -->
-  <dd>
+```Device
-    <a href="#windowssandbox-allowaudioinput">WindowsSandbox/AllowAudioInput</a>
+./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowAudioInput
-  </dd>
+```
-  <dd>
+<!-- AllowAudioInput-OmaUri-End -->
-    <a href="#windowssandbox-allowclipboardredirection">WindowsSandbox/AllowClipboardRedirection</a>
-  </dd>
-  <dd>
-    <a href="#windowssandbox-allownetworking">WindowsSandbox/AllowNetworking</a>
-  </dd>
-  <dd>
-    <a href="#windowssandbox-allowprinterredirection">WindowsSandbox/AllowPrinterRedirection</a>
-  </dd>
-  <dd>
-    <a href="#windowssandbox-allowvgpu">WindowsSandbox/AllowVGPU</a>
-  </dd>
-  <dd>
-    <a href="#windowssandbox-allowvideoinput">WindowsSandbox/AllowVideoInput</a>
-  </dd>
-</dl>
 
-<hr/>
+<!-- AllowAudioInput-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy setting enables or disables audio input to the Sandbox.
 
-<!--Policy-->
+If you enable this policy setting, Windows Sandbox will be able to receive audio input from the user. Applications using a microphone may require this setting.
-<a href="" id="windowssandbox-allowaudioinput"></a>**WindowsSandbox/AllowAudioInput**
 
-Available in the latest Windows 10 insider preview build.
+If you disable this policy setting, Windows Sandbox will not be able to receive audio input from the user. Applications using a microphone may not function properly with this setting.
 
-<!--SupportedSKUs-->
+If you do not configure this policy setting, audio input will be enabled.
-The table below shows the applicability of Windows:
 
-|Edition|Windows 10|Windows 11|
+Note that there may be security implications of exposing host audio input to the container.
-|--- |--- |--- |
+<!-- AllowAudioInput-Description-End -->
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|No|No|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-This policy setting allows the IT admin to enable or disable audio input to the Sandbox.
-
-> [!NOTE]
-> There may be security implications of exposing host audio input to the container.
-
-If this policy isn't configured, end-users get the default behavior (audio input enabled).
-
-If audio input is disabled, a user won't be able to enable audio input from their own configuration file.
-
-If audio input is enabled, a user will be able to disable audio input from their own configuration file to make the device more secure.
 
+<!-- AllowAudioInput-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > You must restart Windows Sandbox for any changes to this policy setting to take effect.
+<!-- AllowAudioInput-Editable-End -->
 
-<!--/Description-->
+<!-- AllowAudioInput-DFProperties-Begin -->
-<!--ADMXMapped-->
+**Description framework properties**:
-ADMX Info:
 
-- GP Friendly name: *Allow audio input in Windows Sandbox*
+| Property name | Property value |
-- GP name: *AllowAudioInput*
+|:--|:--|
-- GP path: *Windows Components/Windows Sandbox*
+| Format | int |
-- GP ADMX file name: *WindowsSandbox.admx*
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 1 |
+<!-- AllowAudioInput-DFProperties-End -->
 
-<!--/ADMXMapped-->
+<!-- AllowAudioInput-GpMapping-Begin -->
-<!--SupportedValues-->
+**Group policy mapping**:
-The following are the supported values:
 
-- 0 - Disabled
+| Name | Value |
-- 1 (default) - Enabled
+|:--|:--|
+| Name | AllowAudioInput |
+| Friendly Name | Allow audio input in Windows Sandbox |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Sandbox |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox |
+| Registry Value Name | AllowAudioInput |
+| ADMX File Name | WindowsSandbox.admx |
+<!-- AllowAudioInput-GpMapping-End -->
 
-<!--/SupportedValues-->
+<!-- AllowAudioInput-Examples-Begin -->
-<!--Example-->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AllowAudioInput-Examples-End -->
 
-<!--/Example-->
+<!-- AllowAudioInput-End -->
-<!--Validation-->
 
-<!--/Validation-->
+<!-- AllowClipboardRedirection-Begin -->
-<!--/Policy-->
+## AllowClipboardRedirection
 
-<hr/>
+<!-- AllowClipboardRedirection-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- AllowClipboardRedirection-Applicability-End -->
 
+<!-- AllowClipboardRedirection-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowClipboardRedirection
+```
+<!-- AllowClipboardRedirection-OmaUri-End -->
 
-<!--Policy-->
+<!-- AllowClipboardRedirection-Description-Begin -->
-<a href="" id="windowssandbox-allowclipboardredirection"></a>**WindowsSandbox/AllowClipboardRedirection**
+<!-- Description-Source-ADMX -->
+This policy setting enables or disables clipboard sharing with the sandbox.
 
-Available in the latest Windows 10 insider preview build.
+If you enable this policy setting, copy and paste between the host and Windows Sandbox are permitted.
 
-<!--SupportedSKUs-->
+If you disable this policy setting, copy and paste in and out of Sandbox will be restricted.
-The table below shows the applicability of Windows:
 
-|Edition|Windows 10|Windows 11|
+If you do not configure this policy setting, clipboard sharing will be enabled.
-|--- |--- |--- |
+<!-- AllowClipboardRedirection-Description-End -->
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|No|No|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-This policy setting allows the IT admin to enable or disable sharing of the host clipboard with the sandbox.
-
-If this policy isn't configured, end-users get the default behavior (clipboard redirection enabled).
-
-If clipboard sharing is disabled, a user won't be able to enable clipboard sharing from their own configuration file.
-
-If clipboard sharing is enabled, a user will be able to disable clipboard sharing from their own configuration file to make the device more secure.
 
+<!-- AllowClipboardRedirection-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > You must restart Windows Sandbox for any changes to this policy setting to take effect.
+<!-- AllowClipboardRedirection-Editable-End -->
 
-<!--/Description-->
+<!-- AllowClipboardRedirection-DFProperties-Begin -->
-<!--ADMXMapped-->
+**Description framework properties**:
-ADMX Info:
 
-- GP Friendly name: *Allow clipboard sharing with Windows Sandbox*
+| Property name | Property value |
-- GP name: *AllowClipboardRedirection*
+|:--|:--|
-- GP path: *Windows Components/Windows Sandbox*
+| Format | int |
-- GP ADMX file name: *WindowsSandbox.admx*
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 1 |
+<!-- AllowClipboardRedirection-DFProperties-End -->
 
-<!--/ADMXMapped-->
+<!-- AllowClipboardRedirection-GpMapping-Begin -->
-<!--SupportedValues-->
+**Group policy mapping**:
-The following are the supported values:
 
-- 0 - Disabled
+| Name | Value |
-- 1 (default) - Enabled
+|:--|:--|
+| Name | AllowClipboardRedirection |
+| Friendly Name | Allow clipboard sharing with Windows Sandbox |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Sandbox |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox |
+| Registry Value Name | AllowClipboardRedirection |
+| ADMX File Name | WindowsSandbox.admx |
+<!-- AllowClipboardRedirection-GpMapping-End -->
 
+<!-- AllowClipboardRedirection-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AllowClipboardRedirection-Examples-End -->
 
-<!--/SupportedValues-->
+<!-- AllowClipboardRedirection-End -->
-<!--Example-->
 
-<!--/Example-->
+<!-- AllowNetworking-Begin -->
-<!--Validation-->
+## AllowNetworking
 
-<!--/Validation-->
+<!-- AllowNetworking-Applicability-Begin -->
-<!--/Policy-->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- AllowNetworking-Applicability-End -->
 
-<hr/>
+<!-- AllowNetworking-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowNetworking
+```
+<!-- AllowNetworking-OmaUri-End -->
 
-<!--Policy-->
+<!-- AllowNetworking-Description-Begin -->
-<a href="" id="windowssandbox-allownetworking"></a>**WindowsSandbox/AllowNetworking**
+<!-- Description-Source-ADMX -->
+This policy setting enables or disables networking in the sandbox. You can disable network access to decrease the attack surface exposed by the sandbox.
 
-Available in the latest Windows 10 insider preview build.
+If you enable this policy setting, networking is done by creating a virtual switch on the host, and connects the Windows Sandbox to it via a virtual NIC.
 
-<!--SupportedSKUs-->
+If you disable this policy setting, networking is disabled in Windows Sandbox.
-The table below shows the applicability of Windows:
 
-|Edition|Windows 10|Windows 11|
+If you do not configure this policy setting, networking will be enabled.
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|No|No|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
 
-<!--/SupportedSKUs-->
+Note that enabling networking can expose untrusted applications to the internal network.
-<hr/>
+<!-- AllowNetworking-Description-End -->
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-This policy setting allows the IT admin to enable or disable networking in Windows Sandbox. Disabling network access can decrease the attack surface exposed by the Sandbox. Enabling networking can expose untrusted applications to the internal network.
-
-If this policy isn't configured, end-users get the default behavior (networking enabled).
-
-If networking is disabled, a user won't be able to enable networking from their own configuration file.
-
-If networking is enabled, a user will be able to disable networking from their own configuration file to make the device more secure.
 
+<!-- AllowNetworking-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > You must restart Windows Sandbox for any changes to this policy setting to take effect.
+<!-- AllowNetworking-Editable-End -->
 
-<!--/Description-->
+<!-- AllowNetworking-DFProperties-Begin -->
-<!--ADMXMapped-->
+**Description framework properties**:
-ADMX Info:
 
-- GP Friendly name: *Allow networking in Windows Sandbox*
+| Property name | Property value |
-- GP name: *AllowNetworking*
+|:--|:--|
-- GP path: *Windows Components/Windows Sandbox*
+| Format | int |
-- GP ADMX file name: *WindowsSandbox.admx*
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 1 |
+<!-- AllowNetworking-DFProperties-End -->
 
-<!--/ADMXMapped-->
+<!-- AllowNetworking-GpMapping-Begin -->
-<!--SupportedValues-->
+**Group policy mapping**:
-The following are the supported values:
-- 0 - Disabled
-- 1 (default) - Enabled
 
-<!--/SupportedValues-->
+| Name | Value |
-<!--Example-->
+|:--|:--|
+| Name | AllowNetworking |
+| Friendly Name | Allow networking in Windows Sandbox |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Sandbox |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox |
+| Registry Value Name | AllowNetworking |
+| ADMX File Name | WindowsSandbox.admx |
+<!-- AllowNetworking-GpMapping-End -->
 
-<!--/Example-->
+<!-- AllowNetworking-Examples-Begin -->
-<!--Validation-->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AllowNetworking-Examples-End -->
 
-<!--/Validation-->
+<!-- AllowNetworking-End -->
-<!--/Policy-->
 
-<hr/>
+<!-- AllowPrinterRedirection-Begin -->
+## AllowPrinterRedirection
 
-<!--Policy-->
+<!-- AllowPrinterRedirection-Applicability-Begin -->
-<a href="" id="windowssandbox-allowprinterredirection"></a>**WindowsSandbox/AllowPrinterRedirection**
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- AllowPrinterRedirection-Applicability-End -->
 
-Available in the latest Windows 10 insider preview build.
+<!-- AllowPrinterRedirection-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowPrinterRedirection
+```
+<!-- AllowPrinterRedirection-OmaUri-End -->
 
-<!--SupportedSKUs-->
+<!-- AllowPrinterRedirection-Description-Begin -->
-The table below shows the applicability of Windows:
+<!-- Description-Source-ADMX -->
+This policy setting enables or disables printer sharing from the host into the Sandbox.
 
-|Edition|Windows 10|Windows 11|
+If you enable this policy setting, host printers will be shared into Windows Sandbox.
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|No|No|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
 
-<!--/SupportedSKUs-->
+If you disable this policy setting, Windows Sandbox will not be able to view printers from the host.
-<hr/>
 
-<!--Scope-->
+If you do not configure this policy setting, printer redirection will be disabled.
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+<!-- AllowPrinterRedirection-Description-End -->
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-This policy setting allows the IT admin to enable or disable printer sharing from the host into the Sandbox.
-
-If this policy isn't configured, end-users get the default behavior (printer sharing disabled).
-
-If printer sharing is disabled, a user won't be able to enable printer sharing from their own configuration file.
-
-If printer sharing is enabled, a user will be able to disable printer sharing from their own configuration file to make the device more secure.
 
+<!-- AllowPrinterRedirection-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > You must restart Windows Sandbox for any changes to this policy setting to take effect.
+<!-- AllowPrinterRedirection-Editable-End -->
 
-<!--/Description-->
+<!-- AllowPrinterRedirection-DFProperties-Begin -->
-<!--ADMXMapped-->
+**Description framework properties**:
-ADMX Info:
 
-- GP Friendly name: *Allow printer sharing with Windows Sandbox*
+| Property name | Property value |
-- GP name: *AllowPrinterRedirection*
+|:--|:--|
-- GP path: *Windows Components/Windows Sandbox*
+| Format | int |
-- GP ADMX file name: *WindowsSandbox.admx*
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 1 |
+<!-- AllowPrinterRedirection-DFProperties-End -->
 
-<!--/ADMXMapped-->
+<!-- AllowPrinterRedirection-GpMapping-Begin -->
-<!--SupportedValues-->
+**Group policy mapping**:
-The following are the supported values:
 
-- 0 - Disabled
+| Name | Value |
-- 1 (default) - Enabled
+|:--|:--|
+| Name | AllowPrinterRedirection |
+| Friendly Name | Allow printer sharing with Windows Sandbox |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Sandbox |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox |
+| Registry Value Name | AllowPrinterRedirection |
+| ADMX File Name | WindowsSandbox.admx |
+<!-- AllowPrinterRedirection-GpMapping-End -->
 
-<!--/SupportedValues-->
+<!-- AllowPrinterRedirection-Examples-Begin -->
-<!--Example-->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AllowPrinterRedirection-Examples-End -->
 
-<!--/Example-->
+<!-- AllowPrinterRedirection-End -->
-<!--Validation-->
 
-<!--/Validation-->
+<!-- AllowVGPU-Begin -->
-<!--/Policy-->
+## AllowVGPU
 
-<hr/>
+<!-- AllowVGPU-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- AllowVGPU-Applicability-End -->
 
-<!--Policy-->
+<!-- AllowVGPU-OmaUri-Begin -->
-<a href="" id="windowssandbox-allowvgpu"></a>**WindowsSandbox/AllowVGPU**
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowVGPU
+```
+<!-- AllowVGPU-OmaUri-End -->
 
-Available in the latest Windows 10 insider preview build.
+<!-- AllowVGPU-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy setting is to enable or disable the virtualized GPU.
 
-<!--SupportedSKUs-->
+If you enable this policy setting, vGPU will be supported in the Windows Sandbox.
-The table below shows the applicability of Windows:
 
-|Edition|Windows 10|Windows 11|
+If you disable this policy setting, Windows Sandbox will use software rendering, which can be slower than virtualized GPU.
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|No|No|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
 
-<!--/SupportedSKUs-->
+If you do not configure this policy setting, vGPU will be enabled.
-<hr/>
 
-<!--Scope-->
+Note that enabling virtualized GPU can potentially increase the attack surface of the sandbox.
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+<!-- AllowVGPU-Description-End -->
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-This policy setting allows the IT admin to enable or disable virtualized GPU for Windows Sandbox.
-
-> [!NOTE]
-> Enabling virtualized GPU can potentially increase the attack surface of Windows Sandbox.
-
-If this policy isn't configured, end-users get the default behavior (vGPU is disabled).
-
-If vGPU is disabled, a user won't be able to enable vGPU support from their own configuration file.
-
-If vGPU is enabled, a user will be able to disable vGPU support from their own configuration file to make the device more secure.
 
+<!-- AllowVGPU-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > You must restart Windows Sandbox for any changes to this policy setting to take effect.
+<!-- AllowVGPU-Editable-End -->
 
-<!--/Description-->
+<!-- AllowVGPU-DFProperties-Begin -->
-<!--ADMXMapped-->
+**Description framework properties**:
-ADMX Info:
 
-- GP Friendly name: *Allow vGPU sharing for Windows Sandbox*
+| Property name | Property value |
-- GP name: *AllowVGPU*
+|:--|:--|
-- GP path: *Windows Components/Windows Sandbox*
+| Format | int |
-- GP ADMX file name: *WindowsSandbox.admx*
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 1 |
+<!-- AllowVGPU-DFProperties-End -->
 
-<!--/ADMXMapped-->
+<!-- AllowVGPU-GpMapping-Begin -->
-<!--SupportedValues-->
+**Group policy mapping**:
-The following are the supported values:
 
-- 0 (default) - Disabled
+| Name | Value |
-- 1 - Enabled
+|:--|:--|
+| Name | AllowVGPU |
+| Friendly Name | Allow vGPU sharing for Windows Sandbox |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Sandbox |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox |
+| Registry Value Name | AllowVGPU |
+| ADMX File Name | WindowsSandbox.admx |
+<!-- AllowVGPU-GpMapping-End -->
 
-<!--/SupportedValues-->
+<!-- AllowVGPU-Examples-Begin -->
-<!--Example-->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AllowVGPU-Examples-End -->
 
-<!--/Example-->
+<!-- AllowVGPU-End -->
-<!--Validation-->
 
-<!--/Validation-->
+<!-- AllowVideoInput-Begin -->
-<!--/Policy-->
+## AllowVideoInput
 
-<hr/>
+<!-- AllowVideoInput-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- AllowVideoInput-Applicability-End -->
 
-<!--Policy-->
+<!-- AllowVideoInput-OmaUri-Begin -->
-<a href="" id="windowssandbox-allowvideoinput"></a>**WindowsSandbox/AllowVideoInput**
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowVideoInput
+```
+<!-- AllowVideoInput-OmaUri-End -->
 
-Available in the latest Windows 10 insider preview build.
+<!-- AllowVideoInput-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy setting enables or disables video input to the Sandbox.
 
-<!--SupportedSKUs-->
+If you enable this policy setting, video input is enabled in Windows Sandbox.
-The table below shows the applicability of Windows:
 
-|Edition|Windows 10|Windows 11|
+If you disable this policy setting, video input is disabled in Windows Sandbox. Applications using video input may not function properly in Windows Sandbox.
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|No|No|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
 
-<!--/SupportedSKUs-->
+If you do not configure this policy setting, video input will be disabled. Applications that use video input may not function properly in Windows Sandbox.
-<hr/>
 
-<!--Scope-->
+Note that there may be security implications of exposing host video input to the container.
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+<!-- AllowVideoInput-Description-End -->
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-This policy setting allows the IT admin to enable or disable video input to the Sandbox.
-
-> [!NOTE]
-> There may be security implications of exposing host video input to the container.
-
-If this policy isn't configured, users get the default behavior (video input disabled).
-
-If video input is disabled, users won't be able to enable video input from their own configuration file.
-
-If video input is enabled, users will be able to disable video input from their own configuration file to make the device more secure.
 
+<!-- AllowVideoInput-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
 > You must restart Windows Sandbox for any changes to this policy setting to take effect.
+<!-- AllowVideoInput-Editable-End -->
 
-<!--/Description-->
+<!-- AllowVideoInput-DFProperties-Begin -->
-<!--ADMXMapped-->
+**Description framework properties**:
-ADMX Info:
-- GP Friendly name: *Allow video input in Windows Sandbox*
-- GP name: *AllowVideoInput*
-- GP path: *Windows Components/Windows Sandbox*
-- GP ADMX file name: *WindowsSandbox.admx*
 
-<!--/ADMXMapped-->
+| Property name | Property value |
-<!--SupportedValues-->
+|:--|:--|
-The following are the supported values:
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value  | 1 |
+<!-- AllowVideoInput-DFProperties-End -->
 
-- 0 (default) - Disabled
+<!-- AllowVideoInput-GpMapping-Begin -->
-- 1 - Enabled
+**Group policy mapping**:
 
-<!--/SupportedValues-->
+| Name | Value |
-<!--Example-->
+|:--|:--|
+| Name | AllowVideoInput |
+| Friendly Name | Allow video input in Windows Sandbox |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Sandbox |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox |
+| Registry Value Name | AllowVideoInput |
+| ADMX File Name | WindowsSandbox.admx |
+<!-- AllowVideoInput-GpMapping-End -->
 
-<!--/Example-->
+<!-- AllowVideoInput-Examples-Begin -->
-<!--Validation-->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AllowVideoInput-Examples-End -->
 
-<!--/Validation-->
+<!-- AllowVideoInput-End -->
-<!--/Policy-->
 
-<hr/>
+<!-- WindowsSandbox-CspMoreInfo-Begin -->
+<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+<!-- WindowsSandbox-CspMoreInfo-End -->
 
-<!--/Policies-->
+<!-- WindowsSandbox-End -->
 
-## Related topics
+## Related articles
 
-[Policy configuration service provider](policy-configuration-service-provider.md)
+[Policy configuration service provider](policy-configuration-service-provider.md)

windows/client-management/mdm/toc.yml

@@ -502,6 +502,8 @@ items:
           href: policy-csp-settings.md
         - name: SettingsSync
           href: policy-csp-settingssync.md
+        - name: SmartScreen
+          href: policy-csp-smartscreen.md
         - name: Speech
           href: policy-csp-speech.md
         - name: Start
@@ -544,8 +546,6 @@ items:
           href: policy-csp-windowsconnectionmanager.md
         - name: WindowsDefenderSecurityCenter
           href: policy-csp-windowsdefendersecuritycenter.md
-        - name: WindowsDefenderSmartScreen
-          href: policy-csp-smartscreen.md
         - name: WindowsInkWorkspace
           href: policy-csp-windowsinkworkspace.md
         - name: WindowsLogon