Merge branch 'main' of https://github.com/MicrosoftDocs/windows-docs-pr into wufbr-faq-7760853

Meghan Stewart 2023-04-03 08:19:18 -07:00
commit ded109f226
163 changed files with 7929 additions and 1813 deletions

View File

@ -0,0 +1,10 @@
---
author: aczechowski
ms.author: aaroncz
ms.date: 03/31/2023
ms.topic: include
ms.prod: windows-client
---
> [!NOTE]
> This article was partially created with the help of artificial intelligence. Before publishing, an author reviewed and revised the content as needed. For more information, see [Our principles for using AI-generated content in Microsoft Learn](/azure/principles-for-ai-generated-content).

View File

@ -946,9 +946,9 @@ The ApplicationControl CSP can also be managed locally from PowerShell or via Co
3. Use WMI Interface: 3. Use WMI Interface:
```powershell ```powershell
$namespace = "root\cimv2\mdm\dmmap" $namespace = "root\cimv2\mdm\dmmap"
$policyClassName = "MDM_AppControl_Policies" $policyClassName = "MDM_ApplicationControl_Policies01_01"
$policyBase64 = … $policyBase64 = "<base64policy>"
``` ```
### Deploying a policy via WMI Bridge ### Deploying a policy via WMI Bridge

View File

@ -4,7 +4,7 @@ description: Learn more about the BitLocker CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 02/28/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -176,7 +176,7 @@ require reinstallation of Windows.
> [!NOTE] > [!NOTE]
> This policy takes effect only if "RequireDeviceEncryption" policy is set to 1. > This policy takes effect only if "RequireDeviceEncryption" policy is set to 1.
The expected values for this policy are The expected values for this policy are:
1 = This is the default, when the policy is not set. **Warning** prompt and encryption notification is allowed. 1 = This is the default, when the policy is not set. **Warning** prompt and encryption notification is allowed.
0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, 0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update,
@ -317,11 +317,16 @@ Supported Values: 0 - Numeric Recovery Passwords rotation OFF.
<!-- Device-EncryptionMethodByDriveType-Description-Begin --> <!-- Device-EncryptionMethodByDriveType-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress. This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.
- If you enable this policy setting you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10 (Version 1511). - If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
- If you disable or do not configure this policy setting, BitLocker will use AES with the same bit strength (128-bit or 256-bit) as the "Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7)" and "Choose drive encryption method and cipher strength" policy settings (in that order), if they are set. If none of the policies are set, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by the setup script." If the "Deny write access to devices configured in another organization" option is selected, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" policy setting.
- If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access.
> [!NOTE]
> This policy setting can be overridden by the policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" policy setting is enabled this policy setting will be ignored.
<!-- Device-EncryptionMethodByDriveType-Description-End --> <!-- Device-EncryptionMethodByDriveType-Description-End -->
<!-- Device-EncryptionMethodByDriveType-Editable-Begin --> <!-- Device-EncryptionMethodByDriveType-Editable-Begin -->
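Review bot: The replacement text between the Device-EncryptionMethodByDriveType-Description markers describes a different policy. It now says the setting "configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive" and goes on to cover read-only mounting and the "Deny write access to devices configured in another organization" option, while the node is still EncryptionMethodByDriveType and the removed text was the one about algorithm and cipher strength. This looks like the wrong ADMX description was picked up; restore the encryption-method description here, or confirm the generator's source mapping before merging.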
@ -369,11 +374,12 @@ Sample value for this node to enable this policy and set the encryption methods
| Name | Value | | Name | Value |
|:--|:--| |:--|:--|
| Name | EncryptionMethodWithXts_Name | | Name | RDVDenyWriteAccess_Name |
| Friendly Name | Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) | | Friendly Name | Deny write access to removable drives not protected by BitLocker |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > BitLocker Drive Encryption | | Path | Windows Components > BitLocker Drive Encryption > Removable Data Drives |
| Registry Key Name | SOFTWARE\Policies\Microsoft\FVE | | Registry Key Name | System\CurrentControlSet\Policies\Microsoft\FVE |
| Registry Value Name | RDVDenyWriteAccess |
| ADMX File Name | VolumeEncryption.admx | | ADMX File Name | VolumeEncryption.admx |
<!-- Device-EncryptionMethodByDriveType-AdmxBacked-End --> <!-- Device-EncryptionMethodByDriveType-AdmxBacked-End -->
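Review bot: The ADMX mapping rows changed here do not match the node they sit under. The block is still closed by Device-EncryptionMethodByDriveType-AdmxBacked-End and the hunk context reads "Sample value for this node to enable this policy and set the encryption methods", yet Name becomes RDVDenyWriteAccess_Name, the path moves to Removable Data Drives, and a Registry Value Name of RDVDenyWriteAccess is added. The Registry Key Name also changes from SOFTWARE\Policies\Microsoft\FVE to System\CurrentControlSet\Policies\Microsoft\FVE; please confirm that is intended for this node rather than carried over with the wrong mapping.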
@ -1578,10 +1584,10 @@ The Windows touch keyboard (such as that used by tablets) isn't available in the
- If this policy is not enabled, the Windows Recovery Environment must be enabled on tablets to support the entry of the BitLocker recovery password. When the Windows Recovery Environment is not enabled and this policy is not enabled, you cannot turn on BitLocker on a device that uses the Windows touch keyboard. - If this policy is not enabled, the Windows Recovery Environment must be enabled on tablets to support the entry of the BitLocker recovery password. When the Windows Recovery Environment is not enabled and this policy is not enabled, you cannot turn on BitLocker on a device that uses the Windows touch keyboard.
**Note** that if you do not enable this policy setting, options in the "Require additional authentication at startup" policy might not be available on such devices. These options include **Note** that if you do not enable this policy setting, options in the "Require additional authentication at startup" policy might not be available on such devices. These options include:
- Configure TPM startup PIN Required/Allowed - Configure TPM startup PIN: Required/Allowed
- Configure TPM startup key and PIN Required/Allowed - Configure TPM startup key and PIN: Required/Allowed
- Configure use of passwords for operating system drives. - Configure use of passwords for operating system drives.
<!-- Device-SystemDrivesEnablePrebootInputProtectorsOnSlates-Description-End --> <!-- Device-SystemDrivesEnablePrebootInputProtectorsOnSlates-Description-End -->
<!-- Device-SystemDrivesEnablePrebootInputProtectorsOnSlates-Editable-Begin --> <!-- Device-SystemDrivesEnablePrebootInputProtectorsOnSlates-Editable-Begin -->

View File

@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 02/22/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -179,7 +179,7 @@ The following XML file contains the device description framework (DDF) for the B
<MIME /> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="ADMX"> <MSFT:AllowedValues ValueType="ADMX">
<MSFT:AdmxBacked Area="VolumeEncryption~AT~WindowsComponents~FVECategory~FVERDVCategory" Name="EncryptionMethodWithXts_Name" File="VolumeEncryption.admx" /> <MSFT:AdmxBacked Area="VolumeEncryption~AT~WindowsComponents~FVECategory~FVERDVCategory" Name="RDVDenyWriteAccess_Name" File="VolumeEncryption.admx" />
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
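Review bot: The AdmxBacked Name attribute switches from EncryptionMethodWithXts_Name to RDVDenyWriteAccess_Name, but the enclosing NodeName is outside this hunk, so the target node cannot be checked from the diff. Since the BitLocker CSP article in this same commit gets this mapping under EncryptionMethodByDriveType, verify which node this AllowedValues element belongs to and that the ADMX policy name matches it.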

View File

@ -4,7 +4,7 @@ description: Learn more about the Defender CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 02/28/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -58,6 +58,7 @@ The following list shows the Defender configuration service provider nodes:
- [EnableFileHashComputation](#configurationenablefilehashcomputation) - [EnableFileHashComputation](#configurationenablefilehashcomputation)
- [EngineUpdatesChannel](#configurationengineupdateschannel) - [EngineUpdatesChannel](#configurationengineupdateschannel)
- [HideExclusionsFromLocalAdmins](#configurationhideexclusionsfromlocaladmins) - [HideExclusionsFromLocalAdmins](#configurationhideexclusionsfromlocaladmins)
- [HideExclusionsFromLocalUsers](#configurationhideexclusionsfromlocalusers)
- [IntelTDTEnabled](#configurationinteltdtenabled) - [IntelTDTEnabled](#configurationinteltdtenabled)
- [MeteredConnectionUpdates](#configurationmeteredconnectionupdates) - [MeteredConnectionUpdates](#configurationmeteredconnectionupdates)
- [PassiveRemediation](#configurationpassiveremediation) - [PassiveRemediation](#configurationpassiveremediation)
@ -65,6 +66,7 @@ The following list shows the Defender configuration service provider nodes:
- [RandomizeScheduleTaskTimes](#configurationrandomizescheduletasktimes) - [RandomizeScheduleTaskTimes](#configurationrandomizescheduletasktimes)
- [ScanOnlyIfIdleEnabled](#configurationscanonlyifidleenabled) - [ScanOnlyIfIdleEnabled](#configurationscanonlyifidleenabled)
- [SchedulerRandomizationTime](#configurationschedulerrandomizationtime) - [SchedulerRandomizationTime](#configurationschedulerrandomizationtime)
- [SecuredDevicesConfiguration](#configurationsecureddevicesconfiguration)
- [SecurityIntelligenceUpdatesChannel](#configurationsecurityintelligenceupdateschannel) - [SecurityIntelligenceUpdatesChannel](#configurationsecurityintelligenceupdateschannel)
- [SupportLogLocation](#configurationsupportloglocation) - [SupportLogLocation](#configurationsupportloglocation)
- [TamperProtection](#configurationtamperprotection) - [TamperProtection](#configurationtamperprotection)
@ -1622,7 +1624,7 @@ Enable this policy to specify when devices receive Microsoft Defender engine upd
<!-- Device-Configuration-HideExclusionsFromLocalAdmins-Description-Begin --> <!-- Device-Configuration-HideExclusionsFromLocalAdmins-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting controls whether or not exclusions are visible to local admins. For end users (that are not local admins) exclusions are not visible, whether or not this setting is enabled. This policy setting controls whether or not exclusions are visible to local admins. To control local users exclusions visibility use HideExclusionsFromLocalUsers. If HideExclusionsFromLocalAdmins is set then HideExclusionsFromLocalUsers will be implicitly set.
<!-- Device-Configuration-HideExclusionsFromLocalAdmins-Description-End --> <!-- Device-Configuration-HideExclusionsFromLocalAdmins-Description-End -->
<!-- Device-Configuration-HideExclusionsFromLocalAdmins-Editable-Begin --> <!-- Device-Configuration-HideExclusionsFromLocalAdmins-Editable-Begin -->
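Review bot: The rewritten description drops the statement that exclusions are not visible to end users "whether or not this setting is enabled", and the replacement does not say what non-admin users see when neither setting is configured. State whether this is a behavior change or a documentation correction. The wording also needs a pass: "To control local users exclusions visibility use HideExclusionsFromLocalUsers" would read better as "To control whether local users can see exclusions, use HideExclusionsFromLocalUsers."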
@ -1656,6 +1658,55 @@ This policy setting controls whether or not exclusions are visible to local admi
<!-- Device-Configuration-HideExclusionsFromLocalAdmins-End --> <!-- Device-Configuration-HideExclusionsFromLocalAdmins-End -->
<!-- Device-Configuration-HideExclusionsFromLocalUsers-Begin -->
### Configuration/HideExclusionsFromLocalUsers
<!-- Device-Configuration-HideExclusionsFromLocalUsers-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
<!-- Device-Configuration-HideExclusionsFromLocalUsers-Applicability-End -->
<!-- Device-Configuration-HideExclusionsFromLocalUsers-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/HideExclusionsFromLocalUsers
```
<!-- Device-Configuration-HideExclusionsFromLocalUsers-OmaUri-End -->
<!-- Device-Configuration-HideExclusionsFromLocalUsers-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting controls whether or not exclusions are visible to local users. If HideExclusionsFromLocalAdmins is set then this policy will be implicitly set.
<!-- Device-Configuration-HideExclusionsFromLocalUsers-Description-End -->
<!-- Device-Configuration-HideExclusionsFromLocalUsers-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-HideExclusionsFromLocalUsers-Editable-End -->
<!-- Device-Configuration-HideExclusionsFromLocalUsers-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- Device-Configuration-HideExclusionsFromLocalUsers-DFProperties-End -->
<!-- Device-Configuration-HideExclusionsFromLocalUsers-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 1 | If you enable this setting, local users will no longer be able to see the exclusion list in Windows Security App or via PowerShell. |
| 0 (Default) | If you disable or do not configure this setting, local users will be able to see exclusions in the Windows Security App and via PowerShell. |
<!-- Device-Configuration-HideExclusionsFromLocalUsers-AllowedValues-End -->
<!-- Device-Configuration-HideExclusionsFromLocalUsers-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-HideExclusionsFromLocalUsers-Examples-End -->
<!-- Device-Configuration-HideExclusionsFromLocalUsers-End -->
<!-- Device-Configuration-IntelTDTEnabled-Begin --> <!-- Device-Configuration-IntelTDTEnabled-Begin -->
### Configuration/IntelTDTEnabled ### Configuration/IntelTDTEnabled
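Review bot: "If HideExclusionsFromLocalAdmins is set then this policy will be implicitly set" in the new description does not say which value is meant. This node takes 0 or 1, so spell out the interaction, for example "If HideExclusionsFromLocalAdmins is set to 1, this policy is treated as 1 regardless of its configured value", if that is the actual behavior. The Examples block is left empty as well.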
@ -1696,6 +1747,7 @@ This policy setting configures the Intel TDT integration level for Intel TDT-cap
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| 0 (Default) | If you do not configure this setting, the default value will be applied. The default value is controlled by Microsoft security intelligence updates. Microsoft will enable Intel TDT if there is a known threat. | | 0 (Default) | If you do not configure this setting, the default value will be applied. The default value is controlled by Microsoft security intelligence updates. Microsoft will enable Intel TDT if there is a known threat. |
| 1 | If you configure this setting to enabled, Intel TDT integration will turn on. |
| 2 | If you configure this setting to disabled, Intel TDT integration will turn off. | | 2 | If you configure this setting to disabled, Intel TDT integration will turn off. |
<!-- Device-Configuration-IntelTDTEnabled-AllowedValues-End --> <!-- Device-Configuration-IntelTDTEnabled-AllowedValues-End -->
@ -1996,6 +2048,45 @@ This setting allows you to configure the scheduler randomization in hours. The r
<!-- Device-Configuration-SchedulerRandomizationTime-End --> <!-- Device-Configuration-SchedulerRandomizationTime-End -->
<!-- Device-Configuration-SecuredDevicesConfiguration-Begin -->
### Configuration/SecuredDevicesConfiguration
<!-- Device-Configuration-SecuredDevicesConfiguration-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
<!-- Device-Configuration-SecuredDevicesConfiguration-Applicability-End -->
<!-- Device-Configuration-SecuredDevicesConfiguration-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/SecuredDevicesConfiguration
```
<!-- Device-Configuration-SecuredDevicesConfiguration-OmaUri-End -->
<!-- Device-Configuration-SecuredDevicesConfiguration-Description-Begin -->
<!-- Description-Source-DDF -->
Defines what are the devices primary ids that should be secured by Defender Device Control. The primary id values should be pipe (|) separated. Example: RemovableMediaDevices|CdRomDevices. If this configuration is not set the default value will be applied, meaning all of the supported devices will be secured.
<!-- Device-Configuration-SecuredDevicesConfiguration-Description-End -->
<!-- Device-Configuration-SecuredDevicesConfiguration-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-SecuredDevicesConfiguration-Editable-End -->
<!-- Device-Configuration-SecuredDevicesConfiguration-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Device-Configuration-SecuredDevicesConfiguration-DFProperties-End -->
<!-- Device-Configuration-SecuredDevicesConfiguration-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-SecuredDevicesConfiguration-Examples-End -->
<!-- Device-Configuration-SecuredDevicesConfiguration-End -->
<!-- Device-Configuration-SecurityIntelligenceUpdatesChannel-Begin --> <!-- Device-Configuration-SecurityIntelligenceUpdatesChannel-Begin -->
### Configuration/SecurityIntelligenceUpdatesChannel ### Configuration/SecurityIntelligenceUpdatesChannel
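Review bot: The SecuredDevicesConfiguration description names only two primary ids, RemovableMediaDevices and CdRomDevices, as an example and then refers to "all of the supported devices" without listing them. Add the full set of accepted primary ids (or a link to it) in the Editable section, and tidy "Defines what are the devices primary ids that should be secured" to something like "Defines which device primary IDs are secured by Defender Device Control". There is also no Allowed values block for this node, so a reader cannot tell how an unrecognized id is handled.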

View File

@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 02/17/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -1852,7 +1852,7 @@ The following XML file contains the device description framework (DDF) for the D
<Replace /> <Replace />
</AccessType> </AccessType>
<DefaultValue>0</DefaultValue> <DefaultValue>0</DefaultValue>
<Description>This policy setting controls whether or not exclusions are visible to local admins. For end users (that are not local admins) exclusions are not visible, whether or not this setting is enabled.</Description> <Description>This policy setting controls whether or not exclusions are visible to local admins. To control local users exlcusions visibility use HideExclusionsFromLocalUsers. If HideExclusionsFromLocalAdmins is set then HideExclusionsFromLocalUsers will be implicitly set.</Description>
<DFFormat> <DFFormat>
<int /> <int />
</DFFormat> </DFFormat>
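Review bot: The new Description text contains a typo, "exlcusions", in "To control local users exlcusions visibility". The Defender CSP article in this commit carries the same sentence spelled "exclusions" and is marked Description-Source-DDF, so the two are now out of sync; fix the spelling here at the source.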
@ -1881,6 +1881,45 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node>
<NodeName>HideExclusionsFromLocalUsers</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This policy setting controls whether or not exclusions are visible to local users. If HideExclusionsFromLocalAdmins is set then this policy will be implicitly set.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.17763</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>If you enable this setting, local users will no longer be able to see the exclusion list in Windows Security App or via PowerShell.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>If you disable or do not configure this setting, local users will be able to see exclusions in the Windows Security App and via PowerShell.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node> <Node>
<NodeName>ThrottleForScheduledScanOnly</NodeName> <NodeName>ThrottleForScheduledScanOnly</NodeName>
<DFProperties> <DFProperties>
@ -2010,6 +2049,36 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node>
<NodeName>SecuredDevicesConfiguration</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Defines what are the devices primary ids that should be secured by Defender Device Control. The primary id values should be pipe (|) separated. Example: RemovableMediaDevices|CdRomDevices. If this configuration is not set the default value will be applied, meaning all of the supported devices will be secured.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.17763</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node> <Node>
<NodeName>DataDuplicationLocalRetentionPeriod</NodeName> <NodeName>DataDuplicationLocalRetentionPeriod</NodeName>
<DFProperties> <DFProperties>
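Review bot: SecuredDevicesConfiguration is declared with MSFT:AllowedValues ValueType="None" and an empty body, so the DDF places no constraint on a value the Description says must be a pipe-separated list of primary ids. If the schema can express the delimiter or the accepted ids, declare them here; otherwise document how malformed or unknown ids are treated. There is also no DefaultValue element even though the Description refers to a default value being applied.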
@ -2197,6 +2266,10 @@ The following XML file contains the device description framework (DDF) for the D
<MSFT:Value>0</MSFT:Value> <MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>If you do not configure this setting, the default value will be applied. The default value is controlled by Microsoft security intelligence updates. Microsoft will enable Intel TDT if there is a known threat.</MSFT:ValueDescription> <MSFT:ValueDescription>If you do not configure this setting, the default value will be applied. The default value is controlled by Microsoft security intelligence updates. Microsoft will enable Intel TDT if there is a known threat.</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>If you configure this setting to enabled, Intel TDT integration will turn on.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>2</MSFT:Value> <MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>If you configure this setting to disabled, Intel TDT integration will turn off.</MSFT:ValueDescription> <MSFT:ValueDescription>If you configure this setting to disabled, Intel TDT integration will turn off.</MSFT:ValueDescription>

View File

@ -4,7 +4,7 @@ description: Learn more about the DevicePreparation CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 02/28/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -31,6 +31,8 @@ The following list shows the DevicePreparation configuration service provider no
- [ClassID](#bootstrapperagentclassid) - [ClassID](#bootstrapperagentclassid)
- [ExecutionContext](#bootstrapperagentexecutioncontext) - [ExecutionContext](#bootstrapperagentexecutioncontext)
- [InstallationStatusUri](#bootstrapperagentinstallationstatusuri) - [InstallationStatusUri](#bootstrapperagentinstallationstatusuri)
- [MDMProvider](#mdmprovider)
- [Progress](#mdmproviderprogress)
- [PageEnabled](#pageenabled) - [PageEnabled](#pageenabled)
- [PageSettings](#pagesettings) - [PageSettings](#pagesettings)
- [PageStatus](#pagestatus) - [PageStatus](#pagestatus)
@ -192,6 +194,84 @@ This node holds a URI that can be queried for the status of the Bootstrapper Age
<!-- Device-BootstrapperAgent-InstallationStatusUri-End --> <!-- Device-BootstrapperAgent-InstallationStatusUri-End -->
<!-- Device-MDMProvider-Begin -->
## MDMProvider
<!-- Device-MDMProvider-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
<!-- Device-MDMProvider-Applicability-End -->
<!-- Device-MDMProvider-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/DevicePreparation/MDMProvider
```
<!-- Device-MDMProvider-OmaUri-End -->
<!-- Device-MDMProvider-Description-Begin -->
<!-- Description-Source-DDF -->
The subnode configures the settings for the MDMProvider.
<!-- Device-MDMProvider-Description-End -->
<!-- Device-MDMProvider-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-MDMProvider-Editable-End -->
<!-- Device-MDMProvider-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | node |
| Access Type | Get |
<!-- Device-MDMProvider-DFProperties-End -->
<!-- Device-MDMProvider-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-MDMProvider-Examples-End -->
<!-- Device-MDMProvider-End -->
<!-- Device-MDMProvider-Progress-Begin -->
### MDMProvider/Progress
<!-- Device-MDMProvider-Progress-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
<!-- Device-MDMProvider-Progress-Applicability-End -->
<!-- Device-MDMProvider-Progress-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/DevicePreparation/MDMProvider/Progress
```
<!-- Device-MDMProvider-Progress-OmaUri-End -->
<!-- Device-MDMProvider-Progress-Description-Begin -->
<!-- Description-Source-DDF -->
Noode for reporting progress status as opaque data.
<!-- Device-MDMProvider-Progress-Description-End -->
<!-- Device-MDMProvider-Progress-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-MDMProvider-Progress-Editable-End -->
<!-- Device-MDMProvider-Progress-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Get, Replace |
<!-- Device-MDMProvider-Progress-DFProperties-End -->
<!-- Device-MDMProvider-Progress-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-MDMProvider-Progress-Examples-End -->
<!-- Device-MDMProvider-Progress-End -->
<!-- Device-PageEnabled-Begin --> <!-- Device-PageEnabled-Begin -->
## PageEnabled ## PageEnabled
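Review bot: The MDMProvider description says "The subnode configures the settings for the MDMProvider", but the node is Format node with Access Type Get only, and its single child Progress is described as "opaque data". Reword the parent description to say what it contains, and say who writes Progress (it allows Replace) and whether any size or format limit applies. "Noode" in the Progress description is a typo for "Node".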
@ -297,7 +377,7 @@ This node configures specific settings for the Device Preparation page.
<!-- Device-PageStatus-Description-Begin --> <!-- Device-PageStatus-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This node provides status of the Device Preparation page. Values are an enum: 0 = Disabled; 1 = Enabled; 2 = InProgress; 3 = Succeeded; 4 = Failed. This node provides status of the Device Preparation page. Values are an enum: 0 = Disabled; 1 = Enabled; 2 = InProgress; 3 = ExitedOnSuccess; 4 = ExitedOnFailure.
<!-- Device-PageStatus-Description-End --> <!-- Device-PageStatus-Description-End -->
<!-- Device-PageStatus-Editable-Begin --> <!-- Device-PageStatus-Editable-Begin -->

View File

@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 02/17/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -89,7 +89,7 @@ The following XML file contains the device description framework (DDF) for the D
<AccessType> <AccessType>
<Get /> <Get />
</AccessType> </AccessType>
<Description>This node provides status of the Device Preparation page. Values are an enum: 0 = Disabled; 1 = Enabled; 2 = InProgress; 3 = Succeeded; 4 = Failed.</Description> <Description>This node provides status of the Device Preparation page. Values are an enum: 0 = Disabled; 1 = Enabled; 2 = InProgress; 3 = ExitedOnSuccess; 4 = ExitedOnFailure.</Description>
<DFFormat> <DFFormat>
<int /> <int />
</DFFormat> </DFFormat>
@ -243,6 +243,49 @@ The following XML file contains the device description framework (DDF) for the D
</DFProperties> </DFProperties>
</Node> </Node>
</Node> </Node>
<Node>
<NodeName>MDMProvider</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The subnode configures the settings for the MDMProvider.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName />
</DFType>
</DFProperties>
<Node>
<NodeName>Progress</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>Noode for reporting progress status as opaque data.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
</Node>
</Node> </Node>
</MgmtTree> </MgmtTree>
``` ```
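Review bot: "Noode for reporting progress status as opaque data." in the Progress node's Description is misspelled; it should read "Node". The DevicePreparation CSP article is marked Description-Source-DDF and carries the same typo, so correct it here.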

View File

@ -9,9 +9,6 @@ author: vinaypamnani-msft
ms.date: 06/26/2017 ms.date: 06/26/2017
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.collection:
- highpri
- tier2
--- ---
# DynamicManagement CSP # DynamicManagement CSP

File diff suppressed because it is too large

View File

@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 02/27/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -2855,7 +2855,7 @@ The following XML file contains the device description framework (DDF) for the F
<Replace /> <Replace />
</AccessType> </AccessType>
<DefaultValue>true</DefaultValue> <DefaultValue>true</DefaultValue>
<Description>This value is an on/off switch for the firewall and advanced security enforcement.</Description> <Description>This value is an on/off switch for the firewall and advanced security enforcement. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree.</Description>
<DFFormat> <DFFormat>
<bool /> <bool />
</DFFormat> </DFFormat>
@ -2888,7 +2888,7 @@ The following XML file contains the device description framework (DDF) for the F
<Replace /> <Replace />
</AccessType> </AccessType>
<DefaultValue>0</DefaultValue> <DefaultValue>0</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow].</Description> <Description>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree.</Description>
<DFFormat> <DFFormat>
<int /> <int />
</DFFormat> </DFFormat>
@ -2934,7 +2934,7 @@ The following XML file contains the device description framework (DDF) for the F
<Replace /> <Replace />
</AccessType> </AccessType>
<DefaultValue>1</DefaultValue> <DefaultValue>1</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block].</Description> <Description>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree.</Description>
<DFFormat> <DFFormat>
<int /> <int />
</DFFormat> </DFFormat>
@ -2979,7 +2979,7 @@ The following XML file contains the device description framework (DDF) for the F
<Replace /> <Replace />
</AccessType> </AccessType>
<DefaultValue>false</DefaultValue> <DefaultValue>false</DefaultValue>
<Description>This value is an on/off switch for loopback traffic. This determines if this VM type is able to send/receive loopback traffic.</Description> <Description>This value is an on/off switch for loopback traffic. This determines if this VM is able to send/receive loopback traffic to other VMs or the host.</Description>
<DFFormat> <DFFormat>
<bool /> <bool />
</DFFormat> </DFFormat>
@ -3004,6 +3004,606 @@ The following XML file contains the device description framework (DDF) for the F
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node>
<NodeName>AllowHostPolicyMerge</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>true</DefaultValue>
<Description>This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings will be applied to Hyper-V firewall.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>AllowHostPolicyMerge Off</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>AllowHostPolicyMerge On</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>DomainProfile</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName />
</DFType>
</DFProperties>
<Node>
<NodeName>EnableFirewall</NodeName>
<DFProperties>
<AccessType>
<Replace />
</AccessType>
<DefaultValue>true</DefaultValue>
<Description>This value is an on/off switch for the firewall and advanced security enforcement.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Disable Firewall</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>DefaultOutboundAction</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow].</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Allow Outbound By Default</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Block Outbound By Default</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="Enable Firewall">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/DomainProfile/EnableFirewall</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>DefaultInboundAction</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block].</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Allow Inbound By Default</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Block Inbound By Default</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="Enable Firewall">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/DomainProfile/EnableFirewall</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>AllowLocalPolicyMerge</NodeName>
<DFProperties>
<AccessType>
<Replace />
</AccessType>
<DefaultValue>true</DefaultValue>
<Description>This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>AllowLocalPolicyMerge Off</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>AllowLocalPolicyMerge On</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="Enable Firewall">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/DomainProfile/EnableFirewall</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>PrivateProfile</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName />
</DFType>
</DFProperties>
<Node>
<NodeName>EnableFirewall</NodeName>
<DFProperties>
<AccessType>
<Replace />
</AccessType>
<DefaultValue>true</DefaultValue>
<Description>This value is an on/off switch for the firewall and advanced security enforcement.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Disable Firewall</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>DefaultOutboundAction</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow].</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Allow Outbound By Default</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Block Outbound By Default</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="Enable Firewall">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/PrivateProfile/EnableFirewall</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>DefaultInboundAction</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block].</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Allow Inbound By Default</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Block Inbound By Default</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="Enable Firewall">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/PrivateProfile/EnableFirewall</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>AllowLocalPolicyMerge</NodeName>
<DFProperties>
<AccessType>
<Replace />
</AccessType>
<DefaultValue>true</DefaultValue>
<Description>This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>AllowLocalPolicyMerge Off</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>AllowLocalPolicyMerge On</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="Enable Firewall">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/PrivateProfile/EnableFirewall</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>PublicProfile</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName />
</DFType>
</DFProperties>
<Node>
<NodeName>EnableFirewall</NodeName>
<DFProperties>
<AccessType>
<Replace />
</AccessType>
<DefaultValue>true</DefaultValue>
<Description>This value is an on/off switch for the firewall and advanced security enforcement.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Disable Firewall</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>DefaultOutboundAction</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow].</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Allow Outbound By Default</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Block Outbound By Default</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="Enable Firewall">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/PublicProfile/EnableFirewall</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>DefaultInboundAction</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block].</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Allow Inbound By Default</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Block Inbound By Default</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="Enable Firewall">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/PublicProfile/EnableFirewall</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>AllowLocalPolicyMerge</NodeName>
<DFProperties>
<AccessType>
<Replace />
</AccessType>
<DefaultValue>true</DefaultValue>
<Description>This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>AllowLocalPolicyMerge Off</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>AllowLocalPolicyMerge On</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="Enable Firewall">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/PublicProfile/EnableFirewall</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enable Firewall</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
</Node>
</Node> </Node>
</Node> </Node>
<Node> <Node>
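Review bot: Under each of the new DomainProfile, PrivateProfile and PublicProfile nodes, EnableFirewall and AllowLocalPolicyMerge list only <Replace /> in AccessType, while DefaultOutboundAction and DefaultInboundAction list <Get /> and <Replace />. As written, a management server can set the firewall switch and the local-merge switch for a profile but cannot read them back, and EnableFirewall is the node on which the other three settings declare a DependsOn dependency. If write-only is intended, say so in the Description; otherwise add <Get /> to both nodes in all three profiles. Two smaller points: the three profile container nodes have no Description, and the AllowLocalPolicyMerge text refers to the GroupPolicyRSoPStore and to "all schema versions", which should be confirmed as accurate for nodes under HyperVVMSettings.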
@ -3231,7 +3831,8 @@ ServiceName</Description>
<DFType> <DFType>
<MIME /> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="None"> <MSFT:AllowedValues ValueType="RegEx">
<MSFT:Value>^[0-9,-]+$</MSFT:Value>
<MSFT:List Delimiter="," /> <MSFT:List Delimiter="," />
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
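Review bot: The new pattern ^[0-9,-]+$ restricts only the character set, so values such as "-" or "10--20" pass it whether it is applied to the whole string or to each comma-delimited item. If the intent is to accept only numbers and start-end ranges separated by commas (the form given in the PortRanges description later in this change, 100-120,200,300-320), a structural pattern such as ^[0-9]+(-[0-9]+)?(,[0-9]+(-[0-9]+)?)*$ would reject the malformed cases. The same pattern is added in four more places in this change, so the fix should be applied to all of them.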
@ -3258,7 +3859,8 @@ ServiceName</Description>
<DFType> <DFType>
<MIME /> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="None"> <MSFT:AllowedValues ValueType="RegEx">
<MSFT:Value>^[0-9,-]+$</MSFT:Value>
<MSFT:List Delimiter="," /> <MSFT:List Delimiter="," />
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
@ -3396,7 +3998,7 @@ An IPv6 address range in the format of "start address - end address" with no spa
<MIME /> <MIME />
</DFType> </DFType>
<MSFT:Applicability> <MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion> <MSFT:OsBuildVersion>10.0.22000, 10.0.19044.1706, 10.0.19043.1706, 10.0.19042.1706</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion> <MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability> </MSFT:Applicability>
<MSFT:AllowedValues ValueType="RegEx"> <MSFT:AllowedValues ValueType="RegEx">
@ -4022,7 +4624,8 @@ An IPv6 address range in the format of "start address - end address" with no spa
<DFType> <DFType>
<MIME /> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="None"> <MSFT:AllowedValues ValueType="RegEx">
<MSFT:Value>^[0-9,-]+$</MSFT:Value>
<MSFT:List Delimiter="," /> <MSFT:List Delimiter="," />
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
@ -4081,7 +4684,8 @@ An IPv6 address range in the format of "start address - end address" with no spa
<DFType> <DFType>
<MIME /> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="None"> <MSFT:AllowedValues ValueType="RegEx">
<MSFT:Value>^[0-9,-]+$</MSFT:Value>
<MSFT:List Delimiter="," /> <MSFT:List Delimiter="," />
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
@ -4197,16 +4801,15 @@ If not specified - a new rule is disabled by default.</Description>
</DFProperties> </DFProperties>
</Node> </Node>
<Node> <Node>
<NodeName>Name</NodeName> <NodeName>Profiles</NodeName>
<DFProperties> <DFProperties>
<AccessType> <AccessType>
<Add />
<Delete />
<Get /> <Get />
<Replace /> <Replace />
</AccessType> </AccessType>
<Description>Specifies the profiles to which the rule belongs: Domain, Private, Public. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. If not specified, the default is All.</Description>
<DFFormat> <DFFormat>
<chr /> <int />
</DFFormat> </DFFormat>
<Occurrence> <Occurrence>
<One /> <One />
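Review bot: The Description added for Profiles says "If not specified, the default is All", but the node keeps <Occurrence><One /> and the hunk removes <Add /> and <Delete /> without adding a <DefaultValue>. Declare the default in the DDF and, if the node is optional as the text implies, use ZeroOrOne so that tooling reading the DDF does not treat the value as mandatory. The format also changes from chr to int here, so the Description should say that the value is a bitmask of the FW_PROFILE_TYPE flags rather than a list of profile names.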
@ -4217,6 +4820,192 @@ If not specified - a new rule is disabled by default.</Description>
<DFType> <DFType>
<MIME /> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="Flag">
<MSFT:Enum>
<MSFT:Value>0x1</MSFT:Value>
<MSFT:ValueDescription>FW_PROFILE_TYPE_DOMAIN: This value represents the profile for networks that are connected to domains.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>0x2</MSFT:Value>
<MSFT:ValueDescription>FW_PROFILE_TYPE_STANDARD: This value represents the standard profile for networks. These networks are classified as private by the administrators in the server host. The classification happens the first time the host connects to the network. Usually these networks are behind Network Address Translation (NAT) devices, routers, and other edge devices, and they are in a private location, such as a home or an office. AND FW_PROFILE_TYPE_PRIVATE: This value represents the profile for private networks, which is represented by the same value as that used for FW_PROFILE_TYPE_STANDARD.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>0x4</MSFT:Value>
<MSFT:ValueDescription>FW_PROFILE_TYPE_PUBLIC: This value represents the profile for public networks. These networks are classified as public by the administrators in the server host. The classification happens the first time the host connects to the network. Usually these networks are those at airports, coffee shops, and other public places where the peers in the network or the network administrator are not trusted.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>0x7FFFFFFF</MSFT:Value>
<MSFT:ValueDescription>FW_PROFILE_TYPE_ALL: This value represents all these network sets and any future network sets.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
</Node>
</Node>
<Node>
<NodeName>HyperVLoopbackRules</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>A list of rules controlling loopback traffic through the Windows Firewall. This enforcement is only for traffic from one container to another or to the host device. These rules are all allow rules.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName />
</DFType>
</DFProperties>
<Node>
<NodeName>
</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>RuleName</DFTitle>
<DFType>
<DDFName />
</DFType>
<MSFT:DynamicNodeNaming>
<MSFT:ServerGeneratedUniqueIdentifier />
</MSFT:DynamicNodeNaming>
<MSFT:AllowedValues ValueType="RegEx">
<MSFT:Value>^[^|/]*$</MSFT:Value>
</MSFT:AllowedValues>
<MSFT:AtomicRequired />
</DFProperties>
<Node>
<NodeName>SourceVMCreatorId</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This field specifies the VM Creator ID of the source of the traffic that this rule applies to. If not specified, this applies to All.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="RegEx">
<MSFT:Value>\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>DestinationVMCreatorId</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This field specifies the VM Creator ID of the destination of traffic that this rule applies to. If not specified, this applies to All.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="RegEx">
<MSFT:Value>\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>PortRanges</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="RegEx">
<MSFT:Value>^[0-9,-]+$</MSFT:Value>
<MSFT:List Delimiter="," />
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>Enabled</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. If not specified - a new rule is disabled by default.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Disabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
</Node> </Node>
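Review bot: The RegEx values for SourceVMCreatorId and DestinationVMCreatorId (the braced-GUID pattern) have no ^ and $ anchors, unlike the other patterns added in this change (^[^|/]*$ and ^[0-9,-]+$), so a value with extra characters around a GUID passes if the pattern is evaluated as a search. Anchor both patterns. In the same subtree, Enabled is declared <bool /> but its AllowedValues enum uses 0 and 1, where the other bool nodes added in this file use false and true. The rule-name pattern ^[^|/]*$ also accepts an empty name and any character other than | and /, which is looser than the "Unique alpha numeric identifier" the Description promises.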
@ -4240,7 +5029,7 @@ If not specified - a new rule is disabled by default.</Description>
<DDFName /> <DDFName />
</DFType> </DFType>
<MSFT:Applicability> <MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion> <MSFT:OsBuildVersion>10.0.22000, 10.0.19044.1706, 10.0.19043.1706, 10.0.19042.1706</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion> <MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability> </MSFT:Applicability>
</DFProperties> </DFProperties>

View File

@ -4,7 +4,7 @@ description: Learn more about the LAPS CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 02/28/2023 ms.date: 03/27/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -746,7 +746,7 @@ If not specified, this setting will default to 3 (Reset the password and logoff
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| 1 | Reset password: upon expiry of the grace period, the managed account password will be reset. | | 1 | Reset password: upon expiry of the grace period, the managed account password will be reset. |
| 3 (Default) | Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will be terminated. | | 3 (Default) | Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will terminated. |
| 5 | Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted. | | 5 | Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted. |
<!-- Device-Policies-PostAuthenticationActions-AllowedValues-End --> <!-- Device-Policies-PostAuthenticationActions-AllowedValues-End -->
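Review bot: In the row for value 3, the new text reads "any interactive logon sessions using the managed account will terminated", which drops the "be" that the previous text had ("will be terminated"). Restore "will be terminated"; this is the only change in the hunk, so it looks unintended.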

View File

@ -4,7 +4,7 @@ description: Learn more about the PassportForWork CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 02/28/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -16,6 +16,9 @@ ms.topic: reference
<!-- PassportForWork-Begin --> <!-- PassportForWork-Begin -->
# PassportForWork CSP # PassportForWork CSP
> [!IMPORTANT]
> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview.
<!-- PassportForWork-Editable-Begin --> <!-- PassportForWork-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to log in to Windows using your Active Directory or Azure Active Directory account and replace passwords, smartcards, and virtual smart cards. The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to log in to Windows using your Active Directory or Azure Active Directory account and replace passwords, smartcards, and virtual smart cards.
@ -30,6 +33,7 @@ The following list shows the PassportForWork configuration service provider node
- ./Device/Vendor/MSFT/PassportForWork - ./Device/Vendor/MSFT/PassportForWork
- [{TenantId}](#devicetenantid) - [{TenantId}](#devicetenantid)
- [Policies](#devicetenantidpolicies) - [Policies](#devicetenantidpolicies)
- [DisablePostLogonProvisioning](#devicetenantidpoliciesdisablepostlogonprovisioning)
- [EnablePinRecovery](#devicetenantidpoliciesenablepinrecovery) - [EnablePinRecovery](#devicetenantidpoliciesenablepinrecovery)
- [ExcludeSecurityDevices](#devicetenantidpoliciesexcludesecuritydevices) - [ExcludeSecurityDevices](#devicetenantidpoliciesexcludesecuritydevices)
- [TPM12](#devicetenantidpoliciesexcludesecuritydevicestpm12) - [TPM12](#devicetenantidpoliciesexcludesecuritydevicestpm12)
@ -160,6 +164,55 @@ Root node for policies.
<!-- Device-{TenantId}-Policies-End --> <!-- Device-{TenantId}-Policies-End -->
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-Begin -->
#### Device/{TenantId}/Policies/DisablePostLogonProvisioning
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-Applicability-End -->
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/DisablePostLogonProvisioning
```
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-OmaUri-End -->
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-Description-Begin -->
<!-- Description-Source-DDF -->
Do not start Windows Hello provisioning after sign-in.
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-Description-End -->
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-Editable-End -->
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | bool |
| Access Type | Add, Delete, Get, Replace |
| Default Value | False |
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-DFProperties-End -->
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| false (Default) | Disabled. |
| true | Enabled. |
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-AllowedValues-End -->
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-Examples-End -->
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-End -->
<!-- Device-{TenantId}-Policies-EnablePinRecovery-Begin --> <!-- Device-{TenantId}-Policies-EnablePinRecovery-Begin -->
#### Device/{TenantId}/Policies/EnablePinRecovery #### Device/{TenantId}/Policies/EnablePinRecovery
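Review bot: The allowed-values table for DisablePostLogonProvisioning labels `false` as "Disabled." and `true` as "Enabled." on a policy whose name is already a negation, so the table alone does not tell a reader which value suppresses provisioning. The Editable block is left empty. Suggest using it to state that `true` means Windows Hello provisioning is not started after sign-in (matching the DDF description) and that the default `false` leaves post-logon provisioning on.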
@ -1187,8 +1240,8 @@ Enhanced Sign-in Security (ESS) isolates both biometric template data and matchi
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| 0 | Enhanced sign-in security will be disabled on all systems. If a user already has a secure Windows Hello enrollment, they will lose their enrollment and must reset PIN, and they will have the option to re-enroll in normal face and fingerprint. Peripheral usage will be enabled by disabling Enhanced sign-in security. OS will not attempt to start secure components, even if the secure hardware and software components are present. (not recommended). | | 0 | ESS will be enabled on systems with capable software and hardware, following the existing default behavior in Windows. Authentication operations of peripheral Windows Hello capable devices will be allowed, subject to current feature limitations. In addition, with this setting, ESS will be enabled on devices with a mixture of biometric devices, such as an ESS capable FPR and a non-ESS capable camera. (not recommended). |
| 1 (Default) | Enhanced sign-in security will be enabled on systems with capable software and hardware, following the existing default behavior in Windows. For systems with one secure modality (face or fingerprint) and one insecure modality (fingerprint or face), only the secure sensor can be used for sign-in and the insecure sensor(s) will be blocked. This includes peripheral devices, which are unsupported and will be unusable. (default and recommended for highest security). | | 1 (Default) | ESS will be enabled on systems with capable software and hardware, following the existing default behavior in Windows. Authentication operations of any peripheral biometric device will be blocked and not available for Windows Hello. (default and recommended for highest security). |
<!-- Device-Biometrics-EnableESSwithSupportedPeripherals-AllowedValues-End --> <!-- Device-Biometrics-EnableESSwithSupportedPeripherals-AllowedValues-End -->
<!-- Device-Biometrics-EnableESSwithSupportedPeripherals-GpMapping-Begin --> <!-- Device-Biometrics-EnableESSwithSupportedPeripherals-GpMapping-Begin -->
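Review bot: In the rewritten EnableESSwithSupportedPeripherals table, rows 0 and 1 now open with the same sentence ("ESS will be enabled on systems with capable software and hardware..."), so the only difference between them, whether peripheral biometric devices may authenticate, is buried in the second sentence. Suggest leading each row with the peripheral behaviour (allowed for 0, blocked for 1) and saying why 0 is "(not recommended)", since the text being replaced described 0 as disabling Enhanced sign-in security on all systems and the new wording reverses that without explanation.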

View File

@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 02/24/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -814,6 +814,45 @@ If you disable or do not configure this policy setting, the PIN recovery secret
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node>
<NodeName>DisablePostLogonProvisioning</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>False</DefaultValue>
<Description>Do not start Windows Hello provisioning after sign-in.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.6</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Disabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node> <Node>
<NodeName>UseCertificateForOnPremAuth</NodeName> <NodeName>UseCertificateForOnPremAuth</NodeName>
<DFProperties> <DFProperties>
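Review bot: `<DefaultValue>False</DefaultValue>` in the DisablePostLogonProvisioning node does not match the case of the enum values declared further down (`<MSFT:Value>false</MSFT:Value>` and `true`). Suggest lowercasing the default so it is one of the listed allowed values as written. `<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>` also reads as a placeholder; the CSP article marks this node as Windows Insider Preview only, so a comment saying the build number is provisional would help whoever updates it later.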
@ -1507,11 +1546,11 @@ Note that enhanced anti-spoofing for Windows Hello face authentication is not re
<MSFT:AllowedValues ValueType="ENUM"> <MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>0</MSFT:Value> <MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Enhanced sign-in security will be disabled on all systems. If a user already has a secure Windows Hello enrollment, they will lose their enrollment and must reset PIN, and they will have the option to re-enroll in normal face and fingerprint. Peripheral usage will be enabled by disabling Enhanced sign-in security. OS will not attempt to start secure components, even if the secure hardware and software components are present. (not recommended)</MSFT:ValueDescription> <MSFT:ValueDescription>ESS will be enabled on systems with capable software and hardware, following the existing default behavior in Windows. Authentication operations of peripheral Windows Hello capable devices will be allowed, subject to current feature limitations. In addition, with this setting, ESS will be enabled on devices with a mixture of biometric devices, such as an ESS capable FPR and a non-ESS capable camera. (not recommended)</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>1</MSFT:Value> <MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Enhanced sign-in security will be enabled on systems with capable software and hardware, following the existing default behavior in Windows. For systems with one secure modality (face or fingerprint) and one insecure modality (fingerprint or face), only the secure sensor can be used for sign-in and the insecure sensor(s) will be blocked. This includes peripheral devices, which are unsupported and will be unusable. (default and recommended for highest security)</MSFT:ValueDescription> <MSFT:ValueDescription>ESS will be enabled on systems with capable software and hardware, following the existing default behavior in Windows. Authentication operations of any peripheral biometric device will be blocked and not available for Windows Hello. (default and recommended for highest security)</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
</MSFT:AllowedValues> </MSFT:AllowedValues>
<MSFT:GpMapping GpEnglishName="Enable ESS with Supported Peripherals" GpAreaPath="Passport~AT~WindowsComponents~MSPassportForWorkCategory" /> <MSFT:GpMapping GpEnglishName="Enable ESS with Supported Peripherals" GpAreaPath="Passport~AT~WindowsComponents~MSPassportForWorkCategory" />
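Review bot: The new `ValueDescription` for value 0 uses "FPR" without expanding it ("an ESS capable FPR and a non-ESS capable camera"). Suggest spelling it out as fingerprint reader here and in the matching row of the CSP article, which carries the same text.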

View File

@ -4,7 +4,7 @@ description: Learn more about the PDE CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 02/28/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -26,7 +26,13 @@ The following list shows the PDE configuration service provider nodes:
- ./User/Vendor/MSFT/PDE - ./User/Vendor/MSFT/PDE
- [EnablePersonalDataEncryption](#enablepersonaldataencryption) - [EnablePersonalDataEncryption](#enablepersonaldataencryption)
- [ProtectFolders](#protectfolders)
- [ProtectDesktop](#protectfoldersprotectdesktop)
- [ProtectDocuments](#protectfoldersprotectdocuments)
- [ProtectPictures](#protectfoldersprotectpictures)
- [Status](#status) - [Status](#status)
- [FolderProtectionStatus](#statusfolderprotectionstatus)
- [FoldersProtected](#statusfoldersprotected)
- [PersonalDataEncryptionStatus](#statuspersonaldataencryptionstatus) - [PersonalDataEncryptionStatus](#statuspersonaldataencryptionstatus)
<!-- PDE-Tree-End --> <!-- PDE-Tree-End -->
@ -79,6 +85,188 @@ The [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.u
<!-- User-EnablePersonalDataEncryption-End --> <!-- User-EnablePersonalDataEncryption-End -->
<!-- User-ProtectFolders-Begin -->
## ProtectFolders
<!-- User-ProtectFolders-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :x: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
<!-- User-ProtectFolders-Applicability-End -->
<!-- User-ProtectFolders-OmaUri-Begin -->
```User
./User/Vendor/MSFT/PDE/ProtectFolders
```
<!-- User-ProtectFolders-OmaUri-End -->
<!-- User-ProtectFolders-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- User-ProtectFolders-Description-End -->
<!-- User-ProtectFolders-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- User-ProtectFolders-Editable-End -->
<!-- User-ProtectFolders-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | node |
| Access Type | Get |
<!-- User-ProtectFolders-DFProperties-End -->
<!-- User-ProtectFolders-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- User-ProtectFolders-Examples-End -->
<!-- User-ProtectFolders-End -->
<!-- User-ProtectFolders-ProtectDesktop-Begin -->
### ProtectFolders/ProtectDesktop
<!-- User-ProtectFolders-ProtectDesktop-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :x: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
<!-- User-ProtectFolders-ProtectDesktop-Applicability-End -->
<!-- User-ProtectFolders-ProtectDesktop-OmaUri-Begin -->
```User
./User/Vendor/MSFT/PDE/ProtectFolders/ProtectDesktop
```
<!-- User-ProtectFolders-ProtectDesktop-OmaUri-End -->
<!-- User-ProtectFolders-ProtectDesktop-Description-Begin -->
<!-- Description-Source-DDF -->
Allows the Admin to enable PDE on Desktop folder. Set to '1' to set this policy.
<!-- User-ProtectFolders-ProtectDesktop-Description-End -->
<!-- User-ProtectFolders-ProtectDesktop-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- User-ProtectFolders-ProtectDesktop-Editable-End -->
<!-- User-ProtectFolders-ProtectDesktop-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
<!-- User-ProtectFolders-ProtectDesktop-DFProperties-End -->
<!-- User-ProtectFolders-ProtectDesktop-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder. |
| 1 | Enable PDE on the folder. |
<!-- User-ProtectFolders-ProtectDesktop-AllowedValues-End -->
<!-- User-ProtectFolders-ProtectDesktop-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- User-ProtectFolders-ProtectDesktop-Examples-End -->
<!-- User-ProtectFolders-ProtectDesktop-End -->
<!-- User-ProtectFolders-ProtectDocuments-Begin -->
### ProtectFolders/ProtectDocuments
<!-- User-ProtectFolders-ProtectDocuments-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :x: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
<!-- User-ProtectFolders-ProtectDocuments-Applicability-End -->
<!-- User-ProtectFolders-ProtectDocuments-OmaUri-Begin -->
```User
./User/Vendor/MSFT/PDE/ProtectFolders/ProtectDocuments
```
<!-- User-ProtectFolders-ProtectDocuments-OmaUri-End -->
<!-- User-ProtectFolders-ProtectDocuments-Description-Begin -->
<!-- Description-Source-DDF -->
Allows the Admin to enable PDE on Documents folder. Set to '1' to set this policy.
<!-- User-ProtectFolders-ProtectDocuments-Description-End -->
<!-- User-ProtectFolders-ProtectDocuments-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- User-ProtectFolders-ProtectDocuments-Editable-End -->
<!-- User-ProtectFolders-ProtectDocuments-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
<!-- User-ProtectFolders-ProtectDocuments-DFProperties-End -->
<!-- User-ProtectFolders-ProtectDocuments-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder. |
| 1 | Enable PDE on the folder. |
<!-- User-ProtectFolders-ProtectDocuments-AllowedValues-End -->
<!-- User-ProtectFolders-ProtectDocuments-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- User-ProtectFolders-ProtectDocuments-Examples-End -->
<!-- User-ProtectFolders-ProtectDocuments-End -->
<!-- User-ProtectFolders-ProtectPictures-Begin -->
### ProtectFolders/ProtectPictures
<!-- User-ProtectFolders-ProtectPictures-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :x: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
<!-- User-ProtectFolders-ProtectPictures-Applicability-End -->
<!-- User-ProtectFolders-ProtectPictures-OmaUri-Begin -->
```User
./User/Vendor/MSFT/PDE/ProtectFolders/ProtectPictures
```
<!-- User-ProtectFolders-ProtectPictures-OmaUri-End -->
<!-- User-ProtectFolders-ProtectPictures-Description-Begin -->
<!-- Description-Source-DDF -->
Allows the Admin to enable PDE on Pictures folder. Set to '1' to set this policy.
<!-- User-ProtectFolders-ProtectPictures-Description-End -->
<!-- User-ProtectFolders-ProtectPictures-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- User-ProtectFolders-ProtectPictures-Editable-End -->
<!-- User-ProtectFolders-ProtectPictures-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
<!-- User-ProtectFolders-ProtectPictures-DFProperties-End -->
<!-- User-ProtectFolders-ProtectPictures-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder. |
| 1 | Enable PDE on the folder. |
<!-- User-ProtectFolders-ProtectPictures-AllowedValues-End -->
<!-- User-ProtectFolders-ProtectPictures-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- User-ProtectFolders-ProtectPictures-Examples-End -->
<!-- User-ProtectFolders-ProtectPictures-End -->
<!-- User-Status-Begin --> <!-- User-Status-Begin -->
## Status ## Status
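Review bot: The ProtectFolders section ships with `<!-- Description-Source-Not-Found -->` and an empty Editable block, so the parent node has no description at all; suggest one sentence there saying it groups the per-folder PDE settings. On the three child nodes, "Set to '1' to set this policy" is circular, and the property tables give no default even though value 0 is documented as unprotecting a folder that is currently protected. State what happens when the node is not configured, so an admin can tell whether omitting it differs from sending 0.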
@ -121,6 +309,95 @@ Reports the current status of Personal Data Encryption (PDE) for the user.
<!-- User-Status-End --> <!-- User-Status-End -->
<!-- User-Status-FolderProtectionStatus-Begin -->
### Status/FolderProtectionStatus
<!-- User-Status-FolderProtectionStatus-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :x: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
<!-- User-Status-FolderProtectionStatus-Applicability-End -->
<!-- User-Status-FolderProtectionStatus-OmaUri-Begin -->
```User
./User/Vendor/MSFT/PDE/Status/FolderProtectionStatus
```
<!-- User-Status-FolderProtectionStatus-OmaUri-End -->
<!-- User-Status-FolderProtectionStatus-Description-Begin -->
<!-- Description-Source-DDF -->
This node reports folder protection status for a user.
<!-- User-Status-FolderProtectionStatus-Description-End -->
<!-- User-Status-FolderProtectionStatus-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- User-Status-FolderProtectionStatus-Editable-End -->
<!-- User-Status-FolderProtectionStatus-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Get |
<!-- User-Status-FolderProtectionStatus-DFProperties-End -->
<!-- User-Status-FolderProtectionStatus-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Protection not started. |
| 1 | Protection is completed with no failures. |
| 2 | Protection in progress. |
| 3 | Protection failed. |
<!-- User-Status-FolderProtectionStatus-AllowedValues-End -->
<!-- User-Status-FolderProtectionStatus-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- User-Status-FolderProtectionStatus-Examples-End -->
<!-- User-Status-FolderProtectionStatus-End -->
<!-- User-Status-FoldersProtected-Begin -->
### Status/FoldersProtected
<!-- User-Status-FoldersProtected-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :x: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
<!-- User-Status-FoldersProtected-Applicability-End -->
<!-- User-Status-FoldersProtected-OmaUri-Begin -->
```User
./User/Vendor/MSFT/PDE/Status/FoldersProtected
```
<!-- User-Status-FoldersProtected-OmaUri-End -->
<!-- User-Status-FoldersProtected-Description-Begin -->
<!-- Description-Source-DDF -->
This node reports all folders (full path to each folder) that have been protected.
<!-- User-Status-FoldersProtected-Description-End -->
<!-- User-Status-FoldersProtected-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- User-Status-FoldersProtected-Editable-End -->
<!-- User-Status-FoldersProtected-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Get |
<!-- User-Status-FoldersProtected-DFProperties-End -->
<!-- User-Status-FoldersProtected-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- User-Status-FoldersProtected-Examples-End -->
<!-- User-Status-FoldersProtected-End -->
<!-- User-Status-PersonalDataEncryptionStatus-Begin --> <!-- User-Status-PersonalDataEncryptionStatus-Begin -->
### Status/PersonalDataEncryptionStatus ### Status/PersonalDataEncryptionStatus
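Review bot: Status/FoldersProtected is documented as `chr (string)` reporting "all folders (full path to each folder)", but the section does not say how multiple paths are separated inside that single string. Suggest documenting the delimiter and giving a sample value in the Examples block. For Status/FolderProtectionStatus, say whether the int is one aggregate state across Desktop, Documents and Pictures, since value 3 "Protection failed." does not identify which folder failed.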

View File

@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 02/17/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -83,6 +83,128 @@ The following XML file contains the device description framework (DDF) for the P
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node>
<NodeName>ProtectFolders</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName />
</DFType>
</DFProperties>
<Node>
<NodeName>ProtectDocuments</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Allows the Admin to enable PDE on Documents folder. Set to '1' to set this policy.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Enable PDE on the folder.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>ProtectDesktop</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Allows the Admin to enable PDE on Desktop folder. Set to '1' to set this policy.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Enable PDE on the folder.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>ProtectPictures</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Allows the Admin to enable PDE on Pictures folder. Set to '1' to set this policy.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Enable PDE on the folder.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
</Node>
<Node> <Node>
<NodeName>Status</NodeName> <NodeName>Status</NodeName>
<DFProperties> <DFProperties>
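Review bot: The new `ProtectFolders` parent node has no `<Description>` element, which lines up with the Description-Source-Not-Found marker in the generated article for that node; suggest adding one here. None of the three child nodes carries a `<DefaultValue>`, while value 0 is described as unprotecting an already protected folder, so the unconfigured behaviour is undefined in the DDF. The new nodes also have no `<MSFT:Applicability>` block, unlike the DisablePostLogonProvisioning node added to the PassportForWork DDF in this commit; if applicability is meant to be inherited from the PDE root, that is fine, otherwise add it.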
@ -123,6 +245,66 @@ The following XML file contains the device description framework (DDF) for the P
</DFType> </DFType>
</DFProperties> </DFProperties>
</Node> </Node>
<Node>
<NodeName>FolderProtectionStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This node reports folder protection status for a user. </Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Protection not started.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Protection is completed with no failures.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>Protection in progress.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>3</MSFT:Value>
<MSFT:ValueDescription>Protection failed.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>FoldersProtected</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This node reports all folders (full path to each folder) that have been protected.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
</Node> </Node>
</Node> </Node>
</MgmtTree> </MgmtTree>
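Review bot: `<Description>This node reports folder protection status for a user. </Description>` in the FolderProtectionStatus node has a trailing space before the closing tag; trim it so the text matches the other descriptions in this file.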

View File

@ -4,7 +4,7 @@ description: Learn about the ADMX-backed policies in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/18/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -2303,7 +2303,9 @@ This article lists the ADMX-backed policies in Policy CSP.
- [EnableSettings](policy-csp-desktopappinstaller.md) - [EnableSettings](policy-csp-desktopappinstaller.md)
- [EnableExperimentalFeatures](policy-csp-desktopappinstaller.md) - [EnableExperimentalFeatures](policy-csp-desktopappinstaller.md)
- [EnableLocalManifestFiles](policy-csp-desktopappinstaller.md) - [EnableLocalManifestFiles](policy-csp-desktopappinstaller.md)
- [EnableBypassCertificatePinningForMicrosoftStore](policy-csp-desktopappinstaller.md)
- [EnableHashOverride](policy-csp-desktopappinstaller.md) - [EnableHashOverride](policy-csp-desktopappinstaller.md)
- [EnableLocalArchiveMalwareScanOverride](policy-csp-desktopappinstaller.md)
- [EnableDefaultSource](policy-csp-desktopappinstaller.md) - [EnableDefaultSource](policy-csp-desktopappinstaller.md)
- [EnableMicrosoftStoreSource](policy-csp-desktopappinstaller.md) - [EnableMicrosoftStoreSource](policy-csp-desktopappinstaller.md)
- [SourceAutoUpdateInterval](policy-csp-desktopappinstaller.md) - [SourceAutoUpdateInterval](policy-csp-desktopappinstaller.md)

View File

@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 02/03/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -340,6 +340,10 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [ClearTextPassword](policy-csp-devicelock.md) - [ClearTextPassword](policy-csp-devicelock.md)
- [PasswordComplexity](policy-csp-devicelock.md) - [PasswordComplexity](policy-csp-devicelock.md)
- [PasswordHistorySize](policy-csp-devicelock.md) - [PasswordHistorySize](policy-csp-devicelock.md)
- [AccountLockoutThreshold](policy-csp-devicelock.md)
- [AccountLockoutDuration](policy-csp-devicelock.md)
- [ResetAccountLockoutCounterAfter](policy-csp-devicelock.md)
- [AllowAdministratorLockout](policy-csp-devicelock.md)
## Display ## Display
@ -400,6 +404,10 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [ForceInstantLock](policy-csp-humanpresence.md) - [ForceInstantLock](policy-csp-humanpresence.md)
- [ForceLockTimeout](policy-csp-humanpresence.md) - [ForceLockTimeout](policy-csp-humanpresence.md)
- [ForceInstantDim](policy-csp-humanpresence.md) - [ForceInstantDim](policy-csp-humanpresence.md)
- [ForceDisableWakeWhenBatterySaverOn](policy-csp-humanpresence.md)
- [ForceAllowWakeWhenExternalDisplayConnected](policy-csp-humanpresence.md)
- [ForceAllowLockWhenExternalDisplayConnected](policy-csp-humanpresence.md)
- [ForceAllowDimWhenExternalDisplayConnected](policy-csp-humanpresence.md)
## Kerberos ## Kerberos
@ -511,6 +519,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [DisallowNotificationMirroring](policy-csp-notifications.md) - [DisallowNotificationMirroring](policy-csp-notifications.md)
- [DisallowTileNotification](policy-csp-notifications.md) - [DisallowTileNotification](policy-csp-notifications.md)
- [EnableExpandedToastNotifications](policy-csp-notifications.md)
- [DisallowCloudNotification](policy-csp-notifications.md) - [DisallowCloudNotification](policy-csp-notifications.md)
- [WnsEndpoint](policy-csp-notifications.md) - [WnsEndpoint](policy-csp-notifications.md)
@ -574,6 +583,10 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [LetAppsAccessGraphicsCaptureWithoutBorder_ForceAllowTheseApps](policy-csp-privacy.md) - [LetAppsAccessGraphicsCaptureWithoutBorder_ForceAllowTheseApps](policy-csp-privacy.md)
- [LetAppsAccessGraphicsCaptureWithoutBorder_ForceDenyTheseApps](policy-csp-privacy.md) - [LetAppsAccessGraphicsCaptureWithoutBorder_ForceDenyTheseApps](policy-csp-privacy.md)
- [LetAppsAccessGraphicsCaptureWithoutBorder_UserInControlOfTheseApps](policy-csp-privacy.md) - [LetAppsAccessGraphicsCaptureWithoutBorder_UserInControlOfTheseApps](policy-csp-privacy.md)
- [LetAppsAccessHumanPresence](policy-csp-privacy.md)
- [LetAppsAccessHumanPresence_ForceAllowTheseApps](policy-csp-privacy.md)
- [LetAppsAccessHumanPresence_ForceDenyTheseApps](policy-csp-privacy.md)
- [LetAppsAccessHumanPresence_UserInControlOfTheseApps](policy-csp-privacy.md)
- [LetAppsAccessLocation](policy-csp-privacy.md) - [LetAppsAccessLocation](policy-csp-privacy.md)
- [LetAppsAccessLocation_ForceAllowTheseApps](policy-csp-privacy.md) - [LetAppsAccessLocation_ForceAllowTheseApps](policy-csp-privacy.md)
- [LetAppsAccessLocation_ForceDenyTheseApps](policy-csp-privacy.md) - [LetAppsAccessLocation_ForceDenyTheseApps](policy-csp-privacy.md)
@ -676,6 +689,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [StartLayout](policy-csp-start.md) - [StartLayout](policy-csp-start.md)
- [ConfigureStartPins](policy-csp-start.md) - [ConfigureStartPins](policy-csp-start.md)
- [HideRecommendedSection](policy-csp-start.md) - [HideRecommendedSection](policy-csp-start.md)
- [HideRecoPersonalizedSites](policy-csp-start.md)
- [HideTaskViewButton](policy-csp-start.md) - [HideTaskViewButton](policy-csp-start.md)
- [DisableControlCenter](policy-csp-start.md) - [DisableControlCenter](policy-csp-start.md)
- [ForceStartSize](policy-csp-start.md) - [ForceStartSize](policy-csp-start.md)
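Review bot: The added entry `HideRecoPersonalizedSites` abbreviates "Reco", while the entry directly above it is spelled out as `HideRecommendedSection`; please confirm the name matches the policy heading in policy-csp-start.md, since readers search this list by policy name. Like its neighbours, the link has no fragment, so a name mismatch would not surface as a broken anchor. The same line is added again in the hunk at -686, so any rename has to be made in both places.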
@ -686,6 +700,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [StartLayout](policy-csp-start.md) - [StartLayout](policy-csp-start.md)
- [ConfigureStartPins](policy-csp-start.md) - [ConfigureStartPins](policy-csp-start.md)
- [HideRecommendedSection](policy-csp-start.md) - [HideRecommendedSection](policy-csp-start.md)
- [HideRecoPersonalizedSites](policy-csp-start.md)
- [SimplifyQuickSettings](policy-csp-start.md) - [SimplifyQuickSettings](policy-csp-start.md)
- [DisableEditingQuickSettings](policy-csp-start.md) - [DisableEditingQuickSettings](policy-csp-start.md)
- [HideTaskViewButton](policy-csp-start.md) - [HideTaskViewButton](policy-csp-start.md)
@ -869,6 +884,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [DenyLogOnAsBatchJob](policy-csp-userrights.md) - [DenyLogOnAsBatchJob](policy-csp-userrights.md)
- [LogOnAsService](policy-csp-userrights.md) - [LogOnAsService](policy-csp-userrights.md)
- [IncreaseProcessWorkingSet](policy-csp-userrights.md) - [IncreaseProcessWorkingSet](policy-csp-userrights.md)
- [DenyServiceLogonRight](policy-csp-userrights.md)
## VirtualizationBasedTechnology ## VirtualizationBasedTechnology
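Review bot: The new `DenyServiceLogonRight` entry, added as the last item before the `## VirtualizationBasedTechnology` heading, does not follow the naming of the user-rights entries around it (`DenyLogOnAsBatchJob`, `LogOnAsService`); please check it against the node name in policy-csp-userrights.md before merging. This entry controls which accounts are denied service logon, so admins auditing user-rights assignments will look it up by exact name, and the fragment-less link gives no other way to verify it.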

View File

@ -1,99 +1,378 @@
--- ---
title: Policies in Policy CSP supported by Microsoft Surface Hub title: Policies in Policy CSP supported by Windows 10 Team
description: Learn about the policies in Policy CSP supported by Microsoft Surface Hub. description: Learn about the policies in Policy CSP supported by Windows 10 Team.
ms.reviewer: author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.topic: article ms.date: 03/28/2023
ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft ms.topic: reference
ms.localizationpriority: medium
ms.date: 07/22/2020
--- ---
# Policies in Policy CSP supported by Microsoft Surface Hub <!-- Auto-Generated CSP Document -->
- [ApplicationManagement/AllowAppStoreAutoUpdate](./policy-csp-applicationmanagement.md#allowappstoreautoupdate) # Policies in Policy CSP supported by Windows 10 Team
- [ApplicationManagement/AllowDeveloperUnlock](./policy-csp-applicationmanagement.md#allowdeveloperunlock)
- [Accounts/AllowMicrosoftAccountConnection](./policy-csp-accounts.md#allowmicrosoftaccountconnection)
- [Camera/AllowCamera](policy-csp-camera.md#allowcamera)
- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#showappcellularaccessui)
- [Cryptography/AllowFipsAlgorithmPolicy](policy-csp-cryptography.md#allowfipsalgorithmpolicy)
- [Cryptography/TLSCipherSuites](policy-csp-cryptography.md#tlsciphersuites)
- [Defender/AllowArchiveScanning](policy-csp-defender.md#allowarchivescanning)
- [Defender/AllowBehaviorMonitoring](policy-csp-defender.md#allowbehaviormonitoring)
- [Defender/AllowCloudProtection](policy-csp-defender.md#allowcloudprotection)
- [Defender/AllowEmailScanning](policy-csp-defender.md#allowemailscanning)
- [Defender/AllowFullScanOnMappedNetworkDrives](policy-csp-defender.md#allowfullscanonmappednetworkdrives)
- [Defender/AllowFullScanRemovableDriveScanning](policy-csp-defender.md#allowfullscanremovabledrivescanning)
- [Defender/AllowIOAVProtection](policy-csp-defender.md#allowioavprotection)
- [Defender/AllowOnAccessProtection](policy-csp-defender.md#allowonaccessprotection)
- [Defender/AllowRealtimeMonitoring](policy-csp-defender.md#allowrealtimemonitoring)
- [Defender/AllowScanningNetworkFiles](policy-csp-defender.md#allowscanningnetworkfiles)
- [Defender/AllowScriptScanning](policy-csp-defender.md#allowscriptscanning)
- [Defender/AllowUserUIAccess](policy-csp-defender.md#allowuseruiaccess)
- [Defender/AvgCPULoadFactor](policy-csp-defender.md#avgcpuloadfactor)
- [Defender/DaysToRetainCleanedMalware](policy-csp-defender.md#daystoretaincleanedmalware)
- [Defender/ExcludedExtensions](policy-csp-defender.md#excludedextensions)
- [Defender/ExcludedPaths](policy-csp-defender.md#excludedpaths)
- [Defender/ExcludedProcesses](policy-csp-defender.md#excludedprocesses)
- [Defender/PUAProtection](policy-csp-defender.md#puaprotection)
- [Defender/RealTimeScanDirection](policy-csp-defender.md#realtimescandirection)
- [Defender/ScanParameter](policy-csp-defender.md#scanparameter)
- [Defender/ScheduleQuickScanTime](policy-csp-defender.md#schedulequickscantime)
- [Defender/ScheduleScanDay](policy-csp-defender.md#schedulescanday)
- [Defender/ScheduleScanTime](policy-csp-defender.md#schedulescantime)
- [Defender/SignatureUpdateInterval](policy-csp-defender.md#signatureupdateinterval)
- [Defender/SubmitSamplesConsent](policy-csp-defender.md#submitsamplesconsent)
- [Defender/ThreatSeverityDefaultAction](policy-csp-defender.md#threatseveritydefaultaction)
- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#doabsolutemaxcachesize)
- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#doallowvpnpeercaching)
- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#dodownloadmode)
- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#dogroupid)
- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#domaxcacheage)
- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#domaxcachesize)
- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md) (Deprecated)
- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md) (Deprecated)
- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#dominbackgroundqos)
- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#domindisksizeallowedtopeer)
- [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#dominfilesizetocache)
- [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#dominramallowedtopeer)
- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#domodifycachedrive)
- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#domonthlyuploaddatacap)
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md) (Deprecated)
- [Desktop/PreventUserRedirectionOfProfileFolders](policy-csp-desktop.md#preventuserredirectionofprofilefolders)
- [RestrictedGroups/ConfigureGroupMembership](policy-csp-restrictedgroups.md#configuregroupmembership)
- [System/AllowLocation](policy-csp-system.md#allowlocation)
- [System/AllowStorageCard](policy-csp-system.md#allowstoragecard)
- [System/AllowTelemetry](policy-csp-system.md#allowtelemetry)
- [TextInput/AllowIMELogging](policy-csp-textinput.md#allowimelogging)
- [TextInput/AllowIMENetworkAccess](policy-csp-textinput.md#allowimenetworkaccess)
- [TextInput/AllowInputPanel](policy-csp-textinput.md#allowinputpanel)
- [TextInput/AllowJapaneseIMESurrogatePairCharacters](policy-csp-textinput.md#allowjapaneseimesurrogatepaircharacters)
- [TextInput/AllowJapaneseIVSCharacters](policy-csp-textinput.md#allowjapaneseivscharacters)
- [TextInput/AllowJapaneseNonPublishingStandardGlyph](policy-csp-textinput.md#allowjapanesenonpublishingstandardglyph)
- [TextInput/AllowJapaneseUserDictionary](policy-csp-textinput.md#allowjapaneseuserdictionary)
- [TextInput/AllowLanguageFeaturesUninstall](policy-csp-textinput.md#allowlanguagefeaturesuninstall)
- [TextInput/ExcludeJapaneseIMEExceptJIS0208](policy-csp-textinput.md#excludejapaneseimeexceptjis0208)
- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](policy-csp-textinput.md#excludejapaneseimeexceptjis0208andeudc)
- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](policy-csp-textinput.md#excludejapaneseimeexceptshiftjis)
- [TimeLanguageSettings/ConfigureTimeZone](policy-csp-timelanguagesettings.md#configuretimezone)
- [Wifi/AllowInternetSharing](policy-csp-wifi.md#allowinternetsharing)
- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#allowmanualwificonfiguration)
- [Wifi/AllowWiFi](policy-csp-wifi.md#allowwifi)
- [Wifi/AllowWiFiHotSpotReporting](policy-csp-wifi.md) (Deprecated)
- [Wifi/WLANScanMode](policy-csp-wifi.md#wlanscanmode)
- [Wifi/AllowWiFiDirect](policy-csp-wifi.md#allowwifidirect)
- [WirelessDisplay/AllowMdnsAdvertisement](policy-csp-wirelessdisplay.md#allowmdnsadvertisement)
- [WirelessDisplay/AllowMdnsDiscovery](policy-csp-wirelessdisplay.md#allowmdnsdiscovery)
- [WirelessDisplay/AllowProjectionFromPC](policy-csp-wirelessdisplay.md#allowprojectionfrompc)
- [WirelessDisplay/AllowProjectionFromPCOverInfrastructure](policy-csp-wirelessdisplay.md#allowprojectionfrompcoverinfrastructure)
- [WirelessDisplay/AllowProjectionToPC](policy-csp-wirelessdisplay.md#allowprojectiontopc)
- [WirelessDisplay/AllowProjectionToPCOverInfrastructure](policy-csp-wirelessdisplay.md#allowprojectiontopcoverinfrastructure)
- [WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver](policy-csp-wirelessdisplay.md#allowuserinputfromwirelessdisplayreceiver)
- [WirelessDisplay/RequirePinForPairing](policy-csp-wirelessdisplay.md#requirepinforpairing)
## Related topics This article lists the policies in Policy CSP that are applicable for the Surface Hub operating system, **Windows 10 Team**.
[Policy CSP](policy-configuration-service-provider.md) ## ApplicationDefaults
- [DefaultAssociationsConfiguration](policy-csp-applicationdefaults.md#defaultassociationsconfiguration)
## ApplicationManagement
- [AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#allowappstoreautoupdate)
- [AllowDeveloperUnlock](policy-csp-applicationmanagement.md#allowdeveloperunlock)
## Bluetooth
- [AllowAdvertising](policy-csp-bluetooth.md#allowadvertising)
- [AllowDiscoverableMode](policy-csp-bluetooth.md#allowdiscoverablemode)
- [AllowPrepairing](policy-csp-bluetooth.md#allowprepairing)
- [AllowPromptedProximalConnections](policy-csp-bluetooth.md#allowpromptedproximalconnections)
- [LocalDeviceName](policy-csp-bluetooth.md#localdevicename)
- [ServicesAllowedList](policy-csp-bluetooth.md#servicesallowedlist)
- [SetMinimumEncryptionKeySize](policy-csp-bluetooth.md#setminimumencryptionkeysize)
## Browser
- [AllowAddressBarDropdown](policy-csp-browser.md#allowaddressbardropdown)
- [AllowAutofill](policy-csp-browser.md#allowautofill)
- [AllowBrowser](policy-csp-browser.md#allowbrowser)
- [AllowCookies](policy-csp-browser.md#allowcookies)
- [AllowDeveloperTools](policy-csp-browser.md#allowdevelopertools)
- [AllowDoNotTrack](policy-csp-browser.md#allowdonottrack)
- [AllowFlashClickToRun](policy-csp-browser.md#allowflashclicktorun)
- [AllowMicrosoftCompatibilityList](policy-csp-browser.md#allowmicrosoftcompatibilitylist)
- [AllowPasswordManager](policy-csp-browser.md#allowpasswordmanager)
- [AllowPopups](policy-csp-browser.md#allowpopups)
- [AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#allowsearchsuggestionsinaddressbar)
- [AllowSmartScreen](policy-csp-browser.md#allowsmartscreen)
- [ClearBrowsingDataOnExit](policy-csp-browser.md#clearbrowsingdataonexit)
- [ConfigureAdditionalSearchEngines](policy-csp-browser.md#configureadditionalsearchengines)
- [DisableLockdownOfStartPages](policy-csp-browser.md#disablelockdownofstartpages)
- [EnterpriseModeSiteList](policy-csp-browser.md#enterprisemodesitelist)
- [HomePages](policy-csp-browser.md#homepages)
- [PreventLiveTileDataCollection](policy-csp-browser.md#preventlivetiledatacollection)
- [PreventSmartScreenPromptOverride](policy-csp-browser.md#preventsmartscreenpromptoverride)
- [PreventSmartScreenPromptOverrideForFiles](policy-csp-browser.md#preventsmartscreenpromptoverrideforfiles)
- [PreventUsingLocalHostIPAddressForWebRTC](policy-csp-browser.md#preventusinglocalhostipaddressforwebrtc)
- [SetDefaultSearchEngine](policy-csp-browser.md#setdefaultsearchengine)
## Camera
- [AllowCamera](policy-csp-camera.md#allowcamera)
## Connectivity
- [AllowBluetooth](policy-csp-connectivity.md#allowbluetooth)
- [AllowConnectedDevices](policy-csp-connectivity.md#allowconnecteddevices)
## Cryptography
- [AllowFipsAlgorithmPolicy](policy-csp-cryptography.md#allowfipsalgorithmpolicy)
- [TLSCipherSuites](policy-csp-cryptography.md#tlsciphersuites)
## Defender
- [AllowArchiveScanning](policy-csp-defender.md#allowarchivescanning)
- [AllowBehaviorMonitoring](policy-csp-defender.md#allowbehaviormonitoring)
- [AllowCloudProtection](policy-csp-defender.md#allowcloudprotection)
- [AllowEmailScanning](policy-csp-defender.md#allowemailscanning)
- [AllowFullScanOnMappedNetworkDrives](policy-csp-defender.md#allowfullscanonmappednetworkdrives)
- [AllowFullScanRemovableDriveScanning](policy-csp-defender.md#allowfullscanremovabledrivescanning)
- [AllowIntrusionPreventionSystem](policy-csp-defender.md#allowintrusionpreventionsystem)
- [AllowIOAVProtection](policy-csp-defender.md#allowioavprotection)
- [AllowOnAccessProtection](policy-csp-defender.md#allowonaccessprotection)
- [AllowRealtimeMonitoring](policy-csp-defender.md#allowrealtimemonitoring)
- [AllowScanningNetworkFiles](policy-csp-defender.md#allowscanningnetworkfiles)
- [AllowScriptScanning](policy-csp-defender.md#allowscriptscanning)
- [AttackSurfaceReductionOnlyExclusions](policy-csp-defender.md#attacksurfacereductiononlyexclusions)
- [AttackSurfaceReductionRules](policy-csp-defender.md#attacksurfacereductionrules)
- [AvgCPULoadFactor](policy-csp-defender.md#avgcpuloadfactor)
- [CheckForSignaturesBeforeRunningScan](policy-csp-defender.md#checkforsignaturesbeforerunningscan)
- [CloudBlockLevel](policy-csp-defender.md#cloudblocklevel)
- [CloudExtendedTimeout](policy-csp-defender.md#cloudextendedtimeout)
- [ControlledFolderAccessAllowedApplications](policy-csp-defender.md#controlledfolderaccessallowedapplications)
- [ControlledFolderAccessProtectedFolders](policy-csp-defender.md#controlledfolderaccessprotectedfolders)
- [DaysToRetainCleanedMalware](policy-csp-defender.md#daystoretaincleanedmalware)
- [DisableCatchupFullScan](policy-csp-defender.md#disablecatchupfullscan)
- [DisableCatchupQuickScan](policy-csp-defender.md#disablecatchupquickscan)
- [EnableControlledFolderAccess](policy-csp-defender.md#enablecontrolledfolderaccess)
- [EnableLowCPUPriority](policy-csp-defender.md#enablelowcpupriority)
- [EnableNetworkProtection](policy-csp-defender.md#enablenetworkprotection)
- [ExcludedExtensions](policy-csp-defender.md#excludedextensions)
- [ExcludedPaths](policy-csp-defender.md#excludedpaths)
- [ExcludedProcesses](policy-csp-defender.md#excludedprocesses)
- [PUAProtection](policy-csp-defender.md#puaprotection)
- [RealTimeScanDirection](policy-csp-defender.md#realtimescandirection)
- [ScanParameter](policy-csp-defender.md#scanparameter)
- [ScheduleQuickScanTime](policy-csp-defender.md#schedulequickscantime)
- [ScheduleScanDay](policy-csp-defender.md#schedulescanday)
- [ScheduleScanTime](policy-csp-defender.md#schedulescantime)
- [SecurityIntelligenceLocation](policy-csp-defender.md#securityintelligencelocation)
- [SignatureUpdateFallbackOrder](policy-csp-defender.md#signatureupdatefallbackorder)
- [SignatureUpdateFileSharesSources](policy-csp-defender.md#signatureupdatefilesharessources)
- [SignatureUpdateInterval](policy-csp-defender.md#signatureupdateinterval)
- [SubmitSamplesConsent](policy-csp-defender.md#submitsamplesconsent)
- [ThreatSeverityDefaultAction](policy-csp-defender.md#threatseveritydefaultaction)
## DeliveryOptimization
- [DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#doabsolutemaxcachesize)
- [DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#doallowvpnpeercaching)
- [DOCacheHost](policy-csp-deliveryoptimization.md#docachehost)
- [DOCacheHostSource](policy-csp-deliveryoptimization.md#docachehostsource)
- [DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md#dodelaybackgrounddownloadfromhttp)
- [DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#dodelaycacheserverfallbackbackground)
- [DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#dodelaycacheserverfallbackforeground)
- [DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md#dodelayforegrounddownloadfromhttp)
- [DODisallowCacheServerDownloadsOnVPN](policy-csp-deliveryoptimization.md#dodisallowcacheserverdownloadsonvpn)
- [DODownloadMode](policy-csp-deliveryoptimization.md#dodownloadmode)
- [DOGroupId](policy-csp-deliveryoptimization.md#dogroupid)
- [DOGroupIdSource](policy-csp-deliveryoptimization.md#dogroupidsource)
- [DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#domaxbackgrounddownloadbandwidth)
- [DOMaxCacheAge](policy-csp-deliveryoptimization.md#domaxcacheage)
- [DOMaxCacheSize](policy-csp-deliveryoptimization.md#domaxcachesize)
- [DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#domaxforegrounddownloadbandwidth)
- [DOMinBackgroundQos](policy-csp-deliveryoptimization.md#dominbackgroundqos)
- [DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md#dominbatterypercentageallowedtoupload)
- [DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#domindisksizeallowedtopeer)
- [DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#dominfilesizetocache)
- [DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#dominramallowedtopeer)
- [DOModifyCacheDrive](policy-csp-deliveryoptimization.md#domodifycachedrive)
- [DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#domonthlyuploaddatacap)
- [DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md#dopercentagemaxbackgroundbandwidth)
- [DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md#dopercentagemaxforegroundbandwidth)
- [DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md#dorestrictpeerselectionby)
- [DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#dosethourstolimitbackgrounddownloadbandwidth)
- [DOSetHoursToLimitForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#dosethourstolimitforegrounddownloadbandwidth)
- [DOVpnKeywords](policy-csp-deliveryoptimization.md#dovpnkeywords)
## ExploitGuard
- [ExploitProtectionSettings](policy-csp-exploitguard.md#exploitprotectionsettings)
## LocalUsersAndGroups
- [Configure](policy-csp-localusersandgroups.md#configure)
## NetworkIsolation
- [EnterpriseCloudResources](policy-csp-networkisolation.md#enterprisecloudresources)
- [EnterpriseInternalProxyServers](policy-csp-networkisolation.md#enterpriseinternalproxyservers)
- [EnterpriseIPRange](policy-csp-networkisolation.md#enterpriseiprange)
- [EnterpriseIPRangesAreAuthoritative](policy-csp-networkisolation.md#enterpriseiprangesareauthoritative)
- [EnterpriseNetworkDomainNames](policy-csp-networkisolation.md#enterprisenetworkdomainnames)
- [EnterpriseProxyServers](policy-csp-networkisolation.md#enterpriseproxyservers)
- [EnterpriseProxyServersAreAuthoritative](policy-csp-networkisolation.md#enterpriseproxyserversareauthoritative)
- [NeutralResources](policy-csp-networkisolation.md#neutralresources)
## Privacy
- [AllowInputPersonalization](policy-csp-privacy.md#allowinputpersonalization)
- [DisableAdvertisingId](policy-csp-privacy.md#disableadvertisingid)
- [LetAppsAccessAccountInfo](policy-csp-privacy.md#letappsaccessaccountinfo)
- [LetAppsAccessAccountInfo_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessaccountinfo_forceallowtheseapps)
- [LetAppsAccessAccountInfo_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessaccountinfo_forcedenytheseapps)
- [LetAppsAccessAccountInfo_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessaccountinfo_userincontroloftheseapps)
- [LetAppsAccessCalendar](policy-csp-privacy.md#letappsaccesscalendar)
- [LetAppsAccessCalendar_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccesscalendar_forceallowtheseapps)
- [LetAppsAccessCalendar_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccesscalendar_forcedenytheseapps)
- [LetAppsAccessCalendar_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccesscalendar_userincontroloftheseapps)
- [LetAppsAccessCallHistory](policy-csp-privacy.md#letappsaccesscallhistory)
- [LetAppsAccessCallHistory_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccesscallhistory_forceallowtheseapps)
- [LetAppsAccessCallHistory_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccesscallhistory_forcedenytheseapps)
- [LetAppsAccessCallHistory_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccesscallhistory_userincontroloftheseapps)
- [LetAppsAccessCamera](policy-csp-privacy.md#letappsaccesscamera)
- [LetAppsAccessCamera_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccesscamera_forceallowtheseapps)
- [LetAppsAccessCamera_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccesscamera_forcedenytheseapps)
- [LetAppsAccessCamera_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccesscamera_userincontroloftheseapps)
- [LetAppsAccessContacts](policy-csp-privacy.md#letappsaccesscontacts)
- [LetAppsAccessContacts_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccesscontacts_forceallowtheseapps)
- [LetAppsAccessContacts_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccesscontacts_forcedenytheseapps)
- [LetAppsAccessContacts_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccesscontacts_userincontroloftheseapps)
- [LetAppsAccessEmail](policy-csp-privacy.md#letappsaccessemail)
- [LetAppsAccessEmail_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessemail_forceallowtheseapps)
- [LetAppsAccessEmail_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessemail_forcedenytheseapps)
- [LetAppsAccessEmail_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessemail_userincontroloftheseapps)
- [LetAppsAccessLocation](policy-csp-privacy.md#letappsaccesslocation)
- [LetAppsAccessLocation_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccesslocation_forceallowtheseapps)
- [LetAppsAccessLocation_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccesslocation_forcedenytheseapps)
- [LetAppsAccessLocation_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccesslocation_userincontroloftheseapps)
- [LetAppsAccessMessaging](policy-csp-privacy.md#letappsaccessmessaging)
- [LetAppsAccessMessaging_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessmessaging_forceallowtheseapps)
- [LetAppsAccessMessaging_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessmessaging_forcedenytheseapps)
- [LetAppsAccessMessaging_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessmessaging_userincontroloftheseapps)
- [LetAppsAccessMicrophone](policy-csp-privacy.md#letappsaccessmicrophone)
- [LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_forceallowtheseapps)
- [LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_forcedenytheseapps)
- [LetAppsAccessMicrophone_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_userincontroloftheseapps)
- [LetAppsAccessNotifications](policy-csp-privacy.md#letappsaccessnotifications)
- [LetAppsAccessNotifications_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessnotifications_forceallowtheseapps)
- [LetAppsAccessNotifications_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessnotifications_forcedenytheseapps)
- [LetAppsAccessNotifications_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessnotifications_userincontroloftheseapps)
- [LetAppsAccessPhone](policy-csp-privacy.md#letappsaccessphone)
- [LetAppsAccessPhone_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessphone_forceallowtheseapps)
- [LetAppsAccessPhone_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessphone_forcedenytheseapps)
- [LetAppsAccessPhone_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessphone_userincontroloftheseapps)
- [LetAppsAccessRadios](policy-csp-privacy.md#letappsaccessradios)
- [LetAppsAccessRadios_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessradios_forceallowtheseapps)
- [LetAppsAccessRadios_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessradios_forcedenytheseapps)
- [LetAppsAccessRadios_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessradios_userincontroloftheseapps)
- [LetAppsAccessTasks](policy-csp-privacy.md#letappsaccesstasks)
- [LetAppsAccessTasks_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccesstasks_forceallowtheseapps)
- [LetAppsAccessTasks_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccesstasks_forcedenytheseapps)
- [LetAppsAccessTasks_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccesstasks_userincontroloftheseapps)
- [LetAppsAccessTrustedDevices](policy-csp-privacy.md#letappsaccesstrusteddevices)
- [LetAppsAccessTrustedDevices_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccesstrusteddevices_forceallowtheseapps)
- [LetAppsAccessTrustedDevices_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccesstrusteddevices_forcedenytheseapps)
- [LetAppsAccessTrustedDevices_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccesstrusteddevices_userincontroloftheseapps)
- [LetAppsActivateWithVoice](policy-csp-privacy.md#letappsactivatewithvoice)
- [LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#letappsactivatewithvoiceabovelock)
- [LetAppsGetDiagnosticInfo](policy-csp-privacy.md#letappsgetdiagnosticinfo)
- [LetAppsGetDiagnosticInfo_ForceAllowTheseApps](policy-csp-privacy.md#letappsgetdiagnosticinfo_forceallowtheseapps)
- [LetAppsGetDiagnosticInfo_ForceDenyTheseApps](policy-csp-privacy.md#letappsgetdiagnosticinfo_forcedenytheseapps)
- [LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](policy-csp-privacy.md#letappsgetdiagnosticinfo_userincontroloftheseapps)
- [LetAppsRunInBackground](policy-csp-privacy.md#letappsruninbackground)
- [LetAppsRunInBackground_ForceAllowTheseApps](policy-csp-privacy.md#letappsruninbackground_forceallowtheseapps)
- [LetAppsRunInBackground_ForceDenyTheseApps](policy-csp-privacy.md#letappsruninbackground_forcedenytheseapps)
- [LetAppsRunInBackground_UserInControlOfTheseApps](policy-csp-privacy.md#letappsruninbackground_userincontroloftheseapps)
- [LetAppsSyncWithDevices](policy-csp-privacy.md#letappssyncwithdevices)
- [LetAppsSyncWithDevices_ForceAllowTheseApps](policy-csp-privacy.md#letappssyncwithdevices_forceallowtheseapps)
- [LetAppsSyncWithDevices_ForceDenyTheseApps](policy-csp-privacy.md#letappssyncwithdevices_forcedenytheseapps)
- [LetAppsSyncWithDevices_UserInControlOfTheseApps](policy-csp-privacy.md#letappssyncwithdevices_userincontroloftheseapps)
## RestrictedGroups
- [ConfigureGroupMembership](policy-csp-restrictedgroups.md#configuregroupmembership)
## Security
- [RecoveryEnvironmentAuthentication](policy-csp-security.md#recoveryenvironmentauthentication)
- [RequireProvisioningPackageSignature](policy-csp-security.md#requireprovisioningpackagesignature)
- [RequireRetrieveHealthCertificateOnBoot](policy-csp-security.md#requireretrievehealthcertificateonboot)
## Start
- [StartLayout](policy-csp-start.md#startlayout)
## System
- [AllowBuildPreview](policy-csp-system.md#allowbuildpreview)
- [AllowExperimentation](policy-csp-system.md#allowexperimentation)
- [AllowFontProviders](policy-csp-system.md#allowfontproviders)
- [AllowLocation](policy-csp-system.md#allowlocation)
- [AllowStorageCard](policy-csp-system.md#allowstoragecard)
- [AllowTelemetry](policy-csp-system.md#allowtelemetry)
## TextInput
- [AllowHardwareKeyboardTextSuggestions](policy-csp-textinput.md#allowhardwarekeyboardtextsuggestions)
- [AllowIMELogging](policy-csp-textinput.md#allowimelogging)
- [AllowIMENetworkAccess](policy-csp-textinput.md#allowimenetworkaccess)
- [AllowInputPanel](policy-csp-textinput.md#allowinputpanel)
- [AllowJapaneseIMESurrogatePairCharacters](policy-csp-textinput.md#allowjapaneseimesurrogatepaircharacters)
- [AllowJapaneseIVSCharacters](policy-csp-textinput.md#allowjapaneseivscharacters)
- [AllowJapaneseNonPublishingStandardGlyph](policy-csp-textinput.md#allowjapanesenonpublishingstandardglyph)
- [AllowJapaneseUserDictionary](policy-csp-textinput.md#allowjapaneseuserdictionary)
- [AllowKeyboardTextSuggestions](policy-csp-textinput.md#allowkeyboardtextsuggestions)
- [AllowLanguageFeaturesUninstall](policy-csp-textinput.md#allowlanguagefeaturesuninstall)
- [AllowLinguisticDataCollection](policy-csp-textinput.md#allowlinguisticdatacollection)
- [AllowTextInputSuggestionUpdate](policy-csp-textinput.md#allowtextinputsuggestionupdate)
- [ConfigureJapaneseIMEVersion](policy-csp-textinput.md#configurejapaneseimeversion)
- [ConfigureKoreanIMEVersion](policy-csp-textinput.md#configurekoreanimeversion)
- [ConfigureSimplifiedChineseIMEVersion](policy-csp-textinput.md#configuresimplifiedchineseimeversion)
- [ConfigureTraditionalChineseIMEVersion](policy-csp-textinput.md#configuretraditionalchineseimeversion)
- [EnableTouchKeyboardAutoInvokeInDesktopMode](policy-csp-textinput.md#enabletouchkeyboardautoinvokeindesktopmode)
- [ExcludeJapaneseIMEExceptJIS0208](policy-csp-textinput.md#excludejapaneseimeexceptjis0208)
- [ExcludeJapaneseIMEExceptJIS0208andEUDC](policy-csp-textinput.md#excludejapaneseimeexceptjis0208andeudc)
- [ExcludeJapaneseIMEExceptShiftJIS](policy-csp-textinput.md#excludejapaneseimeexceptshiftjis)
- [ForceTouchKeyboardDockedState](policy-csp-textinput.md#forcetouchkeyboarddockedstate)
- [TouchKeyboardDictationButtonAvailability](policy-csp-textinput.md#touchkeyboarddictationbuttonavailability)
- [TouchKeyboardEmojiButtonAvailability](policy-csp-textinput.md#touchkeyboardemojibuttonavailability)
- [TouchKeyboardFullModeAvailability](policy-csp-textinput.md#touchkeyboardfullmodeavailability)
- [TouchKeyboardHandwritingModeAvailability](policy-csp-textinput.md#touchkeyboardhandwritingmodeavailability)
- [TouchKeyboardNarrowModeAvailability](policy-csp-textinput.md#touchkeyboardnarrowmodeavailability)
- [TouchKeyboardSplitModeAvailability](policy-csp-textinput.md#touchkeyboardsplitmodeavailability)
- [TouchKeyboardWideModeAvailability](policy-csp-textinput.md#touchkeyboardwidemodeavailability)
## TimeLanguageSettings
- [ConfigureTimeZone](policy-csp-timelanguagesettings.md#configuretimezone)
## Update
- [ActiveHoursEnd](policy-csp-update.md#activehoursend)
- [ActiveHoursMaxRange](policy-csp-update.md#activehoursmaxrange)
- [ActiveHoursStart](policy-csp-update.md#activehoursstart)
- [AllowAutoUpdate](policy-csp-update.md#allowautoupdate)
- [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](policy-csp-update.md#allowautowindowsupdatedownloadovermeterednetwork)
- [AllowMUUpdateService](policy-csp-update.md#allowmuupdateservice)
- [AllowNonMicrosoftSignedUpdate](policy-csp-update.md#allownonmicrosoftsignedupdate)
- [AllowTemporaryEnterpriseFeatureControl](policy-csp-update.md#allowtemporaryenterprisefeaturecontrol)
- [AllowUpdateService](policy-csp-update.md#allowupdateservice)
- [BranchReadinessLevel](policy-csp-update.md#branchreadinesslevel)
- [ConfigureFeatureUpdateUninstallPeriod](policy-csp-update.md#configurefeatureupdateuninstallperiod)
- [DeferFeatureUpdatesPeriodInDays](policy-csp-update.md#deferfeatureupdatesperiodindays)
- [DeferQualityUpdatesPeriodInDays](policy-csp-update.md#deferqualityupdatesperiodindays)
- [DeferUpdatePeriod](policy-csp-update.md#deferupdateperiod)
- [DeferUpgradePeriod](policy-csp-update.md#deferupgradeperiod)
- [DetectionFrequency](policy-csp-update.md#detectionfrequency)
- [DisableDualScan](policy-csp-update.md#disabledualscan)
- [DisableWUfBSafeguards](policy-csp-update.md#disablewufbsafeguards)
- [DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection](policy-csp-update.md#donotenforceenterprisetlscertpinningforupdatedetection)
- [ExcludeWUDriversInQualityUpdate](policy-csp-update.md#excludewudriversinqualityupdate)
- [FillEmptyContentUrls](policy-csp-update.md#fillemptycontenturls)
- [IgnoreMOAppDownloadLimit](policy-csp-update.md#ignoremoappdownloadlimit)
- [IgnoreMOUpdateDownloadLimit](policy-csp-update.md#ignoremoupdatedownloadlimit)
- [ManagePreviewBuilds](policy-csp-update.md#managepreviewbuilds)
- [PauseDeferrals](policy-csp-update.md#pausedeferrals)
- [PauseFeatureUpdates](policy-csp-update.md#pausefeatureupdates)
- [PauseFeatureUpdatesStartTime](policy-csp-update.md#pausefeatureupdatesstarttime)
- [PauseQualityUpdates](policy-csp-update.md#pausequalityupdates)
- [PauseQualityUpdatesStartTime](policy-csp-update.md#pausequalityupdatesstarttime)
- [RequireDeferUpgrade](policy-csp-update.md#requiredeferupgrade)
- [RequireUpdateApproval](policy-csp-update.md#requireupdateapproval)
- [ScheduledInstallDay](policy-csp-update.md#scheduledinstallday)
- [ScheduledInstallEveryWeek](policy-csp-update.md#scheduledinstalleveryweek)
- [ScheduledInstallFirstWeek](policy-csp-update.md#scheduledinstallfirstweek)
- [ScheduledInstallFourthWeek](policy-csp-update.md#scheduledinstallfourthweek)
- [ScheduledInstallSecondWeek](policy-csp-update.md#scheduledinstallsecondweek)
- [ScheduledInstallThirdWeek](policy-csp-update.md#scheduledinstallthirdweek)
- [ScheduledInstallTime](policy-csp-update.md#scheduledinstalltime)
- [SetPolicyDrivenUpdateSourceForDriverUpdates](policy-csp-update.md#setpolicydrivenupdatesourcefordriverupdates)
- [SetPolicyDrivenUpdateSourceForFeatureUpdates](policy-csp-update.md#setpolicydrivenupdatesourceforfeatureupdates)
- [SetPolicyDrivenUpdateSourceForOtherUpdates](policy-csp-update.md#setpolicydrivenupdatesourceforotherupdates)
- [SetPolicyDrivenUpdateSourceForQualityUpdates](policy-csp-update.md#setpolicydrivenupdatesourceforqualityupdates)
- [SetProxyBehaviorForUpdateDetection](policy-csp-update.md#setproxybehaviorforupdatedetection)
- [UpdateServiceUrl](policy-csp-update.md#updateserviceurl)
- [UpdateServiceUrlAlternate](policy-csp-update.md#updateserviceurlalternate)
## Wifi
- [AllowInternetSharing](policy-csp-wifi.md#allowinternetsharing)
- [AllowManualWiFiConfiguration](policy-csp-wifi.md#allowmanualwificonfiguration)
- [AllowWiFi](policy-csp-wifi.md#allowwifi)
- [AllowWiFiDirect](policy-csp-wifi.md#allowwifidirect)
- [WLANScanMode](policy-csp-wifi.md#wlanscanmode)
## WirelessDisplay
- [AllowMdnsAdvertisement](policy-csp-wirelessdisplay.md#allowmdnsadvertisement)
- [AllowMdnsDiscovery](policy-csp-wirelessdisplay.md#allowmdnsdiscovery)
- [AllowMovementDetectionOnInfrastructure](policy-csp-wirelessdisplay.md#allowmovementdetectiononinfrastructure)
- [AllowPCReceiverToBeTCPServer](policy-csp-wirelessdisplay.md#allowpcreceivertobetcpserver)
- [AllowPCSenderToBeTCPClient](policy-csp-wirelessdisplay.md#allowpcsendertobetcpclient)
- [AllowProjectionFromPC](policy-csp-wirelessdisplay.md#allowprojectionfrompc)
- [AllowProjectionFromPCOverInfrastructure](policy-csp-wirelessdisplay.md#allowprojectionfrompcoverinfrastructure)
- [AllowProjectionToPC](policy-csp-wirelessdisplay.md#allowprojectiontopc)
- [AllowProjectionToPCOverInfrastructure](policy-csp-wirelessdisplay.md#allowprojectiontopcoverinfrastructure)
- [AllowUserInputFromWirelessDisplayReceiver](policy-csp-wirelessdisplay.md#allowuserinputfromwirelessdisplayreceiver)
- [RequirePinForPairing](policy-csp-wirelessdisplay.md#requirepinforpairing)
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

View File

@ -4,7 +4,7 @@ description: Learn more about the AboveLock Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -40,7 +40,7 @@ ms.topic: reference
<!-- AllowActionCenterNotifications-Description-Begin --> <!-- AllowActionCenterNotifications-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy is deprecated This policy is deprecated.
<!-- AllowActionCenterNotifications-Description-End --> <!-- AllowActionCenterNotifications-Description-End -->
<!-- AllowActionCenterNotifications-Editable-Begin --> <!-- AllowActionCenterNotifications-Editable-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the Accounts Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -37,7 +37,7 @@ ms.topic: reference
<!-- AllowAddingNonMicrosoftAccountsManually-Description-Begin --> <!-- AllowAddingNonMicrosoftAccountsManually-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Specifies whether user is allowed to add non-MSA email accounts. Most restricted value is 0 Specifies whether user is allowed to add non-MSA email accounts. Most restricted value is 0.
> [!NOTE] > [!NOTE]
> This policy will only block UI/UX-based methods for adding non-Microsoft accounts. Even if this policy is enforced, you can still provision non-MSA accounts using the EMAIL2 CSP. > This policy will only block UI/UX-based methods for adding non-Microsoft accounts. Even if this policy is enforced, you can still provision non-MSA accounts using the EMAIL2 CSP.
@ -138,10 +138,10 @@ Specifies whether the user is allowed to use an MSA account for non-email relate
<!-- AllowMicrosoftAccountSignInAssistant-Description-Begin --> <!-- AllowMicrosoftAccountSignInAssistant-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Allows IT Admins the ability to disable the Microsoft Account Sign-In Assistant (wlidsvc) NT service Allows IT Admins the ability to disable the Microsoft Account Sign-In Assistant (wlidsvc) NT service.
> [!NOTE] > [!NOTE]
> If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See Feature updates are not being offered while other updates are > If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See Feature updates are not being offered while other updates are.
> [!NOTE] > [!NOTE]
> If the MSA service is disabled, the Subscription Activation feature will not work properly and your users will not be able to "step-up" from Windows 10 Pro to Windows 10 Enterprise, because the MSA ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app. > If the MSA service is disabled, the Subscription Activation feature will not work properly and your users will not be able to "step-up" from Windows 10 Pro to Windows 10 Enterprise, because the MSA ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app.
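Review bot: In the first NOTE of this hunk, the period added after "See Feature updates are not being offered while other updates are" leaves a reference that reads as a broken sentence, because the article title is neither linked nor set off as a title. Make the title a link or put it in quotation marks, so it is clear that "Feature updates are not being offered while other updates are" names an article and is not a clause of the note.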

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_AddRemovePrograms Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -110,7 +110,7 @@ You can use this setting to direct users to the programs they are most likely to
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media. Removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media.
- If you disable this setting or do not configure it, the "Add a program from CD-ROM or floppy disk" option is available to all users. If you disable this setting or do not configure it, the "Add a program from CD-ROM or floppy disk" option is available to all users.
This setting does not prevent users from using other tools and methods to add or remove program components. This setting does not prevent users from using other tools and methods to add or remove program components.
@ -173,7 +173,7 @@ This setting does not prevent users from using other tools and methods to add or
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update. Removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update.
- If you disable this setting or do not configure it, "Add programs from Microsoft" is available to all users. If you disable this setting or do not configure it, "Add programs from Microsoft" is available to all users.
This setting does not prevent users from using other tools and methods to connect to Windows Update. This setting does not prevent users from using other tools and methods to connect to Windows Update.
@ -305,7 +305,7 @@ Removes the Add New Programs button from the Add or Remove Programs bar. As a re
The Add New Programs button lets users install programs published or assigned by a system administrator. The Add New Programs button lets users install programs published or assigned by a system administrator.
- If you disable this setting or do not configure it, the Add New Programs button is available to all users. If you disable this setting or do not configure it, the Add New Programs button is available to all users.
This setting does not prevent users from using other tools and methods to install programs. This setting does not prevent users from using other tools and methods to install programs.
<!-- NoAddPage-Description-End --> <!-- NoAddPage-Description-End -->
@ -369,7 +369,7 @@ This setting removes Add or Remove Programs from Control Panel and removes the A
Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs. Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs.
- If you disable this setting or do not configure it, Add or Remove Programs is available to all users. If you disable this setting or do not configure it, Add or Remove Programs is available to all users.
When enabled, this setting takes precedence over the other settings in this folder. When enabled, this setting takes precedence over the other settings in this folder.
@ -433,7 +433,7 @@ Removes the Set Program Access and Defaults button from the Add or Remove Progra
The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations.
- If you disable this setting or do not configure it, the Set Program Access and Defaults button is available to all users. If you disable this setting or do not configure it, the Set Program Access and Defaults button is available to all users.
This setting does not prevent users from using other tools and methods to change program access or defaults. This setting does not prevent users from using other tools and methods to change program access or defaults.
@ -497,7 +497,7 @@ Removes the Change or Remove Programs button from the Add or Remove Programs bar
The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs. The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs.
- If you disable this setting or do not configure it, the Change or Remove Programs page is available to all users. If you disable this setting or do not configure it, the Change or Remove Programs page is available to all users.
This setting does not prevent users from using other tools and methods to delete or uninstall programs. This setting does not prevent users from using other tools and methods to delete or uninstall programs.
<!-- NoRemovePage-Description-End --> <!-- NoRemovePage-Description-End -->
@ -560,6 +560,7 @@ Prevents users from using Add or Remove Programs to configure installed services
This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that have not been configured and offers users easy access to the configuration tools. This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that have not been configured and offers users easy access to the configuration tools.
- If you disable this setting or do not configure it, "Set up services" appears only when there are unconfigured system services. - If you disable this setting or do not configure it, "Set up services" appears only when there are unconfigured system services.
- If you enable this setting, "Set up services" never appears. - If you enable this setting, "Set up services" never appears.
This setting does not prevent users from using other methods to configure services. This setting does not prevent users from using other methods to configure services.
@ -627,7 +628,7 @@ Removes links to the Support Info dialog box from programs on the Change or Remo
Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page. Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page.
- If you disable this setting or do not configure it, the Support Info hyperlink appears. If you disable this setting or do not configure it, the Support Info hyperlink appears.
> [!NOTE] > [!NOTE]
> Not all programs provide a support information hyperlink. > Not all programs provide a support information hyperlink.
@ -690,7 +691,7 @@ Removes the Add/Remove Windows Components button from the Add or Remove Programs
The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files. The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files.
- If you disable this setting or do not configure it, the Add/Remove Windows Components button is available to all users. If you disable this setting or do not configure it, the Add/Remove Windows Components button is available to all users.
This setting does not prevent users from using other tools and methods to configure services or add or remove program components. However, this setting blocks user access to the Windows Component Wizard. This setting does not prevent users from using other tools and methods to configure services or add or remove program components. However, this setting blocks user access to the Windows Component Wizard.
<!-- NoWindowsSetupPage-Description-End --> <!-- NoWindowsSetupPage-Description-End -->

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_AppCompat Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -241,7 +241,8 @@ The Windows Resource Protection and User Account Control features of Windows use
This option is useful to server administrators who require faster performance and are aware of the compatibility of the applications they are using. It is particularly useful for a web server where applications may be launched several hundred times a second, and the performance of the loader is essential. This option is useful to server administrators who require faster performance and are aware of the compatibility of the applications they are using. It is particularly useful for a web server where applications may be launched several hundred times a second, and the performance of the loader is essential.
NOTE: Many system processes cache the value of this setting for performance reasons. If you make changes to this setting, please reboot to ensure that your system accurately reflects those changes. > [!NOTE]
> Many system processes cache the value of this setting for performance reasons. If you make changes to this setting, please reboot to ensure that your system accurately reflects those changes.
<!-- AppCompatTurnOffEngine-Description-End --> <!-- AppCompatTurnOffEngine-Description-End -->
<!-- AppCompatTurnOffEngine-Editable-Begin --> <!-- AppCompatTurnOffEngine-Editable-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_AuditSettings Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -45,6 +45,7 @@ ms.topic: reference
This policy setting determines what information is logged in security audit events when a new process has been created. This policy setting determines what information is logged in security audit events when a new process has been created.
This setting only applies when the Audit Process Creation policy is enabled. This setting only applies when the Audit Process Creation policy is enabled.
- If you enable this policy setting the command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event 4688, "a new process has been created," on the workstations and servers on which this policy setting is applied. - If you enable this policy setting the command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event 4688, "a new process has been created," on the workstations and servers on which this policy setting is applied.
- If you disable or do not configure this policy setting, the process's command line information will not be included in Audit Process Creation events. - If you disable or do not configure this policy setting, the process's command line information will not be included in Audit Process Creation events.
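Review bot: The enable bullet still reads "If you enable this policy setting the command line information for every process will be logged", with no comma after "setting", while the disable bullet below it has one. Because this description states that command lines are written in plain text to the security event log under event 4688, consider also adding a note that process arguments can carry sensitive values, so read access to that log should be scoped accordingly.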

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_CipherSuiteOrder Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -117,7 +117,7 @@ NistP384
To See all the curves supported on the system, Use the following command: To See all the curves supported on the system, Use the following command:
CertUtil.exe -DisplayEccCurve CertUtil.exe -DisplayEccCurve.
<!-- SSLCurveOrder-Description-End --> <!-- SSLCurveOrder-Description-End -->
<!-- SSLCurveOrder-Editable-Begin --> <!-- SSLCurveOrder-Editable-Begin -->
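Review bot: The period added after the command in "CertUtil.exe -DisplayEccCurve." becomes part of what a reader copies, and nothing separates it from the option name. Drop the period and set the command in code formatting instead. The lead-in "To See all the curves supported on the system, Use the following command:" also needs "See" and "Use" in lower case.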

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_ControlPanel Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -44,7 +44,7 @@ ms.topic: reference
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This setting allows you to display or hide specified Control Panel items, such as Mouse, System, or Personalization, from the Control Panel window and the Start screen. The setting affects the Start screen and Control Panel window, as well as other ways to access Control Panel items, such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. This setting allows you to display or hide specified Control Panel items, such as Mouse, System, or Personalization, from the Control Panel window and the Start screen. The setting affects the Start screen and Control Panel window, as well as other ways to access Control Panel items, such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings.
- If you enable this setting, you can select specific items not to display on the Control Panel window and the Start screen. If you enable this setting, you can select specific items not to display on the Control Panel window and the Start screen.
To hide a Control Panel item, enable this policy setting and click Show to access the list of disallowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft. Mouse, Microsoft. System, or Microsoft. Personalization. To hide a Control Panel item, enable this policy setting and click Show to access the list of disallowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft. Mouse, Microsoft. System, or Microsoft. Personalization.
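Review bot: The example in the last line of this hunk, "enter Microsoft. Mouse, Microsoft. System, or Microsoft. Personalization", has a space after each dot, and a value typed that way is not the canonical name: canonical names are written without the space (Microsoft.Mouse, Microsoft.System, Microsoft.Personalization). The hunk already edits the paragraph directly above, so fix the spacing in the same pass, ideally with the names in code formatting so a later punctuation pass does not split them again.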
@ -120,6 +120,7 @@ This policy setting controls the default Control Panel view, whether by category
- If this policy setting is disabled, the Control Panel opens to the category view. - If this policy setting is disabled, the Control Panel opens to the category view.
- If this policy setting is not configured, the Control Panel opens to the view used in the last Control Panel session. - If this policy setting is not configured, the Control Panel opens to the view used in the last Control Panel session.
> [!NOTE] > [!NOTE]
> Icon size is dependent upon what the user has set it to in the previous session. > Icon size is dependent upon what the user has set it to in the previous session.
<!-- ForceClassicControlPanel-Description-End --> <!-- ForceClassicControlPanel-Description-End -->

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_ControlPanelDisplay Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/13/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -44,7 +44,7 @@ ms.topic: reference
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Disables the Display Control Panel. Disables the Display Control Panel.
- If you enable this setting, the Display Control Panel does not run. When users try to start Display, a message appears explaining that a setting prevents the action. If you enable this setting, the Display Control Panel does not run. When users try to start Display, a message appears explaining that a setting prevents the action.
Also, see the "Prohibit access to the Control Panel" (User Configuration\Administrative Templates\Control Panel) and "Remove programs on Settings menu" (User Configuration\Administrative Templates\Start Menu & Taskbar) settings. Also, see the "Prohibit access to the Control Panel" (User Configuration\Administrative Templates\Control Panel) and "Remove programs on Settings menu" (User Configuration\Administrative Templates\Start Menu & Taskbar) settings.
<!-- CPL_Display_Disable-Description-End --> <!-- CPL_Display_Disable-Description-End -->
@ -537,7 +537,7 @@ Prevents users from changing the background image shown when the machine is lock
By default, users can change the background image shown when the machine is locked or displaying the logon screen. By default, users can change the background image shown when the machine is locked or displaying the logon screen.
- If you enable this setting, the user will not be able to change their lock screen and logon image, and they will instead see the default image. If you enable this setting, the user will not be able to change their lock screen and logon image, and they will instead see the default image.
<!-- CPL_Personalization_NoChangingLockScreen-Description-End --> <!-- CPL_Personalization_NoChangingLockScreen-Description-End -->
<!-- CPL_Personalization_NoChangingLockScreen-Editable-Begin --> <!-- CPL_Personalization_NoChangingLockScreen-Editable-Begin -->
@ -597,7 +597,7 @@ Prevents users from changing the look of their start menu background, such as it
By default, users can change the look of their start menu background, such as its color or accent. By default, users can change the look of their start menu background, such as its color or accent.
- If you enable this setting, the user will be assigned the default start menu background and colors and will not be allowed to change them. If you enable this setting, the user will be assigned the default start menu background and colors and will not be allowed to change them.
If the "Force a specific background and accent color" policy is also set on a supported version of Windows, then those colors take precedence over this policy. If the "Force a specific background and accent color" policy is also set on a supported version of Windows, then those colors take precedence over this policy.
@ -661,7 +661,7 @@ Disables the Color (or Window Color) page in the Personalization Control Panel,
This setting prevents users from using Control Panel to change the window border and taskbar color (on Windows 8), glass color (on Windows Vista and Windows 7), system colors, or color scheme of the desktop and windows. This setting prevents users from using Control Panel to change the window border and taskbar color (on Windows 8), glass color (on Windows Vista and Windows 7), system colors, or color scheme of the desktop and windows.
- If this setting is disabled or not configured, the Color (or Window Color) page or Color Scheme dialog is available in the Personalization or Display Control Panel. If this setting is disabled or not configured, the Color (or Window Color) page or Color Scheme dialog is available in the Personalization or Display Control Panel.
For systems prior to Windows Vista, this setting hides the Appearance and Themes tabs in the in Display in Control Panel. For systems prior to Windows Vista, this setting hides the Appearance and Themes tabs in the in Display in Control Panel.
<!-- CPL_Personalization_NoColorAppearanceUI-Description-End --> <!-- CPL_Personalization_NoColorAppearanceUI-Description-End -->
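Review bot: The context line "this setting hides the Appearance and Themes tabs in the in Display in Control Panel" contains a doubled "in the in" that this punctuation pass leaves in place. It should read "tabs in Display in Control Panel".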
@ -723,7 +723,7 @@ Prevents users from adding or changing the background design of the desktop.
By default, users can use the Desktop Background page in the Personalization or Display Control Panel to add a background design (wallpaper) to their desktop. By default, users can use the Desktop Background page in the Personalization or Display Control Panel to add a background design (wallpaper) to their desktop.
- If you enable this setting, none of the Desktop Background settings can be changed by the user. If you enable this setting, none of the Desktop Background settings can be changed by the user.
To specify wallpaper for a group, use the "Desktop Wallpaper" setting. To specify wallpaper for a group, use the "Desktop Wallpaper" setting.
@ -790,7 +790,7 @@ Prevents users from changing the desktop icons.
By default, users can use the Desktop Icon Settings dialog in the Personalization or Display Control Panel to show, hide, or change the desktop icons. By default, users can use the Desktop Icon Settings dialog in the Personalization or Display Control Panel to show, hide, or change the desktop icons.
- If you enable this setting, none of the desktop icons can be changed by the user. If you enable this setting, none of the desktop icons can be changed by the user.
For systems prior to Windows Vista, this setting also hides the Desktop tab in the Display Control Panel. For systems prior to Windows Vista, this setting also hides the Desktop tab in the Display Control Panel.
<!-- CPL_Personalization_NoDesktopIconsUI-Description-End --> <!-- CPL_Personalization_NoDesktopIconsUI-Description-End -->
@ -912,7 +912,7 @@ Prevents users from changing the mouse pointers.
By default, users can use the Pointers tab in the Mouse Control Panel to add, remove, or change the mouse pointers. By default, users can use the Pointers tab in the Mouse Control Panel to add, remove, or change the mouse pointers.
- If you enable this setting, none of the mouse pointer scheme settings can be changed by the user. If you enable this setting, none of the mouse pointer scheme settings can be changed by the user.
<!-- CPL_Personalization_NoMousePointersUI-Description-End --> <!-- CPL_Personalization_NoMousePointersUI-Description-End -->
<!-- CPL_Personalization_NoMousePointersUI-Editable-Begin --> <!-- CPL_Personalization_NoMousePointersUI-Editable-Begin -->
@ -1030,7 +1030,7 @@ Prevents users from changing the sound scheme.
By default, users can use the Sounds tab in the Sound Control Panel to add, remove, or change the system Sound Scheme. By default, users can use the Sounds tab in the Sound Control Panel to add, remove, or change the system Sound Scheme.
- If you enable this setting, none of the Sound Scheme settings can be changed by the user. If you enable this setting, none of the Sound Scheme settings can be changed by the user.
<!-- CPL_Personalization_NoSoundSchemeUI-Description-End --> <!-- CPL_Personalization_NoSoundSchemeUI-Description-End -->
<!-- CPL_Personalization_NoSoundSchemeUI-Editable-Begin --> <!-- CPL_Personalization_NoSoundSchemeUI-Editable-Begin -->
@ -1090,7 +1090,7 @@ Forces Windows to use the specified colors for the background and accent. The co
By default, users can change the background and accent colors. By default, users can change the background and accent colors.
- If this setting is enabled, the background and accent colors of Windows will be set to the specified colors and users cannot change those colors. This setting will not be applied if the specified colors do not meet a contrast ratio of 2:1 with white text. If this setting is enabled, the background and accent colors of Windows will be set to the specified colors and users cannot change those colors. This setting will not be applied if the specified colors do not meet a contrast ratio of 2:1 with white text.
<!-- CPL_Personalization_PersonalColors-Description-End --> <!-- CPL_Personalization_PersonalColors-Description-End -->
<!-- CPL_Personalization_PersonalColors-Editable-Begin --> <!-- CPL_Personalization_PersonalColors-Editable-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_CredentialProviders Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -173,7 +173,7 @@ credential providers from use during authentication.
**Note** credential providers are used to process and validate user **Note** credential providers are used to process and validate user
credentials during logon or when authentication is required. credentials during logon or when authentication is required.
Windows Vista provides two default credential providers Windows Vista provides two default credential providers:
Password and Smart Card. An administrator can install additional Password and Smart Card. An administrator can install additional
credential providers for different sets of credentials credential providers for different sets of credentials
(for example, to support biometric authentication). (for example, to support biometric authentication).

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_CredSsp Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -50,7 +50,7 @@ This policy setting applies when server authentication was achieved by using a t
The policy becomes effective the next time the user signs on to a computer running Windows. The policy becomes effective the next time the user signs on to a computer running Windows.
If you disable or do not configure (by default) this policy setting, delegation of default credentials is not permitted to any computer. Applications depending upon this delegation behavior might fail authentication. For more information, see KB. - If you disable or do not configure (by default) this policy setting, delegation of default credentials is not permitted to any computer. Applications depending upon this delegation behavior might fail authentication. For more information, see KB.
FWlink for KB: FWlink for KB:
<https://go.microsoft.com/fwlink/?LinkId=301508> <https://go.microsoft.com/fwlink/?LinkId=301508>
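Review bot: turning "If you disable or do not configure..." into a list item leaves its reference stranded. The bullet ends with "For more information, see KB." with no article named, and the "FWlink for KB:" label and the URL stay on separate lines outside the bullet. Suggest folding the link into the bullet itself so that the sentence and its target stay together when rendered.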
@ -61,7 +61,7 @@ FWlink for KB:
For Example: For Example:
TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine
TERMSRV/* Remote Desktop Session Host running on all machines. TERMSRV/* Remote Desktop Session Host running on all machines.
TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com.
<!-- AllowDefaultCredentials-Description-End --> <!-- AllowDefaultCredentials-Description-End -->
<!-- AllowDefaultCredentials-Editable-Begin --> <!-- AllowDefaultCredentials-Editable-Begin -->
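Review bot: the SPN patterns in these example lines are still bare text. "TERMSRV/*" and "TERMSRV/*.humanresources.fabrikam.com" carry literal asterisks that a Markdown renderer can treat as emphasis markers, and the wildcard is the part an admin most needs to copy exactly, since it decides how many hosts receive delegated credentials. Suggest wrapping each SPN in backticks, as the DCOM change in this same commit does for its appid. The first example line also has no trailing period, while the second and third now do.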
@ -123,7 +123,7 @@ This policy setting applies when server authentication was achieved via NTLM.
- If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you use when first logging on to Windows). - If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you use when first logging on to Windows).
If you disable or do not configure (by default) this policy setting, delegation of default credentials is not permitted to any machine. - If you disable or do not configure (by default) this policy setting, delegation of default credentials is not permitted to any machine.
> [!NOTE] > [!NOTE]
> The "Allow delegating default credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. > The "Allow delegating default credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN.
@ -131,7 +131,7 @@ If you disable or do not configure (by default) this policy setting, delegation
For Example: For Example:
TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine
TERMSRV/* Remote Desktop Session Host running on all machines. TERMSRV/* Remote Desktop Session Host running on all machines.
TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com.
<!-- AllowDefCredentialsWhenNTLMOnly-Description-End --> <!-- AllowDefCredentialsWhenNTLMOnly-Description-End -->
<!-- AllowDefCredentialsWhenNTLMOnly-Editable-Begin --> <!-- AllowDefCredentialsWhenNTLMOnly-Editable-Begin -->
@ -189,19 +189,19 @@ TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Encryption Oracle Remediation Encryption Oracle Remediation
This policy setting applies to applications using the CredSSP component (for example Remote Desktop Connection). This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection).
Some versions of the CredSSP protocol are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable clients and servers. This policy allows you to set the level of protection desired for the encryption oracle vulnerability. Some versions of the CredSSP protocol are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable clients and servers. This policy allows you to set the level of protection desired for the encryption oracle vulnerability.
- If you enable this policy setting, CredSSP version support will be selected based on the following options If you enable this policy setting, CredSSP version support will be selected based on the following options:
Force Updated Clients Client applications which use CredSSP will not be able to fall back to the insecure versions and services using CredSSP will not accept unpatched clients. **Note** this setting should not be deployed until all remote hosts support the newest version. Force Updated Clients: Client applications which use CredSSP will not be able to fall back to the insecure versions and services using CredSSP will not accept unpatched clients. **Note** this setting should not be deployed until all remote hosts support the newest version.
Mitigated Client applications which use CredSSP will not be able to fall back to the insecure version but services using CredSSP will accept unpatched clients. See the link below for important information about the risk posed by remaining unpatched clients. Mitigated: Client applications which use CredSSP will not be able to fall back to the insecure version but services using CredSSP will accept unpatched clients. See the link below for important information about the risk posed by remaining unpatched clients.
Vulnerable Client applications which use CredSSP will expose the remote servers to attacks by supporting fall back to the insecure versions and services using CredSSP will accept unpatched clients. Vulnerable: Client applications which use CredSSP will expose the remote servers to attacks by supporting fall back to the insecure versions and services using CredSSP will accept unpatched clients.
For more information about the vulnerability and servicing requirements for protection, see <https//go.microsoft.com/fwlink/?linkid=866660> For more information about the vulnerability and servicing requirements for protection, see <https://go.microsoft.com/fwlink/?linkid=866660>
<!-- AllowEncryptionOracle-Description-End --> <!-- AllowEncryptionOracle-Description-End -->
<!-- AllowEncryptionOracle-Editable-Begin --> <!-- AllowEncryptionOracle-Editable-Begin -->
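Review bot: the description between Description-Source and Description-End covers only the enabled case. It never says which protection level applies when the policy is disabled or not configured, and that is the first thing an admin needs when assessing exposure to the encryption oracle attack. Suggest adding a sentence for that state. The three options (Force Updated Clients, Mitigated, Vulnerable) now end in colons but are still loose paragraphs; a bulleted list would make the term and its definition read as one unit. The "**Note**" inside the Force Updated Clients line would also be easier to spot as a separate callout.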
@ -262,7 +262,7 @@ This policy setting applies when server authentication was achieved via a truste
- If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application). - If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application).
If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). - If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*).
- If you disable this policy setting, delegation of fresh credentials is not permitted to any machine. - If you disable this policy setting, delegation of fresh credentials is not permitted to any machine.
@ -273,7 +273,7 @@ For Example:
TERMSRV/host.humanresources.fabrikam.com TERMSRV/host.humanresources.fabrikam.com
Remote Desktop Session Host running on host.humanresources.fabrikam.com machine Remote Desktop Session Host running on host.humanresources.fabrikam.com machine
TERMSRV/* Remote Desktop Session Host running on all machines. TERMSRV/* Remote Desktop Session Host running on all machines.
TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com.
<!-- AllowFreshCredentials-Description-End --> <!-- AllowFreshCredentials-Description-End -->
<!-- AllowFreshCredentials-Editable-Begin --> <!-- AllowFreshCredentials-Editable-Begin -->
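Review bot: the first example in this hunk is split across two lines, with "TERMSRV/host.humanresources.fabrikam.com" on one and its explanation on the next, while the other two examples keep the SPN and its explanation on a single line. Since the hunk already touches the example block, suggest joining the first pair so that all three entries have the same shape, or moving them into a two-column table.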
@ -335,7 +335,7 @@ This policy setting applies when server authentication was achieved via NTLM.
- If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application). - If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application).
If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). - If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*).
- If you disable this policy setting, delegation of fresh credentials is not permitted to any machine. - If you disable this policy setting, delegation of fresh credentials is not permitted to any machine.
@ -345,7 +345,7 @@ If you do not configure (by default) this policy setting, after proper mutual au
For Example: For Example:
TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine
TERMSRV/* Remote Desktop Session Host running on all machines. TERMSRV/* Remote Desktop Session Host running on all machines.
TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com.
<!-- AllowFreshCredentialsWhenNTLMOnly-Description-End --> <!-- AllowFreshCredentialsWhenNTLMOnly-Description-End -->
<!-- AllowFreshCredentialsWhenNTLMOnly-Editable-Begin --> <!-- AllowFreshCredentialsWhenNTLMOnly-Editable-Begin -->
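Review bot: the changed line ends "all machines in humanresources.fabrikam.com." with no leading dot, while the same example in the AllowDefaultCredentials and AllowFreshCredentials hunks of this commit reads "in .humanresources.fabrikam.com." Only a trailing period was added here, so the two spellings remain side by side. Suggest picking one form for the domain suffix and applying it to every copy of the example, because the text is explaining what the wildcard covers.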
@ -407,7 +407,7 @@ This policy setting applies when server authentication was achieved via a truste
- If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). - If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager).
If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). - If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*).
- If you disable this policy setting, delegation of saved credentials is not permitted to any machine. - If you disable this policy setting, delegation of saved credentials is not permitted to any machine.
@ -417,7 +417,7 @@ If you do not configure (by default) this policy setting, after proper mutual au
For Example: For Example:
TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine
TERMSRV/* Remote Desktop Session Host running on all machines. TERMSRV/* Remote Desktop Session Host running on all machines.
TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com.
<!-- AllowSavedCredentials-Description-End --> <!-- AllowSavedCredentials-Description-End -->
<!-- AllowSavedCredentials-Editable-Begin --> <!-- AllowSavedCredentials-Editable-Begin -->
@ -479,7 +479,7 @@ This policy setting applies when server authentication was achieved via NTLM.
- If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). - If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager).
If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*) if the client machine is not a member of any domain. If the client is domain-joined, by default the delegation of saved credentials is not permitted to any machine. - If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*) if the client machine is not a member of any domain. If the client is domain-joined, by default the delegation of saved credentials is not permitted to any machine.
- If you disable this policy setting, delegation of saved credentials is not permitted to any machine. - If you disable this policy setting, delegation of saved credentials is not permitted to any machine.
@ -489,7 +489,7 @@ If you do not configure (by default) this policy setting, after proper mutual au
For Example: For Example:
TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine
TERMSRV/* Remote Desktop Session Host running on all machines. TERMSRV/* Remote Desktop Session Host running on all machines.
TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com.
<!-- AllowSavedCredentialsWhenNTLMOnly-Description-End --> <!-- AllowSavedCredentialsWhenNTLMOnly-Description-End -->
<!-- AllowSavedCredentialsWhenNTLMOnly-Editable-Begin --> <!-- AllowSavedCredentialsWhenNTLMOnly-Editable-Begin -->
@ -549,7 +549,7 @@ This policy setting applies to applications using the Cred SSP component (for ex
- If you enable this policy setting, you can specify the servers to which the user's default credentials cannot be delegated (default credentials are those that you use when first logging on to Windows). - If you enable this policy setting, you can specify the servers to which the user's default credentials cannot be delegated (default credentials are those that you use when first logging on to Windows).
If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server. - If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server.
> [!NOTE] > [!NOTE]
> The "Deny delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN. > The "Deny delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN.
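Review bot: the newly bulleted line "If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server" is circular and does not state the effect. Suggest saying directly that no server is excluded from delegation by this policy in that state. The hunk header context also spells the component "Cred SSP", while the Encryption Oracle Remediation text in this commit uses "CredSSP"; one spelling should be used throughout.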
@ -619,7 +619,7 @@ This policy setting applies to applications using the Cred SSP component (for ex
- If you enable this policy setting, you can specify the servers to which the user's fresh credentials cannot be delegated (fresh credentials are those that you are prompted for when executing the application). - If you enable this policy setting, you can specify the servers to which the user's fresh credentials cannot be delegated (fresh credentials are those that you are prompted for when executing the application).
If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server. - If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server.
> [!NOTE] > [!NOTE]
> The "Deny delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN. > The "Deny delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN.
@ -689,7 +689,7 @@ This policy setting applies to applications using the Cred SSP component (for ex
- If you enable this policy setting, you can specify the servers to which the user's saved credentials cannot be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). - If you enable this policy setting, you can specify the servers to which the user's saved credentials cannot be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager).
If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server. - If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server.
> [!NOTE] > [!NOTE]
> The "Deny delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN. > The "Deny delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN.

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_CtrlAltDel Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -44,7 +44,7 @@ ms.topic: reference
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting prevents users from changing their Windows password on demand. This policy setting prevents users from changing their Windows password on demand.
- If you enable this policy setting, the 'Change Password' button on the Windows Security dialog box will not appear when you press Ctrl+Alt+Del. If you enable this policy setting, the 'Change Password' button on the Windows Security dialog box will not appear when you press Ctrl+Alt+Del.
However, users are still able to change their password when prompted by the system. The system prompts users for a new password when an administrator requires a new password or their password is expiring. However, users are still able to change their password when prompted by the system. The system prompts users for a new password when an administrator requires a new password or their password is expiring.
<!-- DisableChangePassword-Description-End --> <!-- DisableChangePassword-Description-End -->

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_DataCollection Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -44,7 +44,7 @@ ms.topic: reference
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting defines the identifier used to uniquely associate this device's diagnostic data data as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. This policy setting defines the identifier used to uniquely associate this device's diagnostic data data as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program.
- If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its diagnostic data data with your organization. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its diagnostic data data with your organization.
<!-- CommercialIdPolicy-Description-End --> <!-- CommercialIdPolicy-Description-End -->
<!-- CommercialIdPolicy-Editable-Begin --> <!-- CommercialIdPolicy-Editable-Begin -->
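Review bot: the doubled word "diagnostic data data" survives on both sides of this hunk, once in the unchanged first sentence and once in the line being edited ("associate this machine and its diagnostic data data with your organization"). Since the edit already rewrites that line to drop the list marker, suggest fixing the duplicate in both places in the same change.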

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_DCOM Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -107,7 +107,7 @@ Allows you to specify that local computer administrators can supplement the "Def
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Allows you to view and change a list of DCOM server application ids (appids) which are exempted from the DCOM Activation security check. DCOM uses two such lists, one configured via Group Policy through this policy setting, and the other via the actions of local computer administrators. DCOM ignores the second list when this policy setting is configured, unless the "Allow local activation security check exemptions" policy is enabled. Allows you to view and change a list of DCOM server application ids (appids) which are exempted from the DCOM Activation security check. DCOM uses two such lists, one configured via Group Policy through this policy setting, and the other via the actions of local computer administrators. DCOM ignores the second list when this policy setting is configured, unless the "Allow local activation security check exemptions" policy is enabled.
DCOM server appids added to this policy must be listed in curly-brace format. For example: {b5dcb061-cefb-42e0-a1be-e6a6438133fe}. If you enter a non-existent or improperly formatted appid DCOM will add it to the list without checking for errors. DCOM server appids added to this policy must be listed in curly-brace format. For Example: `{b5dcb061-cefb-42e0-a1be-e6a6438133fe}`. If you enter a non-existent or improperly formatted appid DCOM will add it to the list without checking for errors.
- If you enable this policy setting, you can view and change the list of DCOM activation security check exemptions defined by Group Policy settings. If you add an appid to this list and set its value to 1, DCOM will not enforce the Activation security check for that DCOM server. If you add an appid to this list and set its value to 0 DCOM will always enforce the Activation security check for that DCOM server regardless of local settings. - If you enable this policy setting, you can view and change the list of DCOM activation security check exemptions defined by Group Policy settings. If you add an appid to this list and set its value to 1, DCOM will not enforce the Activation security check for that DCOM server. If you add an appid to this list and set its value to 0 DCOM will always enforce the Activation security check for that DCOM server regardless of local settings.
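Review bot: the edit changes "For example:" to "For Example:" in the middle of a paragraph, which introduces a capitalization error; keep the lowercase form. The backticks around the appid are a good change. The same paragraph says a non-existent or improperly formatted appid is added "without checking for errors", and the bullet below says a value of 1 turns off the Activation security check for that server, so a short callout telling admins to verify each appid before exempting it would be worth adding here.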

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_Desktop Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -233,7 +233,7 @@ Enables Active Desktop and prevents users from disabling it.
This setting prevents users from trying to enable or disable Active Desktop while a policy controls it. This setting prevents users from trying to enable or disable Active Desktop while a policy controls it.
- If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can enable it. If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can enable it.
> [!NOTE] > [!NOTE]
> If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting ( in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both of these policies are ignored. > If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting ( in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both of these policies are ignored.
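Review bot: the note in this hunk reads "setting ( in User Configuration\Administrative Templates\Windows Components\Windows Explorer)", with a stray space after the opening parenthesis, and "both of these policies are ignored", while the matching note in the next hunk has "(in User Configuration..." and "both these policies". Suggest aligning the two notes word for word, and putting the policy path in code formatting so that the backslashes are not treated as escapes.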
@ -296,7 +296,7 @@ Disables Active Desktop and prevents users from enabling it.
This setting prevents users from trying to enable or disable Active Desktop while a policy controls it. This setting prevents users from trying to enable or disable Active Desktop while a policy controls it.
- If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can enable it. If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can enable it.
> [!NOTE] > [!NOTE]
> If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both these policies are ignored. > If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both these policies are ignored.
@ -1098,7 +1098,7 @@ Removes the Properties option from the Recycle Bin context menu.
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Prevents users from saving certain changes to the desktop. Prevents users from saving certain changes to the desktop.
- If you enable this setting, users can change the desktop, but some changes, such as the position of open windows or the size and position of the taskbar, are not saved when users log off. However, shortcuts placed on the desktop are always saved. If you enable this setting, users can change the desktop, but some changes, such as the position of open windows or the size and position of the taskbar, are not saved when users log off. However, shortcuts placed on the desktop are always saved.
<!-- NoSaveSettings-Description-End --> <!-- NoSaveSettings-Description-End -->
<!-- NoSaveSettings-Editable-Begin --> <!-- NoSaveSettings-Editable-Begin -->
@ -1343,7 +1343,7 @@ Prevents users from removing Web content from their Active Desktop.
In Active Desktop, you can add items to the desktop but close them so they are not displayed. In Active Desktop, you can add items to the desktop but close them so they are not displayed.
- If you enable this setting, items added to the desktop cannot be closed; they always appear on the desktop. This setting removes the check boxes from items on the Web tab in Display in Control Panel. If you enable this setting, items added to the desktop cannot be closed; they always appear on the desktop. This setting removes the check boxes from items on the Web tab in Display in Control Panel.
> [!NOTE] > [!NOTE]
> This setting does not prevent users from deleting items from their Active Desktop. > This setting does not prevent users from deleting items from their Active Desktop.
@ -1585,7 +1585,7 @@ This setting removes all Active Desktop items from the desktop. It also removes
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Prevents users from manipulating desktop toolbars. Prevents users from manipulating desktop toolbars.
- If you enable this setting, users cannot add or remove toolbars from the desktop. Also, users cannot drag toolbars on to or off of docked toolbars. If you enable this setting, users cannot add or remove toolbars from the desktop. Also, users cannot drag toolbars on to or off of docked toolbars.
> [!NOTE] > [!NOTE]
> If users have added or removed toolbars, this setting prevents them from restoring the default configuration. > If users have added or removed toolbars, this setting prevents them from restoring the default configuration.
@ -1776,7 +1776,7 @@ This setting lets you specify the wallpaper on users' desktops and prevents user
To use this setting, type the fully qualified path and name of the file that stores the wallpaper image. You can type a local path, such as C:\Windows\web\wallpaper\home.jpg or a UNC path, such as \\Server\Share\Corp.jpg. If the specified file is not available when the user logs on, no wallpaper is displayed. Users cannot specify alternative wallpaper. You can also use this setting to specify that the wallpaper image be centered, tiled, or stretched. Users cannot change this specification. To use this setting, type the fully qualified path and name of the file that stores the wallpaper image. You can type a local path, such as C:\Windows\web\wallpaper\home.jpg or a UNC path, such as \\Server\Share\Corp.jpg. If the specified file is not available when the user logs on, no wallpaper is displayed. Users cannot specify alternative wallpaper. You can also use this setting to specify that the wallpaper image be centered, tiled, or stretched. Users cannot change this specification.
- If you disable this setting or do not configure it, no wallpaper is displayed. However, users can select the wallpaper of their choice. If you disable this setting or do not configure it, no wallpaper is displayed. However, users can select the wallpaper of their choice.
Also, see the "Allow only bitmapped wallpaper" in the same location, and the "Prevent changing wallpaper" setting in User Configuration\Administrative Templates\Control Panel. Also, see the "Allow only bitmapped wallpaper" in the same location, and the "Prevent changing wallpaper" setting in User Configuration\Administrative Templates\Control Panel.
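Review bot: The closing context line of this hunk reads 'Also, see the "Allow only bitmapped wallpaper" in the same location', which drops the noun after the quoted name, while the second half of the same sentence says 'the "Prevent changing wallpaper" setting'. Since this paragraph is already being touched, add "setting" after the first quoted name so the two references are parallel.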

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_DeviceInstallation Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -45,6 +45,7 @@ ms.topic: reference
This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device, regardless of other policy settings. This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device, regardless of other policy settings.
- If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any device. - If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any device.
- If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. - If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
- If you disable or do not configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation. - If you disable or do not configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation.
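Review bot: In the remote desktop server bullet, "the specified devices" has no antecedent. Nothing in this description specifies a device list, because the setting lets members of the Administrators group install and update drivers for any device. Say which devices are meant or drop "specified". The two consecutive bullets also both open with "If you enable this policy setting", so the second reads as a competing outcome rather than an additional effect. Consider "On a remote desktop server, enabling this policy setting also affects redirection ...".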
@ -345,9 +346,11 @@ This policy setting establishes the amount of time (in seconds) that the system
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. By default, this policy setting takes precedence over any other policy setting that allows Windows to install a device. This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. By default, this policy setting takes precedence over any other policy setting that allows Windows to install a device.
NOTE: To enable the "Allow installation of devices using drivers that match these device setup classes", "Allow installation of devices that match any of these device IDs", and "Allow installation of devices that match any of these device instance IDs" policy settings to supersede this policy setting for applicable devices, enable the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting. > [!NOTE]
> To enable the "Allow installation of devices using drivers that match these device setup classes", "Allow installation of devices that match any of these device IDs", and "Allow installation of devices that match any of these device instance IDs" policy settings to supersede this policy setting for applicable devices, enable the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting.
- If you enable this policy setting, Windows is prevented from installing removable devices and existing removable devices cannot have their drivers updated. - If you enable this policy setting, Windows is prevented from installing removable devices and existing removable devices cannot have their drivers updated.
- If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server. - If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server.
- If you disable or do not configure this policy setting, Windows can install and update driver packages for removable devices as allowed or prevented by other policy settings. - If you disable or do not configure this policy setting, Windows can install and update driver packages for removable devices as allowed or prevented by other policy settings.
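Review bot: The sentence inside the new [!NOTE] callout buries its instruction. It names three Allow policy settings before it reaches the action, which is to enable "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria". Lead with that action and list the three settings it lets supersede this one afterwards, so an administrator checking why an allow rule does not override the removable-device block finds the fix first.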

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_DiskQuota Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -189,7 +189,7 @@ This setting overrides new users' settings for the disk quota limit and warning
This policy setting applies to all new users as soon as they write to the volume. It does not affect disk quota limits for current users, or affect customized limits and warning levels set for particular users (on the Quota tab in Volume Properties). This policy setting applies to all new users as soon as they write to the volume. It does not affect disk quota limits for current users, or affect customized limits and warning levels set for particular users (on the Quota tab in Volume Properties).
- If you disable or do not configure this policy setting, the disk space available to users is not limited. The disk quota management feature uses the physical space on each volume as its quota limit and warning level. If you disable or do not configure this policy setting, the disk space available to users is not limited. The disk quota management feature uses the physical space on each volume as its quota limit and warning level.
When you select a limit, remember that the same limit applies to all users on all volumes, regardless of actual volume size. Be sure to set the limit and warning level so that it is reasonable for the range of volumes in the group. When you select a limit, remember that the same limit applies to all users on all volumes, regardless of actual volume size. Be sure to set the limit and warning level so that it is reasonable for the range of volumes in the group.
@ -384,7 +384,7 @@ This policy setting does not affect the Quota Entries window on the Quota tab. E
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting extends the disk quota policies in this folder to NTFS file system volumes on removable media. This policy setting extends the disk quota policies in this folder to NTFS file system volumes on removable media.
- If you disable or do not configure this policy setting, the disk quota policies established in this folder apply to fixed-media NTFS volumes only If you disable or do not configure this policy setting, the disk quota policies established in this folder apply to fixed-media NTFS volumes only.
> [!NOTE] > [!NOTE]
> When this policy setting is applied, the computer will apply the disk quota to both fixed and removable media. > When this policy setting is applied, the computer will apply the disk quota to both fixed and removable media.

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_ErrorReporting Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -243,6 +243,7 @@ This policy setting does not enable or disable Windows Error Reporting. To turn
> If the Turn off Windows Error Reporting policy setting is not configured, then Control Panel settings for Windows Error Reporting override this policy setting. > If the Turn off Windows Error Reporting policy setting is not configured, then Control Panel settings for Windows Error Reporting override this policy setting.
- If you enable this policy setting, the setting overrides any user changes made to Windows Error Reporting settings in Control Panel, and default values are applied for any Windows Error Reporting policy settings that are not configured (even if users have changed settings by using Control Panel). - If you enable this policy setting, the setting overrides any user changes made to Windows Error Reporting settings in Control Panel, and default values are applied for any Windows Error Reporting policy settings that are not configured (even if users have changed settings by using Control Panel).
- If you enable this policy setting, you can configure the following settings in the policy setting: - If you enable this policy setting, you can configure the following settings in the policy setting:
- "Do not display links to any Microsoft 'More information' websites": Select this option if you do not want error dialog boxes to display links to Microsoft websites. - "Do not display links to any Microsoft 'More information' websites": Select this option if you do not want error dialog boxes to display links to Microsoft websites.
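Review bot: Two sibling bullets in this hunk open with "If you enable this policy setting". The first states that the setting overrides user changes and the second only introduces the configurable options. Fold the second into the first as a closing sentence, for example "You can then configure the following settings:", so the option list that starts with "Do not display links to any Microsoft 'More information' websites" hangs off a single enabled case.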
@ -1425,6 +1426,7 @@ This policy setting turns off Windows Error Reporting, so that reports are not c
This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on.
- If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE. - If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE.
- If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. - If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence.
- If you disable or do not configure this policy setting, errors are reported on all Microsoft and Windows applications by default. - If you disable or do not configure this policy setting, errors are reported on all Microsoft and Windows applications by default.
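Review bot: The bullet "If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence" does not say what it takes precedence over, and it sits between the enabled and disabled cases as though it were a third state. Name the setting that is overridden and move the sentence out of the list, for example into a [!NOTE] after the bullets. The identical wording appears in the following hunk (-1485) and needs the same change.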
@ -1485,6 +1487,7 @@ This policy setting limits Windows Error Reporting behavior for errors in genera
This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on.
- If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE. - If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE.
- If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. - If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence.
- If you disable or do not configure this policy setting, errors are reported on all Microsoft and Windows applications by default. - If you disable or do not configure this policy setting, errors are reported on all Microsoft and Windows applications by default.

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_EventLog Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -973,7 +973,7 @@ This policy setting controls Event Log behavior when the log file reaches its ma
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting turns on logging. This policy setting turns on logging.
- If you enable or do not configure this policy setting, then events can be written to this log. If you enable or do not configure this policy setting, then events can be written to this log.
If the policy setting is disabled, then no new events can be logged. Events can always be read from the log, regardless of this policy setting. If the policy setting is disabled, then no new events can be logged. Events can always be read from the log, regardless of this policy setting.
<!-- Channel_LogEnabled-Description-End --> <!-- Channel_LogEnabled-Description-End -->
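Review bot: With the list marker gone, the enabled and disabled cases are two plain sentences in different voices: "If you enable or do not configure this policy setting, then events can be written to this log" and "If the policy setting is disabled, then no new events can be logged". Use the same construction for both, for example "If you disable this policy setting, no new events can be logged", so the state that stops logging is as easy to spot as the default.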

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_EventViewer Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -97,7 +97,7 @@ This is the program that will be invoked when the user clicks the events.asp lin
<!-- EventViewer_RedirectionProgramCommandLineParameters-Description-Begin --> <!-- EventViewer_RedirectionProgramCommandLineParameters-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This specifies the command line parameters that will be passed to the events.asp program This specifies the command line parameters that will be passed to the events.asp program.
<!-- EventViewer_RedirectionProgramCommandLineParameters-Description-End --> <!-- EventViewer_RedirectionProgramCommandLineParameters-Description-End -->
<!-- EventViewer_RedirectionProgramCommandLineParameters-Editable-Begin --> <!-- EventViewer_RedirectionProgramCommandLineParameters-Editable-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_Explorer Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -165,7 +165,7 @@ This policy setting configures File Explorer to always display the menu bar.
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows administrators who have configured roaming profile in conjunction with Delete Cached Roaming Profile Group Policy setting to ensure that Explorer will not reinitialize default program associations and other settings to default values. This policy setting allows administrators who have configured roaming profile in conjunction with Delete Cached Roaming Profile Group Policy setting to ensure that Explorer will not reinitialize default program associations and other settings to default values.
- If you enable this policy setting on a machine that does not contain all programs installed in the same manner as it was on the machine on which the user had last logged on, unexpected behavior could occur. If you enable this policy setting on a machine that does not contain all programs installed in the same manner as it was on the machine on which the user had last logged on, unexpected behavior could occur.
<!-- DisableRoamedProfileInit-Description-End --> <!-- DisableRoamedProfileInit-Description-End -->
<!-- DisableRoamedProfileInit-Editable-Begin --> <!-- DisableRoamedProfileInit-Editable-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_FileSys Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -44,7 +44,7 @@ ms.topic: reference
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Compression can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of compressed files. Compression can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of compressed files.
A reboot is required for this setting to take effect A reboot is required for this setting to take effect.
<!-- DisableCompression-Description-End --> <!-- DisableCompression-Description-End -->
<!-- DisableCompression-Editable-Begin --> <!-- DisableCompression-Editable-Begin -->
@ -161,7 +161,7 @@ A value of 1 will disable delete notifications for all volumes.
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Encryption can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of encrypted files. Encryption can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of encrypted files.
A reboot is required for this setting to take effect A reboot is required for this setting to take effect.
<!-- DisableEncryption-Description-End --> <!-- DisableEncryption-Description-End -->
<!-- DisableEncryption-Editable-Begin --> <!-- DisableEncryption-Editable-Begin -->
@ -395,7 +395,8 @@ Remote Link to Local Target
For further information please refer to the Windows Help section For further information please refer to the Windows Help section
NOTE: If this policy is Disabled or Not Configured, local administrators may select the types of symbolic links to be evaluated. > [!NOTE]
> If this policy is Disabled or Not Configured, local administrators may select the types of symbolic links to be evaluated.
<!-- SymlinkEvaluation-Description-End --> <!-- SymlinkEvaluation-Description-End -->
<!-- SymlinkEvaluation-Editable-Begin --> <!-- SymlinkEvaluation-Editable-Begin -->
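Review bot: The context line "For further information please refer to the Windows Help section" still has no terminal period and names no Help topic, while the other hunks in this file add the missing period to "A reboot is required for this setting to take effect". Add the period here as well and, if a specific topic exists, name or link it.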

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_FolderRedirection Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -115,7 +115,7 @@ This policy setting allows you to control whether individual redirected shell fo
For the folders affected by this setting, users must manually select the files they wish to make available offline. For the folders affected by this setting, users must manually select the files they wish to make available offline.
- If you disable or do not configure this policy setting, all redirected shell folders are automatically made available offline. All subfolders within the redirected folders are also made available offline. If you disable or do not configure this policy setting, all redirected shell folders are automatically made available offline. All subfolders within the redirected folders are also made available offline.
> [!NOTE] > [!NOTE]
> This policy setting does not prevent files from being automatically cached if the network share is configured for "Automatic Caching", nor does it affect the availability of the "Always available offline" menu option in the user interface. > This policy setting does not prevent files from being automatically cached if the network share is configured for "Automatic Caching", nor does it affect the availability of the "Always available offline" menu option in the user interface.

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_FramePanes Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -44,9 +44,9 @@ ms.topic: reference
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting shows or hides the Details Pane in File Explorer. This policy setting shows or hides the Details Pane in File Explorer.
- If you enable this policy setting and configure it to hide the pane, the Details Pane in File Explorer is hidden and cannot be turned on by the user. If you enable this policy setting and configure it to hide the pane, the Details Pane in File Explorer is hidden and cannot be turned on by the user.
- If you enable this policy setting and configure it to show the pane, the Details Pane is always visible and cannot be hidden by the user If you enable this policy setting and configure it to show the pane, the Details Pane is always visible and cannot be hidden by the user.
> [!NOTE] > [!NOTE]
> This has a side effect of not being able to toggle to the Preview Pane since the two cannot be displayed at the same time. > This has a side effect of not being able to toggle to the Preview Pane since the two cannot be displayed at the same time.
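Review bot: Dropping the list markers from the hide and show lines leaves two adjacent sentences that both start "If you enable this policy setting and configure it to ...". Unless a blank line separates them in the source they will render as one paragraph, and this view does not show one. Keep them as a two-item list or confirm the blank line is there. The [!NOTE] that follows says "This has a side effect ..." directly after the show case. Write "Showing the Details Pane has the side effect ..." so the referent is explicit.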
@ -108,7 +108,7 @@ If you disable, or do not configure this policy setting, the Details Pane is hid
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Hides the Preview Pane in File Explorer. Hides the Preview Pane in File Explorer.
- If you enable this policy setting, the Preview Pane in File Explorer is hidden and cannot be turned on by the user. If you enable this policy setting, the Preview Pane in File Explorer is hidden and cannot be turned on by the user.
If you disable, or do not configure this setting, the Preview Pane is hidden by default and can be displayed by the user. If you disable, or do not configure this setting, the Preview Pane is hidden by default and can be displayed by the user.
<!-- NoReadingPane-Description-End --> <!-- NoReadingPane-Description-End -->

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_GroupPolicy Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -47,10 +47,10 @@ This policy setting allows user-based policy processing, roaming user profiles,
This policy setting affects all user accounts that interactively log on to a computer in a different forest when a trust across forests or a two-way forest trust exists. This policy setting affects all user accounts that interactively log on to a computer in a different forest when a trust across forests or a two-way forest trust exists.
- If you do not configure this policy setting: - If you do not configure this policy setting:
- No user-based policy settings are applied from the user's forest. - No user-based policy settings are applied from the user's forest.
- Users do not receive their roaming profiles; they receive a local profile on the computer from the local forest. A warning message appears to the user, and an event log message (1529) is posted. - Users do not receive their roaming profiles; they receive a local profile on the computer from the local forest. A warning message appears to the user, and an event log message (1529) is posted.
- Loopback Group Policy processing is applied, using the Group Policy Objects (GPOs) that are scoped to the computer. - Loopback Group Policy processing is applied, using the Group Policy Objects (GPOs) that are scoped to the computer.
- An event log message (1109) is posted, stating that loopback was invoked in Replace mode. - An event log message (1109) is posted, stating that loopback was invoked in Replace mode.
- If you enable this policy setting, the behavior is exactly the same as in Windows 2000: user policy is applied, and a roaming user profile is allowed from the trusted forest. - If you enable this policy setting, the behavior is exactly the same as in Windows 2000: user policy is applied, and a roaming user profile is allowed from the trusted forest.
@ -1117,7 +1117,8 @@ Changing the status of this setting to Enabled will keep any source files from c
Changing the status of this setting to Disabled will enforce the default behavior. Files will always be copied to the GPO if they have a later timestamp. Changing the status of this setting to Disabled will enforce the default behavior. Files will always be copied to the GPO if they have a later timestamp.
NOTE: If the Computer Configuration policy setting, "Always use local ADM files for the Group Policy Object Editor" is enabled, the state of this setting is ignored and always treated as Enabled. > [!NOTE]
> If the Computer Configuration policy setting, "Always use local ADM files for the Group Policy Object Editor" is enabled, the state of this setting is ignored and always treated as Enabled.
<!-- DisableAutoADMUpdate-Description-End --> <!-- DisableAutoADMUpdate-Description-End -->
<!-- DisableAutoADMUpdate-Editable-Begin --> <!-- DisableAutoADMUpdate-Editable-Begin -->
@ -1496,6 +1497,7 @@ The timeout value that is defined in this policy setting determines how long Gro
<!-- EnableLogonOptimizationOnServerSKU-Description-Begin --> <!-- EnableLogonOptimizationOnServerSKU-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to configure Group Policy caching behavior on Windows Server machines. This policy setting allows you to configure Group Policy caching behavior on Windows Server machines.
- If you enable this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is read, Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mode or asynchronous foreground mode, it continues to download the latest version of the policy information, and it uses a bandwidth estimate to determine slow link thresholds. (See the "Configure Group Policy Slow Link Detection" policy setting to configure asynchronous foreground behavior.) - If you enable this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is read, Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mode or asynchronous foreground mode, it continues to download the latest version of the policy information, and it uses a bandwidth estimate to determine slow link thresholds. (See the "Configure Group Policy Slow Link Detection" policy setting to configure asynchronous foreground behavior.)
The slow link value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before reporting the link speed as slow. The default is 500 milliseconds. The slow link value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before reporting the link speed as slow. The default is 500 milliseconds.
The timeout value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before determining that there is no network connectivity. This stops the current Group Policy processing. Group Policy will run in the background the next time a connection to a domain controller is established. Setting this value too high might result in longer waits for the user at boot or logon. The default is 5000 milliseconds. The timeout value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before determining that there is no network connectivity. This stops the current Group Policy processing. Group Policy will run in the background the next time a connection to a domain controller is established. Setting this value too high might result in longer waits for the user at boot or logon. The default is 5000 milliseconds.
@ -1819,7 +1821,7 @@ The system's response to a slow policy connection varies among policies. The pro
This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defines a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a slow link for settings in the User Configuration folder. This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defines a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a slow link for settings in the User Configuration folder.
Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile.
> [!NOTE] > [!NOTE]
> If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing is used. > If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing is used.
@ -1889,7 +1891,7 @@ The system's response to a slow policy connection varies among policies. The pro
This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defines a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a slow link for settings in the User Configuration folder. This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defines a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a slow link for settings in the User Configuration folder.
Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile.
> [!NOTE] > [!NOTE]
> If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing is used. > If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing is used.
@ -2231,7 +2233,7 @@ This setting allows you to specify the default name for new Group Policy objects
The display name can contain environment variables and can be a maximum of 255 characters long. The display name can contain environment variables and can be a maximum of 255 characters long.
- If this setting is disabled or Not Configured, the default display name of New Group Policy object is used. If this setting is Disabled or Not Configured, the default display name of New Group Policy object is used.
<!-- NewGPODisplayName-Description-End --> <!-- NewGPODisplayName-Description-End -->
<!-- NewGPODisplayName-Editable-Begin --> <!-- NewGPODisplayName-Editable-Begin -->
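Review bot: In the changed sentence "If this setting is Disabled or Not Configured, the default display name of New Group Policy object is used", the literal default name runs into the surrounding prose, so it is unclear where the name starts and ends. Quote it, for example: the default display name "New Group Policy object" is used.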
@ -2694,12 +2696,10 @@ This policy directs Group Policy processing to skip processing any client side e
- If you enable this policy setting, when a slow network connection is detected, Group Policy processing will always run in an asynchronous manner. - If you enable this policy setting, when a slow network connection is detected, Group Policy processing will always run in an asynchronous manner.
Client computers will not wait for the network to be fully initialized at startup and logon. Existing users will be logged on using cached credentials, Client computers will not wait for the network to be fully initialized at startup and logon. Existing users will be logged on using cached credentials,
which will result in shorter logon times. Group Policy will be applied in the background after the network becomes available. which will result in shorter logon times. Group Policy will be applied in the background after the network becomes available.
> [!NOTE] **Note** that because this is a background refresh, extensions requiring synchronous processing such as Software Installation, Folder Redirection
> that because this is a background refresh, extensions requiring synchronous processing such as Software Installation, Folder Redirection
and Drive Maps preference extension will not be applied. and Drive Maps preference extension will not be applied.
> [!NOTE] **Note** There are two conditions that will cause Group Policy to be processed synchronously even if this policy setting is enabled:
> There are two conditions that will cause Group Policy to be processed synchronously even if this policy setting is enabled:
1 - At the first computer startup after the client computer has joined the domain. 1 - At the first computer startup after the client computer has joined the domain.
2 - If the policy setting "Always wait for the network at computer startup and logon" is enabled. 2 - If the policy setting "Always wait for the network at computer startup and logon" is enabled.
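Review bot: Replacing the two `> [!NOTE]` alerts with inline "**Note**" labels leaves the first note split across two lines ("**Note** that because this is a background refresh, ..." followed by "and Drive Maps preference extension will not be applied.") and the second with no punctuation after the label ("**Note** There are two conditions ..."). Other descriptions in this commit keep `> [!NOTE]` blocks, so keep the alert syntax here and place each complete sentence, including the continuation line, inside it. The "1 -" and "2 -" conditions would read better as a numbered list.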
@ -2821,6 +2821,7 @@ This policy setting specifies how long Group Policy should wait for network avai
This policy setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this setting. It is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used. This policy setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this setting. It is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used.
By default, the user's Group Policy Objects determine which user settings apply. By default, the user's Group Policy Objects determine which user settings apply.
- If this setting is enabled, then, when a user logs on to this computer, the computer's Group Policy Objects determine which set of Group Policy Objects applies. - If this setting is enabled, then, when a user logs on to this computer, the computer's Group Policy Objects determine which set of Group Policy Objects applies.
- If you enable this setting, you can select one of the following modes from the Mode box: - If you enable this setting, you can select one of the following modes from the Mode box:

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_Help Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -187,7 +187,7 @@ This policy setting allows you to restrict programs from being run from online H
> You can also restrict users from running applications by using the Software Restriction Policy settings available in Computer Configuration\Security Settings. > You can also restrict users from running applications by using the Software Restriction Policy settings available in Computer Configuration\Security Settings.
> [!NOTE] > [!NOTE]
> This policy setting is available under Computer Configuration and User Configuration. If both are settings are used, any programs listed in either of these locations cannot launched from Help > This policy setting is available under Computer Configuration and User Configuration. If both are settings are used, any programs listed in either of these locations cannot launched from Help.
<!-- RestrictRunFromHelp-Description-End --> <!-- RestrictRunFromHelp-Description-End -->
<!-- RestrictRunFromHelp-Editable-Begin --> <!-- RestrictRunFromHelp-Editable-Begin -->
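Review bot: The changed note line only gains a trailing period; it still reads "If both are settings are used" and "cannot launched from Help". Since the line is being touched, correct both: "If both settings are used, any programs listed in either of these locations cannot be launched from Help."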
@ -252,7 +252,7 @@ This policy setting allows you to restrict programs from being run from online H
> You can also restrict users from running applications by using the Software Restriction Policy settings available in Computer Configuration\Security Settings. > You can also restrict users from running applications by using the Software Restriction Policy settings available in Computer Configuration\Security Settings.
> [!NOTE] > [!NOTE]
> This policy setting is available under Computer Configuration and User Configuration. If both are settings are used, any programs listed in either of these locations cannot launched from Help > This policy setting is available under Computer Configuration and User Configuration. If both are settings are used, any programs listed in either of these locations cannot launched from Help.
<!-- RestrictRunFromHelp_Comp-Description-End --> <!-- RestrictRunFromHelp_Comp-Description-End -->
<!-- RestrictRunFromHelp_Comp-Editable-Begin --> <!-- RestrictRunFromHelp_Comp-Editable-Begin -->
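Review bot: In the RestrictRunFromHelp_Comp note, "If both are settings are used" has a stray "are" and "cannot launched" is missing "be"; adding the period alone leaves both in place. When correcting it, keep the wording in sync with the identical RestrictRunFromHelp note earlier in this file.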

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_IIS Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -43,6 +43,7 @@ ms.topic: reference
<!-- PreventIISInstall-Description-Begin --> <!-- PreventIISInstall-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
"This policy setting prevents installation of Internet Information Services (IIS) on this computer. "This policy setting prevents installation of Internet Information Services (IIS) on this computer.
- If you enable this policy setting, Internet Information Services (IIS) cannot be installed, and you will not be able to install Windows components or applications that require IIS. Users installing Windows components or applications that require IIS might not receive a warning that IIS cannot be installed because of this Group Policy setting. Enabling this setting will not have any effect on IIS if IIS is already installed on the computer. - If you enable this policy setting, Internet Information Services (IIS) cannot be installed, and you will not be able to install Windows components or applications that require IIS. Users installing Windows components or applications that require IIS might not receive a warning that IIS cannot be installed because of this Group Policy setting. Enabling this setting will not have any effect on IIS if IIS is already installed on the computer.
- If you disable or do not configure this policy setting, IIS can be installed, as well as all the programs and applications that require IIS to run." - If you disable or do not configure this policy setting, IIS can be installed, as well as all the programs and applications that require IIS to run."
<!-- PreventIISInstall-Description-End --> <!-- PreventIISInstall-Description-End -->
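Review bot: The description still opens with a stray quotation mark before "This policy setting prevents installation" and closes with one after "require IIS to run."; the line added in this hunk does not address that. Remove both quotes so the text matches the other policy descriptions in this commit.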

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_kdc Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -59,8 +59,8 @@ Domain functional level requirements
For the options "Always provide claims" and "Fail unarmored authentication requests", when the domain functional level is set to Windows Server 2008 R2 or earlier then domain controllers behave as if the "Supported" option is selected. For the options "Always provide claims" and "Fail unarmored authentication requests", when the domain functional level is set to Windows Server 2008 R2 or earlier then domain controllers behave as if the "Supported" option is selected.
When the domain functional level is set to Windows Server 2012 then the domain controller advertises to Kerberos client computers that the domain is capable of claims and compound authentication for Dynamic Access Control and Kerberos armoring, and: When the domain functional level is set to Windows Server 2012 then the domain controller advertises to Kerberos client computers that the domain is capable of claims and compound authentication for Dynamic Access Control and Kerberos armoring, and:
- If you set the "Always provide claims" option, always returns claims for accounts and supports the RFC behavior for advertising the flexible authentication secure tunneling (FAST). - If you set the "Always provide claims" option, always returns claims for accounts and supports the RFC behavior for advertising the flexible authentication secure tunneling (FAST).
- If you set the "Fail unarmored authentication requests" option, rejects unarmored Kerberos messages. - If you set the "Fail unarmored authentication requests" option, rejects unarmored Kerberos messages.
> [!WARNING] > [!WARNING]
> When "Fail unarmored authentication requests" is set, then client computers which do not support Kerberos armoring will fail to authenticate to the domain controller. > When "Fail unarmored authentication requests" is set, then client computers which do not support Kerberos armoring will fail to authenticate to the domain controller.
@ -68,9 +68,9 @@ When the domain functional level is set to Windows Server 2012 then the domain c
To ensure this feature is effective, deploy enough domain controllers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor-aware to handle the authentication requests. Insufficient number of domain controllers that support this policy result in authentication failures whenever Dynamic Access Control or Kerberos armoring is required (that is, the "Supported" option is enabled). To ensure this feature is effective, deploy enough domain controllers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor-aware to handle the authentication requests. Insufficient number of domain controllers that support this policy result in authentication failures whenever Dynamic Access Control or Kerberos armoring is required (that is, the "Supported" option is enabled).
Impact on domain controller performance when this policy setting is enabled: Impact on domain controller performance when this policy setting is enabled:
- Secure Kerberos domain capability discovery is required resulting in additional message exchanges. - Secure Kerberos domain capability discovery is required resulting in additional message exchanges.
- Claims and compound authentication for Dynamic Access Control increases the size and complexity of the data in the message which results in more processing time and greater Kerberos service ticket size. - Claims and compound authentication for Dynamic Access Control increases the size and complexity of the data in the message which results in more processing time and greater Kerberos service ticket size.
- Kerberos armoring fully encrypts Kerberos messages and signs Kerberos errors which results in increased processing time, but does not change the service ticket size. - Kerberos armoring fully encrypts Kerberos messages and signs Kerberos errors which results in increased processing time, but does not change the service ticket size.
<!-- CbacAndArmor-Description-End --> <!-- CbacAndArmor-Description-End -->
<!-- CbacAndArmor-Editable-Begin --> <!-- CbacAndArmor-Editable-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_Kerberos Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -237,6 +237,7 @@ This policy setting allows you to specify which DNS host names and which DNS suf
This policy setting allows you to disable revocation check for the SSL certificate of the targeted KDC proxy server. This policy setting allows you to disable revocation check for the SSL certificate of the targeted KDC proxy server.
- If you enable this policy setting, revocation check for the SSL certificate of the KDC proxy server is ignored by the Kerberos client. This policy setting should only be used in troubleshooting KDC proxy connections. - If you enable this policy setting, revocation check for the SSL certificate of the KDC proxy server is ignored by the Kerberos client. This policy setting should only be used in troubleshooting KDC proxy connections.
> [!WARNING] > [!WARNING]
> When revocation check is ignored, the server represented by the certificate is not guaranteed valid. > When revocation check is ignored, the server represented by the certificate is not guaranteed valid.
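Review bot: The warning "the server represented by the certificate is not guaranteed valid" understates what the bullet above it enables: with the revocation check ignored, the Kerberos client accepts a KDC proxy SSL certificate even if it has been revoked. State that directly in the warning, and keep the "should only be used in troubleshooting KDC proxy connections" sentence next to it so the two are read together.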

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_LeakDiagnostic Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -49,8 +49,8 @@ This policy setting determines whether Diagnostic Policy Service (DPS) diagnoses
- If you disable this policy setting, the DPS is not able to diagnose memory leak problems. - If you disable this policy setting, the DPS is not able to diagnose memory leak problems.
This policy setting takes effect only under the following conditions: This policy setting takes effect only under the following conditions:
- If the diagnostics-wide scenario execution policy is not configured. - If the diagnostics-wide scenario execution policy is not configured.
- When the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. - When the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed.
> [!NOTE] > [!NOTE]
> The DPS can be configured with the Services snap-in to the Microsoft Management Console. > The DPS can be configured with the Services snap-in to the Microsoft Management Console.

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_Logon Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -839,15 +839,15 @@ If a user with a roaming profile, home directory, or user object logon script lo
On servers running Windows Server 2008 or later, this policy setting is ignored during Group Policy processing at computer startup and Group Policy processing will be synchronous (these servers wait for the network to be initialized during computer startup). On servers running Windows Server 2008 or later, this policy setting is ignored during Group Policy processing at computer startup and Group Policy processing will be synchronous (these servers wait for the network to be initialized during computer startup).
If the server is configured as follows, this policy setting takes effect during Group Policy processing at user logon If the server is configured as follows, this policy setting takes effect during Group Policy processing at user logon:
- The server is configured as a terminal server (that is, the Terminal Server role service is installed and configured on the server); and - The server is configured as a terminal server (that is, the Terminal Server role service is installed and configured on the server); and
- The "Allow asynchronous user Group Policy processing when logging on through Terminal Services" policy setting is enabled. This policy setting is located under Computer Configuration\Policies\Administrative templates\System\Group Policy\. - The "Allow asynchronous user Group Policy processing when logging on through Terminal Services" policy setting is enabled. This policy setting is located under Computer Configuration\Policies\Administrative templates\System\Group Policy\.
If this configuration is not implemented on the server, this policy setting is ignored. In this case, Group Policy processing at user logon is synchronous (these servers wait for the network to be initialized during user logon). If this configuration is not implemented on the server, this policy setting is ignored. In this case, Group Policy processing at user logon is synchronous (these servers wait for the network to be initialized during user logon).
- If you disable or do not configure this policy setting and users log on to a client computer or a server running Windows Server 2008 or later and that is configured as described earlier, the computer typically does not wait for the network to be fully initialized. In this case, users are logged on with cached credentials. Group Policy is applied asynchronously in the background. - If you disable or do not configure this policy setting and users log on to a client computer or a server running Windows Server 2008 or later and that is configured as described earlier, the computer typically does not wait for the network to be fully initialized. In this case, users are logged on with cached credentials. Group Policy is applied asynchronously in the background.
**Note** **Note**:
-If you want to guarantee the application of Folder Redirection, Software Installation, or roaming user profile settings in just one logon, enable this policy setting to ensure that Windows waits for the network to be available before applying policy. -If you want to guarantee the application of Folder Redirection, Software Installation, or roaming user profile settings in just one logon, enable this policy setting to ensure that Windows waits for the network to be available before applying policy.
-If Folder Redirection policy will apply during the next logon, security policies will be applied asynchronously during the next update cycle, if network connectivity is available. -If Folder Redirection policy will apply during the next logon, security policies will be applied asynchronously during the next update cycle, if network connectivity is available.
<!-- SyncForegroundPolicy-Description-End --> <!-- SyncForegroundPolicy-Description-End -->
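Review bot: The two items under "**Note**:" begin with "-If" with no space after the hyphen, so Markdown will not treat them as list items and they will run on from the label. Write "- If you want to guarantee ..." and "- If Folder Redirection policy ...", or convert the block to a `> [!NOTE]` alert as other files in this commit do.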

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_MicrosoftDefenderAntivirus Area in Policy
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -589,7 +589,7 @@ This policy setting allows you to disable scheduled and real-time scanning for f
<!-- Exclusions_Processes-Description-Begin --> <!-- Exclusions_Processes-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to disable real-time scanning for any file opened by any of the specified processes. This policy does not apply to scheduled scans. The process itself will not be excluded. To exclude the process, use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the path to the process image. **Note** that only executables can be excluded. For example, a process might be defined as "c\windows\app.exe". The value is not used and it is recommended that this be set to 0. This policy setting allows you to disable real-time scanning for any file opened by any of the specified processes. This policy does not apply to scheduled scans. The process itself will not be excluded. To exclude the process, use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the path to the process image. **Note** that only executables can be excluded. For example, a process might be defined as: "c:\windows\app.exe". The value is not used and it is recommended that this be set to 0.
<!-- Exclusions_Processes-Description-End --> <!-- Exclusions_Processes-Description-End -->
<!-- Exclusions_Processes-Editable-Begin --> <!-- Exclusions_Processes-Editable-Begin -->
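Review bot: The corrected example path "c:\windows\app.exe" is still plain quoted text; put it in inline code so the colon and backslashes render literally, and match the casing of the ASR exclusion example in this file ("C:\Windows\App.exe"). In the same sentence, "name value pair" should be hyphenated as "name-value pair", as the ASR descriptions have it.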
@ -650,8 +650,8 @@ Exclude files and paths from Attack Surface Reduction (ASR) rules.
Enabled: Enabled:
Specify the folders or files and resources that should be excluded from ASR rules in the Options section. Specify the folders or files and resources that should be excluded from ASR rules in the Options section.
Enter each rule on a new line as a name-value pair: Enter each rule on a new line as a name-value pair:
- Name column: Enter a folder path or a fully qualified resource name. For example, "C:\Windows" will exclude all files in that directory. "C:\Windows\App.exe" will exclude only that specific file in that specific folder - Name column: Enter a folder path or a fully qualified resource name. For example, "C:\Windows" will exclude all files in that directory. "C:\Windows\App.exe" will exclude only that specific file in that specific folder
- Value column: Enter "0" for each item - Value column: Enter "0" for each item
Disabled: Disabled:
No exclusions will be applied to the ASR rules. No exclusions will be applied to the ASR rules.
@ -718,26 +718,26 @@ You can configure ASR rules in the Configure Attack Surface Reduction rules GP s
Set the state for each Attack Surface Reduction (ASR) rule. Set the state for each Attack Surface Reduction (ASR) rule.
After enabling this setting, you can set each rule to the following in the Options section: After enabling this setting, you can set each rule to the following in the Options section:
- Block: the rule will be applied - Block: the rule will be applied
- Audit Mode: if the rule would normally cause an event, then it will be recorded (although the rule will not actually be applied) - Audit Mode: if the rule would normally cause an event, then it will be recorded (although the rule will not actually be applied)
- Off: the rule will not be applied - Off: the rule will not be applied
- Not Configured: the rule is enabled with default values - Not Configured: the rule is enabled with default values
- Warn: the rule will be applied and the end-user will have the option to bypass the block - Warn: the rule will be applied and the end-user will have the option to bypass the block
Unless the ASR rule is disabled, a subsample of audit events are collected for ASR rules will the value of not configured. Unless the ASR rule is disabled, a subsample of audit events are collected for ASR rules with the value of not configured.
Enabled: Enabled:
Specify the state for each ASR rule under the Options section for this setting. Specify the state for each ASR rule under the Options section for this setting.
Enter each rule on a new line as a name-value pair: Enter each rule on a new line as a name-value pair:
- Name column: Enter a valid ASR rule ID - Name column: Enter a valid ASR rule ID
- Value column: Enter the status ID that relates to state you want to specify for the associated rule - Value column: Enter the status ID that relates to state you want to specify for the associated rule
The following status IDs are permitted under the value column: The following status IDs are permitted under the value column:
- 1 (Block) - 1 (Block)
- 0 (Off) - 0 (Off)
- 2 (Audit) - 2 (Audit)
- 5 (Not Configured) - 5 (Not Configured)
- 6 (Warn) - 6 (Warn)
Example: Example:
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
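Review bot: The "will" to "with" fix leaves the sentence hard to parse: "a subsample of audit events are collected for ASR rules with the value of not configured". Name the state as it appears in the list above it, for example "for ASR rules set to Not Configured", and use "is collected". Also in this hunk, "relates to state you want to specify" is missing "the", and the permitted status IDs are listed out of numeric order (1, 0, 2, 5, 6), which makes the mapping harder to check against the state list.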
@ -1511,6 +1511,7 @@ This policy setting defines the number of days items should be kept in the Quara
This policy setting allows you to configure the scheduled scan, and the scheduled security intelligence update, start time window in hours. This policy setting allows you to configure the scheduled scan, and the scheduled security intelligence update, start time window in hours.
- If you disable or do not configure this setting, scheduled tasks will begin at a random time within 4 hours after the time specified in Task Scheduler. - If you disable or do not configure this setting, scheduled tasks will begin at a random time within 4 hours after the time specified in Task Scheduler.
- If you enable this setting, you can widen, or narrow, this randomization period. Specify a randomization window of between 1 and 23 hours. - If you enable this setting, you can widen, or narrow, this randomization period. Specify a randomization window of between 1 and 23 hours.
<!-- RandomizeScheduleTaskTimes-Description-End --> <!-- RandomizeScheduleTaskTimes-Description-End -->
@ -2823,7 +2824,7 @@ Tracing levels are defined as:
1 - Error 1 - Error
2 - Warning 2 - Warning
3 - Info 3 - Info
4 - Debug 4 - Debug.
<!-- Reporting_WppTracingLevel-Description-End --> <!-- Reporting_WppTracingLevel-Description-End -->
<!-- Reporting_WppTracingLevel-Editable-Begin --> <!-- Reporting_WppTracingLevel-Editable-Begin -->
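Review bot: The period added in "4 - Debug." ends only the last of the tracing-level lines; "1 - Error", "2 - Warning" and "3 - Info" have none. Drop it or punctuate all four the same way; a Markdown list would make the levels easier to scan.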
@ -4742,7 +4743,7 @@ This policy setting allows you to configure security intelligence updates on sta
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: "InternalDefinitionUpdateServer", "MicrosoftUpdateServer", "MMPC", and "FileShares" This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: "InternalDefinitionUpdateServer", "MicrosoftUpdateServer", "MMPC", and "FileShares"
For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC } For Example: `{ InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC }`
- If you enable this setting, security intelligence update sources will be contacted in the order specified. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. - If you enable this setting, security intelligence update sources will be contacted in the order specified. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.
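Review bot: the changed line turns "For example:" into "For Example:", which is a capitalisation regression; keep the lowercase "example". Wrapping the sample value in backticks is a good change. Since the line is being touched anyway, the sentence above it ends at "FileShares" with no closing period, and the sample shows spaces around each pipe and surrounding braces without saying whether those are part of the expected string. A short statement of the literal format would prevent misconfigured source orders.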
@ -5054,7 +5055,7 @@ This policy setting allows you to specify the time of day at which to check for
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to define the security intelligence location for VDI-configured computers. This policy setting allows you to define the security intelligence location for VDI-configured computers.
- If you disable or do not configure this setting, security intelligence will be referred from the default local source. If you disable or do not configure this setting, security intelligence will be referred from the default local source.
<!-- SignatureUpdate_SharedSignaturesLocation-Description-End --> <!-- SignatureUpdate_SharedSignaturesLocation-Description-End -->
<!-- SignatureUpdate_SharedSignaturesLocation-Editable-Begin --> <!-- SignatureUpdate_SharedSignaturesLocation-Editable-Begin -->
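Review bot: with the bullet removed, the description now consists of one introductory sentence plus the disabled or not-configured case, and never says what happens, or what value is expected, when the setting is enabled. Add the enabled case here or in the editable section. "Will be referred from the default local source" is also awkward; "will be read from" or "will be retrieved from" would be clearer if that matches the behaviour.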
@ -5427,7 +5428,7 @@ This policy setting customize which remediation action will be taken for each li
Valid remediation action values are: Valid remediation action values are:
2 = Quarantine 2 = Quarantine
3 = Remove 3 = Remove
6 = Ignore 6 = Ignore.
<!-- Threats_ThreatIdDefaultAction-Description-End --> <!-- Threats_ThreatIdDefaultAction-Description-End -->
<!-- Threats_ThreatIdDefaultAction-Editable-Begin --> <!-- Threats_ThreatIdDefaultAction-Editable-Begin -->
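Review bot: "6 = Ignore." now ends with a period while "2 = Quarantine" and "3 = Remove" do not. In a list of valid values the stray period can be read as part of the value, so remove it or punctuate all three entries consistently.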
@ -5603,7 +5604,7 @@ Use this policy setting to specify if you want Microsoft Defender Antivirus noti
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows user to supress reboot notifications in UI only mode (for cases where UI can't be in lockdown mode). This policy setting allows user to supress reboot notifications in UI only mode (for cases where UI can't be in lockdown mode).
- If you enable this setting AM UI won't show reboot notifications. If you enable this setting AM UI won't show reboot notifications.
<!-- UX_Configuration_SuppressRebootNotification-Description-End --> <!-- UX_Configuration_SuppressRebootNotification-Description-End -->
<!-- UX_Configuration_SuppressRebootNotification-Editable-Begin --> <!-- UX_Configuration_SuppressRebootNotification-Editable-Begin -->
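Review bot: the unchanged first sentence of this description still reads "allows user to supress reboot notifications"; while the paragraph is being edited, fix "supress" to "suppress" and "allows user" to "allows users". The same typo shows up in the hunk header of the next change, so it is worth correcting wherever the text is generated from.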
@ -5660,7 +5661,7 @@ This policy setting allows user to supress reboot notifications in UI only mode
<!-- UX_Configuration_UILockdown-Description-Begin --> <!-- UX_Configuration_UILockdown-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to configure whether or not to display AM UI to the users. This policy setting allows you to configure whether or not to display AM UI to the users.
- If you enable this setting AM UI won't be available to users. If you enable this setting AM UI won't be available to users.
<!-- UX_Configuration_UILockdown-Description-End --> <!-- UX_Configuration_UILockdown-Description-End -->
<!-- UX_Configuration_UILockdown-Editable-Begin --> <!-- UX_Configuration_UILockdown-Editable-Begin -->
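Review bot: "If you enable this setting AM UI won't be available to users." needs a comma after "setting", and "AM UI" is never expanded in the visible description. Spell the abbreviation out on first use, and state what happens when the setting is disabled or not configured, since only the enabled case is documented here.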

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_MMC Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -44,7 +44,7 @@ ms.topic: reference
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Permits or prohibits use of this snap-in. Permits or prohibits use of this snap-in.
- If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.
If this setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. If this setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
@ -114,7 +114,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Permits or prohibits use of this snap-in. Permits or prohibits use of this snap-in.
- If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.
If this setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. If this setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
@ -184,7 +184,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Permits or prohibits use of this snap-in. Permits or prohibits use of this snap-in.
- If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.
If this setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. If this setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
@ -260,7 +260,7 @@ As a result, users cannot create console files or add or remove snap-ins. Also,
This setting permits users to open MMC user-mode console files, such as those on the Administrative Tools menu in Windows 2000 Server family or Windows Server 2003 family. However, users cannot open a blank MMC console window on the Start menu. (To open the MMC, click Start, click Run, and type mmc.) Users also cannot open a blank MMC console window from a command prompt. This setting permits users to open MMC user-mode console files, such as those on the Administrative Tools menu in Windows 2000 Server family or Windows Server 2003 family. However, users cannot open a blank MMC console window on the Start menu. (To open the MMC, click Start, click Run, and type mmc.) Users also cannot open a blank MMC console window from a command prompt.
- If you disable this setting or do not configure it, users can enter author mode and open author-mode console files. If you disable this setting or do not configure it, users can enter author mode and open author-mode console files.
<!-- MMC_Restrict_Author-Description-End --> <!-- MMC_Restrict_Author-Description-End -->
<!-- MMC_Restrict_Author-Editable-Begin --> <!-- MMC_Restrict_Author-Editable-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_MMCSnapins Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -2564,7 +2564,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Permits or prohibits use of the Group Policy tab in property sheets for the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. Permits or prohibits use of the Group Policy tab in property sheets for the Active Directory Users and Computers and Active Directory Sites and Services snap-ins.
- If you enable this setting, the Group Policy tab is displayed in the property sheet for a site, domain, or organizational unit displayed by the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. If you disable the setting, the Group Policy tab is not displayed in those snap-ins. If you enable this setting, the Group Policy tab is displayed in the property sheet for a site, domain, or organizational unit displayed by the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. If you disable the setting, the Group Policy tab is not displayed in those snap-ins.
If this setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this tab is displayed. If this setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this tab is displayed.

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_MSAPolicy Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -43,6 +43,7 @@ ms.topic: reference
<!-- MicrosoftAccount_DisableUserAuth-Description-Begin --> <!-- MicrosoftAccount_DisableUserAuth-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This setting controls whether users can provide Microsoft accounts for authentication for applications or services. This setting controls whether users can provide Microsoft accounts for authentication for applications or services.
- If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication. - If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication.
This applies both to existing users of a device and new users who may be added. However, any application or service that has already authenticated a user will not be affected by enabling this setting until the authentication cache expires. This applies both to existing users of a device and new users who may be added. However, any application or service that has already authenticated a user will not be affected by enabling this setting until the authentication cache expires.
It is recommended to enable this setting before any user signs in to a device to prevent cached tokens from being present. It is recommended to enable this setting before any user signs in to a device to prevent cached tokens from being present.
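Review bot: this hunk keeps the single-item bullet "- If this setting is enabled, ..." while the other descriptions in this commit drop the bullet when there is only one condition, so the formatting is now inconsistent across files. The sentence that follows ("This applies both to existing users ...") continues the same thought and would read better as part of one paragraph. The description also says existing sessions are unaffected "until the authentication cache expires" without giving the lifetime or a way to clear it; a pointer to that would help administrators who enable the setting after users have already signed in.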

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_MSDT Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -115,6 +115,7 @@ Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by
These tools are required to completely troubleshoot the problem. If tool download is restricted, it may not be possible to find the root cause of the problem. These tools are required to completely troubleshoot the problem. If tool download is restricted, it may not be possible to find the root cause of the problem.
- If you enable this policy setting for remote troubleshooting, MSDT prompts the user to download additional tools to diagnose problems on remote computers only. - If you enable this policy setting for remote troubleshooting, MSDT prompts the user to download additional tools to diagnose problems on remote computers only.
- If you enable this policy setting for local and remote troubleshooting, MSDT always prompts for additional tool downloading. - If you enable this policy setting for local and remote troubleshooting, MSDT always prompts for additional tool downloading.
- If you disable this policy setting, MSDT never downloads tools, and is unable to diagnose problems on remote computers. - If you disable this policy setting, MSDT never downloads tools, and is unable to diagnose problems on remote computers.

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_MSI Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -551,7 +551,7 @@ Also, see the "Enable user to use media source while elevated" and "Hide the 'Ad
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting restricts the use of Windows Installer. This policy setting restricts the use of Windows Installer.
- If you enable this policy setting, you can prevent users from installing software on their systems or permit users to install only those programs offered by a system administrator. You can use the options in the Disable Windows Installer box to establish an installation setting. If you enable this policy setting, you can prevent users from installing software on their systems or permit users to install only those programs offered by a system administrator. You can use the options in the Disable Windows Installer box to establish an installation setting.
- The "Never" option indicates Windows Installer is fully enabled. Users can install and upgrade software. This is the default behavior for Windows Installer on Windows 2000 Professional, Windows XP Professional and Windows Vista when the policy is not configured. - The "Never" option indicates Windows Installer is fully enabled. Users can install and upgrade software. This is the default behavior for Windows Installer on Windows 2000 Professional, Windows XP Professional and Windows Vista when the policy is not configured.
@ -681,7 +681,7 @@ Also, see the "Enable user to patch elevated products" policy setting.
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation.
- If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete. If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete.
This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, do not use this policy setting unless it is essential. This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, do not use this policy setting unless it is essential.
@ -743,7 +743,7 @@ This policy setting appears in the Computer Configuration and User Configuration
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation.
- If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete. If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete.
This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, do not use this policy setting unless it is essential. This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, do not use this policy setting unless it is essential.
@ -1303,7 +1303,7 @@ When you enable this policy setting, you can specify the types of events you wan
To disable logging, delete all of the letters from the box. To disable logging, delete all of the letters from the box.
- If you disable or do not configure this policy setting, Windows Installer logs the default event types, represented by the letters "iweap." If you disable or do not configure this policy setting, Windows Installer logs the default event types, represented by the letters "iweap."
<!-- MSILogging-Description-End --> <!-- MSILogging-Description-End -->
<!-- MSILogging-Editable-Begin --> <!-- MSILogging-Editable-Begin -->
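Review bot: in the changed line the default is written as "iweap." with the sentence period inside the quotation marks, so a reader copying the value may include the period. Move the period outside the quotes, or put the letters in code formatting, so the literal default is unambiguous.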

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_nca Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -56,7 +56,7 @@ We recommend that you use FQDNs instead of IPv6 addresses wherever possible.
At least one of the entries must be a PING: resource. At least one of the entries must be a PING: resource.
- A Uniform Resource Locator (URL) that NCA queries with a Hypertext Transfer Protocol (HTTP) request. The contents of the web page do not matter. The syntax is "HTTP:" followed by a URL. The host portion of the URL must resolve to an IPv6 address of a Web server or contain an IPv6 address. Examples: HTTP:<https://myserver.corp.contoso.com/> or HTTP:https://2002:836b:1::1/. - A Uniform Resource Locator (URL) that NCA queries with a Hypertext Transfer Protocol (HTTP) request. The contents of the web page do not matter. The syntax is "HTTP:" followed by a URL. The host portion of the URL must resolve to an IPv6 address of a Web server or contain an IPv6 address. Examples: HTTP:https://myserver.corp.contoso.com/ or HTTP:https://2002:836b:1::1/.
- A Universal Naming Convention (UNC) path to a file that NCA checks for existence. The contents of the file do not matter. The syntax is "FILE:" followed by a UNC path. The ComputerName portion of the UNC path must resolve to an IPv6 address or contain an IPv6 address. Examples: FILE:\\myserver\myshare\test.txt or FILE:\\2002:836b:1::1\myshare\test.txt. - A Universal Naming Convention (UNC) path to a file that NCA checks for existence. The contents of the file do not matter. The syntax is "FILE:" followed by a UNC path. The ComputerName portion of the UNC path must resolve to an IPv6 address or contain an IPv6 address. Examples: FILE:\\myserver\myshare\test.txt or FILE:\\2002:836b:1::1\myshare\test.txt.
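Review bot: removing the angle brackets from "HTTP:<https://myserver.corp.contoso.com/>" fixes the autolink, but the bare URL can still be auto-linked by the renderer and the two examples on this line are now formatted differently from literal values elsewhere. Put both examples in code formatting. Separately, the second example "HTTP:https://2002:836b:1::1/" uses an IPv6 literal without square brackets, which is not valid URL syntax; confirm against the ADMX source whether it should read https://[2002:836b:1::1]/. The text also says NCA sends an HTTP request while both examples use https, which deserves a clarifying word.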
@ -290,7 +290,7 @@ If this setting is not configured, the string that appears for DirectAccess conn
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Specifies whether the user has Connect and Disconnect options for the DirectAccess entry when the user clicks the Networking notification area icon. Specifies whether the user has Connect and Disconnect options for the DirectAccess entry when the user clicks the Networking notification area icon.
If the user clicks the Disconnect option, NCA removes the DirectAccess rules from the Name Resolution Policy Table (NRPT) and the DirectAccess client computer uses whatever normal name resolution is available to the client computer in its current network configuration, including sending all DNS queries to the local intranet or Internet DNS servers. **Note** that NCA does not remove the existing IPsec tunnels and users can still access intranet resources across the DirectAccess server by specifying IPv6 addresses rather than names. If the user clicks the Disconnect option, NCA removes the DirectAccess rules from the [Name Resolution Policy Table](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn593632(v=ws.11)) (NRPT) and the DirectAccess client computer uses whatever normal name resolution is available to the client computer in its current network configuration, including sending all DNS queries to the local intranet or Internet DNS servers. **Note** that NCA does not remove the existing IPsec tunnels and users can still access intranet resources across the DirectAccess server by specifying IPv6 addresses rather than names.
The ability to disconnect allows users to specify single-label, unqualified names (such as "PRINTSVR") for local resources when connected to a different intranet and for temporary access to intranet resources when network location detection has not correctly determined that the DirectAccess client computer is connected to its own intranet. The ability to disconnect allows users to specify single-label, unqualified names (such as "PRINTSVR") for local resources when connected to a different intranet and for temporary access to intranet resources when network location detection has not correctly determined that the DirectAccess client computer is connected to its own intranet.
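Review bot: the new link on "Name Resolution Policy Table" is helpful, but the same sentence still carries a bold "**Note**" in mid-sentence ("**Note** that NCA does not remove the existing IPsec tunnels ..."). That point matters operationally, because Disconnect changes name resolution only and leaves intranet access over the tunnels in place. Move it into its own sentence or a note block of the kind used elsewhere in these docs instead of bolding a single word inline.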

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_NCSI Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -317,8 +317,7 @@ This policy setting enables you to specify the HTTPS URL of the corporate websit
<!-- NCSI_GlobalDns-Description-Begin --> <!-- NCSI_GlobalDns-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it is currently probing on. This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it is currently probing on. If you enable this setting, NCSI will allow the DNS lookups to happen on any interface.
- If you enable this setting, NCSI will allow the DNS lookups to happen on any interface.
<!-- NCSI_GlobalDns-Description-End --> <!-- NCSI_GlobalDns-Description-End -->
<!-- NCSI_GlobalDns-Editable-Begin --> <!-- NCSI_GlobalDns-Editable-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_Netlogon Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -54,7 +54,7 @@ The allowable values for this setting result in the following behaviors:
To specify this behavior in the DC Locator DNS SRV records, click Enabled, and then enter a value. The range of values is from 0 to 2. To specify this behavior in the DC Locator DNS SRV records, click Enabled, and then enter a value. The range of values is from 0 to 2.
- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
<!-- Netlogon_AddressLookupOnPingBehavior-Description-End --> <!-- Netlogon_AddressLookupOnPingBehavior-Description-End -->
<!-- Netlogon_AddressLookupOnPingBehavior-Editable-Begin --> <!-- Netlogon_AddressLookupOnPingBehavior-Editable-Begin -->
@ -955,7 +955,7 @@ DCs configured to perform dynamic registration of the DC Locator DNS resource re
To specify the Refresh Interval of the DC records, click Enabled, and then enter a value larger than 1800. This value specifies the Refresh Interval of the DC records in seconds (for example, the value 3600 is 60 minutes). To specify the Refresh Interval of the DC records, click Enabled, and then enter a value larger than 1800. This value specifies the Refresh Interval of the DC records in seconds (for example, the value 3600 is 60 minutes).
- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
<!-- Netlogon_DnsRefreshInterval-Description-End --> <!-- Netlogon_DnsRefreshInterval-Description-End -->
<!-- Netlogon_DnsRefreshInterval-Editable-Begin --> <!-- Netlogon_DnsRefreshInterval-Editable-Begin -->
@ -1082,7 +1082,7 @@ This policy setting specifies the value for the Time-To-Live (TTL) field in SRV
To specify the TTL for DC Locator DNS records, click Enabled, and then enter a value in seconds (for example, the value "900" is 15 minutes). To specify the TTL for DC Locator DNS records, click Enabled, and then enter a value in seconds (for example, the value "900" is 15 minutes).
- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
<!-- Netlogon_DnsTtl-Description-End --> <!-- Netlogon_DnsTtl-Description-End -->
<!-- Netlogon_DnsTtl-Editable-Begin --> <!-- Netlogon_DnsTtl-Editable-Begin -->
@ -1141,7 +1141,7 @@ This policy setting specifies the additional time for the computer to wait for t
To specify the expected dial-up delay at logon, click Enabled, and then enter the desired value in seconds (for example, the value "60" is 1 minute). To specify the expected dial-up delay at logon, click Enabled, and then enter the desired value in seconds (for example, the value "60" is 1 minute).
- If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration.
<!-- Netlogon_ExpectedDialupDelay-Description-End --> <!-- Netlogon_ExpectedDialupDelay-Description-End -->
<!-- Netlogon_ExpectedDialupDelay-Editable-Begin --> <!-- Netlogon_ExpectedDialupDelay-Editable-Begin -->
@ -1265,7 +1265,7 @@ The GC Locator DNS records and the site-specific SRV records are dynamically reg
To specify the sites covered by the GC Locator DNS SRV records, click Enabled, and enter the sites' names in a space-delimited format. To specify the sites covered by the GC Locator DNS SRV records, click Enabled, and enter the sites' names in a space-delimited format.
- If you do not configure this policy setting, it is not applied to any GCs, and GCs use their local configuration. If you do not configure this policy setting, it is not applied to any GCs, and GCs use their local configuration.
<!-- Netlogon_GcSiteCoverage-Description-End --> <!-- Netlogon_GcSiteCoverage-Description-End -->
<!-- Netlogon_GcSiteCoverage-Editable-Begin --> <!-- Netlogon_GcSiteCoverage-Editable-Begin -->
@ -1391,7 +1391,7 @@ The Priority field in the SRV record sets the preference for target hosts (speci
To specify the Priority in the DC Locator DNS SRV resource records, click Enabled, and then enter a value. The range of values is from 0 to 65535. To specify the Priority in the DC Locator DNS SRV resource records, click Enabled, and then enter a value. The range of values is from 0 to 65535.
- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
<!-- Netlogon_LdapSrvPriority-Description-End --> <!-- Netlogon_LdapSrvPriority-Description-End -->
<!-- Netlogon_LdapSrvPriority-Editable-Begin --> <!-- Netlogon_LdapSrvPriority-Editable-Begin -->
@ -1452,7 +1452,7 @@ The Weight field in the SRV record can be used in addition to the Priority value
To specify the Weight in the DC Locator DNS SRV records, click Enabled, and then enter a value. The range of values is from 0 to 65535. To specify the Weight in the DC Locator DNS SRV records, click Enabled, and then enter a value. The range of values is from 0 to 65535.
- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
<!-- Netlogon_LdapSrvWeight-Description-End --> <!-- Netlogon_LdapSrvWeight-Description-End -->
<!-- Netlogon_LdapSrvWeight-Editable-Begin --> <!-- Netlogon_LdapSrvWeight-Editable-Begin -->
@ -1510,6 +1510,7 @@ To specify the Weight in the DC Locator DNS SRV records, click Enabled, and then
This policy setting specifies the maximum size in bytes of the log file netlogon.log in the directory %windir%\debug when logging is enabled. This policy setting specifies the maximum size in bytes of the log file netlogon.log in the directory %windir%\debug when logging is enabled.
By default, the maximum size of the log file is 20MB. By default, the maximum size of the log file is 20MB.
- If you enable this policy setting, the maximum size of the log file is set to the specified size. Once this size is reached the log file is saved to netlogon.bak and netlogon.log is truncated. A reasonable value based on available storage should be specified. - If you enable this policy setting, the maximum size of the log file is set to the specified size. Once this size is reached the log file is saved to netlogon.bak and netlogon.log is truncated. A reasonable value based on available storage should be specified.
- If you disable or do not configure this policy setting, the default behavior occurs as indicated above. - If you disable or do not configure this policy setting, the default behavior occurs as indicated above.
@ -1573,7 +1574,7 @@ The application directory partition DC Locator DNS records and the site-specific
To specify the sites covered by the DC Locator application directory partition-specific DNS SRV records, click Enabled, and then enter the site names in a space-delimited format. To specify the sites covered by the DC Locator application directory partition-specific DNS SRV records, click Enabled, and then enter the site names in a space-delimited format.
- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
<!-- Netlogon_NdncSiteCoverage-Description-End --> <!-- Netlogon_NdncSiteCoverage-Description-End -->
<!-- Netlogon_NdncSiteCoverage-Editable-Begin --> <!-- Netlogon_NdncSiteCoverage-Editable-Begin -->
@ -1823,7 +1824,7 @@ The allowable values for this setting result in the following behaviors:
To specify this behavior, click Enabled and then enter a value. The range of values is from 1 to 2. To specify this behavior, click Enabled and then enter a value. The range of values is from 1 to 2.
- If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration.
<!-- Netlogon_PingUrgencyMode-Description-End --> <!-- Netlogon_PingUrgencyMode-Description-End -->
<!-- Netlogon_PingUrgencyMode-Editable-Begin --> <!-- Netlogon_PingUrgencyMode-Editable-Begin -->
@ -1949,7 +1950,7 @@ The DC Locator DNS records are dynamically registered by the Net Logon service,
To specify the sites covered by the DC Locator DNS SRV records, click Enabled, and then enter the sites names in a space-delimited format. To specify the sites covered by the DC Locator DNS SRV records, click Enabled, and then enter the sites names in a space-delimited format.
- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
<!-- Netlogon_SiteCoverage-Description-End --> <!-- Netlogon_SiteCoverage-Description-End -->
<!-- Netlogon_SiteCoverage-Editable-Begin --> <!-- Netlogon_SiteCoverage-Editable-Begin -->
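Review bot: The instruction line just above the changed bullet still reads "enter the sites names in a space-delimited format", while the matching Netlogon_NdncSiteCoverage text in the hunk at -1573 says "enter the site names". Since this description is being regenerated anyway, correct it to "site names" so the two settings read the same.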
@ -2010,7 +2011,7 @@ An Active Directory site is one or more well-connected TCP/IP subnets that allow
To specify the site name for this setting, click Enabled, and then enter the site name. When the site to which a computer belongs is not specified, the computer automatically discovers its site from Active Directory. To specify the site name for this setting, click Enabled, and then enter the site name. When the site to which a computer belongs is not specified, the computer automatically discovers its site from Active Directory.
- If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration.
<!-- Netlogon_SiteName-Description-End --> <!-- Netlogon_SiteName-Description-End -->
<!-- Netlogon_SiteName-Editable-Begin --> <!-- Netlogon_SiteName-Editable-Begin -->
@ -2076,7 +2077,7 @@ By default, the SYSVOL share will grant shared read access to files on the share
> [!NOTE] > [!NOTE]
> The SYSVOL share is a share created by the Net Logon service for use by Group Policy clients in the domain. The default behavior of the SYSVOL share ensures that no application with only read permission to files on the sysvol share can lock the files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the SYSVOL share with only read permission will be able to deny Group Policy clients from reading the files, and in general the availability of the SYSVOL share on the domain will be decreased. > The SYSVOL share is a share created by the Net Logon service for use by Group Policy clients in the domain. The default behavior of the SYSVOL share ensures that no application with only read permission to files on the sysvol share can lock the files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the SYSVOL share with only read permission will be able to deny Group Policy clients from reading the files, and in general the availability of the SYSVOL share on the domain will be decreased.
- If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator. If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator.
<!-- Netlogon_SysvolShareCompatibilityMode-Description-End --> <!-- Netlogon_SysvolShareCompatibilityMode-Description-End -->
<!-- Netlogon_SysvolShareCompatibilityMode-Editable-Begin --> <!-- Netlogon_SysvolShareCompatibilityMode-Editable-Begin -->
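Review bot: The NOTE above the changed line spells the share name two ways, "SYSVOL share" and "files on the sysvol share", in the same sentence. Use "SYSVOL" throughout. With the bullet removed, the administrator guidance ("ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator") now follows the note as plain text, so check that a blank line separates it from the `> [!NOTE]` block and it does not render as part of the note.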

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_NetworkConnections Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -544,7 +544,7 @@ Specifies whether or not the "local access only" network icon will be shown.
When enabled, the icon for Internet access will be shown in the system tray even when a user is connected to a network with local access only. When enabled, the icon for Internet access will be shown in the system tray even when a user is connected to a network with local access only.
- If you disable this setting or do not configure it, the "local access only" icon will be used when a user is connected to a network with local access only. If you disable this setting or do not configure it, the "local access only" icon will be used when a user is connected to a network with local access only.
<!-- NC_DoNotShowLocalOnlyIcon-Description-End --> <!-- NC_DoNotShowLocalOnlyIcon-Description-End -->
<!-- NC_DoNotShowLocalOnlyIcon-Editable-Begin --> <!-- NC_DoNotShowLocalOnlyIcon-Editable-Begin -->
@ -950,6 +950,7 @@ This setting determines whether the Properties menu item is enabled, and thus, w
> [!NOTE] > [!NOTE]
> This setting takes precedence over settings that manipulate the availability of features inside the Local Area Connection Properties dialog box. > This setting takes precedence over settings that manipulate the availability of features inside the Local Area Connection Properties dialog box.
- If this setting is enabled, nothing within the properties dialog box for a LAN connection is available to users. - If this setting is enabled, nothing within the properties dialog box for a LAN connection is available to users.
> [!NOTE] > [!NOTE]
@ -1378,6 +1379,7 @@ This setting determines whether the Properties menu item is enabled, and thus, w
> [!NOTE] > [!NOTE]
> This setting takes precedence over settings that manipulate the availability of features in the Remote Access Connection Properties dialog box. > This setting takes precedence over settings that manipulate the availability of features in the Remote Access Connection Properties dialog box.
- If this setting is enabled, nothing within the properties dialog box for a remote access connection will be available to users. - If this setting is enabled, nothing within the properties dialog box for a remote access connection will be available to users.
> [!NOTE] > [!NOTE]
@ -1445,7 +1447,7 @@ To create an all-user connection, on the Connection Availability page in the New
- If you disable this setting, the Rename option is disabled for nonadministrators only. - If you disable this setting, the Rename option is disabled for nonadministrators only.
If you do not configure the setting, only Administrators and Network Configuration Operators can rename all-user remote access connections. - If you do not configure the setting, only Administrators and Network Configuration Operators can rename all-user remote access connections.
> [!NOTE] > [!NOTE]
> This setting does not apply to Administrators > This setting does not apply to Administrators

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_OfflineFiles Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -1642,7 +1642,7 @@ Hides or displays reminder balloons, and prevents users from changing the settin
Reminder balloons appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and are working on a local copy of the file. Users can then decide how to proceed. Reminder balloons appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and are working on a local copy of the file. Users can then decide how to proceed.
- If you enable this setting, the system hides the reminder balloons, and prevents users from displaying them. If you enable this setting, the system hides the reminder balloons, and prevents users from displaying them.
If you disable the setting, the system displays the reminder balloons and prevents users from hiding them. If you disable the setting, the system displays the reminder balloons and prevents users from hiding them.
@ -1713,7 +1713,7 @@ Hides or displays reminder balloons, and prevents users from changing the settin
Reminder balloons appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and are working on a local copy of the file. Users can then decide how to proceed. Reminder balloons appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and are working on a local copy of the file. Users can then decide how to proceed.
- If you enable this setting, the system hides the reminder balloons, and prevents users from displaying them. If you enable this setting, the system hides the reminder balloons, and prevents users from displaying them.
If you disable the setting, the system displays the reminder balloons and prevents users from hiding them. If you disable the setting, the system displays the reminder balloons and prevents users from hiding them.
@ -1847,7 +1847,7 @@ Deletes local copies of the user's offline files when the user logs off.
This setting specifies that automatically and manually cached offline files are retained only while the user is logged on to the computer. When the user logs off, the system deletes all local copies of offline files. This setting specifies that automatically and manually cached offline files are retained only while the user is logged on to the computer. When the user logs off, the system deletes all local copies of offline files.
- If you disable this setting or do not configure it, automatically and manually cached copies are retained on the user's computer for later offline use. If you disable this setting or do not configure it, automatically and manually cached copies are retained on the user's computer for later offline use.
> [!CAUTION] > [!CAUTION]
> Files are not synchronized before they are deleted. Any changes to local files since the last synchronization are lost. > Files are not synchronized before they are deleted. Any changes to local files since the last synchronization are lost.
@ -1968,7 +1968,7 @@ This policy setting allows you to turn on economical application of administrati
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Determines how often reminder balloon updates appear. Determines how often reminder balloon updates appear.
- If you enable this setting, you can select how often reminder balloons updates appear and also prevent users from changing this setting. If you enable this setting, you can select how often reminder balloons updates appear and also prevent users from changing this setting.
Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the update interval. Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the update interval.
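Review bot: The line this hunk rewrites keeps the phrase "how often reminder balloons updates appear", which should be "reminder balloon updates", as in the sentence directly above it ("Determines how often reminder balloon updates appear."). The same wording is carried over in the hunk at -2032, so fix both while the bullet prefix is being dropped.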
@ -2032,7 +2032,7 @@ This setting appears in the Computer Configuration and User Configuration folder
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Determines how often reminder balloon updates appear. Determines how often reminder balloon updates appear.
- If you enable this setting, you can select how often reminder balloons updates appear and also prevent users from changing this setting. If you enable this setting, you can select how often reminder balloons updates appear and also prevent users from changing this setting.
Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the update interval. Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the update interval.
@ -2744,7 +2744,7 @@ Determines whether offline files are synchonized before a computer is suspended.
- If you enable this setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files and folders are up-to-date with the most current version. - If you enable this setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files and folders are up-to-date with the most current version.
If you disable or do not configuring this setting, files are not synchronized when the computer is suspended. - If you disable or do not configuring this setting, files are not synchronized when the computer is suspended.
> [!NOTE] > [!NOTE]
> If the computer is suspended by closing the display on a portable computer, files are not synchronized. If multiple users are logged on to the computer at the time the computer is suspended, a synchronization is not performed. > If the computer is suspended by closing the display on a portable computer, files are not synchronized. If multiple users are logged on to the computer at the time the computer is suspended, a synchronization is not performed.
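Review bot: The line that gains a bullet here still reads "If you disable or do not configuring this setting". It should be "do not configure". The identical line is touched again in the hunk at -2806 and needs the same correction.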
@ -2806,7 +2806,7 @@ Determines whether offline files are synchonized before a computer is suspended.
- If you enable this setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files and folders are up-to-date with the most current version. - If you enable this setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files and folders are up-to-date with the most current version.
If you disable or do not configuring this setting, files are not synchronized when the computer is suspended. - If you disable or do not configuring this setting, files are not synchronized when the computer is suspended.
> [!NOTE] > [!NOTE]
> If the computer is suspended by closing the display on a portable computer, files are not synchronized. If multiple users are logged on to the computer at the time the computer is suspended, a synchronization is not performed. > If the computer is suspended by closing the display on a portable computer, files are not synchronized. If multiple users are logged on to the computer at the time the computer is suspended, a synchronization is not performed.
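Review bot: The description this hunk belongs to opens with "Determines whether offline files are synchonized before a computer is suspended." (visible in the hunk header), and "synchonized" is a typo for "synchronized". As the bullet formatting of this section is being changed in this commit, correct the source string at the same time, so the typo does not survive another regeneration.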

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_PeerToPeerCaching Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -261,10 +261,9 @@ Hosted cache clients must trust the server certificate that is issued to the hos
<!-- EnableWindowsBranchCache_HostedCacheDiscovery-Description-Begin --> <!-- EnableWindowsBranchCache_HostedCacheDiscovery-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting specifies whether client computers should attempt the automatic configuration of hosted cache mode by searching for hosted cache servers publishing service connection points that are associated with the client's current Active Directory site. This policy setting specifies whether client computers should attempt the automatic configuration of hosted cache mode by searching for hosted cache servers publishing service connection points that are associated with the client's current Active Directory site. If you enable this policy setting, client computers to which the policy setting is applied search for hosted cache servers using Active Directory, and will prefer both these servers and hosted cache mode rather than manual BranchCache configuration or BranchCache configuration by other group policies.
- If you enable this policy setting, client computers to which the policy setting is applied search for hosted cache servers using Active Directory, and will prefer both these servers and hosted cache mode rather than manual BranchCache configuration or BranchCache configuration by other group policies.
- If you enable this policy setting in addition to the "Turn on BranchCache" policy setting, BranchCache clients attempt to discover hosted cache servers in the local branch office. If client computers detect hosted cache servers, hosted cache mode is turned on. If they do not detect hosted cache servers, hosted cache mode is not turned on, and the client uses any other configuration that is specified manually or by Group Policy. If you enable this policy setting in addition to the "Turn on BranchCache" policy setting, BranchCache clients attempt to discover hosted cache servers in the local branch office. If client computers detect hosted cache servers, hosted cache mode is turned on. If they do not detect hosted cache servers, hosted cache mode is not turned on, and the client uses any other configuration that is specified manually or by Group Policy.
When this policy setting is applied, the client computer performs or does not perform automatic hosted cache server discovery under the following circumstances: When this policy setting is applied, the client computer performs or does not perform automatic hosted cache server discovery under the following circumstances:
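Review bot: Folding the first "If you enable this policy setting, client computers ... search for hosted cache servers using Active Directory" sentence into the opening paragraph mixes the setting's description with its enabled behaviour, and it is immediately followed by a second paragraph that also begins "If you enable this policy setting". Keep the enabled-behaviour sentence on its own line so the two enable cases stay visually distinct. The merged text also says "other group policies" where the next paragraph says "Group Policy", so use one form.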

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_Printing Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -242,6 +242,7 @@ Web view is affected by the "Turn on Classic Shell" and "Do not allow Folder Opt
<!-- DomainPrinters-Description-Begin --> <!-- DomainPrinters-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
- If you enable this policy setting, it sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on a managed network (when the computer is able to reach a domain controller, e.g. a domain-joined laptop on a corporate network.) - If you enable this policy setting, it sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on a managed network (when the computer is able to reach a domain controller, e.g. a domain-joined laptop on a corporate network.)
- If this policy setting is disabled, the network scan page will not be displayed. - If this policy setting is disabled, the network scan page will not be displayed.
@ -258,6 +259,7 @@ In order to view available Web Services printers on your network, ensure that ne
If you would like to not display printers of a certain type, enable this policy and set the number of printers to display to 0. If you would like to not display printers of a certain type, enable this policy and set the number of printers to display to 0.
In Windows 10 and later, only TCP/IP printers can be shown in the wizard. In Windows 10 and later, only TCP/IP printers can be shown in the wizard.
- If you enable this policy setting, only TCP/IP printer limits are applicable. On Windows 10 only, if you disable or do not configure this policy setting, the default limit is applied. - If you enable this policy setting, only TCP/IP printer limits are applicable. On Windows 10 only, if you disable or do not configure this policy setting, the default limit is applied.
In Windows 8 and later, Bluetooth printers are not shown so its limit does not apply to those versions of Windows. In Windows 8 and later, Bluetooth printers are not shown so its limit does not apply to those versions of Windows.
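Review bot: The bullet "- If you enable this policy setting, only TCP/IP printer limits are applicable." also carries the disabled and not-configured case ("On Windows 10 only, if you disable or do not configure this policy setting, the default limit is applied.") on the same line, so one list item describes two opposite states. Split the second sentence into its own bullet. In the following line, "its limit" has no clear antecedent; "the Bluetooth printer limit" would be unambiguous. The same text is repeated in the hunk at -898.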
@ -577,7 +579,7 @@ Adds a link to an Internet or intranet Web page to the Add Printer Wizard.
You can use this setting to direct users to a Web page from which they can install printers. You can use this setting to direct users to a Web page from which they can install printers.
- If you enable this setting and type an Internet or intranet address in the text box, the system adds a Browse button to the "Specify a Printer" page in the Add Printer Wizard. The Browse button appears beside the "Connect to a printer on the Internet or on a home or office network" option. When users click Browse, the system opens an Internet browser and navigates to the specified URL address to display the available printers. If you enable this setting and type an Internet or intranet address in the text box, the system adds a Browse button to the "Specify a Printer" page in the Add Printer Wizard. The Browse button appears beside the "Connect to a printer on the Internet or on a home or office network" option. When users click Browse, the system opens an Internet browser and navigates to the specified URL address to display the available printers.
This setting makes it easy for users to find the printers you want them to add. This setting makes it easy for users to find the printers you want them to add.
@ -823,13 +825,14 @@ Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default
<!-- NoDeletePrinter-Description-Begin --> <!-- NoDeletePrinter-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
- If this policy setting is enabled, it prevents users from deleting local and network printers. - If this policy setting is enabled, it prevents users from deleting local and network printers.
If a user tries to delete a printer, such as by using the Delete option in Printers in Control Panel, a message appears explaining that a setting prevents the action. If a user tries to delete a printer, such as by using the Delete option in Printers in Control Panel, a message appears explaining that a setting prevents the action.
This setting does not prevent users from running other programs to delete a printer. This setting does not prevent users from running other programs to delete a printer.
If this policy is disabled, or not configured, users can delete printers using the methods described above. - If this policy is disabled, or not configured, users can delete printers using the methods described above.
<!-- NoDeletePrinter-Description-End --> <!-- NoDeletePrinter-Description-End -->
<!-- NoDeletePrinter-Editable-Begin --> <!-- NoDeletePrinter-Editable-Begin -->
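Review bot: The new bullet on "If this policy is disabled, or not configured, users can delete printers using the methods described above." is separated from the first bullet by two plain paragraphs, so the description renders as two one-item lists, and "the methods described above" now points back across a list boundary. Either keep both conditionals as plain paragraphs, or move the two explanatory paragraphs (including "This setting does not prevent users from running other programs to delete a printer.") under the first bullet as indented continuation text.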
@ -898,6 +901,7 @@ Shared printers: 50
If you would like to not display printers of a certain type, enable this policy and set the number of printers to display to 0. If you would like to not display printers of a certain type, enable this policy and set the number of printers to display to 0.
In Windows 10 and later, only TCP/IP printers can be shown in the wizard. In Windows 10 and later, only TCP/IP printers can be shown in the wizard.
- If you enable this policy setting, only TCP/IP printer limits are applicable. On Windows 10 only, if you disable or do not configure this policy setting, the default limit is applied. - If you enable this policy setting, only TCP/IP printer limits are applicable. On Windows 10 only, if you disable or do not configure this policy setting, the default limit is applied.
In Windows 8 and later, Bluetooth printers are not shown so its limit does not apply to those versions of Windows. In Windows 8 and later, Bluetooth printers are not shown so its limit does not apply to those versions of Windows.
@ -1204,6 +1208,7 @@ Windows Vista and later clients will attempt to make a non-package point and pri
<!-- PhysicalLocation-Description-Begin --> <!-- PhysicalLocation-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
- If this policy setting is enabled, it specifies the default location criteria used when searching for printers. - If this policy setting is enabled, it specifies the default location criteria used when searching for printers.
This setting is a component of the Location Tracking feature of Windows printers. To use this setting, enable Location Tracking by enabling the "Pre-populate printer search location text" setting. This setting is a component of the Location Tracking feature of Windows printers. To use this setting, enable Location Tracking by enabling the "Pre-populate printer search location text" setting.
@ -1463,7 +1468,7 @@ Specifies the Active Directory location where searches for printers begin.
The Add Printer Wizard gives users the option of searching Active Directory for a shared printer. The Add Printer Wizard gives users the option of searching Active Directory for a shared printer.
- If you enable this policy setting, these searches begin at the location you specify in the "Default Active Directory path" box. Otherwise, searches begin at the root of Active Directory. If you enable this policy setting, these searches begin at the location you specify in the "Default Active Directory path" box. Otherwise, searches begin at the root of Active Directory.
This setting only provides a starting point for Active Directory searches for printers. It does not restrict user searches through Active Directory. This setting only provides a starting point for Active Directory searches for printers. It does not restrict user searches through Active Directory.
<!-- PrinterDirectorySearchScope-Description-End --> <!-- PrinterDirectorySearchScope-Description-End -->

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_Printing2 Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -251,7 +251,7 @@ By default, the pruning service contacts computers every eight hours and allows
- If you enable this setting, you can change the interval between contact attempts. - If you enable this setting, you can change the interval between contact attempts.
If you do not configure or disable this setting the default values will be used. - If you do not configure or disable this setting the default values will be used.
> [!NOTE] > [!NOTE]
> This setting is used only on domain controllers. > This setting is used only on domain controllers.
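Review bot: The newly bulleted line "If you do not configure or disable this setting the default values will be used." lacks the comma after "setting" and uses "will be used", while the parallel line in the hunk at -381 reads "If you do not configure or disable this setting, the default values are used." Align the two. "Do not configure or disable" can also be read as "do not disable"; the order used elsewhere in this commit, "disable or do not configure", avoids that.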
@ -381,7 +381,7 @@ By default, the pruning service contacts computers every eight hours and allows
- If you enable this setting, you can change the interval between attempts. - If you enable this setting, you can change the interval between attempts.
If you do not configure or disable this setting, the default values are used. - If you do not configure or disable this setting, the default values are used.
> [!NOTE] > [!NOTE]
> This setting is used only on domain controllers. > This setting is used only on domain controllers.

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_Programs Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -46,7 +46,7 @@ This setting removes the Set Program Access and Defaults page from the Programs
The Set Program Access and Computer Defaults page allows administrators to specify default programs for certain activities, such as Web browsing or sending e-mail, as well as specify the programs that are accessible from the Start menu, desktop, and other locations. The Set Program Access and Computer Defaults page allows administrators to specify default programs for certain activities, such as Web browsing or sending e-mail, as well as specify the programs that are accessible from the Start menu, desktop, and other locations.
- If this setting is disabled or not configured, the Set Program Access and Defaults button is available to all users. If this setting is disabled or not configured, the Set Program Access and Defaults button is available to all users.
This setting does not prevent users from using other tools and methods to change program access or defaults. This setting does not prevent users from using other tools and methods to change program access or defaults.
@ -177,7 +177,7 @@ This setting prevents users from accessing "Installed Updates" page from the "Vi
"Installed Updates" allows users to view and uninstall updates currently installed on the computer. The updates are often downloaded directly from Windows Update or from various program publishers. "Installed Updates" allows users to view and uninstall updates currently installed on the computer. The updates are often downloaded directly from Windows Update or from various program publishers.
- If this setting is disabled or not configured, the "View installed updates" task and the "Installed Updates" page will be available to all users. If this setting is disabled or not configured, the "View installed updates" task and the "Installed Updates" page will be available to all users.
This setting does not prevent users from using other tools and methods to install or uninstall programs. This setting does not prevent users from using other tools and methods to install or uninstall programs.
<!-- NoInstalledUpdates-Description-End --> <!-- NoInstalledUpdates-Description-End -->
@ -237,7 +237,7 @@ This setting does not prevent users from using other tools and methods to instal
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This setting prevents users from accessing "Programs and Features" to view, uninstall, change, or repair programs that are currently installed on the computer. This setting prevents users from accessing "Programs and Features" to view, uninstall, change, or repair programs that are currently installed on the computer.
- If this setting is disabled or not configured, "Programs and Features" will be available to all users. If this setting is disabled or not configured, "Programs and Features" will be available to all users.
This setting does not prevent users from using other tools and methods to view or uninstall programs. It also does not prevent users from linking to related Programs Control Panel Features including Windows Features, Get Programs, or Windows Marketplace. This setting does not prevent users from using other tools and methods to view or uninstall programs. It also does not prevent users from linking to related Programs Control Panel Features including Windows Features, Get Programs, or Windows Marketplace.
<!-- NoProgramsAndFeatures-Description-End --> <!-- NoProgramsAndFeatures-Description-End -->
@ -299,7 +299,7 @@ This setting prevents users from using the Programs Control Panel in Category Vi
The Programs Control Panel allows users to uninstall, change, and repair programs, enable and disable Windows Features, set program defaults, view installed updates, and purchase software from Windows Marketplace. Programs published or assigned to the user by the system administrator also appear in the Programs Control Panel. The Programs Control Panel allows users to uninstall, change, and repair programs, enable and disable Windows Features, set program defaults, view installed updates, and purchase software from Windows Marketplace. Programs published or assigned to the user by the system administrator also appear in the Programs Control Panel.
- If this setting is disabled or not configured, the Programs Control Panel in Category View and Programs and Features in Classic View will be available to all users. If this setting is disabled or not configured, the Programs Control Panel in Category View and Programs and Features in Classic View will be available to all users.
When enabled, this setting takes precedence over the other settings in this folder. When enabled, this setting takes precedence over the other settings in this folder.
@ -361,7 +361,7 @@ This setting does not prevent users from using other tools and methods to instal
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This setting prevents users from accessing the "Turn Windows features on or off" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. As a result, users cannot view, enable, or disable various Windows features and services. This setting prevents users from accessing the "Turn Windows features on or off" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. As a result, users cannot view, enable, or disable various Windows features and services.
- If this setting is disabled or is not configured, the "Turn Windows features on or off" task will be available to all users. If this setting is disabled or is not configured, the "Turn Windows features on or off" task will be available to all users.
This setting does not prevent users from using other tools and methods to configure services or enable or disable program components. This setting does not prevent users from using other tools and methods to configure services or enable or disable program components.
<!-- NoWindowsFeatures-Description-End --> <!-- NoWindowsFeatures-Description-End -->

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_PushToInstall Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -42,7 +42,7 @@ ms.topic: reference
<!-- DisablePushToInstall-Description-Begin --> <!-- DisablePushToInstall-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
- If you enable this setting, users will not be able to push Apps to this device from the Microsoft Store running on other devices or the web. If you enable this setting, users will not be able to push Apps to this device from the Microsoft Store running on other devices or the web.
<!-- DisablePushToInstall-Description-End --> <!-- DisablePushToInstall-Description-End -->
<!-- DisablePushToInstall-Editable-Begin --> <!-- DisablePushToInstall-Editable-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_RPC Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -273,7 +273,7 @@ This policy setting determines whether the RPC Runtime maintains RPC state infor
- If you enable this policy setting, you can use the drop-down box to determine which systems maintain RPC state information. - If you enable this policy setting, you can use the drop-down box to determine which systems maintain RPC state information.
- "None" indicates that the system does not maintain any RPC state information - "None" indicates that the system does not maintain any RPC state information.
> [!NOTE] > [!NOTE]
> Because the basic state information required for troubleshooting has a negligible effect on performance and uses only about 4K of memory, this setting is not recommended for most installations. > Because the basic state information required for troubleshooting has a negligible effect on performance and uses only about 4K of memory, this setting is not recommended for most installations.

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_sam Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -44,19 +44,19 @@ ms.topic: reference
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to configure how domain controllers handle Windows Hello for Business (WHfB) keys that are vulnerable to the "Return of Coppersmith's attack" (ROCA) vulnerability. This policy setting allows you to configure how domain controllers handle Windows Hello for Business (WHfB) keys that are vulnerable to the "Return of Coppersmith's attack" (ROCA) vulnerability.
For more information on the ROCA vulnerability, please see For more information on the ROCA vulnerability, please see:
<https//cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15361> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15361>
<https//en.wikipedia.org/wiki/ROCA_vulnerability> <https://en.wikipedia.org/wiki/ROCA_vulnerability>
- If you enable this policy setting the following options are supported If you enable this policy setting the following options are supported:
Ignore during authentication the domain controller will not probe any WHfB keys for the ROCA vulnerability. Ignore: during authentication the domain controller will not probe any WHfB keys for the ROCA vulnerability.
Audit during authentication the domain controller will emit audit events for WHfB keys that are subject to the ROCA vulnerability (authentications will still succeed). Audit: during authentication the domain controller will emit audit events for WHfB keys that are subject to the ROCA vulnerability (authentications will still succeed).
Block during authentication the domain controller will block the use of WHfB keys that are subject to the ROCA vulnerability (authentications will fail). Block: during authentication the domain controller will block the use of WHfB keys that are subject to the ROCA vulnerability (authentications will fail).
This setting only takes effect on domain controllers. This setting only takes effect on domain controllers.
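Review bot: The three option lines ("Ignore: …", "Audit: …", "Block: …") are still bare paragraphs after this change, and the new text also drops the "- " from "If you enable this policy setting the following options are supported:". Consider putting the options in a bulleted list under that sentence, with the option names marked up, so the three values an admin chooses between stand out. A comma after "If you enable this policy setting" would also read better.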
@ -66,7 +66,7 @@ A reboot is not required for changes to this setting to take effect.
**Note** to avoid unexpected disruptions this setting should not be set to Block until appropriate mitigations have been performed, for example patching of vulnerable TPMs. **Note** to avoid unexpected disruptions this setting should not be set to Block until appropriate mitigations have been performed, for example patching of vulnerable TPMs.
More information is available at <https//go.microsoft.com/fwlink/?linkid=2116430>. More information is available at< https://go.microsoft.com/fwlink/?linkid=2116430>.
<!-- SamNGCKeyROCAValidation-Description-End --> <!-- SamNGCKeyROCAValidation-Description-End -->
<!-- SamNGCKeyROCAValidation-Editable-Begin --> <!-- SamNGCKeyROCAValidation-Editable-Begin -->
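Review bot: The rewritten link line reads "More information is available at< https://go.microsoft.com/fwlink/?linkid=2116430>.", so the space has moved inside the angle bracket. "< https://…>" is not a valid Markdown autolink, and the text now runs straight into "at". It should be "available at <https://go.microsoft.com/fwlink/?linkid=2116430>." Since this hunk is already being touched, the "**Note** to avoid unexpected disruptions" line about not setting Block before mitigations could also use the "> [!NOTE]" block form used in the other files of this commit.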

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_SettingSync Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -44,7 +44,7 @@ ms.topic: reference
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Prevent the "app settings" group from syncing to and from this PC. This turns off and disables the "app settings" group on the "sync your settings" page in PC settings. Prevent the "app settings" group from syncing to and from this PC. This turns off and disables the "app settings" group on the "sync your settings" page in PC settings.
- If you enable this policy setting, the "app settings" group will not be synced. If you enable this policy setting, the "app settings" group will not be synced.
Use the option "Allow users to turn app settings syncing on" so that syncing it turned off by default but not disabled. Use the option "Allow users to turn app settings syncing on" so that syncing it turned off by default but not disabled.
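Review bot: The context line directly below the edited sentence still reads "so that syncing it turned off by default but not disabled"; "it" should be "is". The same wording recurs in the "AppSync", "passwords", "desktop personalization", "personalize", "sync your settings" and "Other Windows settings" hunks of this file, while the "Start layout" hunk already has "syncing is turned off", so these are worth fixing together in this pass.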
@ -106,7 +106,7 @@ If you do not set or disable this setting, syncing of the "app settings" group i
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Prevent the "AppSync" group from syncing to and from this PC. This turns off and disables the "AppSync" group on the "sync your settings" page in PC settings. Prevent the "AppSync" group from syncing to and from this PC. This turns off and disables the "AppSync" group on the "sync your settings" page in PC settings.
- If you enable this policy setting, the "AppSync" group will not be synced. If you enable this policy setting, the "AppSync" group will not be synced.
Use the option "Allow users to turn app syncing on" so that syncing it turned off by default but not disabled. Use the option "Allow users to turn app syncing on" so that syncing it turned off by default but not disabled.
@ -168,7 +168,7 @@ If you do not set or disable this setting, syncing of the "AppSync" group is on
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Prevent the "passwords" group from syncing to and from this PC. This turns off and disables the "passwords" group on the "sync your settings" page in PC settings. Prevent the "passwords" group from syncing to and from this PC. This turns off and disables the "passwords" group on the "sync your settings" page in PC settings.
- If you enable this policy setting, the "passwords" group will not be synced. If you enable this policy setting, the "passwords" group will not be synced.
Use the option "Allow users to turn passwords syncing on" so that syncing it turned off by default but not disabled. Use the option "Allow users to turn passwords syncing on" so that syncing it turned off by default but not disabled.
@ -230,7 +230,7 @@ If you do not set or disable this setting, syncing of the "passwords" group is o
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Prevent the "desktop personalization" group from syncing to and from this PC. This turns off and disables the "desktop personalization" group on the "sync your settings" page in PC settings. Prevent the "desktop personalization" group from syncing to and from this PC. This turns off and disables the "desktop personalization" group on the "sync your settings" page in PC settings.
- If you enable this policy setting, the "desktop personalization" group will not be synced. If you enable this policy setting, the "desktop personalization" group will not be synced.
Use the option "Allow users to turn desktop personalization syncing on" so that syncing it turned off by default but not disabled. Use the option "Allow users to turn desktop personalization syncing on" so that syncing it turned off by default but not disabled.
@ -292,7 +292,7 @@ If you do not set or disable this setting, syncing of the "desktop personalizati
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Prevent the "personalize" group from syncing to and from this PC. This turns off and disables the "personalize" group on the "sync your settings" page in PC settings. Prevent the "personalize" group from syncing to and from this PC. This turns off and disables the "personalize" group on the "sync your settings" page in PC settings.
- If you enable this policy setting, the "personalize" group will not be synced. If you enable this policy setting, the "personalize" group will not be synced.
Use the option "Allow users to turn personalize syncing on" so that syncing it turned off by default but not disabled. Use the option "Allow users to turn personalize syncing on" so that syncing it turned off by default but not disabled.
@ -354,7 +354,7 @@ If you do not set or disable this setting, syncing of the "personalize" group is
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Prevent syncing to and from this PC. This turns off and disables the "sync your settings" switch on the "sync your settings" page in PC Settings. Prevent syncing to and from this PC. This turns off and disables the "sync your settings" switch on the "sync your settings" page in PC Settings.
- If you enable this policy setting, "sync your settings" will be turned off, and none of the "sync your setting" groups will be synced on this PC. If you enable this policy setting, "sync your settings" will be turned off, and none of the "sync your setting" groups will be synced on this PC.
Use the option "Allow users to turn syncing on" so that syncing it turned off by default but not disabled. Use the option "Allow users to turn syncing on" so that syncing it turned off by default but not disabled.
@ -416,7 +416,7 @@ If you do not set or disable this setting, "sync your settings" is on by default
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Prevent the "Start layout" group from syncing to and from this PC. This turns off and disables the "Start layout" group on the "sync your settings" page in PC settings. Prevent the "Start layout" group from syncing to and from this PC. This turns off and disables the "Start layout" group on the "sync your settings" page in PC settings.
- If you enable this policy setting, the "Start layout" group will not be synced. If you enable this policy setting, the "Start layout" group will not be synced.
Use the option "Allow users to turn start syncing on" so that syncing is turned off by default but not disabled. Use the option "Allow users to turn start syncing on" so that syncing is turned off by default but not disabled.
@ -478,7 +478,7 @@ If you do not set or disable this setting, syncing of the "Start layout" group i
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Prevent syncing to and from this PC when on metered Internet connections. This turns off and disables "sync your settings on metered connections" switch on the "sync your settings" page in PC Settings. Prevent syncing to and from this PC when on metered Internet connections. This turns off and disables "sync your settings on metered connections" switch on the "sync your settings" page in PC Settings.
- If you enable this policy setting, syncing on metered connections will be turned off, and no syncing will take place when this PC is on a metered connection. If you enable this policy setting, syncing on metered connections will be turned off, and no syncing will take place when this PC is on a metered connection.
If you do not set or disable this setting, syncing on metered connections is configurable by the user. If you do not set or disable this setting, syncing on metered connections is configurable by the user.
<!-- DisableSyncOnPaidNetwork-Description-End --> <!-- DisableSyncOnPaidNetwork-Description-End -->
@ -538,7 +538,7 @@ If you do not set or disable this setting, syncing on metered connections is con
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Prevent the "Other Windows settings" group from syncing to and from this PC. This turns off and disables the "Other Windows settings" group on the "sync your settings" page in PC settings. Prevent the "Other Windows settings" group from syncing to and from this PC. This turns off and disables the "Other Windows settings" group on the "sync your settings" page in PC settings.
- If you enable this policy setting, the "Other Windows settings" group will not be synced. If you enable this policy setting, the "Other Windows settings" group will not be synced.
Use the option "Allow users to turn other Windows settings syncing on" so that syncing it turned off by default but not disabled. Use the option "Allow users to turn other Windows settings syncing on" so that syncing it turned off by default but not disabled.

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_SharedFolders Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -31,7 +31,7 @@ ms.topic: reference
<!-- PublishDfsRoots-Applicability-Begin --> <!-- PublishDfsRoots-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | | :x: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- PublishDfsRoots-Applicability-End --> <!-- PublishDfsRoots-Applicability-End -->
<!-- PublishDfsRoots-OmaUri-Begin --> <!-- PublishDfsRoots-OmaUri-Begin -->
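Review bot: The Applicable OS cell for PublishDfsRoots loses its three Windows 10 entries (version 2004 [10.0.19041.1202], version 2009 [10.0.19042.1202], version 21H1 [10.0.19043.1202]) and keeps only "Windows 11, version 21H2 [10.0.22000] and later". Every other visible hunk in this commit is punctuation or date cleanup, so please confirm this narrowing is intentional. Admins rely on this table to decide which devices a policy can be targeted at, and a wrong entry here means the setting is silently assumed to be unsupported on Windows 10.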
@ -46,7 +46,7 @@ This policy setting determines whether the user can publish DFS roots in Active
- If you enable or do not configure this policy setting, users can use the "Publish in Active Directory" option to publish DFS roots as shared folders in AD DS . - If you enable or do not configure this policy setting, users can use the "Publish in Active Directory" option to publish DFS roots as shared folders in AD DS .
- If you disable this policy setting, users cannot publish DFS roots in AD DS and the "Publish in Active Directory" option is disabled - If you disable this policy setting, users cannot publish DFS roots in AD DS and the "Publish in Active Directory" option is disabled.
> [!NOTE] > [!NOTE]
> The default is to allow shared folders to be published when this setting is not configured. > The default is to allow shared folders to be published when this setting is not configured.
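Review bot: The enable line in this hunk still ends "publish DFS roots as shared folders in AD DS ." with a stray space before the period. The change adds the missing period to the disable line right below it, so the neighbouring line should be cleaned up in the same edit.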
@ -109,7 +109,7 @@ This policy setting determines whether the user can publish shared folders in Ac
- If you enable or do not configure this policy setting, users can use the "Publish in Active Directory" option in the Shared Folders snap-in to publish shared folders in AD DS. - If you enable or do not configure this policy setting, users can use the "Publish in Active Directory" option in the Shared Folders snap-in to publish shared folders in AD DS.
- If you disable this policy setting, users cannot publish shared folders in AD DS, and the "Publish in Active Directory" option is disabled - If you disable this policy setting, users cannot publish shared folders in AD DS, and the "Publish in Active Directory" option is disabled.
> [!NOTE] > [!NOTE]
> The default is to allow shared folders to be published when this setting is not configured. > The default is to allow shared folders to be published when this setting is not configured.

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_ShellCommandPromptRegEditTools Area in Po
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -175,6 +175,7 @@ This policy setting only prevents users from running programs that are started b
> [!NOTE] > [!NOTE]
> Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting. > Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting.
> [!NOTE] > [!NOTE]
> To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe). > To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe).
<!-- DisallowApps-Description-End --> <!-- DisallowApps-Description-End -->
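Review bot: The second note sits inside the DisallowApps description but says "To create a list of allowed applications", which is word for word the note in the RestrictApps hunk that follows. For a policy named DisallowApps, please confirm whether this should read "disallowed applications". An admin who reads it literally could enter the wrong set of executable names and invert the intended restriction.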
@ -242,6 +243,7 @@ This policy setting only prevents users from running programs that are started b
> [!NOTE] > [!NOTE]
> Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting. > Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting.
> [!NOTE] > [!NOTE]
> To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe). > To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe).
<!-- RestrictApps-Description-End --> <!-- RestrictApps-Description-End -->

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_Smartcard Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/23/2023 ms.date: 03/27/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -352,6 +352,7 @@ This policy setting allows you to manage the certificate propagation that occurs
<!-- CertPropRootCleanupString-Description-Begin --> <!-- CertPropRootCleanupString-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to manage the clean up behavior of root certificates. This policy setting allows you to manage the clean up behavior of root certificates.
- If you enable this policy setting then root certificate cleanup will occur according to the option selected. - If you enable this policy setting then root certificate cleanup will occur according to the option selected.
- If you disable or do not configure this setting then root certificate clean up will occur on log off. - If you disable or do not configure this setting then root certificate clean up will occur on log off.
<!-- CertPropRootCleanupString-Description-End --> <!-- CertPropRootCleanupString-Description-End -->
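Review bot: The three sentences in this description spell the same term three ways: "clean up behavior", "root certificate cleanup will occur" and "root certificate clean up will occur on log off". Since the hunk is being touched for spacing anyway, settle on "cleanup" for the noun. A comma before "then" in both list items would also help.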
@ -413,7 +414,7 @@ This policy setting allows you to manage the root certificate propagation that o
- If you enable or do not configure this policy setting then root certificate propagation will occur when you insert your smart card. - If you enable or do not configure this policy setting then root certificate propagation will occur when you insert your smart card.
> [!NOTE] > [!NOTE]
> For this policy setting to work the following policy setting must also be enabled Turn on certificate propagation from smart card. > For this policy setting to work the following policy setting must also be enabled: Turn on certificate propagation from smart card.
- If you disable this policy setting then root certificates will not be propagated from the smart card. - If you disable this policy setting then root certificates will not be propagated from the smart card.
<!-- CertPropRootEnabledString-Description-End --> <!-- CertPropRootEnabledString-Description-End -->
@ -542,6 +543,7 @@ This policy setting allows you to control whether elliptic curve cryptography (E
> [!NOTE] > [!NOTE]
> This policy setting only affects a user's ability to log on to a domain. ECC certificates on a smart card that are used for other applications, such as document signing, are not affected by this policy setting. > This policy setting only affects a user's ability to log on to a domain. ECC certificates on a smart card that are used for other applications, such as document signing, are not affected by this policy setting.
> [!NOTE] > [!NOTE]
> If you use an ECDSA key to log on, you must also have an associated ECDH key to permit logons when you are not connected to the network. > If you use an ECDSA key to log on, you must also have an associated ECDH key to permit logons when you are not connected to the network.
<!-- EnumerateECCCerts-Description-End --> <!-- EnumerateECCCerts-Description-End -->
@ -606,7 +608,7 @@ During the certificate renewal period, a user can have multiple valid logon cert
If there are two or more of the "same" certificate on a smart card and this policy is enabled then the certificate that is used for logon on Windows 2000, Windows XP, and Windows 2003 Server will be shown, otherwise the certificate with the expiration time furthest in the future will be shown. If there are two or more of the "same" certificate on a smart card and this policy is enabled then the certificate that is used for logon on Windows 2000, Windows XP, and Windows 2003 Server will be shown, otherwise the certificate with the expiration time furthest in the future will be shown.
> [!NOTE] > [!NOTE]
> This setting will be applied after the following policy "Allow time invalid certificates" > This setting will be applied after the following policy: "Allow time invalid certificates"
- If you enable or do not configure this policy setting, filtering will take place. - If you enable or do not configure this policy setting, filtering will take place.
@ -794,9 +796,9 @@ This policy setting lets you reverse the subject name from how it is stored in t
By default the user principal name (UPN) is displayed in addition to the common name to help users distinguish one certificate from another. For example, if the certificate subject was CN=User1, OU=Users, DN=example, DN=com and had an UPN of user1@example.com then "User1" will be displayed along with "user1@example.com." If the UPN is not present then the entire subject name will be displayed. This setting controls the appearance of that subject name and might need to be adjusted per organization. By default the user principal name (UPN) is displayed in addition to the common name to help users distinguish one certificate from another. For example, if the certificate subject was CN=User1, OU=Users, DN=example, DN=com and had an UPN of user1@example.com then "User1" will be displayed along with "user1@example.com." If the UPN is not present then the entire subject name will be displayed. This setting controls the appearance of that subject name and might need to be adjusted per organization.
- If you enable this policy setting or do not configure this setting, then the subject name will be reversed. If you enable this policy setting or do not configure this setting, then the subject name will be reversed.
If you disable, the subject name will be displayed as it appears in the certificate. If you disable , the subject name will be displayed as it appears in the certificate.
<!-- ReverseSubject-Description-End --> <!-- ReverseSubject-Description-End -->
<!-- ReverseSubject-Editable-Begin --> <!-- ReverseSubject-Editable-Begin -->
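Review bot: The new disable sentence reads "If you disable , the subject name will be displayed as it appears in the certificate.", which adds a space before the comma that the old line did not have. It should be "If you disable this policy setting, the subject name …" or at least "If you disable, …". The example subject in the context line above is written "CN=User1, OU=Users, DN=example, DN=com"; domain components in a certificate subject are normally written DC=, so that is worth checking against the ADMX source too.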

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_srmfci Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -227,7 +227,7 @@ The Classification tab enables users to manually classify files by selecting pro
<!-- EnableShellAccessCheck-Description-Begin --> <!-- EnableShellAccessCheck-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This Group Policy Setting should be set on Windows clients to enable access-denied assistance for all file types This Group Policy Setting should be set on Windows clients to enable access-denied assistance for all file types.
<!-- EnableShellAccessCheck-Description-End --> <!-- EnableShellAccessCheck-Description-End -->
<!-- EnableShellAccessCheck-Editable-Begin --> <!-- EnableShellAccessCheck-Editable-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_StartMenu Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -42,6 +42,7 @@ ms.topic: reference
<!-- AddSearchInternetLinkInStartMenu-Description-Begin --> <!-- AddSearchInternetLinkInStartMenu-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
- If you enable this policy, a "Search the Internet" link is shown when the user performs a search in the start menu search box. This button launches the default browser with the search terms. - If you enable this policy, a "Search the Internet" link is shown when the user performs a search in the start menu search box. This button launches the default browser with the search terms.
- If you disable this policy, there will not be a "Search the Internet" link when the user performs a search in the start menu search box. - If you disable this policy, there will not be a "Search the Internet" link when the user performs a search in the start menu search box.
@ -173,6 +174,7 @@ This policy also does not clear items that the user may have pinned to the Jump
<!-- ClearRecentProgForNewUserInStartMenu-Description-Begin --> <!-- ClearRecentProgForNewUserInStartMenu-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
- If you enable this policy setting, the recent programs list in the start menu will be blank for each new user. - If you enable this policy setting, the recent programs list in the start menu will be blank for each new user.
- If you disable or do not configure this policy, the start menu recent programs list will be pre-populated with programs for each new user. - If you disable or do not configure this policy, the start menu recent programs list will be pre-populated with programs for each new user.
@ -231,6 +233,7 @@ This policy also does not clear items that the user may have pinned to the Jump
<!-- ClearTilesOnExit-Description-Begin --> <!-- ClearTilesOnExit-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
- If you enable this setting, the system deletes tile notifications when the user logs on. As a result, the Tiles in the start view will always show their default content when the user logs on. In addition, any cached versions of these notifications will be cleared when the user logs on. - If you enable this setting, the system deletes tile notifications when the user logs on. As a result, the Tiles in the start view will always show their default content when the user logs on. In addition, any cached versions of these notifications will be cleared when the user logs on.
- If you disable or do not configure this setting, the system retains notifications, and when a user logs on, the tiles appear just as they did when the user logged off, including the history of previous notifications for each tile. - If you disable or do not configure this setting, the system retains notifications, and when a user logs on, the tiles appear just as they did when the user logged off, including the history of previous notifications for each tile.
@ -550,7 +553,7 @@ This setting makes it easier for users to distinguish between programs that are
Partially installed programs include those that a system administrator assigns using Windows Installer and those that users have configured for full installation upon first use. Partially installed programs include those that a system administrator assigns using Windows Installer and those that users have configured for full installation upon first use.
- If you disable this setting or do not configure it, all Start menu shortcuts appear as black text. If you disable this setting or do not configure it, all Start menu shortcuts appear as black text.
> [!NOTE] > [!NOTE]
> Enabling this setting can make the Start menu slow to open. > Enabling this setting can make the Start menu slow to open.
@ -673,7 +676,7 @@ Disables personalized menus.
Windows personalizes long menus by moving recently used items to the top of the menu and hiding items that have not been used recently. Users can display the hidden items by clicking an arrow to extend the menu. Windows personalizes long menus by moving recently used items to the top of the menu and hiding items that have not been used recently. Users can display the hidden items by clicking an arrow to extend the menu.
- If you enable this setting, the system does not personalize menus. All menu items appear and remain in standard order. Also, this setting removes the "Use Personalized Menus" option so users do not try to change the setting while a setting is in effect. If you enable this setting, the system does not personalize menus. All menu items appear and remain in standard order. Also, this setting removes the "Use Personalized Menus" option so users do not try to change the setting while a setting is in effect.
> [!NOTE] > [!NOTE]
> Personalized menus require user tracking. If you enable the "Turn off user tracking" setting, the system disables user tracking and personalized menus and ignores this setting. > Personalized menus require user tracking. If you enable the "Turn off user tracking" setting, the system disables user tracking and personalized menus and ignores this setting.
@ -868,7 +871,7 @@ The notification area is located in the task bar, generally at the bottom of the
- If you disable this setting, the system notification area will always collapse notifications. - If you disable this setting, the system notification area will always collapse notifications.
If you do not configure it, the user can choose if they want notifications collapsed. - If you do not configure it, the user can choose if they want notifications collapsed.
<!-- NoAutoTrayNotify-Description-End --> <!-- NoAutoTrayNotify-Description-End -->
<!-- NoAutoTrayNotify-Editable-Begin --> <!-- NoAutoTrayNotify-Editable-Begin -->
@ -1115,8 +1118,7 @@ This policy setting prevents users from performing the following commands from t
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Removes items in the All Users profile from the Programs menu on the Start menu. Removes items in the All Users profile from the Programs menu on the Start menu.
By default, the Programs menu contains items from the All Users profile and items from the user's profile. By default, the Programs menu contains items from the All Users profile and items from the user's profile. If you enable this setting, only items in the user's profile appear in the Programs menu.
- If you enable this setting, only items in the user's profile appear in the Programs menu.
> [!TIP] > [!TIP]
> To see the Program menu items in the All Users profile, on the system drive, go to ProgramData\Microsoft\Windows\Start Menu\Programs. > To see the Program menu items in the All Users profile, on the system drive, go to ProgramData\Microsoft\Windows\Start Menu\Programs.
@ -1311,6 +1313,7 @@ This policy setting affects the specified user interface elements only. It does
<!-- NoGamesFolderOnStartMenu-Description-Begin --> <!-- NoGamesFolderOnStartMenu-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
- If you enable this policy the start menu will not show a link to the Games folder. - If you enable this policy the start menu will not show a link to the Games folder.
- If you disable or do not configure this policy, the start menu will show a link to the Games folder, unless the user chooses to remove it in the start menu control panel. - If you disable or do not configure this policy, the start menu will show a link to the Games folder, unless the user chooses to remove it in the start menu control panel.
@ -1499,6 +1502,7 @@ This policy setting does not prevent users from pinning programs to the Start Me
<!-- NoMoreProgramsList-Description-Begin --> <!-- NoMoreProgramsList-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
- If you enable this setting, the Start Menu will either collapse or remove the all apps list from the Start menu. - If you enable this setting, the Start Menu will either collapse or remove the all apps list from the Start menu.
Selecting "Collapse" will not display the app list next to the pinned tiles in Start. An "All apps" button will be displayed on Start to open the all apps list. This is equivalent to setting the "Show app list in Start" in Settings to Off. Selecting "Collapse" will not display the app list next to the pinned tiles in Start. An "All apps" button will be displayed on Start to open the all apps list. This is equivalent to setting the "Show app list in Start" in Settings to Off.
@ -1628,6 +1632,7 @@ Also, see the "Disable programs on Settings menu" and "Disable Control Panel" po
<!-- NoPinnedPrograms-Description-Begin --> <!-- NoPinnedPrograms-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
- If you enable this setting, the "Pinned Programs" list is removed from the Start menu. Users cannot pin programs to the Start menu. - If you enable this setting, the "Pinned Programs" list is removed from the Start menu. Users cannot pin programs to the Start menu.
In Windows XP and Windows Vista, the Internet and email checkboxes are removed from the 'Customize Start Menu' dialog. In Windows XP and Windows Vista, the Internet and email checkboxes are removed from the 'Customize Start Menu' dialog.
@ -1692,7 +1697,7 @@ Removes the Recent Items menu from the Start menu. Removes the Documents menu fr
The Recent Items menu contains links to the non-program files that users have most recently opened. It appears so that users can easily reopen their documents. The Recent Items menu contains links to the non-program files that users have most recently opened. It appears so that users can easily reopen their documents.
- If you enable this setting, the system saves document shortcuts but does not display the Recent Items menu in the Start Menu, and users cannot turn the menu on. If you enable this setting, the system saves document shortcuts but does not display the Recent Items menu in the Start Menu, and users cannot turn the menu on.
If you later disable the setting, so that the Recent Items menu appears in the Start Menu, the document shortcuts saved before the setting was enabled and while it was in effect appear in the Recent Items menu. If you later disable the setting, so that the Recent Items menu appears in the Start Menu, the document shortcuts saved before the setting was enabled and while it was in effect appear in the Recent Items menu.
@ -1973,6 +1978,7 @@ Also, users with extended keyboards will no longer be able to display the Run di
<!-- NoSearchCommInStartMenu-Description-Begin --> <!-- NoSearchCommInStartMenu-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
- If you enable this policy the start menu search box will not search for communications. - If you enable this policy the start menu search box will not search for communications.
- If you disable or do not configure this policy, the start menu will search for communications, unless the user chooses not to in the start menu control panel. - If you disable or do not configure this policy, the start menu will search for communications, unless the user chooses not to in the start menu control panel.
@ -2031,6 +2037,7 @@ Also, users with extended keyboards will no longer be able to display the Run di
<!-- NoSearchComputerLinkInStartMenu-Description-Begin --> <!-- NoSearchComputerLinkInStartMenu-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
- If you enable this policy, the "See all results" link will not be shown when the user performs a search in the start menu search box. - If you enable this policy, the "See all results" link will not be shown when the user performs a search in the start menu search box.
- If you disable or do not configure this policy, the "See all results" link will be shown when the user performs a search in the start menu search box. - If you disable or do not configure this policy, the "See all results" link will be shown when the user performs a search in the start menu search box.
@ -2089,6 +2096,7 @@ Also, users with extended keyboards will no longer be able to display the Run di
<!-- NoSearchEverywhereLinkInStartMenu-Description-Begin --> <!-- NoSearchEverywhereLinkInStartMenu-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
- If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in the start menu search box. - If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in the start menu search box.
- If you disable or do not configure this policy, a "See more results" link will be shown when the user performs a search in the start menu search box. If a 3rd party protocol handler is installed, a "Search Everywhere" link will be shown instead of the "See more results" link. - If you disable or do not configure this policy, a "See more results" link will be shown when the user performs a search in the start menu search box. If a 3rd party protocol handler is installed, a "Search Everywhere" link will be shown instead of the "See more results" link.
@ -2147,9 +2155,11 @@ Also, users with extended keyboards will no longer be able to display the Run di
<!-- NoSearchFilesInStartMenu-Description-Begin --> <!-- NoSearchFilesInStartMenu-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
- If you enable this policy setting the Start menu search box will not search for files. - If you enable this policy setting the Start menu search box will not search for files.
- If you disable or do not configure this policy setting, the Start menu will search for files, unless the user chooses not to do so directly in Control Panel. - If you disable or do not configure this policy setting, the Start menu will search for files, unless the user chooses not to do so directly in Control Panel.
- If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in the start menu search box. - If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in the start menu search box.
<!-- NoSearchFilesInStartMenu-Description-End --> <!-- NoSearchFilesInStartMenu-Description-End -->
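Review bot: The third bullet of the NoSearchFilesInStartMenu description ("If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown ...") is word for word the enable bullet of NoSearchEverywhereLinkInStartMenu and says nothing about file search. This hunk only separates it with blank lines, so the policy now lists two different "If you enable" outcomes. Check it against the ADMX source and drop the bullet if it is a copy-paste leftover.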
@ -2206,6 +2216,7 @@ Also, users with extended keyboards will no longer be able to display the Run di
<!-- NoSearchInternetInStartMenu-Description-Begin --> <!-- NoSearchInternetInStartMenu-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
- If you enable this policy the start menu search box will not search for internet history or favorites. - If you enable this policy the start menu search box will not search for internet history or favorites.
- If you disable or do not configure this policy, the start menu will search for for internet history or favorites, unless the user chooses not to in the start menu control panel. - If you disable or do not configure this policy, the start menu will search for for internet history or favorites, unless the user chooses not to in the start menu control panel.
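Review bot: The disable bullet of NoSearchInternetInStartMenu still contains the doubled word in "the start menu will search for for internet history or favorites". The hunk only inserts a blank line above the list. Since the description is being regenerated anyway, fix it to "will search for internet history or favorites".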
@ -2264,6 +2275,7 @@ Also, users with extended keyboards will no longer be able to display the Run di
<!-- NoSearchProgramsInStartMenu-Description-Begin --> <!-- NoSearchProgramsInStartMenu-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
- If you enable this policy setting the Start menu search box will not search for programs or Control Panel items. - If you enable this policy setting the Start menu search box will not search for programs or Control Panel items.
- If you disable or do not configure this policy setting, the Start menu search box will search for programs and Control Panel items, unless the user chooses not to do so directly in Control Panel. - If you disable or do not configure this policy setting, the Start menu search box will search for programs and Control Panel items, unless the user chooses not to do so directly in Control Panel.
@ -2822,6 +2834,7 @@ This policy setting allows you to remove the Downloads link from the Start Menu.
<!-- NoStartMenuHomegroup-Description-Begin --> <!-- NoStartMenuHomegroup-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
- If you enable this policy the Start menu will not show a link to Homegroup. It also removes the homegroup item from the Start Menu options. As a result, users cannot add the homegroup link to the Start Menu. - If you enable this policy the Start menu will not show a link to Homegroup. It also removes the homegroup item from the Start Menu options. As a result, users cannot add the homegroup link to the Start Menu.
- If you disable or do not configure this policy, users can use the Start Menu options to add or remove the homegroup link from the Start Menu. - If you disable or do not configure this policy, users can use the Start Menu options to add or remove the homegroup link from the Start Menu.
@ -3194,7 +3207,7 @@ Taskbar grouping consolidates similar applications when there is no room on the
- If you enable this setting, it prevents the taskbar from grouping items that share the same program name. By default, this setting is always enabled. - If you enable this setting, it prevents the taskbar from grouping items that share the same program name. By default, this setting is always enabled.
If you disable or do not configure it, items on the taskbar that share the same program are grouped together. The users have the option to disable grouping if they choose. - If you disable or do not configure it, items on the taskbar that share the same program are grouped together. The users have the option to disable grouping if they choose.
<!-- NoTaskGrouping-Description-End --> <!-- NoTaskGrouping-Description-End -->
<!-- NoTaskGrouping-Editable-Begin --> <!-- NoTaskGrouping-Editable-Begin -->
@ -3447,9 +3460,10 @@ Description: The notification area is located at the far right end of the task b
<!-- NoUninstallFromStart-Description-Begin --> <!-- NoUninstallFromStart-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
- If you enable this setting, users cannot uninstall apps from Start. - If you enable this setting, users cannot uninstall apps from Start.
- If you disable this setting or do not configure it, users can access the uninstall command from Start - If you disable this setting or do not configure it, users can access the uninstall command from Start.
<!-- NoUninstallFromStart-Description-End --> <!-- NoUninstallFromStart-Description-End -->
<!-- NoUninstallFromStart-Editable-Begin --> <!-- NoUninstallFromStart-Editable-Begin -->
@ -3505,6 +3519,7 @@ Description: The notification area is located at the far right end of the task b
<!-- NoUserFolderOnStartMenu-Description-Begin --> <!-- NoUserFolderOnStartMenu-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
- If you enable this policy the start menu will not show a link to the user's storage folder. - If you enable this policy the start menu will not show a link to the user's storage folder.
- If you disable or do not configure this policy, the start menu will display a link, unless the user chooses to remove it in the start menu control panel. - If you disable or do not configure this policy, the start menu will display a link, unless the user chooses to remove it in the start menu control panel.
@ -3629,7 +3644,7 @@ This policy setting allows you to remove links and access to Windows Update.
- If you enable this policy setting, users are prevented from connecting to the Windows Update Web site. - If you enable this policy setting, users are prevented from connecting to the Windows Update Web site.
Enabling this policy setting blocks user access to the Windows Update Web site at <https://windowsupdate.microsoft.com>. Also, the policy setting removes the Windows Update hyperlink from the Start menu and from the Tools menu in Internet Explorer. Enabling this policy setting blocks user access to the Windows Update Web site at< https://windowsupdate.microsoft.com>. Also, the policy setting removes the Windows Update hyperlink from the Start menu and from the Tools menu in Internet Explorer.
Windows Update, the online extension of Windows, offers software updates to keep a user's system up-to-date. The Windows Update Product Catalog determines any system files, security fixes, and Microsoft updates that users need and shows the newest versions available for download. Windows Update, the online extension of Windows, offers software updates to keep a user's system up-to-date. The Windows Update Product Catalog determines any system files, security fixes, and Microsoft updates that users need and shows the newest versions available for download.
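Review bot: The new side of the Windows Update line changes "at <https://windowsupdate.microsoft.com>" to "at< https://windowsupdate.microsoft.com>". Moving the space inside the angle bracket means the URL no longer renders as an autolink and the text reads "at<". Keep the original spacing: "Web site at <https://windowsupdate.microsoft.com>."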
@ -3814,6 +3829,7 @@ This policy setting controls whether the QuickLaunch bar is displayed in the Tas
<!-- RemoveUnDockPCButton-Description-Begin --> <!-- RemoveUnDockPCButton-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
- If you enable this setting, the "Undock PC" button is removed from the simple Start Menu, and your PC cannot be undocked. - If you enable this setting, the "Undock PC" button is removed from the simple Start Menu, and your PC cannot be undocked.
- If you disable this setting or do not configure it, the "Undock PC" button remains on the simple Start menu, and your PC can be undocked. - If you disable this setting or do not configure it, the "Undock PC" button remains on the simple Start menu, and your PC can be undocked.
@ -3995,6 +4011,7 @@ This policy setting shows or hides the "Run as different user" command on the St
<!-- ShowRunInStartMenu-Description-Begin --> <!-- ShowRunInStartMenu-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
- If you enable this setting, the Run command is added to the Start menu. - If you enable this setting, the Run command is added to the Start menu.
- If you disable or do not configure this setting, the Run command is not visible on the Start menu by default, but it can be added from the Taskbar and Start menu properties. If the Remove Run link from Start Menu policy is set, the Add the Run command to the Start menu policy has no effect. - If you disable or do not configure this setting, the Run command is not visible on the Start menu by default, but it can be added from the Taskbar and Start menu properties. If the Remove Run link from Start Menu policy is set, the Add the Run command to the Start menu policy has no effect.
<!-- ShowRunInStartMenu-Description-End --> <!-- ShowRunInStartMenu-Description-End -->

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_Taskbar Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -416,7 +416,7 @@ This policy setting allows you to remove the volume control icon from the system
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to turn off feature advertisement balloon notifications. This policy setting allows you to turn off feature advertisement balloon notifications.
- If you enable this policy setting, certain notification balloons that are marked as feature advertisements are not shown. If you enable this policy setting, certain notification balloons that are marked as feature advertisements are not shown.
If you disable do not configure this policy setting, feature advertisement balloons are shown. If you disable do not configure this policy setting, feature advertisement balloons are shown.
<!-- NoBalloonFeatureAdvertisements-Description-End --> <!-- NoBalloonFeatureAdvertisements-Description-End -->
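Review bot: The unchanged line after the edited one in NoBalloonFeatureAdvertisements reads "If you disable do not configure this policy setting, feature advertisement balloons are shown." The conjunction is missing. The hunk removes the bullet from the enable sentence but leaves this one as is. Suggest "If you disable or do not configure this policy setting, ..." so the two sentences match the pattern used elsewhere in the file.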

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_tcpip Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -535,7 +535,7 @@ This policy setting allows you to select the UDP port the Teredo client will use
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to set Teredo to be ready to communicate, a process referred to as qualification. By default, Teredo enters a dormant state when not in use. The qualification process brings it out of a dormant state. This policy setting allows you to set Teredo to be ready to communicate, a process referred to as qualification. By default, Teredo enters a dormant state when not in use. The qualification process brings it out of a dormant state.
- If you disable or do not configure this policy setting, the local host setting is used. If you disable or do not configure this policy setting, the local host setting is used.
This policy setting contains only one state: This policy setting contains only one state:

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_TerminalServer Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -239,7 +239,8 @@ This policy setting allows you to specify whether users can run Remote Desktop P
- If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. - If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked.
> [!NOTE] > [!NOTE]
> You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, all users on the computer are affected. > You can define this policy setting in the Computer Configuration node or in the User Configuration node.
- If you configure this policy setting for the computer, all users on the computer are affected.
<!-- TS_CLIENT_ALLOW_SIGNED_FILES_1-Description-End --> <!-- TS_CLIENT_ALLOW_SIGNED_FILES_1-Description-End -->
<!-- TS_CLIENT_ALLOW_SIGNED_FILES_1-Editable-Begin --> <!-- TS_CLIENT_ALLOW_SIGNED_FILES_1-Editable-Begin -->
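Review bot: In TS_CLIENT_ALLOW_SIGNED_FILES_1 the second sentence of the note, "If you configure this policy setting for the computer, all users on the computer are affected.", is moved out of the "> [!NOTE]" block into a top-level "- " bullet with no ">" prefix. It then renders as a third behaviour bullet after the enable/disable list instead of as part of the note about the Computer versus User Configuration node, which is where the scope statement belongs. Keep it inside the note, for example as a second "> " line.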
@ -302,7 +303,8 @@ This policy setting allows you to specify whether users can run Remote Desktop P
- If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. - If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked.
> [!NOTE] > [!NOTE]
> You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, all users on the computer are affected. > You can define this policy setting in the Computer Configuration node or in the User Configuration node.
- If you configure this policy setting for the computer, all users on the computer are affected.
<!-- TS_CLIENT_ALLOW_SIGNED_FILES_2-Description-End --> <!-- TS_CLIENT_ALLOW_SIGNED_FILES_2-Description-End -->
<!-- TS_CLIENT_ALLOW_SIGNED_FILES_2-Editable-Begin --> <!-- TS_CLIENT_ALLOW_SIGNED_FILES_2-Editable-Begin -->
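Review bot: The TS_CLIENT_ALLOW_SIGNED_FILES_2 note is split the same way: "> You can define this policy setting ... User Configuration node." stays in the blockquote while "- If you configure this policy setting for the computer, all users on the computer are affected." becomes an unquoted bullet. The blockquote ends at the first line without ">", so the note is cut after one sentence. Prefix the moved sentence with ">" or revert to the single-line note.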
@ -863,8 +865,7 @@ By default, Remote Desktop Services automatically designates the client default
<!-- TS_CLIENT_DISABLE_HARDWARE_MODE-Description-Begin --> <!-- TS_CLIENT_DISABLE_HARDWARE_MODE-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting specifies whether the Remote Desktop Connection can use hardware acceleration if supported hardware is available. If you use this setting, the Remote Desktop Client will use only software decoding. For example, if you have a problem that you suspect may be related to hardware acceleration, use this setting to disable the acceleration; then, if the problem still occurs, you will know that there are additional issues to investigate. This policy setting specifies whether the Remote Desktop Connection can use hardware acceleration if supported hardware is available. If you use this setting, the Remote Desktop Client will use only software decoding. For example, if you have a problem that you suspect may be related to hardware acceleration, use this setting to disable the acceleration; then, if the problem still occurs, you will know that there are additional issues to investigate. If you disable this setting or leave it not configured, the Remote Desktop client will use hardware accelerated decoding if supported hardware is available.
- If you disable this setting or leave it not configured, the Remote Desktop client will use hardware accelerated decoding if supported hardware is available.
<!-- TS_CLIENT_DISABLE_HARDWARE_MODE-Description-End --> <!-- TS_CLIENT_DISABLE_HARDWARE_MODE-Description-End -->
<!-- TS_CLIENT_DISABLE_HARDWARE_MODE-Editable-Begin --> <!-- TS_CLIENT_DISABLE_HARDWARE_MODE-Editable-Begin -->
@ -924,7 +925,7 @@ Controls whether a user can save passwords using Remote Desktop Connection.
- If you enable this setting the credential saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted. - If you enable this setting the credential saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted.
- If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection - If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection.
<!-- TS_CLIENT_DISABLE_PASSWORD_SAVING_1-Description-End --> <!-- TS_CLIENT_DISABLE_PASSWORD_SAVING_1-Description-End -->
<!-- TS_CLIENT_DISABLE_PASSWORD_SAVING_1-Editable-Begin --> <!-- TS_CLIENT_DISABLE_PASSWORD_SAVING_1-Editable-Begin -->
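Review bot: The added period fixes the second bullet, but the first bullet of the same list is left as is: "If you enable this setting the credential saving checkbox" needs a comma after the condition, and "saves his settings" should be "saves their settings". Since this bullet is the one that tells an administrator that stored passwords are removed from the RDP file on save, it is worth getting it clean in the same pass.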
@ -1182,7 +1183,8 @@ This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA
**Note**: **Note**:
You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user. You can define this policy setting in the Computer Configuration node or in the User Configuration node.
- If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user.
This policy setting overrides the behavior of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting. This policy setting overrides the behavior of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting.
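Review bot: The new "- If you configure this policy setting for the computer, ..." line under the note is a one-item bullet list, and it is not an enabled/disabled/not-configured state like the other "If you" bullets; it is simply the second sentence of the note. Keep it as a plain sentence in the same paragraph as "You can define this policy setting in the Computer Configuration node or in the User Configuration node."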
@ -1249,7 +1251,8 @@ This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA
**Note**: **Note**:
You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user. You can define this policy setting in the Computer Configuration node or in the User Configuration node.
- If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user.
This policy setting overrides the behavior of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting. This policy setting overrides the behavior of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting.
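Review bot: "**Note**:" on its own line followed by loose paragraphs leaves it unclear where the note ends, here and in the identical hunk above: a reader cannot tell whether the sentence about overriding "Allow .rdp files from valid publishers and user's default .rdp settings" is part of the note or of the main description. The TS_DX_USE_FULL_HWGPU hunk in this commit converts its note to "> [!NOTE]"; use the same form here and quote exactly the lines that belong to the note.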
@ -1579,7 +1582,8 @@ This policy setting enables system administrators to change the graphics renderi
- If you do not configure this policy setting, Remote Desktop Services sessions on the RD Session Host server use the Microsoft Basic Render Driver as the default adapter. In all other cases, Remote Desktop Services sessions use the hardware graphics renderer by default. - If you do not configure this policy setting, Remote Desktop Services sessions on the RD Session Host server use the Microsoft Basic Render Driver as the default adapter. In all other cases, Remote Desktop Services sessions use the hardware graphics renderer by default.
NOTE: The policy setting enables load-balancing of graphics processing units (GPU) on a computer with more than one GPU installed. The GPU configuration of the local session is not affected by this policy setting. > [!NOTE]
> The policy setting enables load-balancing of graphics processing units (GPU) on a computer with more than one GPU installed. The GPU configuration of the local session is not affected by this policy setting.
<!-- TS_DX_USE_FULL_HWGPU-Description-End --> <!-- TS_DX_USE_FULL_HWGPU-Description-End -->
<!-- TS_DX_USE_FULL_HWGPU-Editable-Begin --> <!-- TS_DX_USE_FULL_HWGPU-Editable-Begin -->
@ -1971,7 +1975,7 @@ Specifies the authentication method that clients must use when attempting to con
To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. When you do this, users can specify an alternate authentication method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate authentication method, the authentication method that you specify in this policy setting is used by default. To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. When you do this, users can specify an alternate authentication method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate authentication method, the authentication method that you specify in this policy setting is used by default.
- If you disable or do not configure this policy setting, the authentication method that is specified by the user is used, if one is specified. If an authentication method is not specified, the Negotiate protocol that is enabled on the client or a smart card can be used for authentication. If you disable or do not configure this policy setting, the authentication method that is specified by the user is used, if one is specified. If an authentication method is not specified, the Negotiate protocol that is enabled on the client or a smart card can be used for authentication.
<!-- TS_GATEWAY_POLICY_AUTH_METHOD-Description-End --> <!-- TS_GATEWAY_POLICY_AUTH_METHOD-Description-End -->
<!-- TS_GATEWAY_POLICY_AUTH_METHOD-Editable-Begin --> <!-- TS_GATEWAY_POLICY_AUTH_METHOD-Editable-Begin -->
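Review bot: The context line "To allow users to overwrite this policy setting" uses "overwrite" where "override" is meant; the TS_GATEWAY_POLICY_ENABLE description in the next hunk uses both words for the same thing ("allow users to overwrite this setting", "users cannot override this setting"). Since the paragraph describes whether a user can replace the required RD Gateway authentication method, the wording should be unambiguous: use "override" throughout.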
@ -2026,6 +2030,7 @@ To allow users to overwrite this policy setting, select the "Allow users to chan
<!-- TS_GATEWAY_POLICY_ENABLE-Description-Begin --> <!-- TS_GATEWAY_POLICY_ENABLE-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
- If you enable this policy setting, when Remote Desktop Connection cannot connect directly to a remote computer (an RD Session Host server or a computer with Remote Desktop enabled), the clients will attempt to connect to the remote computer through an RD Gateway server. In this case, the clients will attempt to connect to the RD Gateway server that is specified in the "Set RD Gateway server address" policy setting. - If you enable this policy setting, when Remote Desktop Connection cannot connect directly to a remote computer (an RD Session Host server or a computer with Remote Desktop enabled), the clients will attempt to connect to the remote computer through an RD Gateway server. In this case, the clients will attempt to connect to the RD Gateway server that is specified in the "Set RD Gateway server address" policy setting.
You can enforce this policy setting or you can allow users to overwrite this setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. You can enforce this policy setting or you can allow users to overwrite this setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client.
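Review bot: The blank line added after the Description-Source-ADMX comment leaves "- If you enable this policy setting, ..." as a one-item list that opens the description, followed by plain paragraphs. The TS_GATEWAY_POLICY_AUTH_METHOD and TS_SELECT_NETWORK_DETECT hunks in this commit drop the dash from a lone "If you ..." sentence; do the same here so the file treats the case one way.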
@ -2165,6 +2170,7 @@ If the policy setting is not configured, the policy setting is not specified at
**Note**: **Note**:
1. 1.
- If you enable this policy setting, you must also enable the Configure RD Connection Broker farm name and Configure RD Connection Broker server name policy settings. - If you enable this policy setting, you must also enable the Configure RD Connection Broker farm name and Configure RD Connection Broker server name policy settings.
2. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. 2. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard.
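Review bot: The numbered list under "**Note**:" is broken: item "1." is empty, and its text sits in a separate "- If you enable this policy setting, you must also enable ..." bullet, which the added blank line now detaches completely. It should be a single item, "1. If you enable this policy setting, you must also enable the Configure RD Connection Broker farm name and Configure RD Connection Broker server name policy settings.", followed by item 2.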
@ -2982,7 +2988,7 @@ This policy setting determines whether a user will be prompted on the client com
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting specifies the default connection URL for RemoteApp and Desktop Connections. The default connection URL is a specific connection that can only be configured by using Group Policy. In addition to the capabilities that are common to all connections, the default connection URL allows document file types to be associated with RemoteApp programs. This policy setting specifies the default connection URL for RemoteApp and Desktop Connections. The default connection URL is a specific connection that can only be configured by using Group Policy. In addition to the capabilities that are common to all connections, the default connection URL allows document file types to be associated with RemoteApp programs.
The default connection URL must be configured in the form of <https://contoso.com/rdweb/Feed/webfeed.aspx>. The default connection URL must be configured in the form of< https://contoso.com/rdweb/Feed/webfeed.aspx>.
- If you enable this policy setting, the specified URL is configured as the default connection URL for the user and replaces any existing connection URL. The user cannot change the default connection URL. The user's default logon credentials are used when setting up the default connection URL. - If you enable this policy setting, the specified URL is configured as the default connection URL for the user and replaces any existing connection URL. The user cannot change the default connection URL. The user's default logon credentials are used when setting up the default connection URL.
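Review bot: The changed line is a regression: "in the form of <https://contoso.com/rdweb/Feed/webfeed.aspx>" becomes "in the form of< https://contoso.com/rdweb/Feed/webfeed.aspx>", which drops the space before "<" and adds one after it, so the angle-bracket link no longer parses and the brackets render literally. Because this is an example of the required format rather than a link to follow, put the URL in backticks instead.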
@ -3106,6 +3112,7 @@ By default, when a new user signs in to a computer, the Start screen is shown an
<!-- TS_RemoteControl_1-Description-Begin --> <!-- TS_RemoteControl_1-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
- If you enable this policy setting, administrators can interact with a user's Remote Desktop Services session based on the option selected. Select the desired level of control and permission from the options list: - If you enable this policy setting, administrators can interact with a user's Remote Desktop Services session based on the option selected. Select the desired level of control and permission from the options list:
1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session. 1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session.
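Review bot: "- If you enable this policy setting, ... from the options list:" is a bullet whose numbered options ("1. No remote control allowed: ...") start at the left margin, so they render as a separate top-level list rather than under the bullet. Either drop the dash from the introductory sentence or indent the numbered items beneath it. The same applies to the TS_RemoteControl_2 hunk that follows.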
@ -3171,6 +3178,7 @@ By default, when a new user signs in to a computer, the Start screen is shown an
<!-- TS_RemoteControl_2-Description-Begin --> <!-- TS_RemoteControl_2-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
- If you enable this policy setting, administrators can interact with a user's Remote Desktop Services session based on the option selected. Select the desired level of control and permission from the options list: - If you enable this policy setting, administrators can interact with a user's Remote Desktop Services session based on the option selected. Select the desired level of control and permission from the options list:
1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session. 1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session.
@ -3242,8 +3250,7 @@ Depending on the requirements of your users, you can reduce network bandwidth us
If you have a higher than average bandwidth network, you can maximize the utilization of bandwidth by selecting the highest setting for screen capture rate and the highest setting for image quality. If you have a higher than average bandwidth network, you can maximize the utilization of bandwidth by selecting the highest setting for screen capture rate and the highest setting for image quality.
By default, Remote Desktop Connection sessions that use RemoteFX are optimized for a balanced experience over LAN conditions. By default, Remote Desktop Connection sessions that use RemoteFX are optimized for a balanced experience over LAN conditions. If you disable or do not configure this policy setting, Remote Desktop Connection sessions that use RemoteFX will be the same as if the medium screen capture rate and the medium image compression settings were selected (the default behavior).
- If you disable or do not configure this policy setting, Remote Desktop Connection sessions that use RemoteFX will be the same as if the medium screen capture rate and the medium image compression settings were selected (the default behavior).
<!-- TS_RemoteDesktopVirtualGraphics-Description-End --> <!-- TS_RemoteDesktopVirtualGraphics-Description-End -->
<!-- TS_RemoteDesktopVirtualGraphics-Editable-Begin --> <!-- TS_RemoteDesktopVirtualGraphics-Editable-Begin -->
@ -3573,7 +3580,7 @@ If you disable Continuous Network Detect, Remote Desktop Protocol will not try t
If you disable Connect Time Detect and Continuous Network Detect, Remote Desktop Protocol will not try to determine the network quality at the connect time; instead it will assume that all traffic to this server originates from a low-speed connection, and it will not try to adapt the user experience to varying network quality. If you disable Connect Time Detect and Continuous Network Detect, Remote Desktop Protocol will not try to determine the network quality at the connect time; instead it will assume that all traffic to this server originates from a low-speed connection, and it will not try to adapt the user experience to varying network quality.
- If you disable or do not configure this policy setting, Remote Desktop Protocol will spend up to a few seconds trying to determine the network quality prior to the connection, and it will continuously try to adapt the user experience to varying network quality. If you disable or do not configure this policy setting, Remote Desktop Protocol will spend up to a few seconds trying to determine the network quality prior to the connection, and it will continuously try to adapt the user experience to varying network quality.
<!-- TS_SELECT_NETWORK_DETECT-Description-End --> <!-- TS_SELECT_NETWORK_DETECT-Description-End -->
<!-- TS_SELECT_NETWORK_DETECT-Editable-Begin --> <!-- TS_SELECT_NETWORK_DETECT-Editable-Begin -->
@ -3818,8 +3825,7 @@ Do not connect if authentication fails: The client establishes a connection to t
<!-- TS_SERVER_AVC_HW_ENCODE_PREFERRED-Description-Begin --> <!-- TS_SERVER_AVC_HW_ENCODE_PREFERRED-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting lets you enable H.264/AVC hardware encoding support for Remote Desktop Connections. When you enable hardware encoding, if an error occurs, we will attempt to use software encoding. This policy setting lets you enable H.264/AVC hardware encoding support for Remote Desktop Connections. When you enable hardware encoding, if an error occurs, we will attempt to use software encoding. If you disable or do not configure this policy, we will always use software encoding.
- If you disable or do not configure this policy, we will always use software encoding.
<!-- TS_SERVER_AVC_HW_ENCODE_PREFERRED-Description-End --> <!-- TS_SERVER_AVC_HW_ENCODE_PREFERRED-Description-End -->
<!-- TS_SERVER_AVC_HW_ENCODE_PREFERRED-Editable-Begin --> <!-- TS_SERVER_AVC_HW_ENCODE_PREFERRED-Editable-Begin -->
@ -3995,9 +4001,13 @@ You can also choose not to use an RDP compression algorithm. Choosing not to use
<!-- TS_SERVER_IMAGE_QUALITY-Description-Begin --> <!-- TS_SERVER_IMAGE_QUALITY-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to specify the visual quality for remote users when connecting to this computer by using Remote Desktop Connection. You can use this policy setting to balance the network bandwidth usage with the visual quality that is delivered. This policy setting allows you to specify the visual quality for remote users when connecting to this computer by using Remote Desktop Connection. You can use this policy setting to balance the network bandwidth usage with the visual quality that is delivered.
- If you enable this policy setting and set quality to Low, RemoteFX Adaptive Graphics uses an encoding mechanism that results in low quality images. This mode consumes the lowest amount of network bandwidth of the quality modes. - If you enable this policy setting and set quality to Low, RemoteFX Adaptive Graphics uses an encoding mechanism that results in low quality images. This mode consumes the lowest amount of network bandwidth of the quality modes.
- If you enable this policy setting and set quality to Medium, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. This mode provides better graphics quality than low quality and uses less bandwidth than high quality. - If you enable this policy setting and set quality to Medium, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. This mode provides better graphics quality than low quality and uses less bandwidth than high quality.
- If you enable this policy setting and set quality to High, RemoteFX Adaptive Graphics uses an encoding mechanism that results in high quality images and consumes moderate network bandwidth. - If you enable this policy setting and set quality to High, RemoteFX Adaptive Graphics uses an encoding mechanism that results in high quality images and consumes moderate network bandwidth.
- If you enable this policy setting and set quality to Lossless, RemoteFX Adaptive Graphics uses lossless encoding. In this mode, the color integrity of the graphics data is not impacted. However, this setting results in a significant increase in network bandwidth consumption. We recommend that you set this for very specific cases only. - If you enable this policy setting and set quality to Lossless, RemoteFX Adaptive Graphics uses lossless encoding. In this mode, the color integrity of the graphics data is not impacted. However, this setting results in a significant increase in network bandwidth consumption. We recommend that you set this for very specific cases only.
- If you disable or do not configure this policy setting, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. - If you disable or do not configure this policy setting, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images.
<!-- TS_SERVER_IMAGE_QUALITY-Description-End --> <!-- TS_SERVER_IMAGE_QUALITY-Description-End -->
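Review bot: The hunk header shows four added lines (9 to 13) with no visible text change, so the additions are blank lines around the "If you enable this policy setting and set quality to ..." bullets. If they sit between the bullets, the list becomes a loose list, whereas the state bullets in the ADMX_UserExperienceVirtualization hunks of this commit gain only one line each. One blank line before the first bullet is enough.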
@ -4055,6 +4065,7 @@ This policy setting allows you to specify the visual quality for remote users wh
<!-- TS_SERVER_LEGACY_RFX-Description-Begin --> <!-- TS_SERVER_LEGACY_RFX-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to configure graphics encoding to use the RemoteFX Codec on the Remote Desktop Session Host server so that the sessions are compatible with non-Windows thin client devices designed for Windows Server 2008 R2 SP1. These clients only support the Windows Server 2008 R2 SP1 RemoteFX Codec. This policy setting allows you to configure graphics encoding to use the RemoteFX Codec on the Remote Desktop Session Host server so that the sessions are compatible with non-Windows thin client devices designed for Windows Server 2008 R2 SP1. These clients only support the Windows Server 2008 R2 SP1 RemoteFX Codec.
- If you enable this policy setting, users' sessions on this server will only use the Windows Server 2008 R2 SP1 RemoteFX Codec for encoding. This mode is compatible with thin client devices that only support the Windows Server 2008 R2 SP1 RemoteFX Codec. - If you enable this policy setting, users' sessions on this server will only use the Windows Server 2008 R2 SP1 RemoteFX Codec for encoding. This mode is compatible with thin client devices that only support the Windows Server 2008 R2 SP1 RemoteFX Codec.
- If you disable or do not configure this policy setting, non-Windows thin clients that only support the Windows Server 2008 R2 SP1 RemoteFX Codec will not be able to connect to this server. This policy setting applies only to clients that are using Remote Desktop Protocol (RDP) 7.1, and does not affect clients that are using other RDP versions. - If you disable or do not configure this policy setting, non-Windows thin clients that only support the Windows Server 2008 R2 SP1 RemoteFX Codec will not be able to connect to this server. This policy setting applies only to clients that are using Remote Desktop Protocol (RDP) 7.1, and does not affect clients that are using other RDP versions.
<!-- TS_SERVER_LEGACY_RFX-Description-End --> <!-- TS_SERVER_LEGACY_RFX-Description-End -->
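Review bot: In the last bullet, "This policy setting applies only to clients that are using Remote Desktop Protocol (RDP) 7.1, and does not affect clients that are using other RDP versions" is a scope statement for the whole setting, but it is attached to the "If you disable or do not configure" bullet and reads as if it qualified only that state. Move it out of the list into its own sentence after the bullets.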

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_TPM Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -342,7 +342,7 @@ This policy setting configures how much of the TPM owner authorization informati
You can choose to have the operating system store either the full TPM owner authorization value, the TPM administrative delegation blob plus the TPM user delegation blob, or none. You can choose to have the operating system store either the full TPM owner authorization value, the TPM administrative delegation blob plus the TPM user delegation blob, or none.
- If you enable this policy setting, Windows will store the TPM owner authorization in the registry of the local computer according to the operating system managed TPM authentication setting you choose. If you enable this policy setting, Windows will store the TPM owner authorization in the registry of the local computer according to the operating system managed TPM authentication setting you choose.
Choose the operating system managed TPM authentication setting of "Full" to store the full TPM owner authorization, the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting allows use of the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios which do not depend on preventing reset of the TPM anti-hammering logic or changing the TPM owner authorization value. Some TPM-based applications may require this setting be changed before features which depend on the TPM anti-hammering logic can be used. Choose the operating system managed TPM authentication setting of "Full" to store the full TPM owner authorization, the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting allows use of the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios which do not depend on preventing reset of the TPM anti-hammering logic or changing the TPM owner authorization value. Some TPM-based applications may require this setting be changed before features which depend on the TPM anti-hammering logic can be used.
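Review bot: The "Full" paragraph in the trailing context states the trade-off only indirectly ("appropriate for scenarios which do not depend on preventing reset of the TPM anti-hammering logic or changing the TPM owner authorization value"). Since this option stores the full owner authorization in the local registry, say directly what that permits on the local computer rather than leaving the reader to infer it from the double negative. Also "scenarios which" should be "scenarios that", and "require this setting be changed" should be "require that this setting be changed".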

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_UserExperienceVirtualization Area in Poli
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -48,6 +48,7 @@ ms.topic: reference
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings of Calculator. This policy setting configures the synchronization of user settings of Calculator.
By default, the user settings of Calculator synchronize between computers. Use the policy setting to prevent the user settings of Calculator from synchronization between computers. By default, the user settings of Calculator synchronize between computers. Use the policy setting to prevent the user settings of Calculator from synchronization between computers.
- If you enable this policy setting, the Calculator user settings continue to synchronize. - If you enable this policy setting, the Calculator user settings continue to synchronize.
- If you disable this policy setting, Calculator user settings are excluded from the synchronization settings. - If you disable this policy setting, Calculator user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
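Review bot: The third bullet, "If you do not configure this policy setting, any defined values will be deleted", does not tell the reader whether Calculator settings then synchronize; state the resulting behavior, which per the introductory sentence is the default of synchronizing. In that introductory line, "prevent the user settings of Calculator from synchronization" should be "from synchronizing".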
@ -175,6 +176,7 @@ With notifications enabled, UE-V users receive a message when the settings sync
<!-- ConfigureVdi-Description-Begin --> <!-- ConfigureVdi-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of User Experience Virtualization (UE-V) rollback information for computers running in a non-persistent, pooled VDI environment. UE-V settings rollback data and checkpoints are normally stored only on the local computer. With this policy setting enabled, the rollback information is copied to the settings storage location when the user logs off or shuts down their VDI session. Enable this setting to register a VDI-specific settings location template and restore data on computers in pooled VDI environments that reset to a clean state on logout. With this policy enabled you can roll settings back to the state when UE-V was installed or to "last-known-good" configurations. Only enable this policy setting on computers running in a non-persistent VDI environment. The VDI Collection Name defines the name of the virtual desktop collection containing the virtual computers. This policy setting configures the synchronization of User Experience Virtualization (UE-V) rollback information for computers running in a non-persistent, pooled VDI environment. UE-V settings rollback data and checkpoints are normally stored only on the local computer. With this policy setting enabled, the rollback information is copied to the settings storage location when the user logs off or shuts down their VDI session. Enable this setting to register a VDI-specific settings location template and restore data on computers in pooled VDI environments that reset to a clean state on logout. With this policy enabled you can roll settings back to the state when UE-V was installed or to "last-known-good" configurations. Only enable this policy setting on computers running in a non-persistent VDI environment. The VDI Collection Name defines the name of the virtual desktop collection containing the virtual computers.
- If you enable this policy setting, the UE-V rollback state is copied to the settings storage location on logout and restored on login. - If you enable this policy setting, the UE-V rollback state is copied to the settings storage location on logout and restored on login.
- If you disable this policy setting, no UE-V rollback state is copied to the settings storage location. - If you disable this policy setting, no UE-V rollback state is copied to the settings storage location.
- If you do not configure this policy, no UE-V rollback state is copied to the settings storage location. - If you do not configure this policy, no UE-V rollback state is copied to the settings storage location.
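Review bot: The description mixes "logs off", "logout" and "login" for the same events, and the last bullet says "this policy" where the others say "this policy setting". Use one term per event and "policy setting" throughout. The long opening paragraph would also read better with "Only enable this policy setting on computers running in a non-persistent VDI environment" set apart, since it is the constraint an administrator must not miss.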
@ -234,6 +236,7 @@ This policy setting configures the synchronization of User Experience Virtualiza
<!-- ContactITDescription-Description-Begin --> <!-- ContactITDescription-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting specifies the text of the Contact IT URL hyperlink in the Company Settings Center. This policy setting specifies the text of the Contact IT URL hyperlink in the Company Settings Center.
- If you enable this policy setting, the Company Settings Center displays the specified text in the link to the Contact IT URL. - If you enable this policy setting, the Company Settings Center displays the specified text in the link to the Contact IT URL.
- If you disable this policy setting, the Company Settings Center does not display an IT Contact link. - If you disable this policy setting, the Company Settings Center does not display an IT Contact link.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -292,6 +295,7 @@ This policy setting specifies the text of the Contact IT URL hyperlink in the Co
<!-- ContactITUrl-Description-Begin --> <!-- ContactITUrl-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting specifies the URL for the Contact IT link in the Company Settings Center. This policy setting specifies the URL for the Contact IT link in the Company Settings Center.
- If you enable this policy setting, the Company Settings Center Contact IT text links to the specified URL. The link can be of any standard protocol such as http or mailto. - If you enable this policy setting, the Company Settings Center Contact IT text links to the specified URL. The link can be of any standard protocol such as http or mailto.
- If you disable this policy setting, the Company Settings Center does not display an IT Contact link. - If you disable this policy setting, the Company Settings Center does not display an IT Contact link.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
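Review bot: The first bullet gives "http or mailto" as the example protocols for the Contact IT link. For a URL that users are told to follow for IT support, the example should be "https or mailto" so the documentation does not steer administrators toward an unencrypted link.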
@ -355,9 +359,11 @@ This policy setting specifies the URL for the Contact IT link in the Company Set
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings for Windows apps. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings for Windows apps.
By default, the UE-V Agent synchronizes settings for Windows apps between the computer and the settings storage location. By default, the UE-V Agent synchronizes settings for Windows apps between the computer and the settings storage location.
- If you enable this policy setting, the UE-V Agent will not synchronize settings for Windows apps. - If you enable this policy setting, the UE-V Agent will not synchronize settings for Windows apps.
- If you disable this policy setting, the UE-V Agent will synchronize settings for Windows apps. - If you disable this policy setting, the UE-V Agent will synchronize settings for Windows apps.
- If you do not configure this policy setting, any defined values are deleted. - If you do not configure this policy setting, any defined values are deleted.
> [!NOTE] > [!NOTE]
> If the user connects their Microsoft account for their computer then the UE-V Agent will not synchronize Windows apps. The Windows apps will default to whatever settings are configured in the Sync your settings configuration in Windows. > If the user connects their Microsoft account for their computer then the UE-V Agent will not synchronize Windows apps. The Windows apps will default to whatever settings are configured in the Sync your settings configuration in Windows.
<!-- DisableWin8Sync-Description-End --> <!-- DisableWin8Sync-Description-End -->
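Review bot: This setting has the opposite polarity to the other synchronization settings in the file: here "If you enable this policy setting, the UE-V Agent will not synchronize settings for Windows apps", while for Calculator enabling means the settings "continue to synchronize". The description should call that out in its opening sentence so an administrator applying several of these at once does not enable it by analogy. In the note, add a comma before "then" in "If the user connects their Microsoft account for their computer then".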
@ -421,6 +427,7 @@ By default, the UE-V Agent synchronizes settings for Windows apps between the co
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of Windows settings between computers. This policy setting configures the synchronization of Windows settings between computers.
Certain Windows settings will synchronize between computers by default. These settings include Windows themes, Windows desktop settings, Ease of Access settings, and network printers. Use this policy setting to specify which Windows settings synchronize between computers. You can also use these settings to enable synchronization of users' sign-in information for certain apps, networks, and certificates. Certain Windows settings will synchronize between computers by default. These settings include Windows themes, Windows desktop settings, Ease of Access settings, and network printers. Use this policy setting to specify which Windows settings synchronize between computers. You can also use these settings to enable synchronization of users' sign-in information for certain apps, networks, and certificates.
- If you enable this policy setting, only the selected Windows settings synchronize. Unselected Windows settings are excluded from settings synchronization. - If you enable this policy setting, only the selected Windows settings synchronize. Unselected Windows settings are excluded from settings synchronization.
- If you disable this policy setting, all Windows Settings are excluded from the settings synchronization. - If you disable this policy setting, all Windows Settings are excluded from the settings synchronization.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
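Review bot: The sentence "You can also use these settings to enable synchronization of users' sign-in information for certain apps, networks, and certificates" does not say which selectable item carries that sign-in information or whether it is among the defaults listed just before it (themes, desktop settings, Ease of Access, network printers). Since that is the sensitive part of this policy, please name the option and state that it is off unless selected, if that is the case. Minor: "all Windows Settings" in the disable bullet should be lower-case "Windows settings" to match the rest of the description.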
@ -540,6 +547,7 @@ This policy setting allows you to enable or disable User Experience Virtualizati
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for the Finance app. This policy setting configures the synchronization of user settings for the Finance app.
By default, the user settings of Finance sync between computers. Use the policy setting to prevent the user settings of Finance from synchronizing between computers. By default, the user settings of Finance sync between computers. Use the policy setting to prevent the user settings of Finance from synchronizing between computers.
- If you enable this policy setting, Finance user settings continue to sync. - If you enable this policy setting, Finance user settings continue to sync.
- If you disable this policy setting, Finance user settings are excluded from synchronization. - If you disable this policy setting, Finance user settings are excluded from synchronization.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -602,7 +610,7 @@ This policy setting enables a notification in the system tray that appears when
By default, a notification informs users that Company Settings Center, the user-facing name for the UE-V Agent, now helps to synchronize settings between their work computers. By default, a notification informs users that Company Settings Center, the user-facing name for the UE-V Agent, now helps to synchronize settings between their work computers.
With this setting enabled, the notification appears the first time that the UE-V Agent runs. With this setting enabled, the notification appears the first time that the UE-V Agent runs.
With this setting disabled, no notification appears. With this setting disabled, no notification appears.
- If you do not configure this policy setting, any defined values are deleted. If you do not configure this policy setting, any defined values are deleted.
<!-- FirstUseNotificationEnabled-Description-End --> <!-- FirstUseNotificationEnabled-Description-End -->
<!-- FirstUseNotificationEnabled-Editable-Begin --> <!-- FirstUseNotificationEnabled-Editable-Begin -->
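Review bot: Dropping the list marker from the not-configured sentence leaves this description as three plain sentences ("With this setting enabled…", "With this setting disabled…", "If you do not configure…"), while the neighbouring descriptions in this diff use a three-item list beginning "If you enable / disable / do not configure this policy setting". Consider converting the enabled and disabled sentences to bullets instead, so the section matches the others. The tense also differs: "any defined values are deleted" here against "will be deleted" in the Finance and Games sections.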
@ -664,6 +672,7 @@ With this setting disabled, no notification appears.
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for the Games app. This policy setting configures the synchronization of user settings for the Games app.
By default, the user settings of Games sync between computers. Use the policy setting to prevent the user settings of Games from synchronizing between computers. By default, the user settings of Games sync between computers. Use the policy setting to prevent the user settings of Games from synchronizing between computers.
- If you enable this policy setting, Games user settings continue to sync. - If you enable this policy setting, Games user settings continue to sync.
- If you disable this policy setting, Games user settings are excluded from synchronization. - If you disable this policy setting, Games user settings are excluded from synchronization.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -728,6 +737,7 @@ By default, the user settings of Games sync between computers. Use the policy se
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings of Internet Explorer 10. This policy setting configures the synchronization of user settings of Internet Explorer 10.
By default, the user settings of Internet Explorer 10 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 10 from synchronization between computers. By default, the user settings of Internet Explorer 10 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 10 from synchronization between computers.
- If you enable this policy setting, the Internet Explorer 10 user settings continue to synchronize. - If you enable this policy setting, the Internet Explorer 10 user settings continue to synchronize.
- If you disable this policy setting, Internet Explorer 10 user settings are excluded from the synchronization settings. - If you disable this policy setting, Internet Explorer 10 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
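Review bot: "Use the policy setting to prevent the user settings for Internet Explorer 10 from synchronization between computers" is ungrammatical; the Finance, Games and Maps descriptions use "from synchronizing between computers". The same phrase recurs in the Internet Explorer 8, 9, 11 and Office 2010 descriptions in this diff, so it is worth fixing at the ADMX source rather than per section. The disable bullet also says settings are "excluded from the synchronization settings", where "excluded from synchronization" is what is meant.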
@ -792,6 +802,7 @@ By default, the user settings of Internet Explorer 10 synchronize between comput
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings of Internet Explorer 11. This policy setting configures the synchronization of user settings of Internet Explorer 11.
By default, the user settings of Internet Explorer 11 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 11 from synchronization between computers. By default, the user settings of Internet Explorer 11 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 11 from synchronization between computers.
- If you enable this policy setting, the Internet Explorer 11 user settings continue to synchronize. - If you enable this policy setting, the Internet Explorer 11 user settings continue to synchronize.
- If you disable this policy setting, Internet Explorer 11 user settings are excluded from the synchronization settings. - If you disable this policy setting, Internet Explorer 11 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -856,6 +867,7 @@ By default, the user settings of Internet Explorer 11 synchronize between comput
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Internet Explorer 8. This policy setting configures the synchronization of user settings for Internet Explorer 8.
By default, the user settings of Internet Explorer 8 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 8 from synchronization between computers. By default, the user settings of Internet Explorer 8 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 8 from synchronization between computers.
- If you enable this policy setting, the Internet Explorer 8 user settings continue to synchronize. - If you enable this policy setting, the Internet Explorer 8 user settings continue to synchronize.
- If you disable this policy setting, Internet Explorer 8 user settings are excluded from the synchronization settings. - If you disable this policy setting, Internet Explorer 8 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -920,6 +932,7 @@ By default, the user settings of Internet Explorer 8 synchronize between compute
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Internet Explorer 9. This policy setting configures the synchronization of user settings for Internet Explorer 9.
By default, the user settings of Internet Explorer 9 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 9 from synchronization between computers. By default, the user settings of Internet Explorer 9 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 9 from synchronization between computers.
- If you enable this policy setting, the Internet Explorer 9 user settings continue to synchronize. - If you enable this policy setting, the Internet Explorer 9 user settings continue to synchronize.
- If you disable this policy setting, Internet Explorer 9 user settings are excluded from the synchronization settings. - If you disable this policy setting, Internet Explorer 9 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -984,6 +997,7 @@ By default, the user settings of Internet Explorer 9 synchronize between compute
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings which are common between the versions of Internet Explorer. This policy setting configures the synchronization of user settings which are common between the versions of Internet Explorer.
By default, the user settings which are common between the versions of Internet Explorer synchronize between computers. Use the policy setting to prevent the user settings of Internet Explorer from synchronization between computers. By default, the user settings which are common between the versions of Internet Explorer synchronize between computers. Use the policy setting to prevent the user settings of Internet Explorer from synchronization between computers.
- If you enable this policy setting, the user settings which are common between the versions of Internet Explorer continue to synchronize. - If you enable this policy setting, the user settings which are common between the versions of Internet Explorer continue to synchronize.
- If you disable this policy setting, the user settings which are common between the versions of Internet Explorer are excluded from settings synchronization. If any version of the Internet Explorer settings are enabled this policy setting should not be disabled. - If you disable this policy setting, the user settings which are common between the versions of Internet Explorer are excluded from settings synchronization. If any version of the Internet Explorer settings are enabled this policy setting should not be disabled.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
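Review bot: The dependency stated in the disable bullet, "If any version of the Internet Explorer settings are enabled this policy setting should not be disabled", is easy to miss and does not say what happens if it is ignored. Please move it into its own note, fix the agreement and punctuation ("If the settings for any version of Internet Explorer are enabled, do not disable this policy setting"), and state the consequence if one is known.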
@ -1047,6 +1061,7 @@ By default, the user settings which are common between the versions of Internet
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for the Maps app. This policy setting configures the synchronization of user settings for the Maps app.
By default, the user settings of Maps sync between computers. Use the policy setting to prevent the user settings of Maps from synchronizing between computers. By default, the user settings of Maps sync between computers. Use the policy setting to prevent the user settings of Maps from synchronizing between computers.
- If you enable this policy setting, Maps user settings continue to sync. - If you enable this policy setting, Maps user settings continue to sync.
- If you disable this policy setting, Maps user settings are excluded from synchronization. - If you disable this policy setting, Maps user settings are excluded from synchronization.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -1110,6 +1125,7 @@ By default, the user settings of Maps sync between computers. Use the policy set
<!-- MaxPackageSizeInBytes-Description-Begin --> <!-- MaxPackageSizeInBytes-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to configure the UE-V Agent to write a warning event to the event log when a settings package file size reaches a defined threshold. By default the UE-V Agent does not report information about package file size. This policy setting allows you to configure the UE-V Agent to write a warning event to the event log when a settings package file size reaches a defined threshold. By default the UE-V Agent does not report information about package file size.
- If you enable this policy setting, specify the threshold file size in bytes. When the settings package file exceeds this threshold the UE-V Agent will write a warning event to the event log. - If you enable this policy setting, specify the threshold file size in bytes. When the settings package file exceeds this threshold the UE-V Agent will write a warning event to the event log.
- If you disable or do not configure this policy setting, no event is written to the event log to report settings package size. - If you disable or do not configure this policy setting, no event is written to the event log to report settings package size.
<!-- MaxPackageSizeInBytes-Description-End --> <!-- MaxPackageSizeInBytes-Description-End -->
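Review bot: The threshold condition is stated two ways: the first sentence says the warning is written when the package size "reaches a defined threshold", while the enable bullet says "When the settings package file exceeds this threshold". Please pick one so it is clear whether a package exactly at the limit logs the event, which matters to anyone alerting on it. Also add the comma in "By default, the UE-V Agent does not report…".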
@ -1172,6 +1188,7 @@ This policy setting allows you to configure the UE-V Agent to write a warning ev
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Access 2010. This policy setting configures the synchronization of user settings for Microsoft Access 2010.
By default, the user settings of Microsoft Access 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2010 from synchronization between computers. By default, the user settings of Microsoft Access 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2010 from synchronization between computers.
- If you enable this policy setting, Microsoft Access 2010 user settings continue to synchronize. - If you enable this policy setting, Microsoft Access 2010 user settings continue to synchronize.
- If you disable this policy setting, Microsoft Access 2010 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft Access 2010 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -1235,6 +1252,7 @@ By default, the user settings of Microsoft Access 2010 synchronize between compu
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2010 applications. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2010 applications.
By default, the user settings which are common between the Microsoft Office Suite 2010 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2010 applications from synchronization between computers. By default, the user settings which are common between the Microsoft Office Suite 2010 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2010 applications from synchronization between computers.
- If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2010 applications continue to synchronize. - If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2010 applications continue to synchronize.
- If you disable this policy setting, the user settings which are common between the Microsoft Office Suite 2010 applications are excluded from the synchronization settings. If any of the Microsoft Office Suite 2010 applications are enabled, this policy setting should not be disabled - If you disable this policy setting, the user settings which are common between the Microsoft Office Suite 2010 applications are excluded from the synchronization settings. If any of the Microsoft Office Suite 2010 applications are enabled, this policy setting should not be disabled
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
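Review bot: The disable bullet ends without a full stop ("…this policy setting should not be disabled"), unlike the other bullets in the list. As with the Internet Explorer common-settings description, the warning not to disable this setting while any Office 2010 application setting is enabled would read better as a separate note than as a trailing sentence inside the bullet.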
@ -1298,6 +1316,7 @@ By default, the user settings which are common between the Microsoft Office Suit
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Excel 2010. This policy setting configures the synchronization of user settings for Microsoft Excel 2010.
By default, the user settings of Microsoft Excel 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2010 from synchronization between computers. By default, the user settings of Microsoft Excel 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2010 from synchronization between computers.
- If you enable this policy setting, Microsoft Excel 2010 user settings continue to synchronize. - If you enable this policy setting, Microsoft Excel 2010 user settings continue to synchronize.
- If you disable this policy setting, Microsoft Excel 2010 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft Excel 2010 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -1361,6 +1380,7 @@ By default, the user settings of Microsoft Excel 2010 synchronize between comput
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft InfoPath 2010. This policy setting configures the synchronization of user settings for Microsoft InfoPath 2010.
By default, the user settings of Microsoft InfoPath 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2010 from synchronization between computers. By default, the user settings of Microsoft InfoPath 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2010 from synchronization between computers.
- If you enable this policy setting, Microsoft InfoPath 2010 user settings continue to synchronize. - If you enable this policy setting, Microsoft InfoPath 2010 user settings continue to synchronize.
- If you disable this policy setting, Microsoft InfoPath 2010 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft InfoPath 2010 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -1424,6 +1444,7 @@ By default, the user settings of Microsoft InfoPath 2010 synchronize between com
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Lync 2010. This policy setting configures the synchronization of user settings for Microsoft Lync 2010.
By default, the user settings of Microsoft Lync 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2010 from synchronization between computers. By default, the user settings of Microsoft Lync 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2010 from synchronization between computers.
- If you enable this policy setting, Microsoft Lync 2010 user settings continue to synchronize. - If you enable this policy setting, Microsoft Lync 2010 user settings continue to synchronize.
- If you disable this policy setting, Microsoft Lync 2010 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft Lync 2010 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -1488,6 +1509,7 @@ By default, the user settings of Microsoft Lync 2010 synchronize between compute
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft OneNote 2010. This policy setting configures the synchronization of user settings for Microsoft OneNote 2010.
By default, the user settings of Microsoft OneNote 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2010 from synchronization between computers. By default, the user settings of Microsoft OneNote 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2010 from synchronization between computers.
- If you enable this policy setting, Microsoft OneNote 2010 user settings continue to synchronize. - If you enable this policy setting, Microsoft OneNote 2010 user settings continue to synchronize.
- If you disable this policy setting, Microsoft OneNote 2010 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft OneNote 2010 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -1551,6 +1573,7 @@ By default, the user settings of Microsoft OneNote 2010 synchronize between comp
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Outlook 2010. This policy setting configures the synchronization of user settings for Microsoft Outlook 2010.
By default, the user settings of Microsoft Outlook 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2010 from synchronization between computers. By default, the user settings of Microsoft Outlook 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2010 from synchronization between computers.
- If you enable this policy setting, Microsoft Outlook 2010 user settings continue to synchronize. - If you enable this policy setting, Microsoft Outlook 2010 user settings continue to synchronize.
- If you disable this policy setting, Microsoft Outlook 2010 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft Outlook 2010 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -1614,6 +1637,7 @@ By default, the user settings of Microsoft Outlook 2010 synchronize between comp
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2010. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2010.
By default, the user settings of Microsoft PowerPoint 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2010 from synchronization between computers. By default, the user settings of Microsoft PowerPoint 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2010 from synchronization between computers.
- If you enable this policy setting, Microsoft PowerPoint 2010 user settings continue to synchronize. - If you enable this policy setting, Microsoft PowerPoint 2010 user settings continue to synchronize.
- If you disable this policy setting, Microsoft PowerPoint 2010 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft PowerPoint 2010 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -1677,6 +1701,7 @@ By default, the user settings of Microsoft PowerPoint 2010 synchronize between c
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Project 2010. This policy setting configures the synchronization of user settings for Microsoft Project 2010.
By default, the user settings of Microsoft Project 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2010 from synchronization between computers. By default, the user settings of Microsoft Project 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2010 from synchronization between computers.
- If you enable this policy setting, Microsoft Project 2010 user settings continue to synchronize. - If you enable this policy setting, Microsoft Project 2010 user settings continue to synchronize.
- If you disable this policy setting, Microsoft Project 2010 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft Project 2010 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -1740,6 +1765,7 @@ By default, the user settings of Microsoft Project 2010 synchronize between comp
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Publisher 2010. This policy setting configures the synchronization of user settings for Microsoft Publisher 2010.
By default, the user settings of Microsoft Publisher 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2010 from synchronization between computers. By default, the user settings of Microsoft Publisher 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2010 from synchronization between computers.
- If you enable this policy setting, Microsoft Publisher 2010 user settings continue to synchronize. - If you enable this policy setting, Microsoft Publisher 2010 user settings continue to synchronize.
- If you disable this policy setting, Microsoft Publisher 2010 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft Publisher 2010 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -1803,6 +1829,7 @@ By default, the user settings of Microsoft Publisher 2010 synchronize between co
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2010. This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2010.
By default, the user settings of Microsoft SharePoint Designer 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2010 from synchronization between computers. By default, the user settings of Microsoft SharePoint Designer 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2010 from synchronization between computers.
- If you enable this policy setting, Microsoft SharePoint Designer 2010 user settings continue to synchronize. - If you enable this policy setting, Microsoft SharePoint Designer 2010 user settings continue to synchronize.
- If you disable this policy setting, Microsoft SharePoint Designer 2010 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft SharePoint Designer 2010 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -1866,6 +1893,7 @@ By default, the user settings of Microsoft SharePoint Designer 2010 synchronize
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft SharePoint Workspace 2010. This policy setting configures the synchronization of user settings for Microsoft SharePoint Workspace 2010.
By default, the user settings of Microsoft SharePoint Workspace 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Workspace 2010 from synchronization between computers. By default, the user settings of Microsoft SharePoint Workspace 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Workspace 2010 from synchronization between computers.
- If you enable this policy setting, Microsoft SharePoint Workspace 2010 user settings continue to synchronize. - If you enable this policy setting, Microsoft SharePoint Workspace 2010 user settings continue to synchronize.
- If you disable this policy setting, Microsoft SharePoint Workspace 2010 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft SharePoint Workspace 2010 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
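Review bot: The sentence "Use the policy setting to prevent the user settings of Microsoft SharePoint Workspace 2010 from synchronization" reads as if turning the policy on blocks synchronization, while the first bullet says enabling it keeps settings synchronizing and the second says disabling it excludes them. Reword it to name the state that blocks, for example "Disable this policy setting to prevent ...", so the polarity cannot be misread when the policy is deployed. The Description-Source-ADMX marker suggests the text comes from the ADMX description, so the fix may belong there.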
@ -1929,6 +1957,7 @@ By default, the user settings of Microsoft SharePoint Workspace 2010 synchronize
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Visio 2010. This policy setting configures the synchronization of user settings for Microsoft Visio 2010.
By default, the user settings of Microsoft Visio 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2010 from synchronization between computers. By default, the user settings of Microsoft Visio 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2010 from synchronization between computers.
- If you enable this policy setting, Microsoft Visio 2010 user settings continue to synchronize. - If you enable this policy setting, Microsoft Visio 2010 user settings continue to synchronize.
- If you disable this policy setting, Microsoft Visio 2010 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft Visio 2010 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
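Review bot: In the "By default" paragraph, "prevent the user settings of Microsoft Visio 2010 from synchronization between computers" is ungrammatical; use "from synchronizing between computers". The same phrase appears in every synchronization description in this file, so it is worth correcting once at the source rather than per entry.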
@ -1992,6 +2021,7 @@ By default, the user settings of Microsoft Visio 2010 synchronize between comput
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Word 2010. This policy setting configures the synchronization of user settings for Microsoft Word 2010.
By default, the user settings of Microsoft Word 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2010 from synchronization between computers. By default, the user settings of Microsoft Word 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2010 from synchronization between computers.
- If you enable this policy setting, Microsoft Word 2010 user settings continue to synchronize. - If you enable this policy setting, Microsoft Word 2010 user settings continue to synchronize.
- If you disable this policy setting, Microsoft Word 2010 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft Word 2010 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -2055,6 +2085,7 @@ By default, the user settings of Microsoft Word 2010 synchronize between compute
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Access 2013. This policy setting configures the synchronization of user settings for Microsoft Access 2013.
By default, the user settings of Microsoft Access 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2013 from synchronization between computers. By default, the user settings of Microsoft Access 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2013 from synchronization between computers.
- If you enable this policy setting, Microsoft Access 2013 user settings continue to synchronize. - If you enable this policy setting, Microsoft Access 2013 user settings continue to synchronize.
- If you disable this policy setting, Microsoft Access 2013 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft Access 2013 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -2118,6 +2149,7 @@ By default, the user settings of Microsoft Access 2013 synchronize between compu
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the backup of certain user settings for Microsoft Access 2013. This policy setting configures the backup of certain user settings for Microsoft Access 2013.
Microsoft Access 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2013 settings. Microsoft Access 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2013 settings.
- If you enable this policy setting, certain user settings of Microsoft Access 2013 will continue to be backed up. - If you enable this policy setting, certain user settings of Microsoft Access 2013 will continue to be backed up.
- If you disable this policy setting, certain user settings of Microsoft Access 2013 will not be backed up. - If you disable this policy setting, certain user settings of Microsoft Access 2013 will not be backed up.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
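Review bot: All three lines of this description refer to "certain user settings" and "specific Microsoft Access 2013 settings" without saying which settings are backed up rather than synchronized. Name them or link to the settings location template that defines them; otherwise a reader cannot tell what data disabling the policy actually stops backing up.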
@ -2181,6 +2213,7 @@ Microsoft Access 2013 has user settings that are backed up instead of synchroniz
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications.
By default, the user settings which are common between the Microsoft Office Suite 2013 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers. By default, the user settings which are common between the Microsoft Office Suite 2013 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers.
- If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2013 applications continue to synchronize. - If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2013 applications continue to synchronize.
- If you disable this policy setting, the user settings which are common between the Microsoft Office Suite 2013 applications are excluded from the synchronization settings. If any of the Microsoft Office Suite 2013 applications are enabled, this policy setting should not be disabled. - If you disable this policy setting, the user settings which are common between the Microsoft Office Suite 2013 applications are excluded from the synchronization settings. If any of the Microsoft Office Suite 2013 applications are enabled, this policy setting should not be disabled.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
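Review bot: In the disable bullet, "If any of the Microsoft Office Suite 2013 applications are enabled, this policy setting should not be disabled" is ambiguous about what "enabled" refers to and gives no reason. If it means that synchronization is enabled for any individual Office 2013 application, say so, and state what breaks when the common settings are excluded while an application's settings still synchronize.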
@ -2244,6 +2277,7 @@ By default, the user settings which are common between the Microsoft Office Suit
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2013 applications. This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2013 applications.
Microsoft Office Suite 2013 has user settings which are common between applications and are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific common Microsoft Office Suite 2013 applications. Microsoft Office Suite 2013 has user settings which are common between applications and are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific common Microsoft Office Suite 2013 applications.
- If you enable this policy setting, certain user settings which are common between the Microsoft Office Suite 2013 applications will continue to be backed up. - If you enable this policy setting, certain user settings which are common between the Microsoft Office Suite 2013 applications will continue to be backed up.
- If you disable this policy setting, certain user settings which are common between the Microsoft Office Suite 2013 applications will not be backed up. - If you disable this policy setting, certain user settings which are common between the Microsoft Office Suite 2013 applications will not be backed up.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
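Review bot: The second sentence ends "suppress the backup of specific common Microsoft Office Suite 2013 applications", but the policy backs up settings, not applications. The sibling backup descriptions end with "specific Microsoft Access 2013 settings" and the like, so this should probably read "specific common Microsoft Office Suite 2013 settings".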
@ -2307,6 +2341,7 @@ Microsoft Office Suite 2013 has user settings which are common between applicati
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Excel 2013. This policy setting configures the synchronization of user settings for Microsoft Excel 2013.
By default, the user settings of Microsoft Excel 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2013 from synchronization between computers. By default, the user settings of Microsoft Excel 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2013 from synchronization between computers.
- If you enable this policy setting, Microsoft Excel 2013 user settings continue to synchronize. - If you enable this policy setting, Microsoft Excel 2013 user settings continue to synchronize.
- If you disable this policy setting, Microsoft Excel 2013 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft Excel 2013 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -2370,6 +2405,7 @@ By default, the user settings of Microsoft Excel 2013 synchronize between comput
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the backup of certain user settings for Microsoft Excel 2013. This policy setting configures the backup of certain user settings for Microsoft Excel 2013.
Microsoft Excel 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2013 settings. Microsoft Excel 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2013 settings.
- If you enable this policy setting, certain user settings of Microsoft Excel 2013 will continue to be backed up. - If you enable this policy setting, certain user settings of Microsoft Excel 2013 will continue to be backed up.
- If you disable this policy setting, certain user settings of Microsoft Excel 2013 will not be backed up. - If you disable this policy setting, certain user settings of Microsoft Excel 2013 will not be backed up.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -2433,6 +2469,7 @@ Microsoft Excel 2013 has user settings that are backed up instead of synchronizi
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft InfoPath 2013. This policy setting configures the synchronization of user settings for Microsoft InfoPath 2013.
By default, the user settings of Microsoft InfoPath 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2013 from synchronization between computers. By default, the user settings of Microsoft InfoPath 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2013 from synchronization between computers.
- If you enable this policy setting, Microsoft InfoPath 2013 user settings continue to synchronize. - If you enable this policy setting, Microsoft InfoPath 2013 user settings continue to synchronize.
- If you disable this policy setting, Microsoft InfoPath 2013 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft InfoPath 2013 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -2496,6 +2533,7 @@ By default, the user settings of Microsoft InfoPath 2013 synchronize between com
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the backup of certain user settings for Microsoft InfoPath 2013. This policy setting configures the backup of certain user settings for Microsoft InfoPath 2013.
Microsoft InfoPath 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft InfoPath 2013 settings. Microsoft InfoPath 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft InfoPath 2013 settings.
- If you enable this policy setting, certain user settings of Microsoft InfoPath 2013 will continue to be backed up. - If you enable this policy setting, certain user settings of Microsoft InfoPath 2013 will continue to be backed up.
- If you disable this policy setting, certain user settings of Microsoft InfoPath 2013 will not be backed up. - If you disable this policy setting, certain user settings of Microsoft InfoPath 2013 will not be backed up.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -2559,6 +2597,7 @@ Microsoft InfoPath 2013 has user settings that are backed up instead of synchron
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Lync 2013. This policy setting configures the synchronization of user settings for Microsoft Lync 2013.
By default, the user settings of Microsoft Lync 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2013 from synchronization between computers. By default, the user settings of Microsoft Lync 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2013 from synchronization between computers.
- If you enable this policy setting, Microsoft Lync 2013 user settings continue to synchronize. - If you enable this policy setting, Microsoft Lync 2013 user settings continue to synchronize.
- If you disable this policy setting, Microsoft Lync 2013 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft Lync 2013 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -2622,6 +2661,7 @@ By default, the user settings of Microsoft Lync 2013 synchronize between compute
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the backup of certain user settings for Microsoft Lync 2013. This policy setting configures the backup of certain user settings for Microsoft Lync 2013.
Microsoft Lync 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2013 settings. Microsoft Lync 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2013 settings.
- If you enable this policy setting, certain user settings of Microsoft Lync 2013 will continue to be backed up. - If you enable this policy setting, certain user settings of Microsoft Lync 2013 will continue to be backed up.
- If you disable this policy setting, certain user settings of Microsoft Lync 2013 will not be backed up. - If you disable this policy setting, certain user settings of Microsoft Lync 2013 will not be backed up.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -2685,6 +2725,7 @@ Microsoft Lync 2013 has user settings that are backed up instead of synchronizin
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for OneDrive for Business 2013. This policy setting configures the synchronization of user settings for OneDrive for Business 2013.
By default, the user settings of OneDrive for Business 2013 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2013 from synchronization between computers. By default, the user settings of OneDrive for Business 2013 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2013 from synchronization between computers.
- If you enable this policy setting, OneDrive for Business 2013 user settings continue to synchronize. - If you enable this policy setting, OneDrive for Business 2013 user settings continue to synchronize.
- If you disable this policy setting, OneDrive for Business 2013 user settings are excluded from the synchronization settings. - If you disable this policy setting, OneDrive for Business 2013 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -2748,6 +2789,7 @@ By default, the user settings of OneDrive for Business 2013 synchronize between
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft OneNote 2013. This policy setting configures the synchronization of user settings for Microsoft OneNote 2013.
By default, the user settings of Microsoft OneNote 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2013 from synchronization between computers. By default, the user settings of Microsoft OneNote 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2013 from synchronization between computers.
- If you enable this policy setting, Microsoft OneNote 2013 user settings continue to synchronize. - If you enable this policy setting, Microsoft OneNote 2013 user settings continue to synchronize.
- If you disable this policy setting, Microsoft OneNote 2013 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft OneNote 2013 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -2811,6 +2853,7 @@ By default, the user settings of Microsoft OneNote 2013 synchronize between comp
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the backup of certain user settings for Microsoft OneNote 2013. This policy setting configures the backup of certain user settings for Microsoft OneNote 2013.
Microsoft OneNote 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2013 settings. Microsoft OneNote 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2013 settings.
- If you enable this policy setting, certain user settings of Microsoft OneNote 2013 will continue to be backed up. - If you enable this policy setting, certain user settings of Microsoft OneNote 2013 will continue to be backed up.
- If you disable this policy setting, certain user settings of Microsoft OneNote 2013 will not be backed up. - If you disable this policy setting, certain user settings of Microsoft OneNote 2013 will not be backed up.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -2874,6 +2917,7 @@ Microsoft OneNote 2013 has user settings that are backed up instead of synchroni
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Outlook 2013. This policy setting configures the synchronization of user settings for Microsoft Outlook 2013.
By default, the user settings of Microsoft Outlook 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2013 from synchronization between computers. By default, the user settings of Microsoft Outlook 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2013 from synchronization between computers.
- If you enable this policy setting, Microsoft Outlook 2013 user settings continue to synchronize. - If you enable this policy setting, Microsoft Outlook 2013 user settings continue to synchronize.
- If you disable this policy setting, Microsoft Outlook 2013 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft Outlook 2013 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -2937,6 +2981,7 @@ By default, the user settings of Microsoft Outlook 2013 synchronize between comp
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the backup of certain user settings for Microsoft Outlook 2013. This policy setting configures the backup of certain user settings for Microsoft Outlook 2013.
Microsoft Outlook 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2013 settings. Microsoft Outlook 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2013 settings.
- If you enable this policy setting, certain user settings of Microsoft Outlook 2013 will continue to be backed up. - If you enable this policy setting, certain user settings of Microsoft Outlook 2013 will continue to be backed up.
- If you disable this policy setting, certain user settings of Microsoft Outlook 2013 will not be backed up. - If you disable this policy setting, certain user settings of Microsoft Outlook 2013 will not be backed up.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -3000,6 +3045,7 @@ Microsoft Outlook 2013 has user settings that are backed up instead of synchroni
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2013. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2013.
By default, the user settings of Microsoft PowerPoint 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2013 from synchronization between computers. By default, the user settings of Microsoft PowerPoint 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2013 from synchronization between computers.
- If you enable this policy setting, Microsoft PowerPoint 2013 user settings continue to synchronize. - If you enable this policy setting, Microsoft PowerPoint 2013 user settings continue to synchronize.
- If you disable this policy setting, Microsoft PowerPoint 2013 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft PowerPoint 2013 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -3063,6 +3109,7 @@ By default, the user settings of Microsoft PowerPoint 2013 synchronize between c
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2013. This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2013.
Microsoft PowerPoint 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2013 settings. Microsoft PowerPoint 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2013 settings.
- If you enable this policy setting, certain user settings of Microsoft PowerPoint 2013 will continue to be backed up. - If you enable this policy setting, certain user settings of Microsoft PowerPoint 2013 will continue to be backed up.
- If you disable this policy setting, certain user settings of Microsoft PowerPoint 2013 will not be backed up. - If you disable this policy setting, certain user settings of Microsoft PowerPoint 2013 will not be backed up.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -3126,6 +3173,7 @@ Microsoft PowerPoint 2013 has user settings that are backed up instead of synchr
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Project 2013. This policy setting configures the synchronization of user settings for Microsoft Project 2013.
By default, the user settings of Microsoft Project 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2013 from synchronization between computers. By default, the user settings of Microsoft Project 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2013 from synchronization between computers.
- If you enable this policy setting, Microsoft Project 2013 user settings continue to synchronize. - If you enable this policy setting, Microsoft Project 2013 user settings continue to synchronize.
- If you disable this policy setting, Microsoft Project 2013 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft Project 2013 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -3189,6 +3237,7 @@ By default, the user settings of Microsoft Project 2013 synchronize between comp
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the backup of certain user settings for Microsoft Project 2013. This policy setting configures the backup of certain user settings for Microsoft Project 2013.
Microsoft Project 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2013 settings. Microsoft Project 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2013 settings.
- If you enable this policy setting, certain user settings of Microsoft Project 2013 will continue to be backed up. - If you enable this policy setting, certain user settings of Microsoft Project 2013 will continue to be backed up.
- If you disable this policy setting, certain user settings of Microsoft Project 2013 will not be backed up. - If you disable this policy setting, certain user settings of Microsoft Project 2013 will not be backed up.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -3252,6 +3301,7 @@ Microsoft Project 2013 has user settings that are backed up instead of synchroni
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Publisher 2013. This policy setting configures the synchronization of user settings for Microsoft Publisher 2013.
By default, the user settings of Microsoft Publisher 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2013 from synchronization between computers. By default, the user settings of Microsoft Publisher 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2013 from synchronization between computers.
- If you enable this policy setting, Microsoft Publisher 2013 user settings continue to synchronize. - If you enable this policy setting, Microsoft Publisher 2013 user settings continue to synchronize.
- If you disable this policy setting, Microsoft Publisher 2013 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft Publisher 2013 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -3315,6 +3365,7 @@ By default, the user settings of Microsoft Publisher 2013 synchronize between co
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the backup of certain user settings for Microsoft Publisher 2013. This policy setting configures the backup of certain user settings for Microsoft Publisher 2013.
Microsoft Publisher 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2013 settings. Microsoft Publisher 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2013 settings.
- If you enable this policy setting, certain user settings of Microsoft Publisher 2013 will continue to be backed up. - If you enable this policy setting, certain user settings of Microsoft Publisher 2013 will continue to be backed up.
- If you disable this policy setting, certain user settings of Microsoft Publisher 2013 will not be backed up. - If you disable this policy setting, certain user settings of Microsoft Publisher 2013 will not be backed up.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
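Review bot: The last bullet, "If you do not configure this policy setting, any defined values will be deleted", does not tell the reader whether the backup then runs or not, and unlike the synchronization descriptions this one has no "By default" sentence to fall back on. Suggest stating the resulting behavior for the unconfigured case, and either naming the "certain user settings" that are covered or linking to where they are listed.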
@ -3378,6 +3429,7 @@ Microsoft Publisher 2013 has user settings that are backed up instead of synchro
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2013. This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2013.
By default, the user settings of Microsoft SharePoint Designer 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2013 from synchronization between computers. By default, the user settings of Microsoft SharePoint Designer 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2013 from synchronization between computers.
- If you enable this policy setting, Microsoft SharePoint Designer 2013 user settings continue to synchronize. - If you enable this policy setting, Microsoft SharePoint Designer 2013 user settings continue to synchronize.
- If you disable this policy setting, Microsoft SharePoint Designer 2013 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft SharePoint Designer 2013 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -3441,6 +3493,7 @@ By default, the user settings of Microsoft SharePoint Designer 2013 synchronize
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the backup of certain user settings for Microsoft SharePoint Designer 2013. This policy setting configures the backup of certain user settings for Microsoft SharePoint Designer 2013.
Microsoft SharePoint Designer 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft SharePoint Designer 2013 settings. Microsoft SharePoint Designer 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft SharePoint Designer 2013 settings.
- If you enable this policy setting, certain user settings of Microsoft SharePoint Designer 2013 will continue to be backed up. - If you enable this policy setting, certain user settings of Microsoft SharePoint Designer 2013 will continue to be backed up.
- If you disable this policy setting, certain user settings of Microsoft SharePoint Designer 2013 will not be backed up. - If you disable this policy setting, certain user settings of Microsoft SharePoint Designer 2013 will not be backed up.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -3504,6 +3557,7 @@ Microsoft SharePoint Designer 2013 has user settings that are backed up instead
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Office 2013 Upload Center. This policy setting configures the synchronization of user settings for Microsoft Office 2013 Upload Center.
By default, the user settings of Microsoft Office 2013 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2013 Upload Center from synchronization between computers. By default, the user settings of Microsoft Office 2013 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2013 Upload Center from synchronization between computers.
- If you enable this policy setting, Microsoft Office 2013 Upload Center user settings continue to synchronize. - If you enable this policy setting, Microsoft Office 2013 Upload Center user settings continue to synchronize.
- If you disable this policy setting, Microsoft Office 2013 Upload Center user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft Office 2013 Upload Center user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -3567,6 +3621,7 @@ By default, the user settings of Microsoft Office 2013 Upload Center synchronize
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Visio 2013. This policy setting configures the synchronization of user settings for Microsoft Visio 2013.
By default, the user settings of Microsoft Visio 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2013 from synchronization between computers. By default, the user settings of Microsoft Visio 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2013 from synchronization between computers.
- If you enable this policy setting, Microsoft Visio 2013 user settings continue to synchronize. - If you enable this policy setting, Microsoft Visio 2013 user settings continue to synchronize.
- If you disable this policy setting, Microsoft Visio 2013 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft Visio 2013 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -3630,6 +3685,7 @@ By default, the user settings of Microsoft Visio 2013 synchronize between comput
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the backup of certain user settings for Microsoft Visio 2013. This policy setting configures the backup of certain user settings for Microsoft Visio 2013.
Microsoft Visio 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2013 settings. Microsoft Visio 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2013 settings.
- If you enable this policy setting, certain user settings of Microsoft Visio 2013 will continue to be backed up. - If you enable this policy setting, certain user settings of Microsoft Visio 2013 will continue to be backed up.
- If you disable this policy setting, certain user settings of Microsoft Visio 2013 will not be backed up. - If you disable this policy setting, certain user settings of Microsoft Visio 2013 will not be backed up.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -3693,6 +3749,7 @@ Microsoft Visio 2013 has user settings that are backed up instead of synchronizi
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Word 2013. This policy setting configures the synchronization of user settings for Microsoft Word 2013.
By default, the user settings of Microsoft Word 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2013 from synchronization between computers. By default, the user settings of Microsoft Word 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2013 from synchronization between computers.
- If you enable this policy setting, Microsoft Word 2013 user settings continue to synchronize. - If you enable this policy setting, Microsoft Word 2013 user settings continue to synchronize.
- If you disable this policy setting, Microsoft Word 2013 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft Word 2013 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -3756,6 +3813,7 @@ By default, the user settings of Microsoft Word 2013 synchronize between compute
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the backup of certain user settings for Microsoft Word 2013. This policy setting configures the backup of certain user settings for Microsoft Word 2013.
Microsoft Word 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2013 settings. Microsoft Word 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2013 settings.
- If you enable this policy setting, certain user settings of Microsoft Word 2013 will continue to be backed up. - If you enable this policy setting, certain user settings of Microsoft Word 2013 will continue to be backed up.
- If you disable this policy setting, certain user settings of Microsoft Word 2013 will not be backed up. - If you disable this policy setting, certain user settings of Microsoft Word 2013 will not be backed up.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -3819,6 +3877,7 @@ Microsoft Word 2013 has user settings that are backed up instead of synchronizin
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Access 2016. This policy setting configures the synchronization of user settings for Microsoft Access 2016.
By default, the user settings of Microsoft Access 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2016 from synchronization between computers. By default, the user settings of Microsoft Access 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2016 from synchronization between computers.
- If you enable this policy setting, Microsoft Access 2016 user settings continue to synchronize. - If you enable this policy setting, Microsoft Access 2016 user settings continue to synchronize.
- If you disable this policy setting, Microsoft Access 2016 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft Access 2016 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -3882,6 +3941,7 @@ By default, the user settings of Microsoft Access 2016 synchronize between compu
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the backup of certain user settings for Microsoft Access 2016. This policy setting configures the backup of certain user settings for Microsoft Access 2016.
Microsoft Access 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2016 settings. Microsoft Access 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2016 settings.
- If you enable this policy setting, certain user settings of Microsoft Access 2016 will continue to be backed up. - If you enable this policy setting, certain user settings of Microsoft Access 2016 will continue to be backed up.
- If you disable this policy setting, certain user settings of Microsoft Access 2016 will not be backed up. - If you disable this policy setting, certain user settings of Microsoft Access 2016 will not be backed up.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -3945,6 +4005,7 @@ Microsoft Access 2016 has user settings that are backed up instead of synchroniz
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications.
By default, the user settings which are common between the Microsoft Office Suite 2016 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers. By default, the user settings which are common between the Microsoft Office Suite 2016 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers.
- If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2016 applications continue to synchronize. - If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2016 applications continue to synchronize.
- If you disable this policy setting, the user settings which are common between the Microsoft Office Suite 2016 applications are excluded from the synchronization settings. If any of the Microsoft Office Suite 2016 applications are enabled, this policy setting should not be disabled. - If you disable this policy setting, the user settings which are common between the Microsoft Office Suite 2016 applications are excluded from the synchronization settings. If any of the Microsoft Office Suite 2016 applications are enabled, this policy setting should not be disabled.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
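Review bot: In the "disable" bullet, "If any of the Microsoft Office Suite 2016 applications are enabled, this policy setting should not be disabled" leaves two things open: what "enabled" refers to (presumably the per-application synchronization policy settings), and what happens if the common settings are excluded anyway. Suggest naming the dependency explicitly and stating the consequence, so an administrator can tell whether this is a hard requirement or a recommendation.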
@ -4008,6 +4069,7 @@ By default, the user settings which are common between the Microsoft Office Suit
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2016 applications. This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2016 applications.
Microsoft Office Suite 2016 has user settings which are common between applications and are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific common Microsoft Office Suite 2016 applications. Microsoft Office Suite 2016 has user settings which are common between applications and are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific common Microsoft Office Suite 2016 applications.
- If you enable this policy setting, certain user settings which are common between the Microsoft Office Suite 2016 applications will continue to be backed up. - If you enable this policy setting, certain user settings which are common between the Microsoft Office Suite 2016 applications will continue to be backed up.
- If you disable this policy setting, certain user settings which are common between the Microsoft Office Suite 2016 applications will not be backed up. - If you disable this policy setting, certain user settings which are common between the Microsoft Office Suite 2016 applications will not be backed up.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
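Review bot: The second description sentence ends with "suppress the backup of specific common Microsoft Office Suite 2016 applications", but what is backed up is settings, not applications; the first sentence and the bullets all refer to "certain user settings which are common between the Microsoft Office Suite 2016 applications". Suggest "suppress the backup of specific settings that are common between the Microsoft Office Suite 2016 applications", which also matches the per-application backup descriptions ("suppress the backup of specific Microsoft Excel 2016 settings").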
@ -4071,6 +4133,7 @@ Microsoft Office Suite 2016 has user settings which are common between applicati
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Excel 2016. This policy setting configures the synchronization of user settings for Microsoft Excel 2016.
By default, the user settings of Microsoft Excel 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2016 from synchronization between computers. By default, the user settings of Microsoft Excel 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2016 from synchronization between computers.
- If you enable this policy setting, Microsoft Excel 2016 user settings continue to synchronize. - If you enable this policy setting, Microsoft Excel 2016 user settings continue to synchronize.
- If you disable this policy setting, Microsoft Excel 2016 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft Excel 2016 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -4134,6 +4197,7 @@ By default, the user settings of Microsoft Excel 2016 synchronize between comput
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the backup of certain user settings for Microsoft Excel 2016. This policy setting configures the backup of certain user settings for Microsoft Excel 2016.
Microsoft Excel 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2016 settings. Microsoft Excel 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2016 settings.
- If you enable this policy setting, certain user settings of Microsoft Excel 2016 will continue to be backed up. - If you enable this policy setting, certain user settings of Microsoft Excel 2016 will continue to be backed up.
- If you disable this policy setting, certain user settings of Microsoft Excel 2016 will not be backed up. - If you disable this policy setting, certain user settings of Microsoft Excel 2016 will not be backed up.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -4197,6 +4261,7 @@ Microsoft Excel 2016 has user settings that are backed up instead of synchronizi
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Lync 2016. This policy setting configures the synchronization of user settings for Microsoft Lync 2016.
By default, the user settings of Microsoft Lync 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2016 from synchronization between computers. By default, the user settings of Microsoft Lync 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2016 from synchronization between computers.
- If you enable this policy setting, Microsoft Lync 2016 user settings continue to synchronize. - If you enable this policy setting, Microsoft Lync 2016 user settings continue to synchronize.
- If you disable this policy setting, Microsoft Lync 2016 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft Lync 2016 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -4260,6 +4325,7 @@ By default, the user settings of Microsoft Lync 2016 synchronize between compute
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the backup of certain user settings for Microsoft Lync 2016. This policy setting configures the backup of certain user settings for Microsoft Lync 2016.
Microsoft Lync 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2016 settings. Microsoft Lync 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2016 settings.
- If you enable this policy setting, certain user settings of Microsoft Lync 2016 will continue to be backed up. - If you enable this policy setting, certain user settings of Microsoft Lync 2016 will continue to be backed up.
- If you disable this policy setting, certain user settings of Microsoft Lync 2016 will not be backed up. - If you disable this policy setting, certain user settings of Microsoft Lync 2016 will not be backed up.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -4323,6 +4389,7 @@ Microsoft Lync 2016 has user settings that are backed up instead of synchronizin
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for OneDrive for Business 2016. This policy setting configures the synchronization of user settings for OneDrive for Business 2016.
By default, the user settings of OneDrive for Business 2016 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2016 from synchronization between computers. By default, the user settings of OneDrive for Business 2016 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2016 from synchronization between computers.
- If you enable this policy setting, OneDrive for Business 2016 user settings continue to synchronize. - If you enable this policy setting, OneDrive for Business 2016 user settings continue to synchronize.
- If you disable this policy setting, OneDrive for Business 2016 user settings are excluded from the synchronization settings. - If you disable this policy setting, OneDrive for Business 2016 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -4386,6 +4453,7 @@ By default, the user settings of OneDrive for Business 2016 synchronize between
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft OneNote 2016. This policy setting configures the synchronization of user settings for Microsoft OneNote 2016.
By default, the user settings of Microsoft OneNote 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2016 from synchronization between computers. By default, the user settings of Microsoft OneNote 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2016 from synchronization between computers.
- If you enable this policy setting, Microsoft OneNote 2016 user settings continue to synchronize. - If you enable this policy setting, Microsoft OneNote 2016 user settings continue to synchronize.
- If you disable this policy setting, Microsoft OneNote 2016 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft OneNote 2016 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -4449,6 +4517,7 @@ By default, the user settings of Microsoft OneNote 2016 synchronize between comp
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the backup of certain user settings for Microsoft OneNote 2016. This policy setting configures the backup of certain user settings for Microsoft OneNote 2016.
Microsoft OneNote 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2016 settings. Microsoft OneNote 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2016 settings.
- If you enable this policy setting, certain user settings of Microsoft OneNote 2016 will continue to be backed up. - If you enable this policy setting, certain user settings of Microsoft OneNote 2016 will continue to be backed up.
- If you disable this policy setting, certain user settings of Microsoft OneNote 2016 will not be backed up. - If you disable this policy setting, certain user settings of Microsoft OneNote 2016 will not be backed up.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -4512,6 +4581,7 @@ Microsoft OneNote 2016 has user settings that are backed up instead of synchroni
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Outlook 2016. This policy setting configures the synchronization of user settings for Microsoft Outlook 2016.
By default, the user settings of Microsoft Outlook 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2016 from synchronization between computers. By default, the user settings of Microsoft Outlook 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2016 from synchronization between computers.
- If you enable this policy setting, Microsoft Outlook 2016 user settings continue to synchronize. - If you enable this policy setting, Microsoft Outlook 2016 user settings continue to synchronize.
- If you disable this policy setting, Microsoft Outlook 2016 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft Outlook 2016 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -4575,6 +4645,7 @@ By default, the user settings of Microsoft Outlook 2016 synchronize between comp
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the backup of certain user settings for Microsoft Outlook 2016. This policy setting configures the backup of certain user settings for Microsoft Outlook 2016.
Microsoft Outlook 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2016 settings. Microsoft Outlook 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2016 settings.
- If you enable this policy setting, certain user settings of Microsoft Outlook 2016 will continue to be backed up. - If you enable this policy setting, certain user settings of Microsoft Outlook 2016 will continue to be backed up.
- If you disable this policy setting, certain user settings of Microsoft Outlook 2016 will not be backed up. - If you disable this policy setting, certain user settings of Microsoft Outlook 2016 will not be backed up.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -4638,6 +4709,7 @@ Microsoft Outlook 2016 has user settings that are backed up instead of synchroni
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2016. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2016.
By default, the user settings of Microsoft PowerPoint 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2016 from synchronization between computers. By default, the user settings of Microsoft PowerPoint 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2016 from synchronization between computers.
- If you enable this policy setting, Microsoft PowerPoint 2016 user settings continue to synchronize. - If you enable this policy setting, Microsoft PowerPoint 2016 user settings continue to synchronize.
- If you disable this policy setting, Microsoft PowerPoint 2016 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft PowerPoint 2016 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -4701,6 +4773,7 @@ By default, the user settings of Microsoft PowerPoint 2016 synchronize between c
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2016. This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2016.
Microsoft PowerPoint 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2016 settings. Microsoft PowerPoint 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2016 settings.
- If you enable this policy setting, certain user settings of Microsoft PowerPoint 2016 will continue to be backed up. - If you enable this policy setting, certain user settings of Microsoft PowerPoint 2016 will continue to be backed up.
- If you disable this policy setting, certain user settings of Microsoft PowerPoint 2016 will not be backed up. - If you disable this policy setting, certain user settings of Microsoft PowerPoint 2016 will not be backed up.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
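Review bot: "certain user settings" in the bullets and "specific Microsoft PowerPoint 2016 settings" in the paragraph never say which settings are backed up rather than synchronized. Suggest listing them or linking to where they are defined; as written, a reader cannot tell what disabling the policy actually removes from backup.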
@ -4764,6 +4837,7 @@ Microsoft PowerPoint 2016 has user settings that are backed up instead of synchr
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Project 2016. This policy setting configures the synchronization of user settings for Microsoft Project 2016.
By default, the user settings of Microsoft Project 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2016 from synchronization between computers. By default, the user settings of Microsoft Project 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2016 from synchronization between computers.
- If you enable this policy setting, Microsoft Project 2016 user settings continue to synchronize. - If you enable this policy setting, Microsoft Project 2016 user settings continue to synchronize.
- If you disable this policy setting, Microsoft Project 2016 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft Project 2016 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
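Review bot: The third bullet, "If you do not configure this policy setting, any defined values will be deleted", says what happens to stored values but not what the resulting behavior is. The paragraph above says Microsoft Project 2016 settings synchronize by default; suggest stating in the bullet whether the not-configured state falls back to that default, so all three states describe the sync outcome.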
@ -4827,6 +4901,7 @@ By default, the user settings of Microsoft Project 2016 synchronize between comp
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the backup of certain user settings for Microsoft Project 2016. This policy setting configures the backup of certain user settings for Microsoft Project 2016.
Microsoft Project 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2016 settings. Microsoft Project 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2016 settings.
- If you enable this policy setting, certain user settings of Microsoft Project 2016 will continue to be backed up. - If you enable this policy setting, certain user settings of Microsoft Project 2016 will continue to be backed up.
- If you disable this policy setting, certain user settings of Microsoft Project 2016 will not be backed up. - If you disable this policy setting, certain user settings of Microsoft Project 2016 will not be backed up.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
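Review bot: The header `@@ -4827,6 +4901,7 @@` records one added line, yet every visible line in this hunk is unchanged context, so the addition appears to be whitespace-only. If it is the blank line separating the "Microsoft Project 2016 has user settings..." paragraph from the bullet list, that is fine, but the `<!-- Description-Source-ADMX -->` marker suggests the description is sourced from the ADMX. Worth confirming the blank line is produced at the source, since the same one-line addition repeats for every sibling policy in this file and a hand edit could be lost on the next regeneration.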
@ -4890,6 +4965,7 @@ Microsoft Project 2016 has user settings that are backed up instead of synchroni
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Publisher 2016. This policy setting configures the synchronization of user settings for Microsoft Publisher 2016.
By default, the user settings of Microsoft Publisher 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2016 from synchronization between computers. By default, the user settings of Microsoft Publisher 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2016 from synchronization between computers.
- If you enable this policy setting, Microsoft Publisher 2016 user settings continue to synchronize. - If you enable this policy setting, Microsoft Publisher 2016 user settings continue to synchronize.
- If you disable this policy setting, Microsoft Publisher 2016 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft Publisher 2016 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -4953,6 +5029,7 @@ By default, the user settings of Microsoft Publisher 2016 synchronize between co
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the backup of certain user settings for Microsoft Publisher 2016. This policy setting configures the backup of certain user settings for Microsoft Publisher 2016.
Microsoft Publisher 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2016 settings. Microsoft Publisher 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2016 settings.
- If you enable this policy setting, certain user settings of Microsoft Publisher 2016 will continue to be backed up. - If you enable this policy setting, certain user settings of Microsoft Publisher 2016 will continue to be backed up.
- If you disable this policy setting, certain user settings of Microsoft Publisher 2016 will not be backed up. - If you disable this policy setting, certain user settings of Microsoft Publisher 2016 will not be backed up.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -5016,6 +5093,7 @@ Microsoft Publisher 2016 has user settings that are backed up instead of synchro
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Office 2016 Upload Center. This policy setting configures the synchronization of user settings for Microsoft Office 2016 Upload Center.
By default, the user settings of Microsoft Office 2016 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2016 Upload Center from synchronization between computers. By default, the user settings of Microsoft Office 2016 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2016 Upload Center from synchronization between computers.
- If you enable this policy setting, Microsoft Office 2016 Upload Center user settings continue to synchronize. - If you enable this policy setting, Microsoft Office 2016 Upload Center user settings continue to synchronize.
- If you disable this policy setting, Microsoft Office 2016 Upload Center user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft Office 2016 Upload Center user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -5079,6 +5157,7 @@ By default, the user settings of Microsoft Office 2016 Upload Center synchronize
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Visio 2016. This policy setting configures the synchronization of user settings for Microsoft Visio 2016.
By default, the user settings of Microsoft Visio 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2016 from synchronization between computers. By default, the user settings of Microsoft Visio 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2016 from synchronization between computers.
- If you enable this policy setting, Microsoft Visio 2016 user settings continue to synchronize. - If you enable this policy setting, Microsoft Visio 2016 user settings continue to synchronize.
- If you disable this policy setting, Microsoft Visio 2016 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft Visio 2016 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -5142,6 +5221,7 @@ By default, the user settings of Microsoft Visio 2016 synchronize between comput
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the backup of certain user settings for Microsoft Visio 2016. This policy setting configures the backup of certain user settings for Microsoft Visio 2016.
Microsoft Visio 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2016 settings. Microsoft Visio 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2016 settings.
- If you enable this policy setting, certain user settings of Microsoft Visio 2016 will continue to be backed up. - If you enable this policy setting, certain user settings of Microsoft Visio 2016 will continue to be backed up.
- If you disable this policy setting, certain user settings of Microsoft Visio 2016 will not be backed up. - If you disable this policy setting, certain user settings of Microsoft Visio 2016 will not be backed up.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -5205,6 +5285,7 @@ Microsoft Visio 2016 has user settings that are backed up instead of synchronizi
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Word 2016. This policy setting configures the synchronization of user settings for Microsoft Word 2016.
By default, the user settings of Microsoft Word 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2016 from synchronization between computers. By default, the user settings of Microsoft Word 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2016 from synchronization between computers.
- If you enable this policy setting, Microsoft Word 2016 user settings continue to synchronize. - If you enable this policy setting, Microsoft Word 2016 user settings continue to synchronize.
- If you disable this policy setting, Microsoft Word 2016 user settings are excluded from the synchronization settings. - If you disable this policy setting, Microsoft Word 2016 user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -5268,6 +5349,7 @@ By default, the user settings of Microsoft Word 2016 synchronize between compute
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the backup of certain user settings for Microsoft Word 2016. This policy setting configures the backup of certain user settings for Microsoft Word 2016.
Microsoft Word 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2016 settings. Microsoft Word 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2016 settings.
- If you enable this policy setting, certain user settings of Microsoft Word 2016 will continue to be backed up. - If you enable this policy setting, certain user settings of Microsoft Word 2016 will continue to be backed up.
- If you disable this policy setting, certain user settings of Microsoft Word 2016 will not be backed up. - If you disable this policy setting, certain user settings of Microsoft Word 2016 will not be backed up.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -5331,6 +5413,7 @@ Microsoft Word 2016 has user settings that are backed up instead of synchronizin
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2013. This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2013.
Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2013 from synchronization between computers with UE-V. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2013 from synchronization between computers with UE-V.
- If you enable this policy setting, Microsoft Office 365 Access 2013 user settings continue to sync with UE-V. - If you enable this policy setting, Microsoft Office 365 Access 2013 user settings continue to sync with UE-V.
- If you disable this policy setting, Microsoft Office 365 Access 2013 user settings are excluded from synchronization with UE-V. - If you disable this policy setting, Microsoft Office 365 Access 2013 user settings are excluded from synchronization with UE-V.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
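Review bot: The precondition in the second paragraph is easy to miss. UE-V synchronizes these settings only "If the synchronization capabilities of Microsoft Office 365 are disabled", and the first sentence says Office 365 synchronizes certain settings on its own without UE-V. Suggest splitting the long sentence and adding a line that disabling this policy excludes the Access 2013 settings from UE-V synchronization only, so a reader does not assume it also stops Office 365's own sync.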
@ -5394,6 +5477,7 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2016. This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2016.
Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2016 from synchronization between computers with UE-V. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2016 from synchronization between computers with UE-V.
- If you enable this policy setting, Microsoft Office 365 Access 2016 user settings continue to sync with UE-V. - If you enable this policy setting, Microsoft Office 365 Access 2016 user settings continue to sync with UE-V.
- If you disable this policy setting, Microsoft Office 365 Access 2016 user settings are excluded from synchronization with UE-V. - If you disable this policy setting, Microsoft Office 365 Access 2016 user settings are excluded from synchronization with UE-V.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -5457,6 +5541,7 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications.
Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2013 applications will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers with UE-V. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2013 applications will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers with UE-V.
- If you enable this policy setting, user settings which are common between the Microsoft Office Suite 2013 applications continue to synchronize with UE-V. - If you enable this policy setting, user settings which are common between the Microsoft Office Suite 2013 applications continue to synchronize with UE-V.
- If you disable this policy setting, user settings which are common between the Microsoft Office Suite 2013 applications are excluded from synchronization with UE-V. - If you disable this policy setting, user settings which are common between the Microsoft Office Suite 2013 applications are excluded from synchronization with UE-V.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
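Review bot: "user settings which are common between the Microsoft Office Suite 2013 applications" is repeated five times in this entry and is awkward each time. The clause is restrictive, so "that are common to" reads better, and after the first mention it could be shortened to "these common settings" to make the enable and disable bullets scannable.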
@ -5520,6 +5605,7 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications.
Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2016 applications will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers with UE-V. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2016 applications will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers with UE-V.
- If you enable this policy setting, user settings which are common between the Microsoft Office Suite 2016 applications continue to synchronize with UE-V. - If you enable this policy setting, user settings which are common between the Microsoft Office Suite 2016 applications continue to synchronize with UE-V.
- If you disable this policy setting, user settings which are common between the Microsoft Office Suite 2016 applications are excluded from synchronization with UE-V. - If you disable this policy setting, user settings which are common between the Microsoft Office Suite 2016 applications are excluded from synchronization with UE-V.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -5583,6 +5669,7 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2013. This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2013.
Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2013 from synchronization between computers with UE-V. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2013 from synchronization between computers with UE-V.
- If you enable this policy setting, Microsoft Office 365 Excel 2013 user settings continue to sync with UE-V. - If you enable this policy setting, Microsoft Office 365 Excel 2013 user settings continue to sync with UE-V.
- If you disable this policy setting, Microsoft Office 365 Excel 2013 user settings are excluded from synchronization with UE-V. - If you disable this policy setting, Microsoft Office 365 Excel 2013 user settings are excluded from synchronization with UE-V.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
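Review bot: The first bullet switches to "sync" ("continue to sync with UE-V") while both paragraphs and the second bullet use "synchronize" and "synchronization". Pick one form within the entry; the Office Suite 2013 and 2016 entries above already use "continue to synchronize with UE-V", so matching that keeps the sibling policies consistent.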
@ -5646,6 +5733,7 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2016. This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2016.
Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2016 from synchronization between computers with UE-V. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2016 from synchronization between computers with UE-V.
- If you enable this policy setting, Microsoft Office 365 Excel 2016 user settings continue to sync with UE-V. - If you enable this policy setting, Microsoft Office 365 Excel 2016 user settings continue to sync with UE-V.
- If you disable this policy setting, Microsoft Office 365 Excel 2016 user settings are excluded from synchronization with UE-V. - If you disable this policy setting, Microsoft Office 365 Excel 2016 user settings are excluded from synchronization with UE-V.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -5709,6 +5797,7 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Office 365 InfoPath 2013. This policy setting configures the synchronization of user settings for Microsoft Office 365 InfoPath 2013.
Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 InfoPath 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 InfoPath 2013 from synchronization between computers with UE-V. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 InfoPath 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 InfoPath 2013 from synchronization between computers with UE-V.
- If you enable this policy setting, Microsoft Office 365 InfoPath 2013 user settings continue to sync with UE-V. - If you enable this policy setting, Microsoft Office 365 InfoPath 2013 user settings continue to sync with UE-V.
- If you disable this policy setting, Microsoft Office 365 InfoPath 2013 user settings are excluded from synchronization with UE-V. - If you disable this policy setting, Microsoft Office 365 InfoPath 2013 user settings are excluded from synchronization with UE-V.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -5772,6 +5861,7 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2013. This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2013.
Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2013 from synchronization between computers with UE-V. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2013 from synchronization between computers with UE-V.
- If you enable this policy setting, Microsoft Office 365 Lync 2013 user settings continue to sync with UE-V. - If you enable this policy setting, Microsoft Office 365 Lync 2013 user settings continue to sync with UE-V.
- If you disable this policy setting, Microsoft Office 365 Lync 2013 user settings are excluded from synchronization with UE-V. - If you disable this policy setting, Microsoft Office 365 Lync 2013 user settings are excluded from synchronization with UE-V.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -5835,6 +5925,7 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2016. This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2016.
Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2016 from synchronization between computers with UE-V. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2016 from synchronization between computers with UE-V.
- If you enable this policy setting, Microsoft Office 365 Lync 2016 user settings continue to sync with UE-V. - If you enable this policy setting, Microsoft Office 365 Lync 2016 user settings continue to sync with UE-V.
- If you disable this policy setting, Microsoft Office 365 Lync 2016 user settings are excluded from synchronization with UE-V. - If you disable this policy setting, Microsoft Office 365 Lync 2016 user settings are excluded from synchronization with UE-V.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -5898,6 +5989,7 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2013. This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2013.
Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2013 from synchronization between computers with UE-V. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2013 from synchronization between computers with UE-V.
- If you enable this policy setting, Microsoft Office 365 OneNote 2013 user settings continue to sync with UE-V. - If you enable this policy setting, Microsoft Office 365 OneNote 2013 user settings continue to sync with UE-V.
- If you disable this policy setting, Microsoft Office 365 OneNote 2013 user settings are excluded from synchronization with UE-V. - If you disable this policy setting, Microsoft Office 365 OneNote 2013 user settings are excluded from synchronization with UE-V.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
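Review bot: the last bullet, "If you do not configure this policy setting, any defined values will be deleted", does not tell an administrator whether OneNote 2013 settings keep synchronizing with UE-V in the not-configured state. The paragraph above says UE-V sync applies by default only when Office 365's own synchronization is disabled, so state the resulting behaviour explicitly and say which "defined values" are meant. The phrase "from synchronization between computers" in the description would also read better as "from synchronizing between computers". The block is marked Description-Source-ADMX, so check whether the wording has to be corrected in the ADMX source rather than here; the same sentences recur in the other Office 365 descriptions in this file.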
@ -5961,6 +6053,7 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2016. This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2016.
Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2016 from synchronization between computers with UE-V. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2016 from synchronization between computers with UE-V.
- If you enable this policy setting, Microsoft Office 365 OneNote 2016 user settings continue to sync with UE-V. - If you enable this policy setting, Microsoft Office 365 OneNote 2016 user settings continue to sync with UE-V.
- If you disable this policy setting, Microsoft Office 365 OneNote 2016 user settings are excluded from synchronization with UE-V. - If you disable this policy setting, Microsoft Office 365 OneNote 2016 user settings are excluded from synchronization with UE-V.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -6024,6 +6117,7 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2013. This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2013.
Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2013 from synchronization between computers with UE-V. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2013 from synchronization between computers with UE-V.
- If you enable this policy setting, Microsoft Office 365 Outlook 2013 user settings continue to sync with UE-V. - If you enable this policy setting, Microsoft Office 365 Outlook 2013 user settings continue to sync with UE-V.
- If you disable this policy setting, Microsoft Office 365 Outlook 2013 user settings are excluded from synchronization with UE-V. - If you disable this policy setting, Microsoft Office 365 Outlook 2013 user settings are excluded from synchronization with UE-V.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -6087,6 +6181,7 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2016. This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2016.
Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2016 from synchronization between computers with UE-V. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2016 from synchronization between computers with UE-V.
- If you enable this policy setting, Microsoft Office 365 Outlook 2016 user settings continue to sync with UE-V. - If you enable this policy setting, Microsoft Office 365 Outlook 2016 user settings continue to sync with UE-V.
- If you disable this policy setting, Microsoft Office 365 Outlook 2016 user settings are excluded from synchronization with UE-V. - If you disable this policy setting, Microsoft Office 365 Outlook 2016 user settings are excluded from synchronization with UE-V.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -6150,6 +6245,7 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2013. This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2013.
Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2013 from synchronization between computers with UE-V. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2013 from synchronization between computers with UE-V.
- If you enable this policy setting, Microsoft Office 365 PowerPoint 2013 user settings continue to sync with UE-V. - If you enable this policy setting, Microsoft Office 365 PowerPoint 2013 user settings continue to sync with UE-V.
- If you disable this policy setting, Microsoft Office 365 PowerPoint 2013 user settings are excluded from synchronization with UE-V. - If you disable this policy setting, Microsoft Office 365 PowerPoint 2013 user settings are excluded from synchronization with UE-V.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -6213,6 +6309,7 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2016. This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2016.
Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2016 from synchronization between computers with UE-V. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2016 from synchronization between computers with UE-V.
- If you enable this policy setting, Microsoft Office 365 PowerPoint 2016 user settings continue to sync with UE-V. - If you enable this policy setting, Microsoft Office 365 PowerPoint 2016 user settings continue to sync with UE-V.
- If you disable this policy setting, Microsoft Office 365 PowerPoint 2016 user settings are excluded from synchronization with UE-V. - If you disable this policy setting, Microsoft Office 365 PowerPoint 2016 user settings are excluded from synchronization with UE-V.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -6276,6 +6373,7 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2013. This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2013.
Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2013 from synchronization between computers with UE-V. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2013 from synchronization between computers with UE-V.
- If you enable this policy setting, Microsoft Office 365 Project 2013 user settings continue to sync with UE-V. - If you enable this policy setting, Microsoft Office 365 Project 2013 user settings continue to sync with UE-V.
- If you disable this policy setting, Microsoft Office 365 Project 2013 user settings are excluded from synchronization with UE-V. - If you disable this policy setting, Microsoft Office 365 Project 2013 user settings are excluded from synchronization with UE-V.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -6339,6 +6437,7 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2016. This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2016.
Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2016 from synchronization between computers with UE-V. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2016 from synchronization between computers with UE-V.
- If you enable this policy setting, Microsoft Office 365 Project 2016 user settings continue to sync with UE-V. - If you enable this policy setting, Microsoft Office 365 Project 2016 user settings continue to sync with UE-V.
- If you disable this policy setting, Microsoft Office 365 Project 2016 user settings are excluded from synchronization with UE-V. - If you disable this policy setting, Microsoft Office 365 Project 2016 user settings are excluded from synchronization with UE-V.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -6402,6 +6501,7 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2013. This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2013.
Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2013 from synchronization between computers with UE-V. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2013 from synchronization between computers with UE-V.
- If you enable this policy setting, Microsoft Office 365 Publisher 2013 user settings continue to sync with UE-V. - If you enable this policy setting, Microsoft Office 365 Publisher 2013 user settings continue to sync with UE-V.
- If you disable this policy setting, Microsoft Office 365 Publisher 2013 user settings are excluded from synchronization with UE-V. - If you disable this policy setting, Microsoft Office 365 Publisher 2013 user settings are excluded from synchronization with UE-V.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -6465,6 +6565,7 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2016. This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2016.
Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2016 from synchronization between computers with UE-V. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2016 from synchronization between computers with UE-V.
- If you enable this policy setting, Microsoft Office 365 Publisher 2016 user settings continue to sync with UE-V. - If you enable this policy setting, Microsoft Office 365 Publisher 2016 user settings continue to sync with UE-V.
- If you disable this policy setting, Microsoft Office 365 Publisher 2016 user settings are excluded from synchronization with UE-V. - If you disable this policy setting, Microsoft Office 365 Publisher 2016 user settings are excluded from synchronization with UE-V.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -6528,6 +6629,7 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Office 365 SharePoint Designer 2013. This policy setting configures the synchronization of user settings for Microsoft Office 365 SharePoint Designer 2013.
Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 SharePoint Designer 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 SharePoint Designer 2013 from synchronization between computers with UE-V. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 SharePoint Designer 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 SharePoint Designer 2013 from synchronization between computers with UE-V.
- If you enable this policy setting, Microsoft Office 365 SharePoint Designer 2013 user settings continue to sync with UE-V. - If you enable this policy setting, Microsoft Office 365 SharePoint Designer 2013 user settings continue to sync with UE-V.
- If you disable this policy setting, Microsoft Office 365 SharePoint Designer 2013 user settings are excluded from synchronization with UE-V. - If you disable this policy setting, Microsoft Office 365 SharePoint Designer 2013 user settings are excluded from synchronization with UE-V.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -6591,6 +6693,7 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2013. This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2013.
Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2013 from synchronization between computers with UE-V. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2013 from synchronization between computers with UE-V.
- If you enable this policy setting, Microsoft Office 365 Visio 2013 user settings continue to sync with UE-V. - If you enable this policy setting, Microsoft Office 365 Visio 2013 user settings continue to sync with UE-V.
- If you disable this policy setting, Microsoft Office 365 Visio 2013 user settings are excluded from synchronization with UE-V. - If you disable this policy setting, Microsoft Office 365 Visio 2013 user settings are excluded from synchronization with UE-V.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -6654,6 +6757,7 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2016. This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2016.
Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2016 from synchronization between computers with UE-V. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2016 from synchronization between computers with UE-V.
- If you enable this policy setting, Microsoft Office 365 Visio 2016 user settings continue to sync with UE-V. - If you enable this policy setting, Microsoft Office 365 Visio 2016 user settings continue to sync with UE-V.
- If you disable this policy setting, Microsoft Office 365 Visio 2016 user settings are excluded from synchronization with UE-V. - If you disable this policy setting, Microsoft Office 365 Visio 2016 user settings are excluded from synchronization with UE-V.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -6717,6 +6821,7 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2013. This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2013.
Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2013 from synchronization between computers with UE-V. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2013 from synchronization between computers with UE-V.
- If you enable this policy setting, Microsoft Office 365 Word 2013 user settings continue to sync with UE-V. - If you enable this policy setting, Microsoft Office 365 Word 2013 user settings continue to sync with UE-V.
- If you disable this policy setting, Microsoft Office 365 Word 2013 user settings are excluded from synchronization with UE-V. - If you disable this policy setting, Microsoft Office 365 Word 2013 user settings are excluded from synchronization with UE-V.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -6780,6 +6885,7 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2016. This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2016.
Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2016 from synchronization between computers with UE-V. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2016 from synchronization between computers with UE-V.
- If you enable this policy setting, Microsoft Office 365 Word 2016 user settings continue to sync with UE-V. - If you enable this policy setting, Microsoft Office 365 Word 2016 user settings continue to sync with UE-V.
- If you disable this policy setting, Microsoft Office 365 Word 2016 user settings are excluded from synchronization with UE-V. - If you disable this policy setting, Microsoft Office 365 Word 2016 user settings are excluded from synchronization with UE-V.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -6843,6 +6949,7 @@ Microsoft Office 365 synchronizes certain settings by default without UE-V. If t
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for the Music app. This policy setting configures the synchronization of user settings for the Music app.
By default, the user settings of Music sync between computers. Use the policy setting to prevent the user settings of Music from synchronizing between computers. By default, the user settings of Music sync between computers. Use the policy setting to prevent the user settings of Music from synchronizing between computers.
- If you enable this policy setting, Music user settings continue to sync. - If you enable this policy setting, Music user settings continue to sync.
- If you disable this policy setting, Music user settings are excluded from the synchronizing settings. - If you disable this policy setting, Music user settings are excluded from the synchronizing settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
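Review bot: in the disable bullet, "excluded from the synchronizing settings" is ungrammatical and differs from the News description, which says "excluded from synchronization"; pick one phrasing and use it across the app descriptions. The second sentence also switches to "Use the policy setting" where the Office 365 descriptions say "Use this policy setting".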
@ -6907,6 +7014,7 @@ By default, the user settings of Music sync between computers. Use the policy se
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for the News app. This policy setting configures the synchronization of user settings for the News app.
By default, the user settings of News sync between computers. Use the policy setting to prevent the user settings of News from synchronizing between computers. By default, the user settings of News sync between computers. Use the policy setting to prevent the user settings of News from synchronizing between computers.
- If you enable this policy setting, News user settings continue to sync. - If you enable this policy setting, News user settings continue to sync.
- If you disable this policy setting, News user settings are excluded from synchronization. - If you disable this policy setting, News user settings are excluded from synchronization.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -6971,6 +7079,7 @@ By default, the user settings of News sync between computers. Use the policy set
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings of Notepad. This policy setting configures the synchronization of user settings of Notepad.
By default, the user settings of Notepad synchronize between computers. Use the policy setting to prevent the user settings of Notepad from synchronization between computers. By default, the user settings of Notepad synchronize between computers. Use the policy setting to prevent the user settings of Notepad from synchronization between computers.
- If you enable this policy setting, the Notepad user settings continue to synchronize. - If you enable this policy setting, the Notepad user settings continue to synchronize.
- If you disable this policy setting, Notepad user settings are excluded from the synchronization settings. - If you disable this policy setting, Notepad user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -7035,6 +7144,7 @@ By default, the user settings of Notepad synchronize between computers. Use the
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for the Reader app. This policy setting configures the synchronization of user settings for the Reader app.
By default, the user settings of Reader sync between computers. Use the policy setting to prevent the user settings of Reader from synchronizing between computers. By default, the user settings of Reader sync between computers. Use the policy setting to prevent the user settings of Reader from synchronizing between computers.
- If you enable this policy setting, Reader user settings continue to sync. - If you enable this policy setting, Reader user settings continue to sync.
- If you disable this policy setting, Reader user settings are excluded from the synchronization. - If you disable this policy setting, Reader user settings are excluded from the synchronization.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -7099,6 +7209,7 @@ By default, the user settings of Reader sync between computers. Use the policy s
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the number of milliseconds that the computer waits when retrieving user settings from the settings storage location. This policy setting configures the number of milliseconds that the computer waits when retrieving user settings from the settings storage location.
You can use this setting to override the default value of 2000 milliseconds. You can use this setting to override the default value of 2000 milliseconds.
- If you enable this policy setting, set the number of milliseconds that the system waits to retrieve settings. - If you enable this policy setting, set the number of milliseconds that the system waits to retrieve settings.
- If you disable or do not configure this policy setting, the default value of 2000 milliseconds is used. - If you disable or do not configure this policy setting, the default value of 2000 milliseconds is used.
<!-- RepositoryTimeout-Description-End --> <!-- RepositoryTimeout-Description-End -->
@ -7160,6 +7271,7 @@ You can use this setting to override the default value of 2000 milliseconds.
<!-- SettingsStoragePath-Description-Begin --> <!-- SettingsStoragePath-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures where the settings package files that contain user settings are stored. This policy setting configures where the settings package files that contain user settings are stored.
- If you enable this policy setting, the user settings are stored in the specified location. - If you enable this policy setting, the user settings are stored in the specified location.
- If you disable or do not configure this policy setting, the user settings are stored in the user's home directory if configured for your environment. - If you disable or do not configure this policy setting, the user settings are stored in the user's home directory if configured for your environment.
<!-- SettingsStoragePath-Description-End --> <!-- SettingsStoragePath-Description-End -->
@ -7217,6 +7329,7 @@ This policy setting configures where the settings package files that contain use
<!-- SettingsTemplateCatalogPath-Description-Begin --> <!-- SettingsTemplateCatalogPath-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures where custom settings location templates are stored and if the catalog will be used to replace the default Microsoft templates installed with the UE-V Agent. This policy setting configures where custom settings location templates are stored and if the catalog will be used to replace the default Microsoft templates installed with the UE-V Agent.
- If you enable this policy setting, the UE-V Agent checks the specified location once each day and updates its synchronization behavior based on the templates in this location. Settings location templates added or updated since the last check are registered by the UE-V Agent. The UE-V Agent deregisters templates that were removed from this location. - If you enable this policy setting, the UE-V Agent checks the specified location once each day and updates its synchronization behavior based on the templates in this location. Settings location templates added or updated since the last check are registered by the UE-V Agent. The UE-V Agent deregisters templates that were removed from this location.
If you specify a UNC path and leave the option to replace the default Microsoft templates unchecked, the UE-V Agent will use the default Microsoft templates installed by the UE-V Agent and custom templates in the settings template catalog. If there are custom templates in the settings template catalog which use the same ID as the default Microsoft templates, they will be ignored. If you specify a UNC path and leave the option to replace the default Microsoft templates unchecked, the UE-V Agent will use the default Microsoft templates installed by the UE-V Agent and custom templates in the settings template catalog. If there are custom templates in the settings template catalog which use the same ID as the default Microsoft templates, they will be ignored.
If you specify a UNC path and check the option to replace the default Microsoft templates, all of the default Microsoft templates installed by the UE-V Agent will be deleted from the computer and only the templates located in the settings template catalog will be used. If you specify a UNC path and check the option to replace the default Microsoft templates, all of the default Microsoft templates installed by the UE-V Agent will be deleted from the computer and only the templates located in the settings template catalog will be used.
@ -7283,6 +7396,7 @@ If you specify a UNC path and check the option to replace the default Microsoft
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for the Sports app. This policy setting configures the synchronization of user settings for the Sports app.
By default, the user settings of Sports sync between computers. Use the policy setting to prevent the user settings of Sports from synchronizing between computers. By default, the user settings of Sports sync between computers. Use the policy setting to prevent the user settings of Sports from synchronizing between computers.
- If you enable this policy setting, Sports user settings continue to sync. - If you enable this policy setting, Sports user settings continue to sync.
- If you disable this policy setting, Sports user settings are excluded from synchronization. - If you disable this policy setting, Sports user settings are excluded from synchronization.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -7409,7 +7523,7 @@ This policy setting defines whether the User Experience Virtualization (UE-V) Ag
By default, the UE-V Agent does not synchronize settings over a metered connection. By default, the UE-V Agent does not synchronize settings over a metered connection.
With this setting enabled, the UE-V Agent synchronizes settings over a metered connection. With this setting enabled, the UE-V Agent synchronizes settings over a metered connection.
With this setting disabled, the UE-V Agent does not synchronize settings over a metered connection. With this setting disabled, the UE-V Agent does not synchronize settings over a metered connection.
- If you do not configure this policy setting, any defined values are deleted. If you do not configure this policy setting, any defined values are deleted.
<!-- SyncOverMeteredNetwork-Description-End --> <!-- SyncOverMeteredNetwork-Description-End -->
<!-- SyncOverMeteredNetwork-Editable-Begin --> <!-- SyncOverMeteredNetwork-Editable-Begin -->
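Review bot: The de-bulleted closing sentence reads "any defined values are deleted", but the app-specific descriptions in this same file (Reader, Sports, Travel, Video, Weather, WordPad) keep it as a bullet and say "any defined values will be deleted" for the identical not-configured case. Since this line is being touched anyway, pick one wording for the not-configured behaviour and use it across the file so readers don't infer a difference between the two groups of policies.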
@ -7473,7 +7587,7 @@ This policy setting defines whether the User Experience Virtualization (UE-V) Ag
By default, the UE-V Agent does not synchronize settings over a metered connection that is roaming. By default, the UE-V Agent does not synchronize settings over a metered connection that is roaming.
With this setting enabled, the UE-V Agent synchronizes settings over a metered connection that is roaming. With this setting enabled, the UE-V Agent synchronizes settings over a metered connection that is roaming.
With this setting disabled, the UE-V Agent will not synchronize settings over a metered connection that is roaming. With this setting disabled, the UE-V Agent will not synchronize settings over a metered connection that is roaming.
- If you do not configure this policy setting, any defined values are deleted. If you do not configure this policy setting, any defined values are deleted.
<!-- SyncOverMeteredNetworkWhenRoaming-Description-End --> <!-- SyncOverMeteredNetworkWhenRoaming-Description-End -->
<!-- SyncOverMeteredNetworkWhenRoaming-Editable-Begin --> <!-- SyncOverMeteredNetworkWhenRoaming-Editable-Begin -->
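Review bot: The three behaviour sentences in this description switch tense: the default and enabled cases say the UE-V Agent "does not synchronize" / "synchronizes", while the disabled case says it "will not synchronize". The sibling SyncOverMeteredNetwork description uses present tense for all three, so change the disabled sentence here to "does not synchronize settings over a metered connection that is roaming" to match.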
@ -7534,6 +7648,7 @@ With this setting disabled, the UE-V Agent will not synchronize settings over a
<!-- SyncProviderPingEnabled-Description-Begin --> <!-- SyncProviderPingEnabled-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to configure the User Experience Virtualization (UE-V) sync provider to ping the settings storage path before attempting to sync settings. If the ping is successful then the sync provider attempts to synchronize the settings packages. If the ping is unsuccessful then the sync provider doesn't attempt the synchronization. This policy setting allows you to configure the User Experience Virtualization (UE-V) sync provider to ping the settings storage path before attempting to sync settings. If the ping is successful then the sync provider attempts to synchronize the settings packages. If the ping is unsuccessful then the sync provider doesn't attempt the synchronization.
- If you enable this policy setting, the sync provider pings the settings storage location before synchronizing settings packages. - If you enable this policy setting, the sync provider pings the settings storage location before synchronizing settings packages.
- If you disable this policy setting, the sync provider doesn't ping the settings storage location before synchronizing settings packages. - If you disable this policy setting, the sync provider doesn't ping the settings storage location before synchronizing settings packages.
- If you do not configure this policy, any defined values will be deleted. - If you do not configure this policy, any defined values will be deleted.
@ -7596,7 +7711,7 @@ This policy setting defines the default settings sync behavior of the User Exper
By default, the UE-V Agent only synchronizes settings of those Windows apps included in the Windows App List. By default, the UE-V Agent only synchronizes settings of those Windows apps included in the Windows App List.
With this setting enabled, the settings of all Windows apps not expressly disable in the Windows App List are synchronized. With this setting enabled, the settings of all Windows apps not expressly disable in the Windows App List are synchronized.
With this setting disabled, only the settings of the Windows apps set to synchronize in the Windows App List are synchronized. With this setting disabled, only the settings of the Windows apps set to synchronize in the Windows App List are synchronized.
- If you do not configure this policy setting, any defined values are deleted. If you do not configure this policy setting, any defined values are deleted.
<!-- SyncUnlistedWindows8Apps-Description-End --> <!-- SyncUnlistedWindows8Apps-Description-End -->
<!-- SyncUnlistedWindows8Apps-Editable-Begin --> <!-- SyncUnlistedWindows8Apps-Editable-Begin -->
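Review bot: The enabled-case sentence carried through as context still has a typo: "all Windows apps not expressly disable in the Windows App List" should read "not expressly disabled". This hunk already edits the description two lines later, so it is a good place to fix it rather than leave it for another pass.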
@ -7658,6 +7773,7 @@ With this setting disabled, only the settings of the Windows apps set to synchro
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for the Travel app. This policy setting configures the synchronization of user settings for the Travel app.
By default, the user settings of Travel sync between computers. Use the policy setting to prevent the user settings of Travel from synchronizing between computers. By default, the user settings of Travel sync between computers. Use the policy setting to prevent the user settings of Travel from synchronizing between computers.
- If you enable this policy setting, Travel user settings continue to sync. - If you enable this policy setting, Travel user settings continue to sync.
- If you disable this policy setting, Travel user settings are excluded from synchronization. - If you disable this policy setting, Travel user settings are excluded from synchronization.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -7718,7 +7834,7 @@ By default, the user settings of Travel sync between computers. Use the policy s
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting enables the User Experience Virtualization (UE-V) tray icon. By default, an icon appears in the system tray that displays notifications for UE-V. This icon also provides a link to the UE-V Agent application, Company Settings Center. Users can open the Company Settings Center by right-clicking the icon and selecting Open or by double-clicking the icon. When this group policy setting is enabled, the UE-V tray icon is visible, the UE-V notifications display, and the Company Settings Center is accessible from the tray icon. This policy setting enables the User Experience Virtualization (UE-V) tray icon. By default, an icon appears in the system tray that displays notifications for UE-V. This icon also provides a link to the UE-V Agent application, Company Settings Center. Users can open the Company Settings Center by right-clicking the icon and selecting Open or by double-clicking the icon. When this group policy setting is enabled, the UE-V tray icon is visible, the UE-V notifications display, and the Company Settings Center is accessible from the tray icon.
With this setting disabled, the tray icon does not appear in the system tray, UE-V never displays notifications, and the user cannot access Company Settings Center from the system tray. The Company Settings Center remains accessible through the Control Panel and the Start menu or Start screen. With this setting disabled, the tray icon does not appear in the system tray, UE-V never displays notifications, and the user cannot access Company Settings Center from the system tray. The Company Settings Center remains accessible through the Control Panel and the Start menu or Start screen.
- If you do not configure this policy setting, any defined values are deleted. If you do not configure this policy setting, any defined values are deleted.
<!-- TrayIconEnabled-Description-End --> <!-- TrayIconEnabled-Description-End -->
<!-- TrayIconEnabled-Editable-Begin --> <!-- TrayIconEnabled-Editable-Begin -->
@ -7780,6 +7896,7 @@ With this setting disabled, the tray icon does not appear in the system tray, UE
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for the Video app. This policy setting configures the synchronization of user settings for the Video app.
By default, the user settings of Video sync between computers. Use the policy setting to prevent the user settings of Video from synchronizing between computers. By default, the user settings of Video sync between computers. Use the policy setting to prevent the user settings of Video from synchronizing between computers.
- If you enable this policy setting, Video user settings continue to sync. - If you enable this policy setting, Video user settings continue to sync.
- If you disable this policy setting, Video user settings are excluded from synchronization. - If you disable this policy setting, Video user settings are excluded from synchronization.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -7844,6 +7961,7 @@ By default, the user settings of Video sync between computers. Use the policy se
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings for the Weather app. This policy setting configures the synchronization of user settings for the Weather app.
By default, the user settings of Weather sync between computers. Use the policy setting to prevent the user settings of Weather from synchronizing between computers. By default, the user settings of Weather sync between computers. Use the policy setting to prevent the user settings of Weather from synchronizing between computers.
- If you enable this policy setting, Weather user settings continue to sync. - If you enable this policy setting, Weather user settings continue to sync.
- If you disable this policy setting, Weather user settings are excluded from synchronization. - If you disable this policy setting, Weather user settings are excluded from synchronization.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
@ -7908,6 +8026,7 @@ By default, the user settings of Weather sync between computers. Use the policy
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures the synchronization of user settings of WordPad. This policy setting configures the synchronization of user settings of WordPad.
By default, the user settings of WordPad synchronize between computers. Use the policy setting to prevent the user settings of WordPad from synchronization between computers. By default, the user settings of WordPad synchronize between computers. Use the policy setting to prevent the user settings of WordPad from synchronization between computers.
- If you enable this policy setting, the WordPad user settings continue to synchronize. - If you enable this policy setting, the WordPad user settings continue to synchronize.
- If you disable this policy setting, WordPad user settings are excluded from the synchronization settings. - If you disable this policy setting, WordPad user settings are excluded from the synchronization settings.
- If you do not configure this policy setting, any defined values will be deleted. - If you do not configure this policy setting, any defined values will be deleted.
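Review bot: The WordPad description has two wording slips that the other app descriptions in this file do not: "prevent the user settings of WordPad from synchronization between computers" should be "from synchronizing between computers", and the disable bullet says settings are "excluded from the synchronization settings" where the Sports, Travel, Video and Weather bullets say "excluded from synchronization". Suggest aligning both phrases with the sibling policies while this block is being reformatted.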

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_UserProfiles Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -42,7 +42,7 @@ ms.topic: reference
<!-- CleanupProfiles-Description-Begin --> <!-- CleanupProfiles-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows an administrator to automatically delete user profiles on system restart that have not been used within a specified number of days This policy setting allows an administrator to automatically delete user profiles on system restart that have not been used within a specified number of days.
> [!NOTE] > [!NOTE]
> One day is interpreted as 24 hours after a specific user profile was accessed. > One day is interpreted as 24 hours after a specific user profile was accessed.
@ -373,7 +373,7 @@ This policy setting and related policy settings in this folder together define t
- If you enable this policy setting, you can change how long Windows waits for a response from the server before considering the connection to be slow. - If you enable this policy setting, you can change how long Windows waits for a response from the server before considering the connection to be slow.
- If you disable or do not configure this policy setting, Windows considers the network connection to be slow if the server returns less than 500 kilobits of data per second or take 120 milliseconds to respond. Consider increasing this value for clients using DHCP Service-assigned addresses or for computers accessing profiles across dial-up connections - If you disable or do not configure this policy setting, Windows considers the network connection to be slow if the server returns less than 500 kilobits of data per second or take 120 milliseconds to respond. Consider increasing this value for clients using DHCP Service-assigned addresses or for computers accessing profiles across dial-up connections.
> [!IMPORTANT] > [!IMPORTANT]
> If the "Do not detect slow network connections" policy setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection. > If the "Do not detect slow network connections" policy setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection.
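Review bot: The changed bullet gains its missing period but keeps a subject-verb error in the same sentence: "if the server returns less than 500 kilobits of data per second or take 120 milliseconds to respond" should be "or takes 120 milliseconds to respond". Worth fixing in this edit since the line is already modified.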
@ -507,7 +507,7 @@ This setting prevents users from managing the ability to allow apps to access th
"Always off" - users will not be able to change this setting and the user's name and account picture will not be shared with apps (not desktop apps). In addition apps (not desktop apps) that have the enterprise authentication capability will not be able to retrieve the user's UPN, SIP/URI, and DNS. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources. "Always off" - users will not be able to change this setting and the user's name and account picture will not be shared with apps (not desktop apps). In addition apps (not desktop apps) that have the enterprise authentication capability will not be able to retrieve the user's UPN, SIP/URI, and DNS. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources.
If you do not configure or disable this policy the user will have full control over this setting and can turn it off and on. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources if users choose to turn the setting off. - If you do not configure or disable this policy the user will have full control over this setting and can turn it off and on. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources if users choose to turn the setting off.
<!-- UserInfoAccessAction-Description-End --> <!-- UserInfoAccessAction-Description-End -->
<!-- UserInfoAccessAction-Editable-Begin --> <!-- UserInfoAccessAction-Editable-Begin -->
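Review bot: The new "- " prefix on "If you do not configure or disable this policy ..." turns that paragraph into a one-item list sitting directly under the quoted "Always off" paragraph, which is not a list item, and it pulls the follow-on sentence "Selecting this option may have a negative impact ..." into the bullet as well. Other hunks in this commit remove exactly this kind of lone bullet (for example the SyncOverMeteredNetwork and TrayIconEnabled descriptions), so either drop the bullet here or present the "Always on" / "Always off" / not-configured cases as one consistent list.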

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_W32Time Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -46,7 +46,7 @@ This policy setting allows you to specify Clock discipline and General values fo
- If this policy setting is enabled, W32time Service on target machines use the settings provided here. Otherwise, the service on target machines use locally configured settings values. - If this policy setting is enabled, W32time Service on target machines use the settings provided here. Otherwise, the service on target machines use locally configured settings values.
For more details on individual parameters, combinations of parameter values as well as definitions of flags, see <https://go.microsoft.com/fwlink/?linkid=847809>. For more details on individual parameters, combinations of parameter values as well as definitions of flags, see< https://go.microsoft.com/fwlink/?linkid=847809>.
FrequencyCorrectRate FrequencyCorrectRate
This parameter controls the rate at which the W32time corrects the local clock's frequency. Lower values cause larger corrections; larger values cause smaller corrections. Default: 4 (scalar). This parameter controls the rate at which the W32time corrects the local clock's frequency. Lower values cause larger corrections; larger values cause smaller corrections. Default: 4 (scalar).
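Review bot: The changed "For more details ..." line breaks the link: "see <https://go.microsoft.com/fwlink/?linkid=847809>" becomes "see< https://go.microsoft.com/fwlink/?linkid=847809>", moving the space from before the angle bracket to inside it. An autolink needs the URL to follow "<" with no whitespace, so the new form will likely render as literal text instead of a link. Restore the original spacing before merging. Separately, the context bullet above has "W32time Service on target machines use", which should be "uses" in both sentences.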

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_WCM Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -109,9 +109,9 @@ This policy setting determines whether Windows will soft-disconnect a computer f
- If this policy setting is disabled, Windows will disconnect a computer from a network immediately when it determines that the computer should no longer be connected to a network. - If this policy setting is disabled, Windows will disconnect a computer from a network immediately when it determines that the computer should no longer be connected to a network.
When soft disconnect is enabled: When soft disconnect is enabled:
- When Windows decides that the computer should no longer be connected to a network, it waits for traffic to settle on that network. The existing TCP session will continue uninterrupted. - When Windows decides that the computer should no longer be connected to a network, it waits for traffic to settle on that network. The existing TCP session will continue uninterrupted.
- Windows then checks the traffic level on the network periodically. If the traffic level is above a certain threshold, no further action is taken. The computer stays connected to the network and continues to use it. For example, if the network connection is currently being used to download files from the Internet, the files will continue to be downloaded using that network connection. - Windows then checks the traffic level on the network periodically. If the traffic level is above a certain threshold, no further action is taken. The computer stays connected to the network and continues to use it. For example, if the network connection is currently being used to download files from the Internet, the files will continue to be downloaded using that network connection.
- When the network traffic drops below this threshold, the computer will be disconnected from the network. Apps that keep a network connection active even when they're not actively using it (for example, email apps) might lose their connection. If this happens, these apps should re-establish their connection over a different network. - When the network traffic drops below this threshold, the computer will be disconnected from the network. Apps that keep a network connection active even when they're not actively using it (for example, email apps) might lose their connection. If this happens, these apps should re-establish their connection over a different network.
This policy setting depends on other group policy settings. For example, if 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is disabled, Windows will not disconnect from any networks. This policy setting depends on other group policy settings. For example, if 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is disabled, Windows will not disconnect from any networks.
<!-- WCM_EnableSoftDisconnect-Description-End --> <!-- WCM_EnableSoftDisconnect-Description-End -->

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_WindowsExplorer Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 02/10/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -357,6 +357,7 @@ This disables access to user-defined properties, and properties stored in NTFS s
<!-- DisableIndexedLibraryExperience-Description-Begin --> <!-- DisableIndexedLibraryExperience-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to turn off Windows Libraries features that need indexed file metadata to function properly. This policy setting allows you to turn off Windows Libraries features that need indexed file metadata to function properly.
- If you enable this policy, some Windows Libraries features will be turned off to better handle included folders that have been redirected to non-indexed network locations. - If you enable this policy, some Windows Libraries features will be turned off to better handle included folders that have been redirected to non-indexed network locations.
Setting this policy will: Setting this policy will:
* Disable all Arrangement views except for "By Folder" * Disable all Arrangement views except for "By Folder"
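Review bot: This description now mixes list markers: the enable condition is a "-" bullet, and the consequences under "Setting this policy will:" use "*" bullets at the same indentation level. Depending on the renderer, that produces either two separate lists or an unintended break between them, and the "Setting this policy will:" lead-in falls outside the enable bullet it belongs to. Suggest using one marker style and indenting the consequence list under the enable bullet.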
@ -681,8 +682,7 @@ For more information, see [Microsoft Defender SmartScreen](/windows/security/thr
<!-- EnforceShellExtensionSecurity-Description-Begin --> <!-- EnforceShellExtensionSecurity-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This setting is designed to ensure that shell extensions can operate on a per-user basis. This setting is designed to ensure that shell extensions can operate on a per-user basis. If you enable this setting, Windows is directed to only run those shell extensions that have either been approved by an administrator or that will not impact other users of the machine.
- If you enable this setting, Windows is directed to only run those shell extensions that have either been approved by an administrator or that will not impact other users of the machine.
A shell extension only runs if there is an entry in at least one of the following locations in registry. A shell extension only runs if there is an entry in at least one of the following locations in registry.
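Review bot: Folding the enable sentence into the opening paragraph reads fine, but the sentence that follows in this hunk, "A shell extension only runs if there is an entry in at least one of the following locations in registry.", is missing an article ("in the registry"). Since this is a security-relevant setting that gates which shell extensions load, the description should also make clear that the registry-entry requirement applies only when the setting is enabled; as written, the merged paragraph and this sentence are separated and the condition is easy to miss.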
@ -749,6 +749,7 @@ For shell extensions to run on a per-user basis, there must be an entry at HKEY_
<!-- ExplorerRibbonStartsMinimized-Description-Begin --> <!-- ExplorerRibbonStartsMinimized-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to specify whether the ribbon appears minimized or in full when new File Explorer windows are opened. This policy setting allows you to specify whether the ribbon appears minimized or in full when new File Explorer windows are opened.
- If you enable this policy setting, you can set how the ribbon appears the first time users open File Explorer and whenever they open new windows. - If you enable this policy setting, you can set how the ribbon appears the first time users open File Explorer and whenever they open new windows.
- If you disable or do not configure this policy setting, users can choose how the ribbon appears when they open new windows. - If you disable or do not configure this policy setting, users can choose how the ribbon appears when they open new windows.
<!-- ExplorerRibbonStartsMinimized-Description-End --> <!-- ExplorerRibbonStartsMinimized-Description-End -->
@ -2776,7 +2777,7 @@ Also, see the "Prevent access to drives from My Computer" policy setting.
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Removes all computers outside of the user's workgroup or local domain from lists of network resources in File Explorer and Network Locations. Removes all computers outside of the user's workgroup or local domain from lists of network resources in File Explorer and Network Locations.
- If you enable this setting, the system removes the Entire Network option and the icons representing networked computers from Network Locations and from the browser associated with the Map Network Drive option. If you enable this setting, the system removes the Entire Network option and the icons representing networked computers from Network Locations and from the browser associated with the Map Network Drive option.
This setting does not prevent users from viewing or connecting to computers in their workgroup or domain. It also does not prevent users from connecting to remote computers by other commonly used methods, such as by typing the share name in the Run dialog box or the Map Network Drive dialog box. This setting does not prevent users from viewing or connecting to computers in their workgroup or domain. It also does not prevent users from connecting to remote computers by other commonly used methods, such as by typing the share name in the Run dialog box or the Map Network Drive dialog box.
@ -2900,6 +2901,7 @@ This setting does not prevent users from using other methods to perform tasks av
Removes the list of most recently used files from the Open dialog box. Removes the list of most recently used files from the Open dialog box.
- If you disable this setting or do not configure it, the "File name" field includes a drop-down list of recently used files. - If you disable this setting or do not configure it, the "File name" field includes a drop-down list of recently used files.
- If you enable this setting, the "File name" field is a simple text box. Users must browse directories to find a file or type a file name in the text box. - If you enable this setting, the "File name" field is a simple text box. Users must browse directories to find a file or type a file name in the text box.
This setting, and others in this folder, lets you remove new features added in Windows 2000 Professional, so that the Open dialog box looks like it did in Windows NT 4.0 and earlier. These policies only affect programs that use the standard Open dialog box provided to developers of Windows programs. This setting, and others in this folder, lets you remove new features added in Windows 2000 Professional, so that the Open dialog box looks like it did in Windows NT 4.0 and earlier. These policies only affect programs that use the standard Open dialog box provided to developers of Windows programs.
@ -3213,7 +3215,7 @@ When a Windows client is in a workgroup, a Shared Documents icon appears in the
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Prevents users from using File Explorer or Network Locations to map or disconnect network drives. Prevents users from using File Explorer or Network Locations to map or disconnect network drives.
- If you enable this setting, the system removes the Map Network Drive and Disconnect Network Drive commands from the toolbar and Tools menus in File Explorer and Network Locations and from menus that appear when you right-click the File Explorer or Network Locations icons. If you enable this setting, the system removes the Map Network Drive and Disconnect Network Drive commands from the toolbar and Tools menus in File Explorer and Network Locations and from menus that appear when you right-click the File Explorer or Network Locations icons.
This setting does not prevent users from connecting to another computer by typing the name of a shared folder in the Run dialog box. This setting does not prevent users from connecting to another computer by typing the name of a shared folder in the Run dialog box.
@ -3465,6 +3467,7 @@ Prevents users from submitting alternate logon credentials to install a program.
This setting suppresses the "Install Program As Other User" dialog box for local and network installations. This dialog box, which prompts the current user for the user name and password of an administrator, appears when users who are not administrators try to install programs locally on their computers. This setting allows administrators who have logged on as regular users to install programs without logging off and logging on again using their administrator credentials. This setting suppresses the "Install Program As Other User" dialog box for local and network installations. This dialog box, which prompts the current user for the user name and password of an administrator, appears when users who are not administrators try to install programs locally on their computers. This setting allows administrators who have logged on as regular users to install programs without logging off and logging on again using their administrator credentials.
Many programs can be installed only by an administrator. Many programs can be installed only by an administrator.
- If you enable this setting and a user does not have sufficient permissions to install a program, the installation continues with the current user's logon credentials. As a result, the installation might fail, or it might complete but not include all features. Or, it might appear to complete successfully, but the installed program might not operate correctly. - If you enable this setting and a user does not have sufficient permissions to install a program, the installation continues with the current user's logon credentials. As a result, the installation might fail, or it might complete but not include all features. Or, it might appear to complete successfully, but the installed program might not operate correctly.
- If you disable this setting or do not configure it, the "Install Program As Other User" dialog box appears whenever users install programs locally on the computer. - If you disable this setting or do not configure it, the "Install Program As Other User" dialog box appears whenever users install programs locally on the computer.
@ -3525,6 +3528,7 @@ By default, users are not prompted for alternate logon credentials when installi
<!-- NoSearchInternetTryHarderButton-Description-Begin --> <!-- NoSearchInternetTryHarderButton-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
- If you enable this policy, the "Internet" "Search again" link will not be shown when the user performs a search in the Explorer window. - If you enable this policy, the "Internet" "Search again" link will not be shown when the user performs a search in the Explorer window.
- If you disable this policy, there will be an "Internet" "Search again" link when the user performs a search in the Explorer window. This button launches a search in the default browser with the search terms. - If you disable this policy, there will be an "Internet" "Search again" link when the user performs a search in the Explorer window. This button launches a search in the default browser with the search terms.
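Review bot: The NoSearchInternetTryHarderButton bullets call the control an "Internet" "Search again" link, but the closing sentence of the second bullet refers to it as "This button". Use one term throughout, and consider dropping the doubled quotation marks around "Internet" and "Search again" so the label reads as a single name.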
@ -3714,6 +3718,7 @@ This policy setting does not affect the Search items on the File Explorer contex
<!-- NoStrCmpLogical-Description-Begin --> <!-- NoStrCmpLogical-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to have file names sorted literally (as in Windows 2000 and earlier) rather than in numerical order. This policy setting allows you to have file names sorted literally (as in Windows 2000 and earlier) rather than in numerical order.
- If you enable this policy setting, File Explorer will sort file names by each digit in a file name (for example, 111 < 22 < 3). - If you enable this policy setting, File Explorer will sort file names by each digit in a file name (for example, 111 < 22 < 3).
- If you disable or do not configure this policy setting, File Explorer will sort file names by increasing number value (for example, 3 < 22 < 111). - If you disable or do not configure this policy setting, File Explorer will sort file names by increasing number value (for example, 3 < 22 < 111).
<!-- NoStrCmpLogical-Description-End --> <!-- NoStrCmpLogical-Description-End -->
@ -3773,7 +3778,7 @@ This policy setting allows you to have file names sorted literally (as in Window
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Removes shortcut menus from the desktop and File Explorer. Shortcut menus appear when you right-click an item. Removes shortcut menus from the desktop and File Explorer. Shortcut menus appear when you right-click an item.
- If you enable this setting, menus do not appear when you right-click the desktop or when you right-click the items in File Explorer. This setting does not prevent users from using other methods to issue commands available on the shortcut menus. If you enable this setting, menus do not appear when you right-click the desktop or when you right-click the items in File Explorer. This setting does not prevent users from using other methods to issue commands available on the shortcut menus.
<!-- NoViewContextMenu-Description-End --> <!-- NoViewContextMenu-Description-End -->
<!-- NoViewContextMenu-Editable-Begin --> <!-- NoViewContextMenu-Editable-Begin -->
@ -3831,7 +3836,7 @@ Removes shortcut menus from the desktop and File Explorer. Shortcut menus appear
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Prevents users from using My Computer to gain access to the content of selected drives. Prevents users from using My Computer to gain access to the content of selected drives.
- If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives. If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives.
To use this setting, select a drive or combination of drives from the drop-down list. To allow access to all drive directories, disable this setting or select the "Do not restrict drives" option from the drop-down list. To use this setting, select a drive or combination of drives from the drop-down list. To allow access to all drive directories, disable this setting or select the "Do not restrict drives" option from the drop-down list.
@ -4039,7 +4044,7 @@ The list of Common Shell Folders that may be specified:
Desktop, Recent Places, Documents, Pictures, Music, Recently Changed, Attachments and Saved Searches. Desktop, Recent Places, Documents, Pictures, Music, Recently Changed, Attachments and Saved Searches.
- If you disable or do not configure this setting the default list of items will be displayed in the Places Bar. If you disable or do not configure this setting the default list of items will be displayed in the Places Bar.
> [!NOTE] > [!NOTE]
> In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. > In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style.
@ -4101,7 +4106,7 @@ Prompts users for alternate logon credentials during network-based installations
This setting displays the "Install Program As Other User" dialog box even when a program is being installed from files on a network computer across a local area network connection. This setting displays the "Install Program As Other User" dialog box even when a program is being installed from files on a network computer across a local area network connection.
- If you disable this setting or do not configure it, this dialog box appears only when users are installing programs from local media. If you disable this setting or do not configure it, this dialog box appears only when users are installing programs from local media.
The "Install Program as Other User" dialog box prompts the current user for the user name and password of an administrator. This setting allows administrators who have logged on as regular users to install programs without logging off and logging on again using their administrator credentials. The "Install Program as Other User" dialog box prompts the current user for the user name and password of an administrator. This setting allows administrators who have logged on as regular users to install programs without logging off and logging on again using their administrator credentials.
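Review bot: The dialog box name is capitalised two ways in this hunk: "Install Program As Other User" in the first paragraph and "Install Program as Other User" in the last one. Since this hunk already touches the wording, settle on the spelling the dialog box itself uses so the name can be searched for consistently.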

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_WinLogon Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -45,6 +45,7 @@ ms.topic: reference
Specifies an alternate user interface. Specifies an alternate user interface.
The Explorer program (%windir%\explorer.exe) creates the familiar Windows interface, but you can use this setting to specify an alternate interface. The Explorer program (%windir%\explorer.exe) creates the familiar Windows interface, but you can use this setting to specify an alternate interface.
- If you enable this setting, the system starts the interface you specify instead of Explorer.exe. - If you enable this setting, the system starts the interface you specify instead of Explorer.exe.
To use this setting, copy your interface program to a network share or to your system drive. Then, enable this setting, and type the name of the interface program, including the file name extension, in the Shell name text box. If the interface program file is not located in a folder specified in the Path environment variable for your system, enter the fully qualified path to the file. To use this setting, copy your interface program to a network share or to your system drive. Then, enable this setting, and type the name of the interface program, including the file name extension, in the Shell name text box. If the interface program file is not located in a folder specified in the Path environment variable for your system, enter the fully qualified path to the file.
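Review bot: The last paragraph of the Shell description lets the reader enter only the file name when the program's folder is in the Path environment variable, and suggests a network share as a location, without saying anything about who can write to that location. Because the named program is started instead of Explorer.exe, suggest adding a note that recommends always entering the fully qualified path and keeping the file somewhere standard users cannot modify.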
@ -176,7 +177,7 @@ This policy controls whether the logged on user should be notified when his logo
- If you disable or do not configure this setting, users receive warnings before the logon hours expire, if actions have been set to occur when the logon hours expire. - If you disable or do not configure this setting, users receive warnings before the logon hours expire, if actions have been set to occur when the logon hours expire.
> [!NOTE] > [!NOTE]
> If you configure this setting, you might want to examine and appropriately configure the "Set action to take when logon hours expire" setting. If "Set action to take when logon hours expire" is disabled or not configured, the "Remove logon hours expiration warnings" setting will have no effect, and users receive no warnings about logon hour expiration > If you configure this setting, you might want to examine and appropriately configure the "Set action to take when logon hours expire" setting. If "Set action to take when logon hours expire" is disabled or not configured, the "Remove logon hours expiration warnings" setting will have no effect, and users receive no warnings about logon hour expiration.
<!-- LogonHoursNotificationPolicyDescription-Description-End --> <!-- LogonHoursNotificationPolicyDescription-Description-End -->
<!-- LogonHoursNotificationPolicyDescription-Editable-Begin --> <!-- LogonHoursNotificationPolicyDescription-Editable-Begin -->
@ -243,7 +244,7 @@ If you choose to log off a user, the user cannot log on again except during perm
- If you disable or do not configure this setting, the system takes no action when the user's logon hours expire. The user can continue the existing session, but cannot log on to a new session. - If you disable or do not configure this setting, the system takes no action when the user's logon hours expire. The user can continue the existing session, but cannot log on to a new session.
> [!NOTE] > [!NOTE]
> If you configure this setting, you might want to examine and appropriately configure the "Remove logon hours expiration warnings" setting > If you configure this setting, you might want to examine and appropriately configure the "Remove logon hours expiration warnings" setting.
<!-- LogonHoursPolicyDescription-Description-End --> <!-- LogonHoursPolicyDescription-Description-End -->
<!-- LogonHoursPolicyDescription-Editable-Begin --> <!-- LogonHoursPolicyDescription-Editable-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_WorkFoldersClient Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -165,7 +165,7 @@ This policy setting specifies the Work Folders server for affected users, as wel
The "Work Folders URL" can specify either the URL used by the organization for Work Folders discovery, or the specific URL of the file server that stores the affected users' data. The "Work Folders URL" can specify either the URL used by the organization for Work Folders discovery, or the specific URL of the file server that stores the affected users' data.
The "Work Folders Local Path" specifies the local folder used on the client machine to sync files. This path may contain environment variables The "Work Folders Local Path" specifies the local folder used on the client machine to sync files. This path may contain environment variables.
> [!NOTE] > [!NOTE]
> In order for this configuration to take effect, a valid 'Work Folders URL' must also be specified. > In order for this configuration to take effect, a valid 'Work Folders URL' must also be specified.
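Review bot: The note on the last line quotes the setting name in single quotes ('Work Folders URL') while the two paragraphs above it use double quotes ("Work Folders URL", "Work Folders Local Path"). Align the quoting while the punctuation in this block is being fixed.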

View File

@ -4,7 +4,7 @@ description: Learn more about the ApplicationDefaults Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -36,8 +36,19 @@ ms.topic: reference
<!-- DefaultAssociationsConfiguration-OmaUri-End --> <!-- DefaultAssociationsConfiguration-OmaUri-End -->
<!-- DefaultAssociationsConfiguration-Description-Begin --> <!-- DefaultAssociationsConfiguration-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc. xml), and then needs to be base64 encoded before being added to SyncML. If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied. This policy specifies the path to a file (e.g. either stored locally or on a network location) that contains file type and protocol default application associations. This file can be created using the DISM tool.
For example:
Dism.exe /Online /Export-DefaultAppAssociations:C:\AppAssoc.txt
For more information, refer to the DISM documentation on TechNet.
If this group policy is enabled and the client machine is domain-joined, the file will be processed and default associations will be applied at logon time.
If the group policy is not configured, disabled, or the client machine is not domain-joined, no default associations will be applied at logon time.
If the policy is enabled, disabled, or not configured, users will still be able to override default file type and protocol associations.
<!-- DefaultAssociationsConfiguration-Description-End --> <!-- DefaultAssociationsConfiguration-Description-End -->
<!-- DefaultAssociationsConfiguration-Editable-Begin --> <!-- DefaultAssociationsConfiguration-Editable-Begin -->
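Review bot: The rewritten DefaultAssociationsConfiguration description drops the MDM-specific instructions the old line carried, namely that the exported file must be base64 encoded before being added to SyncML and that the associations apply on Azure Active Directory joined clients. The new text speaks only of a file path, group policy and domain-joined machines, which does not tell a reader of this Policy CSP page how to supply the value. Suggest restoring that guidance (the Editable block that follows is a natural place), reconciling the export example, which now writes C:\AppAssoc.txt where the old text exported an .xml file, and replacing "refer to the DISM documentation on TechNet" with a direct link.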
@ -60,7 +71,7 @@ This policy allows an administrator to set default file type and protocol associ
|:--|:--| |:--|:--|
| Name | DefaultAssociationsConfiguration | | Name | DefaultAssociationsConfiguration |
| Friendly Name | Set a default associations configuration file | | Friendly Name | Set a default associations configuration file |
| Element Name | Default Associations Configuration File | | Element Name | Default Associations Configuration File. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | WindowsComponents > File Explorer | | Path | WindowsComponents > File Explorer |
| Registry Key Name | Software\Policies\Microsoft\Windows\System | | Registry Key Name | Software\Policies\Microsoft\Windows\System |
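Review bot: The Element Name cell now ends with a period ("Default Associations Configuration File."), which reads as stray punctuation in a table where no other value has one. Unless the element label really carries a trailing period in the ADMX source, drop it so the name matches what an administrator sees in the policy editor.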
@ -147,7 +158,7 @@ Enabling this policy setting enables web-to-app linking so that apps can be laun
Disabling this policy disables web-to-app linking and http(s) URIs will be opened in the default browser instead of launching the associated app. Disabling this policy disables web-to-app linking and http(s) URIs will be opened in the default browser instead of launching the associated app.
- If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot.
<!-- EnableAppUriHandlers-Description-End --> <!-- EnableAppUriHandlers-Description-End -->
<!-- EnableAppUriHandlers-Editable-Begin --> <!-- EnableAppUriHandlers-Editable-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the ApplicationManagement Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -309,8 +309,7 @@ Allows or denies development of Microsoft Store applications and installing them
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Windows Game Recording and Broadcasting. Windows Game Recording and Broadcasting.
This setting enables or disables the Windows Game Recording and Broadcasting features. This setting enables or disables the Windows Game Recording and Broadcasting features. If you disable this setting, Windows Game Recording will not be allowed.
- If you disable this setting, Windows Game Recording will not be allowed.
If the setting is enabled or not configured, then Recording and Broadcasting (streaming) will be allowed. If the setting is enabled or not configured, then Recording and Broadcasting (streaming) will be allowed.
<!-- AllowGameDVR-Description-End --> <!-- AllowGameDVR-Description-End -->
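Review bot: The merged AllowGameDVR sentence says that disabling the setting blocks "Windows Game Recording" only, while the following line says enabling it allows "Recording and Broadcasting (streaming)", so the text leaves open whether disabling also turns off broadcasting. State both features in the disable sentence if both are affected, and use the same conditional form in both sentences ("If you disable ...", "If you enable or do not configure ...").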
@ -446,7 +445,7 @@ Manages a Windows app's ability to share data between users who have installed t
<!-- AllowStore-Description-Begin --> <!-- AllowStore-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy is deprecated This policy is deprecated.
<!-- AllowStore-Description-End --> <!-- AllowStore-Description-End -->
<!-- AllowStore-Editable-Begin --> <!-- AllowStore-Editable-Begin -->
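Review bot: "This policy is deprecated." in the AllowStore description gains a period but still names neither the Windows version from which the policy is deprecated nor a setting that replaces it. The same holds for the identical ApplicationRestrictions line in the next hunk. If that information exists, the AllowStore-Editable block that follows is the place to add it.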
@ -498,7 +497,7 @@ This policy is deprecated
<!-- ApplicationRestrictions-Description-Begin --> <!-- ApplicationRestrictions-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy is deprecated This policy is deprecated.
<!-- ApplicationRestrictions-Description-End --> <!-- ApplicationRestrictions-Description-End -->
<!-- ApplicationRestrictions-Editable-Begin --> <!-- ApplicationRestrictions-Editable-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the AppVirtualization Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -1526,7 +1526,7 @@ Specifies that streamed package contents will be not be saved to the local hard
<!-- StreamingSupportBranchCache-Description-Begin --> <!-- StreamingSupportBranchCache-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache.
<!-- StreamingSupportBranchCache-Description-End --> <!-- StreamingSupportBranchCache-Description-End -->
<!-- StreamingSupportBranchCache-Editable-Begin --> <!-- StreamingSupportBranchCache-Editable-Begin -->
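Review bot: The changed StreamingSupportBranchCache line still spells the feature "BrancheCache" in its first sentence, while the next two sentences use "BranchCache". Fix the spelling in the same edit that adds the closing period, and since the description is marked Description-Source-ADMX, correct it in that source as well so it does not come back on regeneration.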

View File

@ -4,7 +4,7 @@ description: Learn more about the Audit Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 02/10/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -98,7 +98,8 @@ Volume: High on domain controllers.
<!-- AccountLogon_AuditKerberosAuthenticationService-Description-Begin --> <!-- AccountLogon_AuditKerberosAuthenticationService-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests. If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful requests and Failure audits record unsuccessful requests. This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests.
- If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful requests and Failure audits record unsuccessful requests.
- If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT request. - If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT request.
<!-- AccountLogon_AuditKerberosAuthenticationService-Description-End --> <!-- AccountLogon_AuditKerberosAuthenticationService-Description-End -->
@ -160,7 +161,8 @@ Volume: High on Kerberos Key Distribution Center servers.
<!-- AccountLogon_AuditKerberosServiceTicketOperations-Description-Begin --> <!-- AccountLogon_AuditKerberosServiceTicketOperations-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts. If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT is requested for a user account. Success audits record successful requests and Failure audits record unsuccessful requests. This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts.
- If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT is requested for a user account. Success audits record successful requests and Failure audits record unsuccessful requests.
- If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT is request for a user account. - If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT is request for a user account.
<!-- AccountLogon_AuditKerberosServiceTicketOperations-Description-End --> <!-- AccountLogon_AuditKerberosServiceTicketOperations-Description-End -->
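Review bot: The second bullet of the AuditKerberosServiceTicketOperations description still reads "no audit event is generated after a Kerberos authentication TGT is request for a user account"; "is request" should be "is requested". The description also speaks only of ticket-granting ticket (TGT) requests, almost word for word the AuditKerberosAuthenticationService text earlier in this file, although the policy is named for service ticket operations. Worth confirming the source description is the intended one before it is split into bullets.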
@ -404,7 +406,8 @@ Volume: Low on a client computer. Medium on a domain controller or a network ser
<!-- AccountLogonLogoff_AuditIPsecExtendedMode-Description-Begin --> <!-- AccountLogonLogoff_AuditIPsecExtendedMode-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. If you configure this policy setting, an audit event is generated during an IPsec Extended Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.
- If you configure this policy setting, an audit event is generated during an IPsec Extended Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated during an IPsec Extended Mode negotiation. - If you do not configure this policy setting, no audit event is generated during an IPsec Extended Mode negotiation.
<!-- AccountLogonLogoff_AuditIPsecExtendedMode-Description-End --> <!-- AccountLogonLogoff_AuditIPsecExtendedMode-Description-End -->
@ -466,7 +469,8 @@ Volume: High.
<!-- AccountLogonLogoff_AuditIPsecMainMode-Description-Begin --> <!-- AccountLogonLogoff_AuditIPsecMainMode-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. If you configure this policy setting, an audit event is generated during an IPsec Main Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.
- If you configure this policy setting, an audit event is generated during an IPsec Main Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated during an IPsec Main Mode negotiation. - If you do not configure this policy setting, no audit event is generated during an IPsec Main Mode negotiation.
<!-- AccountLogonLogoff_AuditIPsecMainMode-Description-End --> <!-- AccountLogonLogoff_AuditIPsecMainMode-Description-End -->
@ -528,7 +532,8 @@ Volume: High.
<!-- AccountLogonLogoff_AuditIPsecQuickMode-Description-Begin --> <!-- AccountLogonLogoff_AuditIPsecQuickMode-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. If you configure this policy setting, an audit event is generated during an IPsec Quick Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.
- If you configure this policy setting, an audit event is generated during an IPsec Quick Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated during an IPsec Quick Mode negotiation. - If you do not configure this policy setting, no audit event is generated during an IPsec Quick Mode negotiation.
<!-- AccountLogonLogoff_AuditIPsecQuickMode-Description-End --> <!-- AccountLogonLogoff_AuditIPsecQuickMode-Description-End -->
@ -590,7 +595,8 @@ Volume: High.
<!-- AccountLogonLogoff_AuditLogoff-Description-Begin --> <!-- AccountLogonLogoff_AuditLogoff-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to. If you configure this policy setting, an audit event is generated when a logon session is closed. Success audits record successful attempts to close sessions and Failure audits record unsuccessful attempts to close sessions. This policy setting allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to.
- If you configure this policy setting, an audit event is generated when a logon session is closed. Success audits record successful attempts to close sessions and Failure audits record unsuccessful attempts to close sessions.
- If you do not configure this policy setting, no audit event is generated when a logon session is closed. - If you do not configure this policy setting, no audit event is generated when a logon session is closed.
<!-- AccountLogonLogoff_AuditLogoff-Description-End --> <!-- AccountLogonLogoff_AuditLogoff-Description-End -->
@ -713,7 +719,8 @@ Volume: Low on a client computer. Medium on a domain controller or a network ser
<!-- AccountLogonLogoff_AuditNetworkPolicyServer-Description-Begin --> <!-- AccountLogonLogoff_AuditNetworkPolicyServer-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. If you configure this policy setting, an audit event is generated for each IAS and NAP user access request. Success audits record successful user access requests and Failure audits record unsuccessful attempts. This policy setting allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock.
- If you configure this policy setting, an audit event is generated for each IAS and NAP user access request. Success audits record successful user access requests and Failure audits record unsuccessful attempts.
- If you do not configure this policy settings, IAS and NAP user access requests are not audited. - If you do not configure this policy settings, IAS and NAP user access requests are not audited.
<!-- AccountLogonLogoff_AuditNetworkPolicyServer-Description-End --> <!-- AccountLogonLogoff_AuditNetworkPolicyServer-Description-End -->
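Review bot: The context bullet "If you do not configure this policy settings, IAS and NAP user access requests are not audited" still has the plural "settings". This hunk already reflows the sentence directly above it, so fix it here to read "this policy setting", which matches the wording of the other subcategory descriptions in this file.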
@ -836,7 +843,7 @@ Volume: Low.
<!-- AccountLogonLogoff_AuditSpecialLogon-Description-Begin --> <!-- AccountLogonLogoff_AuditSpecialLogon-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit events generated by special logons such as the following: The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see [article 947223 in the Microsoft Knowledge Base](<https://go.microsoft.com/fwlink/?LinkId=121697>). This policy setting allows you to audit events generated by special logons such as the following : The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see [article 947223 in the Microsoft Knowledge Base](https://go.microsoft.com/fwlink/?LinkId=121697).
<!-- AccountLogonLogoff_AuditSpecialLogon-Description-End --> <!-- AccountLogonLogoff_AuditSpecialLogon-Description-End -->
<!-- AccountLogonLogoff_AuditSpecialLogon-Editable-Begin --> <!-- AccountLogonLogoff_AuditSpecialLogon-Editable-Begin -->
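Review bot: The added line reads "such as the following :" with a space before the colon that the removed line did not have, so the change introduces a punctuation regression. Drop the space. The two cases that follow ("The use of a special logon, ..." and "A logon by a member of a Special Group.") still run together in one paragraph, so consider making them list items, as the other descriptions in this change do for their "If you configure" sentences. Removing the angle brackets around the link target is fine.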
@ -958,7 +965,8 @@ Volume: Low on a client computer. Medium on a domain controller or a network ser
<!-- AccountManagement_AuditApplicationGroupManagement-Description-Begin --> <!-- AccountManagement_AuditApplicationGroupManagement-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit events generated by changes to application groups such as the following: Application group is created, changed, or deleted. Member is added or removed from an application group. If you configure this policy setting, an audit event is generated when an attempt to change an application group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. This policy setting allows you to audit events generated by changes to application groups such as the following: Application group is created, changed, or deleted. Member is added or removed from an application group.
- If you configure this policy setting, an audit event is generated when an attempt to change an application group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated when an application group changes. - If you do not configure this policy setting, no audit event is generated when an application group changes.
<!-- AccountManagement_AuditApplicationGroupManagement-Description-End --> <!-- AccountManagement_AuditApplicationGroupManagement-Description-End -->
@ -1020,7 +1028,8 @@ Volume: Low.
<!-- AccountManagement_AuditComputerAccountManagement-Description-Begin --> <!-- AccountManagement_AuditComputerAccountManagement-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted. If you configure this policy setting, an audit event is generated when an attempt to change a computer account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. This policy setting allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted.
- If you configure this policy setting, an audit event is generated when an attempt to change a computer account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated when a computer account changes. - If you do not configure this policy setting, no audit event is generated when a computer account changes.
<!-- AccountManagement_AuditComputerAccountManagement-Description-End --> <!-- AccountManagement_AuditComputerAccountManagement-Description-End -->
@ -1082,7 +1091,8 @@ Volume: Low.
<!-- AccountManagement_AuditDistributionGroupManagement-Description-Begin --> <!-- AccountManagement_AuditDistributionGroupManagement-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit events generated by changes to distribution groups such as the following Distribution group is created, changed, or deleted. Member is added or removed from a distribution group. Distribution group type is changed. If you configure this policy setting, an audit event is generated when an attempt to change a distribution group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. This policy setting allows you to audit events generated by changes to distribution groups such as the following: Distribution group is created, changed, or deleted. Member is added or removed from a distribution group. Distribution group type is changed.
- If you configure this policy setting, an audit event is generated when an attempt to change a distribution group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated when a distribution group changes. - If you do not configure this policy setting, no audit event is generated when a distribution group changes.
> [!NOTE] > [!NOTE]
@ -1147,7 +1157,7 @@ Volume: Low.
<!-- AccountManagement_AuditOtherAccountManagementEvents-Description-Begin --> <!-- AccountManagement_AuditOtherAccountManagementEvents-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit events generated by other user account changes that are not covered in this category, such as the following: The password hash of a user account was accessed. This typically happens during an Active Directory Management Tool password migration. The Password Policy Checking API was called. Calls to this function can be part of an attack when a malicious application tests the policy to reduce the number of attempts during a password dictionary attack. Changes to the Default Domain Group Policy under the following Group Policy paths: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy This policy setting allows you to audit events generated by other user account changes that are not covered in this category, such as the following: The password hash of a user account was accessed. This typically happens during an Active Directory Management Tool password migration. The Password Policy Checking API was called. Calls to this function can be part of an attack when a malicious application tests the policy to reduce the number of attempts during a password dictionary attack. Changes to the Default Domain Group Policy under the following Group Policy paths: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.
<!-- AccountManagement_AuditOtherAccountManagementEvents-Description-End --> <!-- AccountManagement_AuditOtherAccountManagementEvents-Description-End -->
<!-- AccountManagement_AuditOtherAccountManagementEvents-Editable-Begin --> <!-- AccountManagement_AuditOtherAccountManagementEvents-Editable-Begin -->
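Review bot: The added line now ends "Account Policies\Account Lockout Policy." and the new trailing period sits directly against a Group Policy path, where it can be read as part of the path. Put the two paths on their own list items or in code formatting and end the lead-in sentence before them. The three audited cases (password hash accessed, Password Policy Checking API called, Default Domain Group Policy changed) are also still one run-on paragraph and would read better as a list.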
@ -1208,7 +1218,8 @@ Volume: Low.
<!-- AccountManagement_AuditSecurityGroupManagement-Description-Begin --> <!-- AccountManagement_AuditSecurityGroupManagement-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit events generated by changes to security groups such as the following: Security group is created, changed, or deleted. Member is added or removed from a security group. Group type is changed. If you configure this policy setting, an audit event is generated when an attempt to change a security group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. This policy setting allows you to audit events generated by changes to security groups such as the following: Security group is created, changed, or deleted. Member is added or removed from a security group. Group type is changed.
- If you configure this policy setting, an audit event is generated when an attempt to change a security group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated when a security group changes. - If you do not configure this policy setting, no audit event is generated when a security group changes.
<!-- AccountManagement_AuditSecurityGroupManagement-Description-End --> <!-- AccountManagement_AuditSecurityGroupManagement-Description-End -->
@ -1270,7 +1281,8 @@ Volume: Low.
<!-- AccountManagement_AuditUserAccountManagement-Description-Begin --> <!-- AccountManagement_AuditUserAccountManagement-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit changes to user accounts. Events include the following: A user account is created, changed, deleted; renamed, disabled, enabled, locked out, or unlocked. A user account's password is set or changed. A security identifier (SID) is added to the SID History of a user account. The Directory Services Restore Mode password is configured. Permissions on administrative user accounts are changed. Credential Manager credentials are backed up or restored. If you configure this policy setting, an audit event is generated when an attempt to change a user account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. This policy setting allows you to audit changes to user accounts. Events include the following: A user account is created, changed, deleted; renamed, disabled, enabled, locked out, or unlocked. A user account's password is set or changed. A security identifier (SID) is added to the SID History of a user account. The Directory Services Restore Mode password is configured. Permissions on administrative user accounts are changed. Credential Manager credentials are backed up or restored.
- If you configure this policy setting, an audit event is generated when an attempt to change a user account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated when a user account changes. - If you do not configure this policy setting, no audit event is generated when a user account changes.
<!-- AccountManagement_AuditUserAccountManagement-Description-End --> <!-- AccountManagement_AuditUserAccountManagement-Description-End -->
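Review bot: In the reflowed first sentence, "A user account is created, changed, deleted; renamed, disabled, enabled, locked out, or unlocked" keeps a stray semicolon in the middle of a comma-separated series. Replace it with a comma while the line is being touched. The six event types that follow "Events include the following:" are separate items and would be easier to scan as a list.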
@ -1332,7 +1344,8 @@ Volume: Low.
<!-- DetailedTracking_AuditDPAPIActivity-Description-Begin --> <!-- DetailedTracking_AuditDPAPIActivity-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see [How to Use Data Protection](/dotnet/standard/security/how-to-use-data-protection). If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests. This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see [How to Use Data Protection](/dotnet/standard/security/how-to-use-data-protection).
- If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests.
- If you do not configure this policy setting, no audit event is generated when an encryption or decryption request is made to DPAPI. - If you do not configure this policy setting, no audit event is generated when an encryption or decryption request is made to DPAPI.
<!-- DetailedTracking_AuditDPAPIActivity-Description-End --> <!-- DetailedTracking_AuditDPAPIActivity-Description-End -->
@ -1394,7 +1407,8 @@ Volume: Low.
<!-- DetailedTracking_AuditPNPActivity-Description-Begin --> <!-- DetailedTracking_AuditPNPActivity-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit when plug and play detects an external device. If you configure this policy setting, an audit event is generated whenever plug and play detects an external device. Only Success audits are recorded for this category. This policy setting allows you to audit when plug and play detects an external device.
- If you configure this policy setting, an audit event is generated whenever plug and play detects an external device. Only Success audits are recorded for this category.
- If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. - If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play.
<!-- DetailedTracking_AuditPNPActivity-Description-End --> <!-- DetailedTracking_AuditPNPActivity-Description-End -->
@ -1456,7 +1470,8 @@ Volume: Low.
<!-- DetailedTracking_AuditProcessCreation-Description-Begin --> <!-- DetailedTracking_AuditProcessCreation-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit events generated when a process is created or starts. The name of the application or user that created the process is also audited. If you configure this policy setting, an audit event is generated when a process is created. Success audits record successful attempts and Failure audits record unsuccessful attempts. This policy setting allows you to audit events generated when a process is created or starts. The name of the application or user that created the process is also audited.
- If you configure this policy setting, an audit event is generated when a process is created. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated when a process is created. - If you do not configure this policy setting, no audit event is generated when a process is created.
<!-- DetailedTracking_AuditProcessCreation-Description-End --> <!-- DetailedTracking_AuditProcessCreation-Description-End -->
@ -1518,7 +1533,8 @@ Volume: Depends on how the computer is used.
<!-- DetailedTracking_AuditProcessTermination-Description-Begin --> <!-- DetailedTracking_AuditProcessTermination-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit events generated when a process ends. If you configure this policy setting, an audit event is generated when a process ends. Success audits record successful attempts and Failure audits record unsuccessful attempts. This policy setting allows you to audit events generated when a process ends.
- If you configure this policy setting, an audit event is generated when a process ends. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated when a process ends. - If you do not configure this policy setting, no audit event is generated when a process ends.
<!-- DetailedTracking_AuditProcessTermination-Description-End --> <!-- DetailedTracking_AuditProcessTermination-Description-End -->
@ -1580,7 +1596,8 @@ Volume: Depends on how the computer is used.
<!-- DetailedTracking_AuditRPCEvents-Description-Begin --> <!-- DetailedTracking_AuditRPCEvents-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit inbound remote procedure call (RPC) connections. If you configure this policy setting, an audit event is generated when a remote RPC connection is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. This policy setting allows you to audit inbound remote procedure call (RPC) connections.
- If you configure this policy setting, an audit event is generated when a remote RPC connection is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated when a remote RPC connection is attempted. - If you do not configure this policy setting, no audit event is generated when a remote RPC connection is attempted.
<!-- DetailedTracking_AuditRPCEvents-Description-End --> <!-- DetailedTracking_AuditRPCEvents-Description-End -->
@ -1828,7 +1845,8 @@ Volume: High on domain controllers. None on client computers.
This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. When possible, events logged in this subcategory indicate the old and new values of the object's properties. Events in this subcategory are logged only on domain controllers, and only objects in AD DS with a matching system access control list (SACL) are logged. This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. When possible, events logged in this subcategory indicate the old and new values of the object's properties. Events in this subcategory are logged only on domain controllers, and only objects in AD DS with a matching system access control list (SACL) are logged.
> [!NOTE] > [!NOTE]
> Actions on some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. If you configure this policy setting, an audit event is generated when an attempt to change an object in AD DS is made. Success audits record successful attempts, however unsuccessful attempts are NOT recorded. > Actions on some objects and properties do not cause audit events to be generated due to settings on the object class in the schema.
- If you configure this policy setting, an audit event is generated when an attempt to change an object in AD DS is made. Success audits record successful attempts, however unsuccessful attempts are NOT recorded.
- If you do not configure this policy setting, no audit event is generated when an attempt to change an object in AD DS object is made. - If you do not configure this policy setting, no audit event is generated when an attempt to change an object in AD DS object is made.
<!-- DSAccess_AuditDirectoryServiceChanges-Description-End --> <!-- DSAccess_AuditDirectoryServiceChanges-Description-End -->
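Review bot: The context bullet "no audit event is generated when an attempt to change an object in AD DS object is made" repeats "object"; it should read "an object in AD DS is made". In the new bullet, "Success audits record successful attempts, however unsuccessful attempts are NOT recorded" is a comma splice; split it into two sentences. Moving the "If you configure" sentence out of the note is right, because it states the setting's behavior and not a caveat about schema settings.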
@ -1890,7 +1908,8 @@ Volume: High on domain controllers only.
<!-- DSAccess_AuditDirectoryServiceReplication-Description-Begin --> <!-- DSAccess_AuditDirectoryServiceReplication-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit replication between two Active Directory Domain Services (AD DS) domain controllers. If you configure this policy setting, an audit event is generated during AD DS replication. Success audits record successful replication and Failure audits record unsuccessful replication. This policy setting allows you to audit replication between two Active Directory Domain Services (AD DS) domain controllers.
- If you configure this policy setting, an audit event is generated during AD DS replication. Success audits record successful replication and Failure audits record unsuccessful replication.
- If you do not configure this policy setting, no audit event is generated during AD DS replication. - If you do not configure this policy setting, no audit event is generated during AD DS replication.
<!-- DSAccess_AuditDirectoryServiceReplication-Description-End --> <!-- DSAccess_AuditDirectoryServiceReplication-Description-End -->
@ -2135,10 +2154,12 @@ Volume: Medium or Low on computers running Active Directory Certificate Services
<!-- ObjectAccess_AuditDetailedFileShare-Description-Begin --> <!-- ObjectAccess_AuditDetailedFileShare-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. If you configure this policy setting, an audit event is generated when an attempt is made to access a file or folder on a share. The administrator can specify whether to audit only successes, only failures, or both successes and failures. This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access.
- If you configure this policy setting, an audit event is generated when an attempt is made to access a file or folder on a share. The administrator can specify whether to audit only successes, only failures, or both successes and failures.
> [!NOTE] > [!NOTE]
> There are no system access control lists (SACLs) for shared folders. > There are no system access control lists (SACLs) for shared folders.
- If this policy setting is enabled, access to all shared files and folders on the system is audited. - If this policy setting is enabled, access to all shared files and folders on the system is audited.
<!-- ObjectAccess_AuditDetailedFileShare-Description-End --> <!-- ObjectAccess_AuditDetailedFileShare-Description-End -->
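Review bot: The note "There are no system access control lists (SACLs) for shared folders." now sits between two list items, which splits the list, and the bullet after it ("If this policy setting is enabled, access to all shared files and folders on the system is audited") is the consequence of that note and not a separate configuration state. Move that sentence into the note and keep the list contiguous. This description also has no "If you do not configure this policy setting" item, unlike the other subcategories in this change, so readers are not told the unconfigured behavior.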
@ -2200,11 +2221,13 @@ Volume: High on a file server or domain controller because of SYSVOL network acc
<!-- ObjectAccess_AuditFileShare-Description-Begin --> <!-- ObjectAccess_AuditFileShare-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit attempts to access a shared folder. If you configure this policy setting, an audit event is generated when an attempt is made to access a shared folder. This policy setting allows you to audit attempts to access a shared folder.
- If you configure this policy setting, an audit event is generated when an attempt is made to access a shared folder.
- If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures. - If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures.
> [!NOTE] > [!NOTE]
> There are no system access control lists (SACLs) for shared folders. > There are no system access control lists (SACLs) for shared folders.
- If this policy setting is enabled, access to all shared folders on the system is audited. - If this policy setting is enabled, access to all shared folders on the system is audited.
<!-- ObjectAccess_AuditFileShare-Description-End --> <!-- ObjectAccess_AuditFileShare-Description-End -->
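Review bot: The first two bullets use "If you configure this policy setting" and "If this policy setting is defined" for what reads as the same state, and the last bullet adds a third term, "enabled". Use one term throughout and merge the first two bullets into a single item, so it is clear that choosing successes, failures, or both is part of configuring the setting and not a separate condition.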
@ -2266,7 +2289,8 @@ Volume: High on a file server or domain controller because of SYSVOL network acc
<!-- ObjectAccess_AuditFileSystem-Description-Begin --> <!-- ObjectAccess_AuditFileSystem-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see <https//go.microsoft.com/fwlink/?LinkId=122083>. If you configure this policy setting, an audit event is generated each time an account accesses a file system object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see< https://go.microsoft.com/fwlink/?LinkId=122083>.
- If you configure this policy setting, an audit event is generated each time an account accesses a file system object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL. - If you do not configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL.
> [!NOTE] > [!NOTE]
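Review bot: The added line fixes the missing colon in the URL but leaves the link as "see< https://go.microsoft.com/fwlink/?LinkId=122083>." with no space before the opening angle bracket and a space after it. The space inside the brackets stops this from being parsed as an autolink, so the brackets will render as literal text. It should read "see <https://go.microsoft.com/fwlink/?LinkId=122083>."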
@ -2331,7 +2355,8 @@ Volume: Depends on how the file system SACLs are configured.
<!-- ObjectAccess_AuditFilteringPlatformConnection-Description-Begin --> <!-- ObjectAccess_AuditFilteringPlatformConnection-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit connections that are allowed or blocked by the Windows Filtering Platform (WFP). The following events are included: The Windows Firewall Service blocks an application from accepting incoming connections on the network. The WFP allows a connection. The WFP blocks a connection. The WFP permits a bind to a local port. The WFP blocks a bind to a local port. The WFP allows a connection. The WFP blocks a connection. The WFP permits an application or service to listen on a port for incoming connections. The WFP blocks an application or service to listen on a port for incoming connections. If you configure this policy setting, an audit event is generated when connections are allowed or blocked by the WFP. Success audits record events generated when connections are allowed and Failure audits record events generated when connections are blocked. This policy setting allows you to audit connections that are allowed or blocked by the Windows Filtering Platform (WFP). The following events are included: The Windows Firewall Service blocks an application from accepting incoming connections on the network. The WFP allows a connection. The WFP blocks a connection. The WFP permits a bind to a local port. The WFP blocks a bind to a local port. The WFP allows a connection. The WFP blocks a connection. The WFP permits an application or service to listen on a port for incoming connections. The WFP blocks an application or service to listen on a port for incoming connections.
- If you configure this policy setting, an audit event is generated when connections are allowed or blocked by the WFP. Success audits record events generated when connections are allowed and Failure audits record events generated when connections are blocked.
- If you do not configure this policy setting, no audit event is generated when connected are allowed or blocked by the WFP. - If you do not configure this policy setting, no audit event is generated when connected are allowed or blocked by the WFP.
<!-- ObjectAccess_AuditFilteringPlatformConnection-Description-End --> <!-- ObjectAccess_AuditFilteringPlatformConnection-Description-End -->
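Review bot: the unchanged "do not configure" bullet still reads "no audit event is generated when connected are allowed or blocked by the WFP"; "connected" should be "connections". In the description line the event list names "The WFP allows a connection. The WFP blocks a connection." twice, and "blocks an application or service to listen on a port" should read "from listening on a port". This hunk already rewrites the paragraph, so fix these here, or in the DDF source if the text is generated from it.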
@ -2454,7 +2479,8 @@ Volume: High.
<!-- ObjectAccess_AuditHandleManipulation-Description-Begin --> <!-- ObjectAccess_AuditHandleManipulation-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events. If you configure this policy setting, an audit event is generated when a handle is manipulated. Success audits record successful attempts and Failure audits record unsuccessful attempts. This policy setting allows you to audit events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events.
- If you configure this policy setting, an audit event is generated when a handle is manipulated. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated when a handle is manipulated. - If you do not configure this policy setting, no audit event is generated when a handle is manipulated.
> [!NOTE] > [!NOTE]
@ -2522,7 +2548,7 @@ Volume: Depends on how SACLs are configured.
This policy setting allows you to audit attempts to access the kernel, which include mutexes and semaphores. Only kernel objects with a matching system access control list (SACL) generate security audit events. This policy setting allows you to audit attempts to access the kernel, which include mutexes and semaphores. Only kernel objects with a matching system access control list (SACL) generate security audit events.
> [!NOTE] > [!NOTE]
> The Audit Audit the access of global system objects policy setting controls the default SACL of kernel objects. > The Audit: Audit the access of global system objects policy setting controls the default SACL of kernel objects.
<!-- ObjectAccess_AuditKernelObject-Description-End --> <!-- ObjectAccess_AuditKernelObject-Description-End -->
<!-- ObjectAccess_AuditKernelObject-Editable-Begin --> <!-- ObjectAccess_AuditKernelObject-Editable-Begin -->
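Review bot: in the [!NOTE] line, "The Audit: Audit the access of global system objects policy setting" still reads as a run-on after the colon is added, because the policy name is not set off from the rest of the sentence. Put the name in bold or quotation marks so a reader can tell where it ends.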
@ -2644,7 +2670,8 @@ Volume: Low.
<!-- ObjectAccess_AuditRegistry-Description-Begin --> <!-- ObjectAccess_AuditRegistry-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists (SACLs) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. If you configure this policy setting, an audit event is generated each time an account accesses a registry object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. This policy setting allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists (SACLs) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL.
- If you configure this policy setting, an audit event is generated each time an account accesses a registry object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated when an account accesses a registry object with a matching SACL. - If you do not configure this policy setting, no audit event is generated when an account accesses a registry object with a matching SACL.
> [!NOTE] > [!NOTE]
@ -2709,7 +2736,8 @@ Volume: Depends on how registry SACLs are configured.
<!-- ObjectAccess_AuditRemovableStorage-Description-Begin --> <!-- ObjectAccess_AuditRemovableStorage-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested.
- If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage. - If you do not configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage.
<!-- ObjectAccess_AuditRemovableStorage-Description-End --> <!-- ObjectAccess_AuditRemovableStorage-Description-End -->
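Review bot: the description sentence "A security audit event is generated only for all objects for all types of access requested" is carried over unchanged and contradicts itself ("only" against "all"). If the intent is that auditing here does not depend on a per-object SACL, say so directly. Both bullets also end in "on a removable storage", which needs a noun such as "device".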
@ -2770,11 +2798,12 @@ This policy setting allows you to audit user attempts to access file system obje
<!-- ObjectAccess_AuditSAM-Description-Begin --> <!-- ObjectAccess_AuditSAM-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects. SAM objects include the following SAM_ALIAS -- A local group. SAM_GROUP -- A group that is not a local group. SAM_USER - A user account. SAM_DOMAIN - A domain. SAM_SERVER - A computer account. If you configure this policy setting, an audit event is generated when an attempt to access a kernel object is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. This policy setting allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects. SAM objects include the following: SAM_ALIAS -- A local group. SAM_GROUP -- A group that is not a local group. SAM_USER - A user account. SAM_DOMAIN - A domain. SAM_SERVER - A computer account.
- If you configure this policy setting, an audit event is generated when an attempt to access a kernel object is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated when an attempt to access a kernel object is made. - If you do not configure this policy setting, no audit event is generated when an attempt to access a kernel object is made.
> [!NOTE] > [!NOTE]
> Only the System Access Control List (SACL) for SAM_SERVER can be modified. Volume High on domain controllers. For information about SACL, see [Access control lists](/windows/win32/secauthz/access-control-lists). > Only the System Access Control List (SACL) for SAM_SERVER can be modified. Volume: High on domain controllers. For information about reducing the amount of events generated in this subcategory, see [article 841001 in the Microsoft Knowledge Base](https://go.microsoft.com/fwlink/?LinkId=121698).
<!-- ObjectAccess_AuditSAM-Description-End --> <!-- ObjectAccess_AuditSAM-Description-End -->
<!-- ObjectAccess_AuditSAM-Editable-Begin --> <!-- ObjectAccess_AuditSAM-Editable-Begin -->
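Review bot: both bullets say an audit event is generated "when an attempt to access a kernel object is made", but this setting audits SAM objects; the wording looks copied from the kernel object policy and should read "a SAM object". The object list also mixes "--" and "-" as separators. The note now points to the KB link for reducing event volume and drops the link to Access control lists, and the next hunk header shows a "Volume: High on domain controllers" line already present below this section, so check that the volume guidance is not stated twice.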
@ -2835,7 +2864,8 @@ Volume: High on domain controllers. For more information about reducing the numb
<!-- PolicyChange_AuditAuthenticationPolicyChange-Description-Begin --> <!-- PolicyChange_AuditAuthenticationPolicyChange-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit events generated by changes to the authentication policy such as the following Creation of forest and domain trusts. Modification of forest and domain trusts. Removal of forest and domain trusts. Changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy. Granting of any of the following user rights to a user or group Access This Computer From the Network. Allow Logon Locally. Allow Logon Through Terminal Services. Logon as a Batch Job. Logon a Service. Namespace collision. For example, when a new trust has the same name as an existing namespace name. If you configure this policy setting, an audit event is generated when an attempt to change the authentication policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. This policy setting allows you to audit events generated by changes to the authentication policy such as the following: Creation of forest and domain trusts. Modification of forest and domain trusts. Removal of forest and domain trusts. Changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy. Granting of any of the following user rights to a user or group: Access This Computer From the Network. Allow Logon Locally. Allow Logon Through Terminal Services. Logon as a Batch Job. Logon a Service. Namespace collision. For example, when a new trust has the same name as an existing namespace name.
- If you configure this policy setting, an audit event is generated when an attempt to change the authentication policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated when the authentication policy is changed. - If you do not configure this policy setting, no audit event is generated when the authentication policy is changed.
> [!NOTE] > [!NOTE]
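Review bot: in the user rights list, "Logon a Service" is missing a word and should be "Logon as a Service". The added colons help, but the items are still one run of sentences with a nested list inside it; a bulleted list with the user rights as sub-items would make clear that "Namespace collision" is not one of the user rights.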
@ -2900,7 +2930,8 @@ Volume: Low.
<!-- PolicyChange_AuditAuthorizationPolicyChange-Description-Begin --> <!-- PolicyChange_AuditAuthorizationPolicyChange-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit events generated by changes to the authorization policy such as the following: Assignment of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the "Authentication Policy Change" subcategory. Removal of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the "Authentication Policy Change" subcategory. Changes in the Encrypted File System (EFS) policy. Changes to the Resource attributes of an object. Changes to the Central Access Policy (CAP) applied to an object. If you configure this policy setting, an audit event is generated when an attempt to change the authorization policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. This policy setting allows you to audit events generated by changes to the authorization policy such as the following: Assignment of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the "Authentication Policy Change" subcategory. Removal of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the "Authentication Policy Change" subcategory. Changes in the Encrypted File System (EFS) policy. Changes to the Resource attributes of an object. Changes to the Central Access Policy (CAP) applied to an object.
- If you configure this policy setting, an audit event is generated when an attempt to change the authorization policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated when the authorization policy changes. - If you do not configure this policy setting, no audit event is generated when the authorization policy changes.
<!-- PolicyChange_AuditAuthorizationPolicyChange-Description-End --> <!-- PolicyChange_AuditAuthorizationPolicyChange-Description-End -->
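Review bot: the description line names the "Encrypted File System (EFS)"; the feature is called Encrypting File System. Correct it while this paragraph is being touched.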
@ -2962,7 +2993,8 @@ Volume: Low.
<!-- PolicyChange_AuditFilteringPlatformPolicyChange-Description-Begin --> <!-- PolicyChange_AuditFilteringPlatformPolicyChange-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit events generated by changes to the Windows Filtering Platform (WFP) such as the following: IPsec services status. Changes to IPsec policy settings. Changes to Windows Firewall policy settings. Changes to WFP providers and engine. If you configure this policy setting, an audit event is generated when a change to the WFP is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. This policy setting allows you to audit events generated by changes to the Windows Filtering Platform (WFP) such as the following: IPsec services status. Changes to IPsec policy settings. Changes to Windows Firewall policy settings. Changes to WFP providers and engine.
- If you configure this policy setting, an audit event is generated when a change to the WFP is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated when a change occurs to the WFP. - If you do not configure this policy setting, no audit event is generated when a change occurs to the WFP.
<!-- PolicyChange_AuditFilteringPlatformPolicyChange-Description-End --> <!-- PolicyChange_AuditFilteringPlatformPolicyChange-Description-End -->
@ -3024,7 +3056,8 @@ Volume: Low.
<!-- PolicyChange_AuditMPSSVCRuleLevelPolicyChange-Description-Begin --> <!-- PolicyChange_AuditMPSSVCRuleLevelPolicyChange-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. Events include the following: Reporting of active policies when Windows Firewall service starts. Changes to Windows Firewall rules. Changes to Windows Firewall exception list. Changes to Windows Firewall settings. Rules ignored or not applied by Windows Firewall Service. Changes to Windows Firewall Group Policy settings. If you configure this policy setting, an audit event is generated by attempts to change policy rules used by the MPSSVC. Success audits record successful attempts and Failure audits record unsuccessful attempts. This policy setting allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. Events include the following: Reporting of active policies when Windows Firewall service starts. Changes to Windows Firewall rules. Changes to Windows Firewall exception list. Changes to Windows Firewall settings. Rules ignored or not applied by Windows Firewall Service. Changes to Windows Firewall Group Policy settings.
- If you configure this policy setting, an audit event is generated by attempts to change policy rules used by the MPSSVC. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated by changes in policy rules used by the MPSSVC. - If you do not configure this policy setting, no audit event is generated by changes in policy rules used by the MPSSVC.
<!-- PolicyChange_AuditMPSSVCRuleLevelPolicyChange-Description-End --> <!-- PolicyChange_AuditMPSSVCRuleLevelPolicyChange-Description-End -->
@ -3147,7 +3180,7 @@ Volume: Low.
<!-- PolicyChange_AuditPolicyChange-Description-Begin --> <!-- PolicyChange_AuditPolicyChange-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit changes in the security audit policy settings such as the following Settings permissions and audit settings on the Audit Policy object. Changes to the system audit policy. Registration of security event sources. De-registration of security event sources. Changes to the per-user audit settings. Changes to the value of CrashOnAuditFail. Changes to the system access control list on a file system or registry object. Changes to the Special Groups list. This policy setting allows you to audit changes in the security audit policy settings such as the following: Settings permissions and audit settings on the Audit Policy object. Changes to the system audit policy. Registration of security event sources. De-registration of security event sources. Changes to the per-user audit settings. Changes to the value of CrashOnAuditFail. Changes to the system access control list on a file system or registry object. Changes to the Special Groups list.
> [!NOTE] > [!NOTE]
> System access control list (SACL) change auditing is done when a SACL for an object changes and the policy change category is enabled. Discretionary access control list (DACL) and ownership changes are audited when object access auditing is enabled and the object's SACL is configured for auditing of DACL/Owner change. > System access control list (SACL) change auditing is done when a SACL for an object changes and the policy change category is enabled. Discretionary access control list (DACL) and ownership changes are audited when object access auditing is enabled and the object's SACL is configured for auditing of DACL/Owner change.
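Review bot: the first list item, "Settings permissions and audit settings on the Audit Policy object", should begin "Setting permissions". Unlike the neighbouring policies in this commit, this description has no "If you configure this policy setting" sentence in either version, so a reader is not told what Success and Failure audits record here; confirm that is intended.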
@ -3212,7 +3245,8 @@ Volume: Low.
<!-- PrivilegeUse_AuditNonSensitivePrivilegeUse-Description-Begin --> <!-- PrivilegeUse_AuditNonSensitivePrivilegeUse-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit events generated by the use of non-sensitive privileges (user rights). The following privileges are non-sensitive: Access Credential Manager as a trusted caller. Access this computer from the network. Add workstations to domain. Adjust memory quotas for a process. Allow log on locally. Allow log on through Terminal Services. Bypass traverse checking. Change the system time. Create a pagefile. Create global objects. This policy setting allows you to audit events generated by the use of non-sensitive privileges (user rights). The following privileges are non-sensitive: Access Credential Manager as a trusted caller. Access this computer from the network. Add workstations to domain. Adjust memory quotas for a process. Allow log on locally. Allow log on through Terminal Services. Bypass traverse checking. Change the system time. Create a pagefile. Create global objects.
Create permanent shared objects. Create symbolic links. Deny access this computer from the network. Deny log on as a batch job. Deny log on as a service. Deny log on locally. Deny log on through Terminal Services. Force shutdown from a remote system. Increase a process working set. Increase scheduling priority. Lock pages in memory. Log on as a batch job. Log on as a service. Modify an object label. Perform volume maintenance tasks. Profile single process. Profile system performance. Remove computer from docking station. Shut down the system. Synchronize directory service data. If you configure this policy setting, an audit event is generated when a non-sensitive privilege is called. Success audits record successful calls and Failure audits record unsuccessful calls. Create permanent shared objects. Create symbolic links. Deny access this computer from the network. Deny log on as a batch job. Deny log on as a service. Deny log on locally. Deny log on through Terminal Services. Force shutdown from a remote system. Increase a process working set. Increase scheduling priority. Lock pages in memory. Log on as a batch job. Log on as a service. Modify an object label. Perform volume maintenance tasks. Profile single process. Profile system performance. Remove computer from docking station. Shut down the system. Synchronize directory service data.
- If you configure this policy setting, an audit event is generated when a non-sensitive privilege is called. Success audits record successful calls and Failure audits record unsuccessful calls.
- If you do not configure this policy setting, no audit event is generated when a non-sensitive privilege is called. - If you do not configure this policy setting, no audit event is generated when a non-sensitive privilege is called.
<!-- PrivilegeUse_AuditNonSensitivePrivilegeUse-Description-End --> <!-- PrivilegeUse_AuditNonSensitivePrivilegeUse-Description-End -->
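Review bot: the list of non-sensitive privileges is broken across two lines between "Create global objects." and "Create permanent shared objects.", so one list is split by a stray line break. Join the lines or, better, turn the privileges into a bulleted list; this many items in a single run of sentences are hard to scan.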
@ -3334,7 +3368,8 @@ Not used.
<!-- PrivilegeUse_AuditSensitivePrivilegeUse-Description-Begin --> <!-- PrivilegeUse_AuditSensitivePrivilegeUse-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit events generated when sensitive privileges (user rights) are used such as the following: A privileged service is called. One of the following privileges are called: Act as part of the operating system. Back up files and directories. Create a token object. Debug programs. Enable computer and user accounts to be trusted for delegation. Generate security audits. Impersonate a client after authentication. Load and unload device drivers. Manage auditing and security log. Modify firmware environment values. Replace a process-level token. Restore files and directories. Take ownership of files or other objects. If you configure this policy setting, an audit event is generated when sensitive privilege requests are made. Success audits record successful requests and Failure audits record unsuccessful requests. This policy setting allows you to audit events generated when sensitive privileges (user rights) are used such as the following: A privileged service is called. One of the following privileges are called: Act as part of the operating system. Back up files and directories. Create a token object. Debug programs. Enable computer and user accounts to be trusted for delegation. Generate security audits. Impersonate a client after authentication. Load and unload device drivers. Manage auditing and security log. Modify firmware environment values. Replace a process-level token. Restore files and directories. Take ownership of files or other objects.
- If you configure this policy setting, an audit event is generated when sensitive privilege requests are made. Success audits record successful requests and Failure audits record unsuccessful requests.
- If you do not configure this policy setting, no audit event is generated when sensitive privilege requests are made. - If you do not configure this policy setting, no audit event is generated when sensitive privilege requests are made.
<!-- PrivilegeUse_AuditSensitivePrivilegeUse-Description-End --> <!-- PrivilegeUse_AuditSensitivePrivilegeUse-Description-End -->
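Review bot: in the description line, "One of the following privileges are called" should be "is called". The privileges that follow are the ones defenders most often look up, so a bulleted list under that sentence would serve better than a run of one-phrase sentences.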
@ -3396,7 +3431,8 @@ Volume: High.
<!-- System_AuditIPsecDriver-Description-Begin --> <!-- System_AuditIPsecDriver-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit events generated by the IPsec filter driver such as the following: Startup and shutdown of the IPsec services. Network packets dropped due to integrity check failure. Network packets dropped due to replay check failure. Network packets dropped due to being in plaintext. Network packets received with incorrect Security Parameter Index (SPI). This may indicate that either the network card is not working correctly or the driver needs to be updated. Inability to process IPsec filters. If you configure this policy setting, an audit event is generated on an IPsec filter driver operation. Success audits record successful attempts and Failure audits record unsuccessful attempts. This policy setting allows you to audit events generated by the IPsec filter driver such as the following: Startup and shutdown of the IPsec services. Network packets dropped due to integrity check failure. Network packets dropped due to replay check failure. Network packets dropped due to being in plaintext. Network packets received with incorrect Security Parameter Index (SPI). This may indicate that either the network card is not working correctly or the driver needs to be updated. Inability to process IPsec filters.
- If you configure this policy setting, an audit event is generated on an IPsec filter driver operation. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated on an IPSec filter driver operation. - If you do not configure this policy setting, no audit event is generated on an IPSec filter driver operation.
<!-- System_AuditIPsecDriver-Description-End --> <!-- System_AuditIPsecDriver-Description-End -->
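Review bot: the new "If you configure" bullet writes "IPsec filter driver" while the unchanged bullet directly below it writes "IPSec filter driver"; use "IPsec" in both. In the description, "This may indicate that either the network card is not working correctly or the driver needs to be updated" refers only to the incorrect-SPI item, which is not clear once everything sits in one paragraph.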
@ -3580,7 +3616,8 @@ Volume: Low.
<!-- System_AuditSecuritySystemExtension-Description-Begin --> <!-- System_AuditSecuritySystemExtension-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy setting allows you to audit events related to security system extensions or services such as the following: A security system extension, such as an authentication, notification, or security package is loaded and is registered with the Local Security Authority (LSA). It is used to authenticate logon attempts, submit logon requests, and any account or password changes. Examples of security system extensions are Kerberos and NTLM. A service is installed and registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account. If you configure this policy setting, an audit event is generated when an attempt is made to load a security system extension. Success audits record successful attempts and Failure audits record unsuccessful attempts. This policy setting allows you to audit events related to security system extensions or services such as the following: A security system extension, such as an authentication, notification, or security package is loaded and is registered with the Local Security Authority (LSA). It is used to authenticate logon attempts, submit logon requests, and any account or password changes. Examples of security system extensions are Kerberos and NTLM. A service is installed and registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account.
- If you configure this policy setting, an audit event is generated when an attempt is made to load a security system extension. Success audits record successful attempts and Failure audits record unsuccessful attempts.
- If you do not configure this policy setting, no audit event is generated when an attempt is made to load a security system extension. - If you do not configure this policy setting, no audit event is generated when an attempt is made to load a security system extension.
<!-- System_AuditSecuritySystemExtension-Description-End --> <!-- System_AuditSecuritySystemExtension-Description-End -->
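Review bot: the two bullets mention only "an attempt is made to load a security system extension", but the description above them also covers a service being installed and registered with the Service Control Manager. State in the bullets that service installation generates an event too, otherwise the split-out text understates what this subcategory records.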

View File

@ -4,7 +4,7 @@ description: Learn more about the Authentication Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -16,6 +16,9 @@ ms.topic: reference
<!-- Authentication-Begin --> <!-- Authentication-Begin -->
# Policy CSP - Authentication # Policy CSP - Authentication
> [!IMPORTANT]
> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview.
<!-- Authentication-Editable-Begin --> <!-- Authentication-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Authentication-Editable-End --> <!-- Authentication-Editable-End -->
@ -356,7 +359,7 @@ Your organization's PIN reset or web sign-in authentication flow is expected to
<!-- EnableFastFirstSignIn-Description-Begin --> <!-- EnableFastFirstSignIn-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Specifies whether new non-admin AAD accounts should auto-connect to pre-created candidate local accounts Specifies whether new non-admin AAD accounts should auto-connect to pre-created candidate local accounts.
<!-- EnableFastFirstSignIn-Description-End --> <!-- EnableFastFirstSignIn-Description-End -->
<!-- EnableFastFirstSignIn-Editable-Begin --> <!-- EnableFastFirstSignIn-Editable-Begin -->
@ -394,6 +397,56 @@ This policy is intended for use on Shared PCs to enable a quick first sign-in ex
<!-- EnableFastFirstSignIn-End --> <!-- EnableFastFirstSignIn-End -->
<!-- EnablePasswordlessExperience-Begin -->
## EnablePasswordlessExperience
<!-- EnablePasswordlessExperience-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
<!-- EnablePasswordlessExperience-Applicability-End -->
<!-- EnablePasswordlessExperience-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Authentication/EnablePasswordlessExperience
```
<!-- EnablePasswordlessExperience-OmaUri-End -->
<!-- EnablePasswordlessExperience-Description-Begin -->
<!-- Description-Source-DDF -->
Specifies whether connected users on AADJ devices receive a Passwordless experience on Windows.
<!-- EnablePasswordlessExperience-Description-End -->
<!-- EnablePasswordlessExperience-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnablePasswordlessExperience-Editable-End -->
<!-- EnablePasswordlessExperience-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- EnablePasswordlessExperience-DFProperties-End -->
<!-- EnablePasswordlessExperience-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | The feature defaults to the existing edition and device capabilities. |
| 1 | Enabled. The Passwordless experience will be enabled on Windows. |
| 2 | Disabled. The Passwordless experience will not be enabled on Windows. |
<!-- EnablePasswordlessExperience-AllowedValues-End -->
<!-- EnablePasswordlessExperience-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnablePasswordlessExperience-Examples-End -->
<!-- EnablePasswordlessExperience-End -->
<!-- EnableWebSignIn-Begin --> <!-- EnableWebSignIn-Begin -->
## EnableWebSignIn ## EnableWebSignIn
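Review bot: the EnablePasswordlessExperience description, "Specifies whether connected users on AADJ devices receive a Passwordless experience on Windows", does not say what the experience changes at sign-in, and "AADJ" is not expanded. The value 0 row ("The feature defaults to the existing edition and device capabilities") leaves an administrator unable to tell whether the feature ends up on or off for a given device. The Editable and Examples sections are empty; since this is a new authentication policy, add a short explanation of the behaviour and a sample setting there.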
@ -411,7 +464,7 @@ This policy is intended for use on Shared PCs to enable a quick first sign-in ex
<!-- EnableWebSignIn-Description-Begin --> <!-- EnableWebSignIn-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Specifies whether web-based sign-in is allowed for signing in to Windows Specifies whether web-based sign-in is allowed for signing in to Windows.
<!-- EnableWebSignIn-Description-End --> <!-- EnableWebSignIn-Description-End -->
<!-- EnableWebSignIn-Editable-Begin --> <!-- EnableWebSignIn-Editable-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the BITS Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -36,12 +36,19 @@ ms.topic: reference
<!-- BandwidthThrottlingEndTime-OmaUri-End --> <!-- BandwidthThrottlingEndTime-OmaUri-End -->
<!-- BandwidthThrottlingEndTime-Description-Begin --> <!-- BandwidthThrottlingEndTime-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
This policy specifies the bandwidth throttling end time that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock. Value type is integer. Default value is 17 (5 PM). Supported value range 0 - 23. You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 800 A. M. to 500 P. M. , and use all available unused bandwidth the rest of the day's hours. Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting does not affect foreground transfers.)
- If you disable or do not configure this policy setting, BITS uses all available unused bandwidth
You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M., and use all available unused bandwidth the rest of the day's hours.
- If you enable this policy setting, BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0.
- If you disable or do not configure this policy setting, BITS uses all available unused bandwidth.
> [!NOTE] > [!NOTE]
> You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the Limit the maximum network bandwidth used for Peercaching policy setting should be used for that purpose. Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). > You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect Peercaching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose.
Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs).
<!-- BandwidthThrottlingEndTime-Description-End --> <!-- BandwidthThrottlingEndTime-Description-End -->
<!-- BandwidthThrottlingEndTime-Editable-Begin --> <!-- BandwidthThrottlingEndTime-Editable-Begin -->
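Review bot: Switching the BandwidthThrottlingEndTime description source from DDF to ADMX drops the only text specific to this node: "This policy is based on the 24-hour clock. Value type is integer. Default value is 17 (5 PM). Supported value range 0 - 23." The replacement is the generic BITS_MaxBandwidth text, which is repeated word for word under BandwidthThrottlingStartTime and BandwidthThrottlingTransferRate, so a reader can no longer tell from the description that this node is the end hour. Suggest keeping the per-node sentence (in the Editable section if the generated block cannot hold it). Minor: "8:00 A. M. to 5:00 P. M." still has stray spaces inside the abbreviations, and "10Mbs" / "56Kbs" are inconsistent with the "Kbps" used earlier in the same paragraph.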
@ -66,7 +73,7 @@ This policy specifies the bandwidth throttling end time that Background Intellig
|:--|:--| |:--|:--|
| Name | BITS_MaxBandwidth | | Name | BITS_MaxBandwidth |
| Friendly Name | Limit the maximum network bandwidth for BITS background transfers | | Friendly Name | Limit the maximum network bandwidth for BITS background transfers |
| Element Name | to | | Element Name | to. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Network > Background Intelligent Transfer Service (BITS) | | Path | Network > Background Intelligent Transfer Service (BITS) |
| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | | Registry Key Name | Software\Policies\Microsoft\Windows\BITS |
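Review bot: The Element Name value changes from "to" to "to." here, and the same trailing period is added in later hunks ("From.", "Limit background transfer rate (Kbps) to.", "Normal.", "Foreground."). These values read as UI labels, not sentences, and the Name and Friendly Name rows in the same table get no period. If the period comes from the generator's sentence clean-up rather than from the ADMX string, it should be stripped so the documented label matches what an administrator sees in the policy editor.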
@ -95,12 +102,19 @@ This policy specifies the bandwidth throttling end time that Background Intellig
<!-- BandwidthThrottlingStartTime-OmaUri-End --> <!-- BandwidthThrottlingStartTime-OmaUri-End -->
<!-- BandwidthThrottlingStartTime-Description-Begin --> <!-- BandwidthThrottlingStartTime-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
This policy specifies the bandwidth throttling start time that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock. Value type is integer. Default value is 8 (8 am). Supported value range 0 - 23. You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 800 A. M. to 500 P. M. , and use all available unused bandwidth the rest of the day's hours. Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting does not affect foreground transfers.)
- If you disable or do not configure this policy setting, BITS uses all available unused bandwidth
You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M., and use all available unused bandwidth the rest of the day's hours.
- If you enable this policy setting, BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0.
- If you disable or do not configure this policy setting, BITS uses all available unused bandwidth.
> [!NOTE] > [!NOTE]
> You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the Limit the maximum network bandwidth used for Peercaching policy setting should be used for that purpose. Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). > You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect Peercaching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose.
Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs).
<!-- BandwidthThrottlingStartTime-Description-End --> <!-- BandwidthThrottlingStartTime-Description-End -->
<!-- BandwidthThrottlingStartTime-Editable-Begin --> <!-- BandwidthThrottlingStartTime-Editable-Begin -->
@ -125,7 +139,7 @@ This policy specifies the bandwidth throttling start time that Background Intell
|:--|:--| |:--|:--|
| Name | BITS_MaxBandwidth | | Name | BITS_MaxBandwidth |
| Friendly Name | Limit the maximum network bandwidth for BITS background transfers | | Friendly Name | Limit the maximum network bandwidth for BITS background transfers |
| Element Name | From | | Element Name | From. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Network > Background Intelligent Transfer Service (BITS) | | Path | Network > Background Intelligent Transfer Service (BITS) |
| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | | Registry Key Name | Software\Policies\Microsoft\Windows\BITS |
@ -154,12 +168,19 @@ This policy specifies the bandwidth throttling start time that Background Intell
<!-- BandwidthThrottlingTransferRate-OmaUri-End --> <!-- BandwidthThrottlingTransferRate-OmaUri-End -->
<!-- BandwidthThrottlingTransferRate-Description-Begin --> <!-- BandwidthThrottlingTransferRate-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
This policy specifies the bandwidth throttling transfer rate in kilobits per second (Kbps) that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. Value type is integer. Default value is 1000. Supported value range 0 - 4294967200. You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 800 A. M. to 500 P. M. , and use all available unused bandwidth the rest of the day's hours. Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting does not affect foreground transfers.)
- If you disable or do not configure this policy setting, BITS uses all available unused bandwidth
You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M., and use all available unused bandwidth the rest of the day's hours.
- If you enable this policy setting, BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0.
- If you disable or do not configure this policy setting, BITS uses all available unused bandwidth.
> [!NOTE] > [!NOTE]
> You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the Limit the maximum network bandwidth used for Peercaching policy setting should be used for that purpose. Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). > You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect Peercaching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose.
Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs).
<!-- BandwidthThrottlingTransferRate-Description-End --> <!-- BandwidthThrottlingTransferRate-Description-End -->
<!-- BandwidthThrottlingTransferRate-Editable-Begin --> <!-- BandwidthThrottlingTransferRate-Editable-Begin -->
@ -184,7 +205,7 @@ This policy specifies the bandwidth throttling transfer rate in kilobits per sec
|:--|:--| |:--|:--|
| Name | BITS_MaxBandwidth | | Name | BITS_MaxBandwidth |
| Friendly Name | Limit the maximum network bandwidth for BITS background transfers | | Friendly Name | Limit the maximum network bandwidth for BITS background transfers |
| Element Name | Limit background transfer rate (Kbps) to | | Element Name | Limit background transfer rate (Kbps) to. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Network > Background Intelligent Transfer Service (BITS) | | Path | Network > Background Intelligent Transfer Service (BITS) |
| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | | Registry Key Name | Software\Policies\Microsoft\Windows\BITS |
@ -213,9 +234,27 @@ This policy specifies the bandwidth throttling transfer rate in kilobits per sec
<!-- CostedNetworkBehaviorBackgroundPriority-OmaUri-End --> <!-- CostedNetworkBehaviorBackgroundPriority-OmaUri-End -->
<!-- CostedNetworkBehaviorBackgroundPriority-Description-Begin --> <!-- CostedNetworkBehaviorBackgroundPriority-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
This policy setting defines the default behavior that the Background Intelligent Transfer Service (BITS) uses for background transfers when the system is connected to a costed network (3G, etc. ). Download behavior policies further limit the network usage of background transfers. This policy setting defines the default behavior that the Background Intelligent Transfer Service (BITS) uses for background transfers when the system is connected to a costed network (3G, etc.). Download behavior policies further limit the network usage of background transfers.
- If you enable this policy setting, you can define a default download policy for each BITS job priority. This setting does not override a download policy explicitly configured by the application that created the BITS job, but does apply to jobs that are created by specifying only a priority. For example, you can specify that background jobs are by default to transfer only when on uncosted network connections, but foreground jobs should proceed only when not roaming. The values that can be assigned are:1 - Always transfer2 - Transfer unless roaming3 - Transfer unless surcharge applies (when not roaming or overcap)4 - Transfer unless nearing limit (when not roaming or nearing cap)5 - Transfer only if unconstrained
If you enable this policy setting, you can define a default download policy for each BITS job priority. This setting does not override a download policy explicitly configured by the application that created the BITS job, but does apply to jobs that are created by specifying only a priority.
For example, you can specify that background jobs are by default to transfer only when on uncosted network connections, but foreground jobs should proceed only when not roaming. The values that can be assigned are:
- Always transfer
- Transfer unless roaming
- Transfer unless surcharge applies (when not roaming or overcap)
- Transfer unless nearing limit (when not roaming or nearing cap)
- Transfer only if unconstrained
- Custom--allows you to specify a bitmask, in which the bits describe cost states allowed or disallowed for this priority: (bits described here)
0x1 - The cost is unknown or the connection is unlimited and is considered to be unrestricted of usage charges and capacity constraints.
0x2 - The usage of this connection is unrestricted up to a certain data limit
0x4 - The usage of this connection is unrestricted up to a certain data limit and plan usage is less than 80 percent of the limit.
0x8 - Usage of this connection is unrestricted up to a certain data limit and plan usage is between 80 percent and 100 percent of the limit.
0x10 - Usage of this connection is unrestricted up to a certain data limit, which has been exceeded. Surcharge applied or unknown.
0x20 - Usage of this connection is unrestricted up to a certain data limit, which has been exceeded. No surcharge applies, but speeds are likely reduced.
0x40 - The connection is costed on a per-byte basis.
0x80 - The connection is roaming.
0x80000000 - Ignore congestion.
<!-- CostedNetworkBehaviorBackgroundPriority-Description-End --> <!-- CostedNetworkBehaviorBackgroundPriority-Description-End -->
<!-- CostedNetworkBehaviorBackgroundPriority-Editable-Begin --> <!-- CostedNetworkBehaviorBackgroundPriority-Editable-Begin -->
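Review bot: The rewritten value list loses the numbers an MDM administrator has to send. The old text gave "1 - Always transfer" through "5 - Transfer only if unconstrained"; the new bullets list the names only, and the new "Custom" entry has no value at all. Suggest restoring the numeric prefix on each bullet and stating the value for Custom. The Custom bullet also ends with the leftover placeholder "(bits described here)", and the bit descriptions that follow are plain lines rather than a nested list or table, so they will run together when rendered. The 0x2 line is missing its period.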
@ -251,7 +290,7 @@ This policy setting defines the default behavior that the Background Intelligent
|:--|:--| |:--|:--|
| Name | BITS_SetTransferPolicyOnCostedNetwork | | Name | BITS_SetTransferPolicyOnCostedNetwork |
| Friendly Name | Set default download behavior for BITS jobs on costed networks | | Friendly Name | Set default download behavior for BITS jobs on costed networks |
| Element Name | Normal | | Element Name | Normal. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Network > Background Intelligent Transfer Service (BITS) | | Path | Network > Background Intelligent Transfer Service (BITS) |
| Registry Key Name | Software\Policies\Microsoft\Windows\BITS\TransferPolicy | | Registry Key Name | Software\Policies\Microsoft\Windows\BITS\TransferPolicy |
@ -280,9 +319,27 @@ This policy setting defines the default behavior that the Background Intelligent
<!-- CostedNetworkBehaviorForegroundPriority-OmaUri-End --> <!-- CostedNetworkBehaviorForegroundPriority-OmaUri-End -->
<!-- CostedNetworkBehaviorForegroundPriority-Description-Begin --> <!-- CostedNetworkBehaviorForegroundPriority-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
This policy setting defines the default behavior that the foreground Intelligent Transfer Service (BITS) uses for foreground transfers when the system is connected to a costed network (3G, etc. ). Download behavior policies further limit the network usage of foreground transfers. This policy setting defines the default behavior that the Background Intelligent Transfer Service (BITS) uses for background transfers when the system is connected to a costed network (3G, etc.). Download behavior policies further limit the network usage of background transfers.
- If you enable this policy setting, you can define a default download policy for each BITS job priority. This setting does not override a download policy explicitly configured by the application that created the BITS job, but does apply to jobs that are created by specifying only a priority. For example, you can specify that foreground jobs are by default to transfer only when on uncosted network connections, but foreground jobs should proceed only when not roaming. The values that can be assigned are:1 - Always transfer2 - Transfer unless roaming3 - Transfer unless surcharge applies (when not roaming or overcap)4 - Transfer unless nearing limit (when not roaming or nearing cap)5 - Transfer only if unconstrained
If you enable this policy setting, you can define a default download policy for each BITS job priority. This setting does not override a download policy explicitly configured by the application that created the BITS job, but does apply to jobs that are created by specifying only a priority.
For example, you can specify that background jobs are by default to transfer only when on uncosted network connections, but foreground jobs should proceed only when not roaming. The values that can be assigned are:
- Always transfer
- Transfer unless roaming
- Transfer unless surcharge applies (when not roaming or overcap)
- Transfer unless nearing limit (when not roaming or nearing cap)
- Transfer only if unconstrained
- Custom--allows you to specify a bitmask, in which the bits describe cost states allowed or disallowed for this priority: (bits described here)
0x1 - The cost is unknown or the connection is unlimited and is considered to be unrestricted of usage charges and capacity constraints.
0x2 - The usage of this connection is unrestricted up to a certain data limit
0x4 - The usage of this connection is unrestricted up to a certain data limit and plan usage is less than 80 percent of the limit.
0x8 - Usage of this connection is unrestricted up to a certain data limit and plan usage is between 80 percent and 100 percent of the limit.
0x10 - Usage of this connection is unrestricted up to a certain data limit, which has been exceeded. Surcharge applied or unknown.
0x20 - Usage of this connection is unrestricted up to a certain data limit, which has been exceeded. No surcharge applies, but speeds are likely reduced.
0x40 - The connection is costed on a per-byte basis.
0x80 - The connection is roaming.
0x80000000 - Ignore congestion.
<!-- CostedNetworkBehaviorForegroundPriority-Description-End --> <!-- CostedNetworkBehaviorForegroundPriority-Description-End -->
<!-- CostedNetworkBehaviorForegroundPriority-Editable-Begin --> <!-- CostedNetworkBehaviorForegroundPriority-Editable-Begin -->
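Review bot: The description for CostedNetworkBehaviorForegroundPriority now reads "uses for background transfers" and "further limit the network usage of background transfers", identical to the BackgroundPriority node. The old text had the service name wrong ("foreground Intelligent Transfer Service") but did say "foreground transfers", which is what this node controls. Suggest keeping the corrected service name and restoring "foreground transfers" in both sentences. The value list has the same gaps as the BackgroundPriority hunk: the numeric values 1 to 5 are dropped and "(bits described here)" is left in.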
@ -318,7 +375,7 @@ This policy setting defines the default behavior that the foreground Intelligent
|:--|:--| |:--|:--|
| Name | BITS_SetTransferPolicyOnCostedNetwork | | Name | BITS_SetTransferPolicyOnCostedNetwork |
| Friendly Name | Set default download behavior for BITS jobs on costed networks | | Friendly Name | Set default download behavior for BITS jobs on costed networks |
| Element Name | Foreground | | Element Name | Foreground. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Network > Background Intelligent Transfer Service (BITS) | | Path | Network > Background Intelligent Transfer Service (BITS) |
| Registry Key Name | Software\Policies\Microsoft\Windows\BITS\TransferPolicy | | Registry Key Name | Software\Policies\Microsoft\Windows\BITS\TransferPolicy |
@ -347,11 +404,17 @@ This policy setting defines the default behavior that the foreground Intelligent
<!-- JobInactivityTimeout-OmaUri-End --> <!-- JobInactivityTimeout-OmaUri-End -->
<!-- JobInactivityTimeout-Description-Begin --> <!-- JobInactivityTimeout-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
This policy setting specifies the number of days a pending BITS job can remain inactive before the job is considered abandoned. By default BITS will wait 90 days before considering an inactive job abandoned. After a job is determined to be abandoned, the job is deleted from BITS and any downloaded files for the job are deleted from the disk This policy setting specifies the number of days a pending BITS job can remain inactive before the job is considered abandoned. By default BITS will wait 90 days before considering an inactive job abandoned. After a job is determined to be abandoned, the job is deleted from BITS and any downloaded files for the job are deleted from the disk.
> [!NOTE] > [!NOTE]
> Any property changes to the job or any successful download action will reset this timeout. Value type is integer. Default is 90 days. Supported values range 0 - 999. Consider increasing the timeout value if computers tend to stay offline for a long period of time and still have pending jobs. Consider decreasing this value if you are concerned about orphaned jobs occupying disk space. > Any property changes to the job or any successful download action will reset this timeout.
Consider increasing the timeout value if computers tend to stay offline for a long period of time and still have pending jobs.
Consider decreasing this value if you are concerned about orphaned jobs occupying disk space.
- If you enable this policy setting, you can configure the inactive job timeout to specified number of days.
- If you disable or do not configure this policy setting, the default value of 90 (days) will be used for the inactive job timeout. - If you disable or do not configure this policy setting, the default value of 90 (days) will be used for the inactive job timeout.
<!-- JobInactivityTimeout-Description-End --> <!-- JobInactivityTimeout-Description-End -->
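Review bot: The ADMX text drops "Value type is integer" and "Supported values range 0 - 999" from the JobInactivityTimeout description; only the default of 90 survives. If the range is not shown in the DFProperties table for this node, it should be kept here. Also, "configure the inactive job timeout to specified number of days" is missing an article ("to a specified number of days").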
@ -377,7 +440,7 @@ This policy setting specifies the number of days a pending BITS job can remain i
|:--|:--| |:--|:--|
| Name | BITS_Job_Timeout | | Name | BITS_Job_Timeout |
| Friendly Name | Timeout for inactive BITS jobs | | Friendly Name | Timeout for inactive BITS jobs |
| Element Name | Inactive Job Timeout in Days | | Element Name | Inactive Job Timeout in Days. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Network > Background Intelligent Transfer Service (BITS) | | Path | Network > Background Intelligent Transfer Service (BITS) |
| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | | Registry Key Name | Software\Policies\Microsoft\Windows\BITS |

View File

@ -4,7 +4,7 @@ description: Learn more about the Bluetooth Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -272,7 +272,7 @@ Sets the local Bluetooth device name. If this is set, the value that it is set t
<!-- ServicesAllowedList-Description-Begin --> <!-- ServicesAllowedList-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7. CAA-436. C-8. BF0-78. CD0FFBD4AF}. The default value is an empty string. For more information, see ServicesAllowedList usage guide Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7. CAA-436. C-8. BF0-78. CD0FFBD4AF}. The default value is an empty string. For more information, see ServicesAllowedList usage guide.
<!-- ServicesAllowedList-Description-End --> <!-- ServicesAllowedList-Description-End -->
<!-- ServicesAllowedList-Editable-Begin --> <!-- ServicesAllowedList-Editable-Begin -->
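Review bot: This hunk only adds a final period, but the example UUID on the changed line is still broken: "{782AFCFC-7. CAA-436. C-8. BF0-78. CD0FFBD4AF}" has ". " inserted in four places, so it is not a valid canonical UUID and cannot be copied into a policy. Since the line is being touched anyway, the example should be fixed at the source. "see ServicesAllowedList usage guide" is also plain text with no link target.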

View File

@ -4,7 +4,7 @@ description: Learn more about the Browser Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/27/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -200,7 +200,7 @@ To verify AllowAutofill is set to 0 (not allowed):
<!-- AllowBrowser-Description-Begin --> <!-- AllowBrowser-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy is deprecated This policy is deprecated.
<!-- AllowBrowser-Description-End --> <!-- AllowBrowser-Description-End -->
<!-- AllowBrowser-Editable-Begin --> <!-- AllowBrowser-Editable-Begin -->
@ -305,8 +305,15 @@ This policy setting lets you decide whether Microsoft Edge can automatically upd
<!-- AllowCookies-OmaUri-End --> <!-- AllowCookies-OmaUri-End -->
<!-- AllowCookies-Description-Begin --> <!-- AllowCookies-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
This setting lets you configure how your company deals with cookies. This setting lets you configure how to work with cookies.
- If you enable this setting, you must also decide whether to:
Allow all cookies (default): Allows all cookies from all websites.
Block all cookies: Blocks all cookies from all websites.
Block only 3rd-party cookies: Blocks only cookies from 3rd-party websites.
- If you disable or don't configure this setting, all cookies are allowed from all sites.
<!-- AllowCookies-Description-End --> <!-- AllowCookies-Description-End -->
<!-- AllowCookies-Editable-Begin --> <!-- AllowCookies-Editable-Begin -->
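Review bot: The three options added under "If you enable this setting, you must also decide whether to:" are plain lines directly after a list item, so Markdown will fold them into that bullet as one running paragraph. Suggest making them a nested list. The new text also names the options without the values that select them; if those are only in the Allowed values table, a pointer to it would help.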
@ -340,7 +347,7 @@ This setting lets you configure how your company deals with cookies.
|:--|:--| |:--|:--|
| Name | Cookies | | Name | Cookies |
| Friendly Name | Configure cookies | | Friendly Name | Configure cookies |
| Element Name | Configure Cookies | | Element Name | Configure Cookies. |
| Location | Computer and User Configuration | | Location | Computer and User Configuration |
| Path | Windows Components > Microsoft Edge | | Path | Windows Components > Microsoft Edge |
| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | | Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main |
@ -1483,8 +1490,8 @@ Computer Configuration > Administrative Templates > Windows Components > App Pac
Supported versions: Microsoft Edge on Windows 10, version 1809 Supported versions: Microsoft Edge on Windows 10, version 1809
Default setting: Disabled or not configured Default setting: Disabled or not configured
Related policies: Related policies:
- Allows development of Windows Store apps and installing them from an integrated development environment (IDE) - Allows development of Windows Store apps and installing them from an integrated development environment (IDE)
- Allow all trusted apps to install - Allow all trusted apps to install
<!-- AllowSideloadingOfExtensions-Description-End --> <!-- AllowSideloadingOfExtensions-Description-End -->
<!-- AllowSideloadingOfExtensions-Editable-Begin --> <!-- AllowSideloadingOfExtensions-Editable-Begin -->
@ -1920,9 +1927,17 @@ To verify whether browsing data is cleared on exit (ClearBrowsingDataOnExit is s
<!-- ConfigureAdditionalSearchEngines-OmaUri-End --> <!-- ConfigureAdditionalSearchEngines-OmaUri-End -->
<!-- ConfigureAdditionalSearchEngines-Description-Begin --> <!-- ConfigureAdditionalSearchEngines-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
Allows you to add up to 5 additional search engines for MDM-enrolled devices. If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. If this setting is not configured, the search engines are the ones specified in the App settings. This policy setting lets you add up to 5 additional search engines, which can't be removed by your employees, but can be made a personal default engine. This setting doesn't set the default search engine. For that, you must use the "Set default search engine" setting.
- If this setting is disabled, the search engines you had added will be deleted from your employee's machine. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled.
**Important**
This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).
- If you enable this setting, you can add up to 5 additional search engines. For each additional engine, you must also add a link to your OpenSearch XML file, including at least the short name and https: URL of the search engine. For more info about creating the OpenSearch XML file, see the Understanding OpenSearch Standards (https://msdn.microsoft.com/library/dd163546.aspx) topic. Use this format to specify the link(s) you wish to add: `<https://fabrikam.com/opensearch.xml>` `<https://www.contoso.com/opensearch.xml>`
- If you disable this setting, any added search engines are removed from your employee's devices.
- If you don't configure this setting, the search engine list is set to what is specified in App settings.
<!-- ConfigureAdditionalSearchEngines-Description-End --> <!-- ConfigureAdditionalSearchEngines-Description-End -->
<!-- ConfigureAdditionalSearchEngines-Editable-Begin --> <!-- ConfigureAdditionalSearchEngines-Editable-Begin -->
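Review bot: The new description states the device restriction twice in a row: once in the sentence beginning "Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled" and again in the **Important** paragraph directly under it. Keep one of the two. If it stays as a callout, use the `> [!IMPORTANT]` alert form rather than a bold word on its own line, so it renders as an alert and does not sit ambiguously between the paragraph and the bullet list. The bare aka.ms/browserpolicy references and the msdn.microsoft.com OpenSearch URL would also be better as Markdown links.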
@ -1945,7 +1960,7 @@ Allows you to add up to 5 additional search engines for MDM-enrolled devices. If
|:--|:--| |:--|:--|
| Name | ConfigureAdditionalSearchEngines | | Name | ConfigureAdditionalSearchEngines |
| Friendly Name | Configure additional search engines | | Friendly Name | Configure additional search engines |
| Element Name | Use this format to specify the link(s) you wish to add: `<<https://fabrikam.com/opensearch.xml>>` `<<https://www.contoso.com/opensearch.xml>>` | | Element Name | Use this format to specify the link(s) you wish to add: `<https://fabrikam.com/opensearch.xml>` `<https://www.contoso.com/opensearch.xml>` |
| Location | Computer and User Configuration | | Location | Computer and User Configuration |
| Path | Windows Components > Microsoft Edge | | Path | Windows Components > Microsoft Edge |
| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\OpenSearch | | Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\OpenSearch |
@ -2051,8 +2066,23 @@ If not configured, the favorites bar is hidden but is visible on the Start and N
<!-- ConfigureHomeButton-OmaUri-End --> <!-- ConfigureHomeButton-OmaUri-End -->
<!-- ConfigureHomeButton-Description-Begin --> <!-- ConfigureHomeButton-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
The Home button loads either the default Start page, the New tab page, or a URL defined in the Set Home Button URL policy. By default, this policy is disabled or not configured and clicking the home button loads the default Start page. When enabled, the home button is locked down preventing your users from making changes in Microsoft Edge's UI settings. To let your users change the Microsoft Edge UI settings, enable the Unlock Home Button policy. If Enabled AND: - Show home button & set to Start page is selected, clicking the home button loads the Start page. - Show home button & set to New tab page is selected, clicking the home button loads a New tab page. - Show home button & set a specific page is selected, clicking the home button loads the URL specified in the Set Home Button URL policy. - Hide home button is selected, the home button is hidden in Microsoft Edge. Default setting: Disabled or not configured Related policies: - Set Home Button URL - Unlock Home Button The Home button loads either the default Start page, the New tab page, or a URL defined in the Set Home Button URL policy.
By default, this policy is disabled or not configured and clicking the home button loads the default Start page.
When enabled, the home button is locked down preventing your users from making changes in Microsoft Edge's UI settings. To let your users change the Microsoft Edge UI settings, enable the Unlock Home Button policy.
If Enabled AND:
- Show home button & set to Start page is selected, clicking the home button loads the Start page.
- Show home button & set to New tab page is selected, clicking the home button loads a New tab page.
- Show home button & set a specific page is selected, clicking the home button loads the URL specified in the Set Home Button URL policy.
- Hide home button is selected, the home button is hidden in Microsoft Edge.
Default setting: Disabled or not configured
Related policies:
- Set Home Button URL
- Unlock Home Button.
<!-- ConfigureHomeButton-Description-End --> <!-- ConfigureHomeButton-Description-End -->
<!-- ConfigureHomeButton-Editable-Begin --> <!-- ConfigureHomeButton-Editable-Begin -->
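Review bot: In the new "Related policies" list the last item ends in a period ("- Unlock Home Button.") while "- Set Home Button URL" does not. Drop the period so both entries are plain policy names. "If Enabled AND:" also carries over the capitalisation of the old run-on paragraph; now that the options are a real list, "If enabled and:" reads more naturally.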
@ -2087,7 +2117,7 @@ The Home button loads either the default Start page, the New tab page, or a URL
|:--|:--| |:--|:--|
| Name | ConfigureHomeButton | | Name | ConfigureHomeButton |
| Friendly Name | Configure Home Button | | Friendly Name | Configure Home Button |
| Element Name | Configure the Home Button | | Element Name | Configure the Home Button. |
| Location | Computer and User Configuration | | Location | Computer and User Configuration |
| Path | Windows Components > Microsoft Edge | | Path | Windows Components > Microsoft Edge |
| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Internet Settings | | Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Internet Settings |
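Review bot: The Element Name row changes from "Configure the Home Button" to "Configure the Home Button." with a trailing period. This cell is a UI label, not a sentence, and the Friendly Name row above it has no period. Unless the ADMX string itself ends in a period, the old value should stay so the label matches what an admin sees in the policy editor.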
@ -2122,8 +2152,17 @@ The Home button loads either the default Start page, the New tab page, or a URL
<!-- ConfigureKioskMode-OmaUri-End --> <!-- ConfigureKioskMode-OmaUri-End -->
<!-- ConfigureKioskMode-Description-Begin --> <!-- ConfigureKioskMode-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
Configure how Microsoft Edge behaves when it's running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see "Configure kiosk and shared devices running Windows desktop editions" (<https://aka.ms/E489vw)>. If enabled and set to 0 (Default or not configured): - If it's a single app, it runs InPrivate full screen for digital signage or interactive displays. - If it's one of many apps, Microsoft Edge runs as normal. If enabled and set to 1: - If it's a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can't minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking "End session." You can configure Microsoft Edge to restart after a period of inactivity by using the "Configure kiosk reset after idle timeout" policy. - If it's one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can't customize Microsoft Edge. Configure how Microsoft Edge behaves when it's running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge.
You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see "Configure kiosk and shared devices running Windows desktop editions" (https://aka.ms/E489vw).
If enabled and set to 0 (Default or not configured):
- If it's a single app, it runs InPrivate full screen for digital signage or interactive displays.
- If it's one of many apps, Microsoft Edge runs as normal.
If enabled and set to 1:
- If it's a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can't minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking "End session." You can configure Microsoft Edge to restart after a period of inactivity by using the "Configure kiosk reset after idle timeout" policy.
- If it's one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can't customize Microsoft Edge.
<!-- ConfigureKioskMode-Description-End --> <!-- ConfigureKioskMode-Description-End -->
<!-- ConfigureKioskMode-Editable-Begin --> <!-- ConfigureKioskMode-Editable-Begin -->
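Review bot: The kiosk documentation reference in the second paragraph is now a bare URL in parentheses, "(https://aka.ms/E489vw)". That fixes the broken `<https://aka.ms/E489vw)>` autolink from the old text, but a Markdown link with the article title as link text would be clearer. The two "If enabled and set to ..." lines would also benefit from a blank line before each bullet group so the lists render reliably.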
@ -2188,8 +2227,16 @@ Configure how Microsoft Edge behaves when it's running in kiosk mode with assign
<!-- ConfigureKioskResetAfterIdleTimeout-OmaUri-End --> <!-- ConfigureKioskResetAfterIdleTimeout-OmaUri-End -->
<!-- ConfigureKioskResetAfterIdleTimeout-Description-Begin --> <!-- ConfigureKioskResetAfterIdleTimeout-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
You can configure Microsoft Edge to reset to the configured start experience after a specified amount of idle time. The reset timer begins after the last user interaction. Resetting to the configured start experience deletes the current user's browsing data. If enabled, you can set the idle time in minutes (0-1440). You must set the Configure kiosk mode policy to 1 and configure Microsoft Edge in assigned access as a single app for this policy to work. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge resets after 30 seconds. If you set this policy to 0, Microsoft Edge does not use an idle timer. If disabled or not configured, the default value is 5 minutes. If you do not configure Microsoft Edge in assigned access, then this policy does not take effect. You can configure Microsoft Edge to reset to the configured start experience after a specified amount of idle time. The reset timer begins after the last user interaction. Resetting to the configured start experience deletes the current user's browsing data.
If enabled, you can set the idle time in minutes (0-1440). You must set the Configure kiosk mode policy to 1 and configure Microsoft Edge in assigned access as a single app for this policy to work. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge resets after 30 seconds.
If you set this policy to 0, Microsoft Edge does not use an idle timer.
If disabled or not configured, the default value is 5 minutes.
If you do not configure Microsoft Edge in assigned access, then this policy does not take effect.
<!-- ConfigureKioskResetAfterIdleTimeout-Description-End --> <!-- ConfigureKioskResetAfterIdleTimeout-Description-End -->
<!-- ConfigureKioskResetAfterIdleTimeout-Editable-Begin --> <!-- ConfigureKioskResetAfterIdleTimeout-Editable-Begin -->
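Review bot: The line "If you set this policy to 0, Microsoft Edge does not use an idle timer" should spell out the consequence for a shared kiosk. The first paragraph says the reset is what deletes the current user's browsing data, so a value of 0 means no idle reset and no idle-triggered deletion between users. A sentence making that explicit would help admins choosing a value. Separately, "and if no user action, Microsoft Edge resets after 30 seconds" is missing a verb; suggest "and if the user takes no action, Microsoft Edge resets after 30 seconds".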
@ -2247,8 +2294,23 @@ You can configure Microsoft Edge to reset to the configured start experience aft
<!-- ConfigureOpenMicrosoftEdgeWith-OmaUri-End --> <!-- ConfigureOpenMicrosoftEdgeWith-OmaUri-End -->
<!-- ConfigureOpenMicrosoftEdgeWith-Description-Begin --> <!-- ConfigureOpenMicrosoftEdgeWith-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
You can configure Microsoft Edge to lock down the Start page, preventing users from changing or customizing it. If enabled, you can choose one of the following options: - Start page: the Start page loads ignoring the Configure Start Pages policy. - New tab page: the New tab page loads ignoring the Configure Start Pages policy. - Previous pages: all tabs the user had open when Microsoft Edge last closed loads ignoring the Configure Start Pages policy. - A specific page or pages: the URL(s) specified with Configure Start Pages policy load(s). If selected, you must specify at least one URL in Configure Start Pages; otherwise, this policy is ignored. When enabled, and you want to make changes, you must first set the Disable Lockdown of Start Pages to not configured, make the changes to the Configure Open Edge With policy, and then enable the Disable Lockdown of Start Pages policy. If disabled or not configured, and you enable the Disable Lockdown of Start Pages policy, your users can change or customize the Start page. Default setting: A specific page or pages (default) Related policies: -Disable Lockdown of Start Pages -Configure Start Pages You can configure Microsoft Edge to lock down the Start page, preventing users from changing or customizing it.
If enabled, you can choose one of the following options:
- Start page: the Start page loads ignoring the Configure Start Pages policy.
- New tab page: the New tab page loads ignoring the Configure Start Pages policy.
- Previous pages: all tabs the user had open when Microsoft Edge last closed loads ignoring the Configure Start Pages policy.
- A specific page or pages: the URL(s) specified with Configure Start Pages policy load(s). If selected, you must specify at least one URL in Configure Start Pages; otherwise, this policy is ignored.
When enabled, and you want to make changes, you must first set the Disable Lockdown of Start Pages to not configured, make the changes to the Configure Open Microsoft Edge With policy, and then enable the Disable Lockdown of Start Pages policy.
If disabled or not configured, and you enable the Disable Lockdown of Start Pages policy, your users can change or customize the Start page.
Default setting: A specific page or pages (default)
Related policies:
-Disable Lockdown of Start Pages
-Configure Start Pages.
<!-- ConfigureOpenMicrosoftEdgeWith-Description-End --> <!-- ConfigureOpenMicrosoftEdgeWith-Description-End -->
<!-- ConfigureOpenMicrosoftEdgeWith-Editable-Begin --> <!-- ConfigureOpenMicrosoftEdgeWith-Editable-Begin -->
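Review bot: The "Related policies" entries at the end of the new description are written as "-Disable Lockdown of Start Pages" and "-Configure Start Pages." with no space after the hyphen, so they will not render as list items the way the option bullets above do. Add the space and drop the trailing period on the second entry. In the options list, "all tabs the user had open when Microsoft Edge last closed loads" should be "load".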
@ -2283,7 +2345,7 @@ You can configure Microsoft Edge to lock down the Start page, preventing users f
|:--|:--| |:--|:--|
| Name | ConfigureOpenEdgeWith | | Name | ConfigureOpenEdgeWith |
| Friendly Name | Configure Open Microsoft Edge With | | Friendly Name | Configure Open Microsoft Edge With |
| Element Name | Configure Open Microsoft Edge With | | Element Name | Configure Open Microsoft Edge With. |
| Location | Computer and User Configuration | | Location | Computer and User Configuration |
| Path | Windows Components > Microsoft Edge | | Path | Windows Components > Microsoft Edge |
| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Internet Settings | | Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Internet Settings |
@ -2321,8 +2383,11 @@ You can configure Microsoft Edge to lock down the Start page, preventing users f
<!-- ConfigureTelemetryForMicrosoft365Analytics-OmaUri-End --> <!-- ConfigureTelemetryForMicrosoft365Analytics-OmaUri-End -->
<!-- ConfigureTelemetryForMicrosoft365Analytics-Description-Begin --> <!-- ConfigureTelemetryForMicrosoft365Analytics-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
Configures what browsing data will be sent to Microsoft 365 Analytics for devices belonging to an organization. You can configure Microsoft Edge to send intranet history only, internet history only, or both to Desktop Analytics for enterprise devices with a configured Commercial ID. If disabled or not configured, Microsoft Edge does not send browsing history data to Desktop Analytics.
Supported versions: Microsoft Edge on Windows 10, version 1809
Default setting: Disabled or not configured (no data collected or sent)
<!-- ConfigureTelemetryForMicrosoft365Analytics-Description-End --> <!-- ConfigureTelemetryForMicrosoft365Analytics-Description-End -->
<!-- ConfigureTelemetryForMicrosoft365Analytics-Editable-Begin --> <!-- ConfigureTelemetryForMicrosoft365Analytics-Editable-Begin -->
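Review bot: The replacement description refers to "Desktop Analytics" throughout, while the policy and its section markers are named ConfigureTelemetryForMicrosoft365Analytics and the removed text said "Microsoft 365 Analytics". Add a sentence tying the two names together so a reader searching for either finds this setting. The description also names three choices (intranet history only, internet history only, or both) without saying which value selects which. Since this controls what browsing history leaves the device, the value mapping should be stated here or explicitly referenced.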
@ -2357,7 +2422,7 @@ Configures what browsing data will be sent to Microsoft 365 Analytics for device
|:--|:--| |:--|:--|
| Name | ConfigureTelemetryForMicrosoft365Analytics | | Name | ConfigureTelemetryForMicrosoft365Analytics |
| Friendly Name | Configure collection of browsing data for Desktop Analytics | | Friendly Name | Configure collection of browsing data for Desktop Analytics |
| Element Name | Configure telemetry collection | | Element Name | Configure telemetry collection. |
| Location | Computer and User Configuration | | Location | Computer and User Configuration |
| Path | WindowsComponents > Data Collection and Preview Builds | | Path | WindowsComponents > Data Collection and Preview Builds |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection | | Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection |
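Review bot: The Path row in this table reads "WindowsComponents > Data Collection and Preview Builds", without the space that the other tables in this file use ("Windows Components > Microsoft Edge"). It is an unchanged context line, but worth fixing while this table is being touched. The Element Name change to "Configure telemetry collection." adds a trailing period to what is a label rather than a sentence.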
@ -2390,8 +2455,15 @@ Configures what browsing data will be sent to Microsoft 365 Analytics for device
<!-- DisableLockdownOfStartPages-OmaUri-End --> <!-- DisableLockdownOfStartPages-OmaUri-End -->
<!-- DisableLockdownOfStartPages-Description-Begin --> <!-- DisableLockdownOfStartPages-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
You can configure Microsoft Edge to disable the lockdown of Start pages allowing users to change or customize their start pages. To do this, you must also enable the Configure Start Pages or Configure Open Microsoft With policy. When enabled, all configured start pages are editable. Any Start page configured using the Configure Start pages policy is not locked down allowing users to edit their Start pages. If disabled or not configured, the Start pages configured in the Configure Start Pages policy cannot be changed and remain locked down. Supported devices: Domain-joined or MDM-enrolled Related policy: - Configure Start Pages - Configure Open Microsoft Edge With You can configure Microsoft Edge to disable the lockdown of Start pages allowing users to change or customize their start pages. To do this, you must also enable the Configure Start Pages or Configure Open Microsoft With policy. When enabled, all configured start pages are editable. Any Start page configured using the Configure Start pages policy is not locked down allowing users to edit their Start pages.
If disabled or not configured, the Start pages configured in the Configure Start Pages policy cannot be changed and remain locked down.
Supported devices: Domain-joined or MDM-enrolled
Related policy:
- Configure Start Pages
- Configure Open Microsoft Edge With.
<!-- DisableLockdownOfStartPages-Description-End --> <!-- DisableLockdownOfStartPages-Description-End -->
<!-- DisableLockdownOfStartPages-Editable-Begin --> <!-- DisableLockdownOfStartPages-Editable-Begin -->
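Review bot: The first paragraph of the new text still says "Configure Open Microsoft With policy", which drops "Edge" from the policy name. The related-policy list at the bottom of the same description has it right as "Configure Open Microsoft Edge With". Fix the name in the paragraph and remove the trailing period from the last list item. The paragraph also says the same thing twice ("all configured start pages are editable" and "is not locked down allowing users to edit their Start pages"); one sentence is enough.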
@ -2532,8 +2604,12 @@ This policy setting lets you decide how much data to send to Microsoft about the
<!-- EnterpriseModeSiteList-OmaUri-End --> <!-- EnterpriseModeSiteList-OmaUri-End -->
<!-- EnterpriseModeSiteList-Description-Begin --> <!-- EnterpriseModeSiteList-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy apps.
- If you enable this setting, Microsoft Edge looks for the Enterprise Mode Site List XML file. This file includes the sites and domains that need to be viewed using Internet Explorer 11 and Enterprise Mode.
- If you disable or don't configure this setting, Microsoft Edge won't use the Enterprise Mode Site List XML file. In this case, employees might experience compatibility problems while using legacy apps.
<!-- EnterpriseModeSiteList-Description-End --> <!-- EnterpriseModeSiteList-Description-End -->
<!-- EnterpriseModeSiteList-Editable-Begin --> <!-- EnterpriseModeSiteList-Editable-Begin -->
@ -2556,7 +2632,7 @@ This setting lets you configure whether your company uses Enterprise Mode and th
|:--|:--| |:--|:--|
| Name | EnterpriseModeSiteList | | Name | EnterpriseModeSiteList |
| Friendly Name | Configure the Enterprise Mode Site List | | Friendly Name | Configure the Enterprise Mode Site List |
| Element Name | Type the location (URL) of your Enterprise Mode IE website list | | Element Name | Type the location (URL) of your Enterprise Mode IE website list. |
| Location | Computer and User Configuration | | Location | Computer and User Configuration |
| Path | Windows Components > Microsoft Edge | | Path | Windows Components > Microsoft Edge |
| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode | | Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode |
@ -2676,8 +2752,25 @@ Configure first run URL.
<!-- HomePages-OmaUri-End --> <!-- HomePages-OmaUri-End -->
<!-- HomePages-Description-Begin --> <!-- HomePages-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: `<support.contoso.com>` `<support.microsoft.com>` If disabled or not configured, the webpages specified in App settings loads as the default Start pages. Version 1703 or later: If you do not want to send traffic to Microsoft, enable this policy and use the `<about:blank>` value, which honors domain- and non-domain-joined devices, when it is the only configured URL. Version 1809: If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. Supported devices: Domain-joined or MDM-enrolled Related policy: - Configure Open Microsoft Edge With - Disable Lockdown of Start Pages When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages.
If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format:
`<support.contoso.com>` `<support.microsoft.com>`
If disabled or not configured, the webpages specified in App settings loads as the default Start pages.
Version 1703 or later:
If you do not want to send traffic to Microsoft, enable this policy and use the `<about:blank>` value, which honors domain- and non-domain-joined devices, when it is the only configured URL.
Version 1809:
If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy.
Supported devices: Domain-joined or MDM-enrolled
Related policy:
- Configure Open Microsoft Edge With
- Disable Lockdown of Start Pages.
<!-- HomePages-Description-End --> <!-- HomePages-Description-End -->
<!-- HomePages-Editable-Begin --> <!-- HomePages-Editable-Begin -->
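Review bot: The `<about:blank>` sentence under "Version 1703 or later" is hard to parse: "which honors domain- and non-domain-joined devices, when it is the only configured URL" does not say what is being honored. Reword it to state plainly that the value applies on both domain-joined and non-domain-joined devices when it is the only configured URL, since this is the line admins rely on to stop Start page traffic to Microsoft. Also "the webpages specified in App settings loads" should be "load", and the last related-policy item has a stray trailing period.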
@ -2700,7 +2793,7 @@ When you enable the Configure Open Microsoft Edge With policy, you can configure
|:--|:--| |:--|:--|
| Name | HomePages | | Name | HomePages |
| Friendly Name | Configure Start pages | | Friendly Name | Configure Start pages |
| Element Name | Use this format: `<support.contoso.com>` `<<https://support.microsoft.com/>>` | | Element Name | Use this format: `<support.contoso.com>` `<https://support.microsoft.com/>` |
| Location | Computer and User Configuration | | Location | Computer and User Configuration |
| Path | Windows Components > Microsoft Edge | | Path | Windows Components > Microsoft Edge |
| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Internet Settings | | Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Internet Settings |
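Review bot: The corrected Element Name now shows two different URL styles in one example: `<support.contoso.com>` with no scheme and `<https://support.microsoft.com/>` with one. The description for this policy uses scheme-less hosts for both. Pick one form for the example, preferably with the https scheme, so readers are not left guessing whether the scheme is required.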
@ -2808,7 +2901,7 @@ Don't enable both this setting and the Keep favorites in sync between Internet E
<!-- PreventAccessToAboutFlagsInMicrosoftEdge-Description-Begin --> <!-- PreventAccessToAboutFlagsInMicrosoftEdge-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy settings lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features. This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features.
- If you enable this policy setting, employees can't access the about:flags page. - If you enable this policy setting, employees can't access the about:flags page.
@ -3374,12 +3467,14 @@ This policy setting lets you decide whether an employee's LocalHost IP address s
<!-- ProvisionFavorites-OmaUri-End --> <!-- ProvisionFavorites-OmaUri-End -->
<!-- ProvisionFavorites-Description-Begin --> <!-- ProvisionFavorites-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites.
- If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites
> [!IMPORTANT] - If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites.
> Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge.
**Important**
Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge.
- If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. - If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar.
<!-- ProvisionFavorites-Description-End --> <!-- ProvisionFavorites-Description-End -->
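Review bot: This hunk replaces the `> [!IMPORTANT]` alert with a bold "**Important**" line followed by plain text, so the warning about not enabling this setting together with "Keep favorites in sync between Internet Explorer and Microsoft Edge" loses its alert rendering and now sits unindented between two bullets of the same list. Keep the alert syntax. "favorite URL's" should also be "favorite URLs".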
@ -3403,7 +3498,7 @@ This policy setting allows you to configure a default set of favorites, which wi
|:--|:--| |:--|:--|
| Name | ConfiguredFavorites | | Name | ConfiguredFavorites |
| Friendly Name | Provision Favorites | | Friendly Name | Provision Favorites |
| Element Name | Specify the URL which points to the file that has all the data for provisioning favorites (in html format). You can export a set of favorites from Microsoft Edge and use that html file for provisioning user machines.<br> <br> URL can be specified as<br> <br> 1. HTTP location: https://localhost:8080/URLs.html<br> 2. Local network: \\network\shares\URLs.html<br> 3. Local file: file:///c:\\Users\\`<user>`\\Documents\\URLs.html or C:\\Users\\`<user>`\\Documents\\URLs.html | | Element Name | Specify the URL which points to the file that has all the data for provisioning favorites (in html format). You can export a set of favorites from Microsoft Edge and use that html file for provisioning user machines.<br> <br> URL can be specified as<br> <br> 1. HTTP location: https://localhost:8080/URLs.html<br> 2. Local network: \\network\shares\URLs.html<br> 3. Local file: file:///c:\\Users\\`<user>`\\Documents\\URLs.html or C:\\Users\\`<user>`\\Documents\\URLs.html. |
| Location | Computer and User Configuration | | Location | Computer and User Configuration |
| Path | Windows Components > Microsoft Edge | | Path | Windows Components > Microsoft Edge |
| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Favorites | | Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Favorites |
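Review bot: The trailing period added to the Element Name cell lands immediately after a file path, giving "C:\\Users\\`<user>`\\Documents\\URLs.html." at the end of the row. Someone copying the example will pick up the period as part of the path. Leave the cell without the final period. The first example is also labelled "HTTP location" while the URL shown uses https; the label and the example should agree.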
@ -3514,9 +3609,24 @@ This policy setting lets you decide whether your intranet sites should all open
<!-- SetDefaultSearchEngine-OmaUri-End --> <!-- SetDefaultSearchEngine-OmaUri-End -->
<!-- SetDefaultSearchEngine-Description-Begin --> <!-- SetDefaultSearchEngine-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine. If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING. If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. This policy setting lets you configure the default search engine for your employees. Your employees can change the default search engine at any time.
- If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled.
**Important**
This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).
- If you enable this setting, you can choose a default search engine for your employees.
- If this setting is enabled, you must also add the default engine to the "Set default search engine" setting, by adding a link to your OpenSearch XML file, including at least the short name and https: URL of the search engine. For more info about creating the OpenSearch XML file, see the Understanding OpenSearch Standards (https://msdn.microsoft.com/library/dd163546.aspx) topic. Use this format to specify the link you wish to add: `<https://fabrikam.com/opensearch.xml>`
**Note**
If you'd like your employees to use the default Microsoft Edge settings for each market, you can set the string to EDGEDEFAULT. If you'd like your employees to use Microsoft Bing as the default search engine, you can set the string to EDGEBING.
Employees can change the default search engine at any time, unless you disable the "Allow search engine customization" setting, which restricts any changes.
- If you disable this setting, the policy-set default search engine is removed. If this is also the current in-use default, the engine changes to the Microsoft Edge specified engine for the market.
- If you don't configure this setting, the default search engine is set to the one specified in App settings.
<!-- SetDefaultSearchEngine-Description-End --> <!-- SetDefaultSearchEngine-Description-End -->
<!-- SetDefaultSearchEngine-Editable-Begin --> <!-- SetDefaultSearchEngine-Editable-Begin -->
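Review bot: The "**Important**" and "**Note**" paragraphs in the SetDefaultSearchEngine description are plain bold text, while other pages in this commit use the `> [!IMPORTANT]` and `> [!NOTE]` alert syntax; convert them so they render as alerts. The OpenSearch reference also points at a legacy msdn.microsoft.com URL, and aka.ms/browserpolicy is cited as bare text, so both should become proper links.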
@ -3539,7 +3649,7 @@ Sets the default search engine for MDM-enrolled devices. Users can still change
|:--|:--| |:--|:--|
| Name | SetDefaultSearchEngine | | Name | SetDefaultSearchEngine |
| Friendly Name | Set default search engine | | Friendly Name | Set default search engine |
| Element Name | Use this format to specify the link you wish to add: `<<https://fabrikam.com/opensearch.xml>>` | | Element Name | Use this format to specify the link you wish to add: `<https://fabrikam.com/opensearch.xml>` |
| Location | Computer and User Configuration | | Location | Computer and User Configuration |
| Path | Windows Components > Microsoft Edge | | Path | Windows Components > Microsoft Edge |
| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\OpenSearch | | Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\OpenSearch |
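Review bot: In the Element Name row, the example URL is still wrapped in angle brackets inside a code span (`<https://fabrikam.com/opensearch.xml>`), so the brackets render literally and an admin may paste them into the policy value. If the value is meant to be the bare URL, drop the brackets. The row also holds an instruction sentence rather than an element name, which is worth confirming against the ADMX source.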
@ -3572,8 +3682,13 @@ Sets the default search engine for MDM-enrolled devices. Users can still change
<!-- SetHomeButtonURL-OmaUri-End --> <!-- SetHomeButtonURL-OmaUri-End -->
<!-- SetHomeButtonURL-Description-Begin --> <!-- SetHomeButtonURL-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
The home button can be configured to load a custom URL when your user clicks the home button. If enabled, or configured, and the Configure Home Button policy is enabled, and the Show home button & set a specific page is selected, a custom URL loads when your user clicks the home button. Default setting: Blank or not configured Related policy: Configure Home Button The home button can be configured to load a custom URL when your user clicks the home button.
If enabled, or configured, and the Configure Home Button policy is enabled, and the Show home button & set a specific page is selected, a custom URL loads when your user clicks the home button.
Default setting: Blank or not configured
Related policy: Configure Home Button.
<!-- SetHomeButtonURL-Description-End --> <!-- SetHomeButtonURL-Description-End -->
<!-- SetHomeButtonURL-Editable-Begin --> <!-- SetHomeButtonURL-Editable-Begin -->
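Review bot: The second added sentence, "If enabled, or configured, and the Configure Home Button policy is enabled, and the Show home button & set a specific page is selected", chains three conditions without marking which words are policy or option names. Quote the names ("Configure Home Button", "Show home button & set a specific page") and split the conditions so the dependency on the related policy is readable. "Default setting: Blank or not configured" also lacks the terminal period that "Related policy: Configure Home Button." gained.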
@ -3629,8 +3744,15 @@ The home button can be configured to load a custom URL when your user clicks the
<!-- SetNewTabPageURL-OmaUri-End --> <!-- SetNewTabPageURL-OmaUri-End -->
<!-- SetNewTabPageURL-Description-Begin --> <!-- SetNewTabPageURL-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
You can set the default New Tab page URL in Microsoft Edge. Enabling this policy prevents your users from changing the New tab page setting. When enabled and the Allow web content on New Tab page policy is disabled, Microsoft Edge ignores the URL specified in this policy and opens about:blank. If enabled, you can set the default New Tab page URL. If disabled or not configured, the default Microsoft Edge new tab page is used. Default setting: Disabled or not configured Related policy: Allow web content on New Tab page You can set the default New Tab page URL in Microsoft Edge. Enabling this policy prevents your users from changing the New tab page setting. When enabled and the Allow web content on New Tab page policy is disabled, Microsoft Edge ignores the URL specified in this policy and opens about:blank.
If enabled, you can set the default New Tab page URL.
If disabled or not configured, the default Microsoft Edge new tab page is used.
Default setting: Disabled or not configured
Related policy: Allow web content on New Tab page.
<!-- SetNewTabPageURL-Description-End --> <!-- SetNewTabPageURL-Description-End -->
<!-- SetNewTabPageURL-Editable-Begin --> <!-- SetNewTabPageURL-Editable-Begin -->
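Review bot: The added SetNewTabPageURL description spells the same UI term three ways: "New Tab page", "New tab page" and "new tab page"; pick one casing. It also describes the enabled state twice ("Enabling this policy prevents your users from changing the New tab page setting" and "If enabled, you can set the default New Tab page URL"), which could be merged into one sentence on what enabling does.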
@ -3696,7 +3818,7 @@ If disabled or not configured, the default app behavior occurs and no additional
Default setting: Disabled or not configured Default setting: Disabled or not configured
Related policies: Related policies:
-Configure the Enterprise Mode Site List -Configure the Enterprise Mode Site List
-Send all intranet sites to Internet Explorer 11 -Send all intranet sites to Internet Explorer 11.
<!-- ShowMessageWhenOpeningSitesInInternetExplorer-Description-End --> <!-- ShowMessageWhenOpeningSitesInInternetExplorer-Description-End -->
<!-- ShowMessageWhenOpeningSitesInInternetExplorer-Editable-Begin --> <!-- ShowMessageWhenOpeningSitesInInternetExplorer-Editable-Begin -->
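Review bot: Adding a period to "-Send all intranet sites to Internet Explorer 11." leaves the two related-policy items inconsistent, since "-Configure the Enterprise Mode Site List" has none. Both items also lack a space after the hyphen, so Markdown will not render them as a list; "- Configure the Enterprise Mode Site List" and "- Send all intranet sites to Internet Explorer 11" would fix both.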
@ -3852,7 +3974,7 @@ If disabled or not configured, the UI settings for the home button are disabled
Default setting: Disabled or not configured Default setting: Disabled or not configured
Related policy: Related policy:
-Configure Home Button -Configure Home Button
-Set Home Button URL -Set Home Button URL.
<!-- UnlockHomeButton-Description-End --> <!-- UnlockHomeButton-Description-End -->
<!-- UnlockHomeButton-Editable-Begin --> <!-- UnlockHomeButton-Editable-Begin -->
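Review bot: "Related policy:" introduces two items in this hunk, so the label should read "Related policies:" as in the ShowMessageWhenOpeningSitesInInternetExplorer hunk above. The trailing period was added only to "-Set Home Button URL.", and both items still lack the space after the hyphen that a Markdown list needs.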

View File

@ -4,7 +4,7 @@ description: Learn more about the Cellular Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -41,8 +41,20 @@ ms.topic: reference
<!-- LetAppsAccessCellularData-OmaUri-End --> <!-- LetAppsAccessCellularData-OmaUri-End -->
<!-- LetAppsAccessCellularData-Description-Begin --> <!-- LetAppsAccessCellularData-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
This policy setting specifies whether Windows apps can access cellular data. This policy setting specifies whether Windows apps can access cellular data.
You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.
If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access cellular data by using Settings > Network - Internet > Cellular on the device.
If you choose the "Force Allow" option, Windows apps are allowed to access cellular data and employees in your organization cannot change it.
If you choose the "Force Deny" option, Windows apps are not allowed to access cellular data and employees in your organization cannot change it.
If you disable or do not configure this policy setting, employees in your organization can decide whether Windows apps can access cellular data by using Settings > Network - Internet > Cellular on the device.
If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.
<!-- LetAppsAccessCellularData-Description-End --> <!-- LetAppsAccessCellularData-Description-End -->
<!-- LetAppsAccessCellularData-Editable-Begin --> <!-- LetAppsAccessCellularData-Editable-Begin -->
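Review bot: The settings path in the added text reads "Settings > Network - Internet > Cellular" in two places, which looks like "Network & Internet" with the ampersand lost in conversion from the ADMX source; confirm and restore it. `Get-AppPackage` would also read better as inline code, since it is a cmdlet name the reader is expected to type.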
@ -87,7 +99,7 @@ If an app is open when this Group Policy object is applied on a device, employee
|:--|:--| |:--|:--|
| Name | LetAppsAccessCellularData | | Name | LetAppsAccessCellularData |
| Friendly Name | Let Windows apps access cellular data | | Friendly Name | Let Windows apps access cellular data |
| Element Name | Default for all apps | | Element Name | Default for all apps. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Network > WWAN Service > Cellular Data Access | | Path | Network > WWAN Service > Cellular Data Access |
| Registry Key Name | Software\Policies\Microsoft\Windows\WwanSvc\CellularDataAccess | | Registry Key Name | Software\Policies\Microsoft\Windows\WwanSvc\CellularDataAccess |
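Review bot: The Element Name value changes from "Default for all apps" to "Default for all apps.", adding a trailing period to what is a UI label. If the label in the Group Policy editor has no period, the table no longer matches what an admin sees. The same trailing period is added to Element Name rows in the Defender tables later in this commit, so this is probably a generator change worth fixing at the source.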
@ -116,8 +128,20 @@ If an app is open when this Group Policy object is applied on a device, employee
<!-- LetAppsAccessCellularData_ForceAllowTheseApps-OmaUri-End --> <!-- LetAppsAccessCellularData_ForceAllowTheseApps-OmaUri-End -->
<!-- LetAppsAccessCellularData_ForceAllowTheseApps-Description-Begin --> <!-- LetAppsAccessCellularData_ForceAllowTheseApps-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. This policy setting specifies whether Windows apps can access cellular data.
You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.
If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access cellular data by using Settings > Network - Internet > Cellular on the device.
If you choose the "Force Allow" option, Windows apps are allowed to access cellular data and employees in your organization cannot change it.
If you choose the "Force Deny" option, Windows apps are not allowed to access cellular data and employees in your organization cannot change it.
If you disable or do not configure this policy setting, employees in your organization can decide whether Windows apps can access cellular data by using Settings > Network - Internet > Cellular on the device.
If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.
<!-- LetAppsAccessCellularData_ForceAllowTheseApps-Description-End --> <!-- LetAppsAccessCellularData_ForceAllowTheseApps-Description-End -->
<!-- LetAppsAccessCellularData_ForceAllowTheseApps-Editable-Begin --> <!-- LetAppsAccessCellularData_ForceAllowTheseApps-Editable-Begin -->
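Review bot: The replaced description for LetAppsAccessCellularData_ForceAllowTheseApps drops the only text that explained this node: that the value is a semicolon-delimited list of Package Family Names, that listed apps are allowed access to cellular data, and that it overrides the default LetAppsAccessCellularData setting. The new text is the generic parent-policy description and never mentions a list or its delimiter. Keep the old sentence, for example in the Editable section, so the value format stays documented.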
@ -169,8 +193,20 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed
<!-- LetAppsAccessCellularData_ForceDenyTheseApps-OmaUri-End --> <!-- LetAppsAccessCellularData_ForceDenyTheseApps-OmaUri-End -->
<!-- LetAppsAccessCellularData_ForceDenyTheseApps-Description-Begin --> <!-- LetAppsAccessCellularData_ForceDenyTheseApps-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. This policy setting specifies whether Windows apps can access cellular data.
You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.
If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access cellular data by using Settings > Network - Internet > Cellular on the device.
If you choose the "Force Allow" option, Windows apps are allowed to access cellular data and employees in your organization cannot change it.
If you choose the "Force Deny" option, Windows apps are not allowed to access cellular data and employees in your organization cannot change it.
If you disable or do not configure this policy setting, employees in your organization can decide whether Windows apps can access cellular data by using Settings > Network - Internet > Cellular on the device.
If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.
<!-- LetAppsAccessCellularData_ForceDenyTheseApps-Description-End --> <!-- LetAppsAccessCellularData_ForceDenyTheseApps-Description-End -->
<!-- LetAppsAccessCellularData_ForceDenyTheseApps-Editable-Begin --> <!-- LetAppsAccessCellularData_ForceDenyTheseApps-Editable-Begin -->
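Review bot: The new LetAppsAccessCellularData_ForceDenyTheseApps description no longer says that listed apps are denied access to cellular data, or that the value is a semicolon-delimited list of Package Family Names. For a deny list this leaves an admin with nothing on the page to check the value format against; restore the removed sentence alongside the generic text.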
@ -222,8 +258,20 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
<!-- LetAppsAccessCellularData_UserInControlOfTheseApps-OmaUri-End --> <!-- LetAppsAccessCellularData_UserInControlOfTheseApps-OmaUri-End -->
<!-- LetAppsAccessCellularData_UserInControlOfTheseApps-Description-Begin --> <!-- LetAppsAccessCellularData_UserInControlOfTheseApps-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. This policy setting specifies whether Windows apps can access cellular data.
You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.
If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access cellular data by using Settings > Network - Internet > Cellular on the device.
If you choose the "Force Allow" option, Windows apps are allowed to access cellular data and employees in your organization cannot change it.
If you choose the "Force Deny" option, Windows apps are not allowed to access cellular data and employees in your organization cannot change it.
If you disable or do not configure this policy setting, employees in your organization can decide whether Windows apps can access cellular data by using Settings > Network - Internet > Cellular on the device.
If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.
<!-- LetAppsAccessCellularData_UserInControlOfTheseApps-Description-End --> <!-- LetAppsAccessCellularData_UserInControlOfTheseApps-Description-End -->
<!-- LetAppsAccessCellularData_UserInControlOfTheseApps-Editable-Begin --> <!-- LetAppsAccessCellularData_UserInControlOfTheseApps-Editable-Begin -->
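Review bot: After this change the ForceAllowTheseApps, ForceDenyTheseApps and UserInControlOfTheseApps descriptions are word-for-word identical to the parent LetAppsAccessCellularData text, so the page no longer distinguishes the four nodes. Restore the removed sentence "The user is able to control the cellular data access setting for the listed apps" together with the statement that the list is semicolon-delimited.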

View File

@ -4,7 +4,7 @@ description: Learn more about the CloudDesktop Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -16,6 +16,9 @@ ms.topic: reference
<!-- CloudDesktop-Begin --> <!-- CloudDesktop-Begin -->
# Policy CSP - CloudDesktop # Policy CSP - CloudDesktop
> [!IMPORTANT]
> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview.
<!-- CloudDesktop-Editable-Begin --> <!-- CloudDesktop-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- CloudDesktop-Editable-End --> <!-- CloudDesktop-Editable-End -->
@ -37,12 +40,7 @@ ms.topic: reference
<!-- BootToCloudMode-Description-Begin --> <!-- BootToCloudMode-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy allows the user to configure the boot to cloud mode. Boot to Cloud mode enables users to seamlessly sign-in to a Cloud PC that is provisioned for them by an IT Admin. For using boot to cloud mode, users need to install and configure a Cloud Provider application (eg: Win365) on their PC and need to have a Cloud PC provisioned to them. For successful use of this policy, OverrideShellProgram policy needs to be configured as well. This policy allows the user to configure the boot to cloud mode. Boot to Cloud mode enables users to seamlessly sign-in to a Cloud PC that is provisioned for them by an IT Admin. For using boot to cloud mode, users need to install and configure a Cloud Provider application (eg: Win365) on their PC and need to have a Cloud PC provisioned to them. For successful use of this policy, OverrideShellProgram policy needs to be configured as well. This policy supports the below options: 1. Not Configured: Machine will not trigger the Cloud PC connection automatically. 2. Enable Boot to Cloud Desktop: Users who have a Cloud PC provisioned will get connected seamlessly to the Cloud PC as they finish sign-in operation.
This policy supports the below options:
1. Not Configured: Machine will not trigger the Cloud PC connection automatically.
2. Enable Boot to Cloud Desktop: Users who have a Cloud PC provisioned will get connected seamlessly to the Cloud PC as they finish sign-in operation.
<!-- BootToCloudMode-Description-End --> <!-- BootToCloudMode-Description-End -->
<!-- BootToCloudMode-Editable-Begin --> <!-- BootToCloudMode-Editable-Begin -->
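Review bot: The new BootToCloudMode text folds the option list into the paragraph ("This policy supports the below options: 1. Not Configured: ... 2. Enable Boot to Cloud Desktop: ..."), where the previous version had each option on its own line. Keep the numbered list so the two options stay scannable. "eg: Win365" should also be written as "for example" followed by the full product name.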

View File

@ -4,7 +4,7 @@ description: Learn more about the Connectivity Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -42,7 +42,7 @@ ms.topic: reference
<!-- AllowBluetooth-Description-Begin --> <!-- AllowBluetooth-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Allows the user to enable Bluetooth or restrict access Allows the user to enable Bluetooth or restrict access.
> [!NOTE] > [!NOTE]
> This value is not supported in Windows Phone 8. 1 MDM and EAS, Windows 10 for desktop, or Windows 10 Mobile. If this is not set or it is deleted, the default value of 2 (Allow) is used. Most restricted value is 0. > This value is not supported in Windows Phone 8. 1 MDM and EAS, Windows 10 for desktop, or Windows 10 Mobile. If this is not set or it is deleted, the default value of 2 (Allow) is used. Most restricted value is 0.
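Review bot: The note directly under the changed AllowBluetooth line still reads "Windows Phone 8. 1 MDM and EAS" with a stray space inside the version number; fix it to "8.1" while touching this block. The note also says "This value is not supported" without saying which value it means.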
@ -220,6 +220,7 @@ To validate, the enterprise can confirm by observing the roaming enable switch i
<!-- AllowConnectedDevices-Description-Begin --> <!-- AllowConnectedDevices-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
> [!NOTE] > [!NOTE]
> This policy requires reboot to take effect. Allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences. > This policy requires reboot to take effect. Allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences.
<!-- AllowConnectedDevices-Description-End --> <!-- AllowConnectedDevices-Description-End -->
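Review bot: In the `> [!NOTE]` block, the whole policy description ("Allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. ...") sits on the same quoted line as "This policy requires reboot to take effect.", so it renders inside the note. Only the reboot sentence belongs in the note; move the description to a normal paragraph below it.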
@ -396,6 +397,7 @@ Device that has previously opt-in to MMX will also stop showing on the device li
<!-- AllowUSBConnection-Description-Begin --> <!-- AllowUSBConnection-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
> [!NOTE] > [!NOTE]
> Currently, this policy is supported only in HoloLens 2, HoloLens (1st gen) Commercial Suite, and HoloLens (1st gen) Development Edition. Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging. Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced. Most restricted value is 0. > Currently, this policy is supported only in HoloLens 2, HoloLens (1st gen) Commercial Suite, and HoloLens (1st gen) Development Edition. Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging. Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced. Most restricted value is 0.
<!-- AllowUSBConnection-Description-End --> <!-- AllowUSBConnection-Description-End -->
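Review bot: "Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced" does not say which value enforces it, even though it sits next to "Most restricted value is 0"; state explicitly which value disables both. The description is also fused into the `> [!NOTE]` line about HoloLens support and should be a separate paragraph.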
@ -811,7 +813,7 @@ As part of determining the connectivity level, NCSI performs one of two active t
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting configures secure access to UNC paths. This policy setting configures secure access to UNC paths.
- If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements.
<!-- HardenedUNCPaths-Description-End --> <!-- HardenedUNCPaths-Description-End -->
<!-- HardenedUNCPaths-Editable-Begin --> <!-- HardenedUNCPaths-Editable-Begin -->
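Review bot: With the bullet removed, the HardenedUNCPaths description is a single sentence that promises "additional security requirements" without naming them or linking to where they are defined, and it says nothing about the disabled or not-configured state. Add a link or a short list of the requirements so the reader can tell what enabling the policy enforces.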
@ -874,7 +876,7 @@ Determines whether a user can install and configure the Network Bridge.
The Network Bridge allows users to create a layer 2 MAC bridge, enabling them to connect two or more network segements together. This connection appears in the Network Connections folder. The Network Bridge allows users to create a layer 2 MAC bridge, enabling them to connect two or more network segements together. This connection appears in the Network Connections folder.
- If you disable this setting or do not configure it, the user will be able to create and modify the configuration of a Network Bridge. Enabling this setting does not remove an existing Network Bridge from the user's computer. If you disable this setting or do not configure it, the user will be able to create and modify the configuration of a Network Bridge. Enabling this setting does not remove an existing Network Bridge from the user's computer.
<!-- ProhibitInstallationAndConfigurationOfNetworkBridge-Description-End --> <!-- ProhibitInstallationAndConfigurationOfNetworkBridge-Description-End -->
<!-- ProhibitInstallationAndConfigurationOfNetworkBridge-Editable-Begin --> <!-- ProhibitInstallationAndConfigurationOfNetworkBridge-Editable-Begin -->
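Review bot: The context line above the change still has the typo "segements" ("connect two or more network segements together"); correct it to "segments" in the source. The changed paragraph covers the disabled and not-configured cases and what enabling does not do, but never says what enabling the setting does.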

View File

@ -4,7 +4,7 @@ description: Learn more about the DataProtection Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -86,7 +86,7 @@ This policy setting allows you to block direct memory access (DMA) for all hot p
<!-- LegacySelectiveWipeID-Description-Begin --> <!-- LegacySelectiveWipeID-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Important. This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time. Setting used by Windows 8. 1 Selective Wipe Important. This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time. Setting used by Windows 8. 1 Selective Wipe.
> [!NOTE] > [!NOTE]
> This policy is not recommended for use in Windows 10. > This policy is not recommended for use in Windows 10.
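Review bot: "Important." at the start of the LegacySelectiveWipeID description is plain text followed by a warning, and should be a `> [!IMPORTANT]` alert like the one added to the CloudDesktop page in this commit. "Windows 8. 1 Selective Wipe." also has a stray space in the version number.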

View File

@ -4,7 +4,7 @@ description: Learn more about the Defender Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 03/08/2023 ms.date: 03/27/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -221,7 +221,7 @@ In Windows 10, Basic membership is no longer available, so setting the value to
|:--|:--| |:--|:--|
| Name | SpynetReporting | | Name | SpynetReporting |
| Friendly Name | Join Microsoft MAPS | | Friendly Name | Join Microsoft MAPS |
| Element Name | Join Microsoft MAPS | | Element Name | Join Microsoft MAPS. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > MAPS | | Path | Windows Components > Microsoft Defender Antivirus > MAPS |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Spynet | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Spynet |
@ -697,16 +697,15 @@ Allows or disallows Windows Defender Realtime Monitoring functionality.
<!-- AllowScanningNetworkFiles-OmaUri-End --> <!-- AllowScanningNetworkFiles-OmaUri-End -->
<!-- AllowScanningNetworkFiles-Description-Begin --> <!-- AllowScanningNetworkFiles-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-Manual-Forced -->
This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting.
- If you enable this setting or do not configure this setting, network files will be scanned.
- If you disable this setting, network files will not be scanned.
<!-- AllowScanningNetworkFiles-Description-End --> <!-- AllowScanningNetworkFiles-Description-End -->
<!-- AllowScanningNetworkFiles-Editable-Begin --> <!-- AllowScanningNetworkFiles-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
This policy setting allows you to configure real-time scanning for files that are accessed over the network. It is recommended to enable this setting.
- If you enable this setting or do not configure this setting, network files will be scanned.
- If you disable this setting, network files will not be scanned.
<!-- AllowScanningNetworkFiles-Editable-End --> <!-- AllowScanningNetworkFiles-Editable-End -->
<!-- AllowScanningNetworkFiles-DFProperties-Begin --> <!-- AllowScanningNetworkFiles-DFProperties-Begin -->
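Review bot: The recommendation is reversed by this change: the removed ADMX text says "It is recommended that you do not enable this setting", while the new text in the Editable section says "It is recommended to enable this setting". Confirm which guidance is intended, since both versions state that enabling or not configuring the setting results in network files being scanned. With the source switched to Manual-Forced, the Description block is now empty and the only description lives in the Editable section; a short comment explaining why the generated text is overridden would help the next editor.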
@ -815,7 +814,7 @@ Allows or disallows Windows Defender Script Scanning functionality.
<!-- AllowUserUIAccess-Description-Begin --> <!-- AllowUserUIAccess-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to configure whether or not to display AM UI to the users. This policy setting allows you to configure whether or not to display AM UI to the users.
- If you enable this setting AM UI won't be available to users. If you enable this setting AM UI won't be available to users.
<!-- AllowUserUIAccess-Description-End --> <!-- AllowUserUIAccess-Description-End -->
<!-- AllowUserUIAccess-Editable-Begin --> <!-- AllowUserUIAccess-Editable-Begin -->
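Review bot: "If you enable this setting AM UI won't be available to users." uses the unexplained abbreviation "AM UI" and reads backwards against the policy name AllowUserUIAccess, where a reader would expect enabling to allow access. Expand the abbreviation, add the missing comma after "setting", and state which CSP value hides the UI.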
@ -883,8 +882,8 @@ Exclude files and paths from Attack Surface Reduction (ASR) rules.
Enabled: Enabled:
Specify the folders or files and resources that should be excluded from ASR rules in the Options section. Specify the folders or files and resources that should be excluded from ASR rules in the Options section.
Enter each rule on a new line as a name-value pair: Enter each rule on a new line as a name-value pair:
- Name column: Enter a folder path or a fully qualified resource name. For example, "C:\Windows" will exclude all files in that directory. "C:\Windows\App.exe" will exclude only that specific file in that specific folder - Name column: Enter a folder path or a fully qualified resource name. For example, "C:\Windows" will exclude all files in that directory. "C:\Windows\App.exe" will exclude only that specific file in that specific folder
- Value column: Enter "0" for each item - Value column: Enter "0" for each item
Disabled: Disabled:
No exclusions will be applied to the ASR rules. No exclusions will be applied to the ASR rules.
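Review bot: The example in the Name column bullet, "C:\Windows" will exclude all files in that directory, shows the entire Windows directory being excluded from ASR rules. Readers copy examples, so use a narrow application-specific path instead. Both bullets also end without a period, unlike the sentences around them.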
@ -916,7 +915,7 @@ You can configure ASR rules in the Configure Attack Surface Reduction rules GP s
|:--|:--| |:--|:--|
| Name | ExploitGuard_ASR_ASROnlyExclusions | | Name | ExploitGuard_ASR_ASROnlyExclusions |
| Friendly Name | Exclude files and paths from Attack Surface Reduction Rules | | Friendly Name | Exclude files and paths from Attack Surface Reduction Rules |
| Element Name | Exclusions from ASR rules | | Element Name | Exclusions from ASR rules. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction | | Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR |
@ -949,26 +948,26 @@ You can configure ASR rules in the Configure Attack Surface Reduction rules GP s
Set the state for each Attack Surface Reduction (ASR) rule. Set the state for each Attack Surface Reduction (ASR) rule.
After enabling this setting, you can set each rule to the following in the Options section: After enabling this setting, you can set each rule to the following in the Options section:
- Block: the rule will be applied - Block: the rule will be applied
- Audit Mode: if the rule would normally cause an event, then it will be recorded (although the rule will not actually be applied) - Audit Mode: if the rule would normally cause an event, then it will be recorded (although the rule will not actually be applied)
- Off: the rule will not be applied - Off: the rule will not be applied
- Not Configured: the rule is enabled with default values - Not Configured: the rule is enabled with default values
- Warn: the rule will be applied and the end-user will have the option to bypass the block - Warn: the rule will be applied and the end-user will have the option to bypass the block
Unless the ASR rule is disabled, a subsample of audit events are collected for ASR rules with the value of not configured. Unless the ASR rule is disabled, a subsample of audit events are collected for ASR rules with the value of not configured.
Enabled: Enabled:
Specify the state for each ASR rule under the Options section for this setting. Specify the state for each ASR rule under the Options section for this setting.
Enter each rule on a new line as a name-value pair: Enter each rule on a new line as a name-value pair:
- Name column: Enter a valid ASR rule ID - Name column: Enter a valid ASR rule ID
- Value column: Enter the status ID that relates to state you want to specify for the associated rule - Value column: Enter the status ID that relates to state you want to specify for the associated rule
The following status IDs are permitted under the value column: The following status IDs are permitted under the value column:
- 1 (Block) - 1 (Block)
- 0 (Off) - 0 (Off)
- 2 (Audit) - 2 (Audit)
- 5 (Not Configured) - 5 (Not Configured)
- 6 (Warn) - 6 (Warn)
Example: Example:
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
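Review bot: The rule states are named "Audit Mode" in the first list and "2 (Audit)" in the status ID list, and the IDs are listed as 1, 0, 2, 5, 6 rather than in numeric order; align the labels and sort the IDs. "Not Configured: the rule is enabled with default values" also sits oddly beside "a subsample of audit events are collected for ASR rules with the value of not configured", so say plainly what status 5 does.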
@ -1007,7 +1006,7 @@ You can exclude folders or files in the "Exclude files and paths from Attack Sur
|:--|:--| |:--|:--|
| Name | ExploitGuard_ASR_Rules | | Name | ExploitGuard_ASR_Rules |
| Friendly Name | Configure Attack Surface Reduction rules | | Friendly Name | Configure Attack Surface Reduction rules |
| Element Name | Set the state for each ASR rule | | Element Name | Set the state for each ASR rule. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction | | Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR |
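Review bot: The Element Name cell now ends in a period ("Set the state for each ASR rule.") while the Friendly Name cell directly above it stays unpunctuated, so two rows of the same table follow different conventions. If the period is carried over verbatim from the ADMX element text it can stay; otherwise drop it so the rows match.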
@ -1066,7 +1065,7 @@ This policy setting allows you to configure the maximum percentage CPU utilizati
|:--|:--| |:--|:--|
| Name | Scan_AvgCPULoadFactor | | Name | Scan_AvgCPULoadFactor |
| Friendly Name | Specify the maximum percentage of CPU utilization during a scan | | Friendly Name | Specify the maximum percentage of CPU utilization during a scan |
| Element Name | Specify the maximum percentage of CPU utilization during a scan | | Element Name | Specify the maximum percentage of CPU utilization during a scan. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Scan | | Path | Windows Components > Microsoft Defender Antivirus > Scan |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
@ -1163,11 +1162,22 @@ This setting applies to scheduled scans, but it has no effect on scans initiated
<!-- CloudBlockLevel-OmaUri-End --> <!-- CloudBlockLevel-OmaUri-End -->
<!-- CloudBlockLevel-Description-Begin --> <!-- CloudBlockLevel-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. For more information about specific values that are supported, see [Specify the cloud protection level](/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus). This policy setting determines how aggressive Microsoft Defender Antivirus will be in blocking and scanning suspicious files.
If this setting is on, Microsoft Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency.
For more information about specific values that are supported, see the Microsoft Defender Antivirus documentation site.
> [!NOTE] > [!NOTE]
> This feature requires the Join Microsoft MAPS setting enabled in order to function. > This feature requires the "Join Microsoft MAPS" setting enabled in order to function.
Possible options are:
(0x0) Default Microsoft Defender Antivirus blocking level
(0x1) Moderate Microsoft Defender Antivirus blocking level, delivers verdict only for high confidence detections
(0x2) High blocking level - aggressively block unknowns while optimizing client performance (greater chance of false positives)
(0x4) High+ blocking level - aggressively block unknowns and apply additional protection measures (may impact client performance)
(0x6) Zero tolerance blocking level - block all unknown executables.
<!-- CloudBlockLevel-Description-End --> <!-- CloudBlockLevel-Description-End -->
<!-- CloudBlockLevel-Editable-Begin --> <!-- CloudBlockLevel-Editable-Begin -->
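Review bot: The rewritten description replaces the link to "Specify the cloud protection level" (/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus) with "see the Microsoft Defender Antivirus documentation site", which gives the reader no target to follow. Restore the link next to the new option list. The "Value type is integer" statement is also gone, and the options are now written as (0x0) through (0x6), so state in this section which form the CSP node expects. Only the last option, (0x6), ends in a period; make the list consistent.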
@ -1202,7 +1212,7 @@ This policy setting determines how aggressive Windows Defender Antivirus will be
|:--|:--| |:--|:--|
| Name | MpEngine_MpCloudBlockLevel | | Name | MpEngine_MpCloudBlockLevel |
| Friendly Name | Select cloud protection level | | Friendly Name | Select cloud protection level |
| Element Name | Select cloud blocking level | | Element Name | Select cloud blocking level. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > MpEngine | | Path | Windows Components > Microsoft Defender Antivirus > MpEngine |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\MpEngine | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\MpEngine |
@ -1231,11 +1241,15 @@ This policy setting determines how aggressive Windows Defender Antivirus will be
<!-- CloudExtendedTimeout-OmaUri-End --> <!-- CloudExtendedTimeout-OmaUri-End -->
<!-- CloudExtendedTimeout-Description-Begin --> <!-- CloudExtendedTimeout-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds. For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds. This feature allows Microsoft Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe.
The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds.
For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds.
> [!NOTE] > [!NOTE]
> This feature depends on three other MAPS settings the must all be enabled- Configure the 'Block at First Sight' feature; Join Microsoft MAPS; Send file samples when further analysis is required. > This feature depends on three other MAPS settings - "Configure the 'Block at First Sight' feature; "Join Microsoft MAPS"; "Send file samples when further analysis is required" all need to be enabled.
<!-- CloudExtendedTimeout-Description-End --> <!-- CloudExtendedTimeout-Description-End -->
<!-- CloudExtendedTimeout-Editable-Begin --> <!-- CloudExtendedTimeout-Editable-Begin -->
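Review bot: The new NOTE has an unbalanced quote: "Configure the 'Block at First Sight' feature; opens a double quote that is never closed, while the other two setting names are quoted correctly. Close it after "feature" so the three names read as a list. The removed line also carried "Value type is integer, range is 0 - 50"; the new text only implies the upper bound ("up to an additional 50 seconds"), so the explicit range should be kept in the description or the Editable section.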
@ -1260,7 +1274,7 @@ This feature allows Windows Defender Antivirus to block a suspicious file for up
|:--|:--| |:--|:--|
| Name | MpEngine_MpBafsExtendedTimeout | | Name | MpEngine_MpBafsExtendedTimeout |
| Friendly Name | Configure extended cloud check | | Friendly Name | Configure extended cloud check |
| Element Name | Specify the extended cloud check time in seconds | | Element Name | Specify the extended cloud check time in seconds. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > MpEngine | | Path | Windows Components > Microsoft Defender Antivirus > MpEngine |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\MpEngine | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\MpEngine |
@ -1331,7 +1345,7 @@ Default system folders are automatically guarded, but you can add folders in the
|:--|:--| |:--|:--|
| Name | ExploitGuard_ControlledFolderAccess_AllowedApplications | | Name | ExploitGuard_ControlledFolderAccess_AllowedApplications |
| Friendly Name | Configure allowed applications | | Friendly Name | Configure allowed applications |
| Element Name | Enter the applications that should be trusted | | Element Name | Enter the applications that should be trusted. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access | | Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access |
@ -1403,7 +1417,7 @@ Microsoft Defender Antivirus automatically determines which applications can be
|:--|:--| |:--|:--|
| Name | ExploitGuard_ControlledFolderAccess_ProtectedFolders | | Name | ExploitGuard_ControlledFolderAccess_ProtectedFolders |
| Friendly Name | Configure protected folders | | Friendly Name | Configure protected folders |
| Element Name | Enter the folders that should be guarded | | Element Name | Enter the folders that should be guarded. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access | | Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access |
@ -1462,7 +1476,7 @@ This policy setting defines the number of days items should be kept in the Quara
|:--|:--| |:--|:--|
| Name | Quarantine_PurgeItemsAfterDelay | | Name | Quarantine_PurgeItemsAfterDelay |
| Friendly Name | Configure removal of items from Quarantine folder | | Friendly Name | Configure removal of items from Quarantine folder |
| Element Name | Configure removal of items from Quarantine folder | | Element Name | Configure removal of items from Quarantine folder. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Quarantine | | Path | Windows Components > Microsoft Defender Antivirus > Quarantine |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Quarantine | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Quarantine |
@ -1625,8 +1639,8 @@ This policy setting allows you to configure catch-up scans for scheduled quick s
<!-- EnableControlledFolderAccess-Description-Begin --> <!-- EnableControlledFolderAccess-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Enable or disable controlled folder access for untrusted applications. You can choose to block, audit, or allow attempts by untrusted apps to: Enable or disable controlled folder access for untrusted applications. You can choose to block, audit, or allow attempts by untrusted apps to:
- Modify or delete files in protected folders, such as the Documents folder - Modify or delete files in protected folders, such as the Documents folder
- Write to disk sectors - Write to disk sectors
You can also choose to only block or audit writes to disk sectors while still allowing the modification or deletion of files in protected folders. You can also choose to only block or audit writes to disk sectors while still allowing the modification or deletion of files in protected folders.
@ -1635,35 +1649,35 @@ Default system folders are automatically protected, but you can add folders in t
Block: Block:
The following will be blocked: The following will be blocked:
- Attempts by untrusted apps to modify or delete files in protected folders - Attempts by untrusted apps to modify or delete files in protected folders
- Attempts by untrusted apps to write to disk sectors - Attempts by untrusted apps to write to disk sectors
The Windows event log will record these blocks under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123. The Windows event log will record these blocks under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123.
Disabled: Disabled:
The following will not be blocked and will be allowed to run: The following will not be blocked and will be allowed to run:
- Attempts by untrusted apps to modify or delete files in protected folders - Attempts by untrusted apps to modify or delete files in protected folders
- Attempts by untrusted apps to write to disk sectors - Attempts by untrusted apps to write to disk sectors
These attempts will not be recorded in the Windows event log. These attempts will not be recorded in the Windows event log.
Audit Mode: Audit Mode:
The following will not be blocked and will be allowed to run: The following will not be blocked and will be allowed to run:
- Attempts by untrusted apps to modify or delete files in protected folders - Attempts by untrusted apps to modify or delete files in protected folders
- Attempts by untrusted apps to write to disk sectors - Attempts by untrusted apps to write to disk sectors
The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124. The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124.
Block disk modification only: Block disk modification only:
The following will be blocked: The following will be blocked:
- Attempts by untrusted apps to write to disk sectors - Attempts by untrusted apps to write to disk sectors
The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123. The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123.
The following will not be blocked and will be allowed to run: The following will not be blocked and will be allowed to run:
- Attempts by untrusted apps to modify or delete files in protected folders - Attempts by untrusted apps to modify or delete files in protected folders
These attempts will not be recorded in the Windows event log. These attempts will not be recorded in the Windows event log.
Audit disk modification only: Audit disk modification only:
The following will not be blocked and will be allowed to run: The following will not be blocked and will be allowed to run:
- Attempts by untrusted apps to write to disk sectors - Attempts by untrusted apps to write to disk sectors
- Attempts by untrusted apps to modify or delete files in protected folders - Attempts by untrusted apps to modify or delete files in protected folders
Only attempts to write to protected disk sectors will be recorded in the Windows event log (under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124). Only attempts to write to protected disk sectors will be recorded in the Windows event log (under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124).
Attempts to modify or delete files in protected folders will not be recorded. Attempts to modify or delete files in protected folders will not be recorded.
@ -1702,7 +1716,7 @@ Same as Disabled.
|:--|:--| |:--|:--|
| Name | ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess | | Name | ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess |
| Friendly Name | Configure Controlled folder access | | Friendly Name | Configure Controlled folder access |
| Element Name | Configure the guard my folders feature | | Element Name | Configure the guard my folders feature. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access | | Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access |
@ -1871,8 +1885,8 @@ Same as Disabled.
<!-- ExcludedExtensions-OmaUri-End --> <!-- ExcludedExtensions-OmaUri-End -->
<!-- ExcludedExtensions-Description-Begin --> <!-- ExcludedExtensions-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
Allows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a |. For example, lib|obj. This policy setting allows you specify a list of file types that should be excluded from scheduled, custom, and real-time scanning. File types should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the file type extension (such as "obj" or "lib"). The value is not used and it is recommended that this be set to 0.
<!-- ExcludedExtensions-Description-End --> <!-- ExcludedExtensions-Description-End -->
<!-- ExcludedExtensions-Editable-Begin --> <!-- ExcludedExtensions-Editable-Begin -->
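Review bot: Switching the description source from DDF to ADMX removes the only statement of the CSP value format ("Each file type in the list must be separated by a |. For example, lib|obj."). The new text describes name/value pairs entered under Options in the Group Policy editor, which does not tell someone setting this node through MDM how to delimit entries. Keep the pipe-separated format and example in the Editable section. The new sentence also reads "allows you specify"; it should be "allows you to specify".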
@ -1896,7 +1910,7 @@ Allows an administrator to specify a list of file type extensions to ignore duri
|:--|:--| |:--|:--|
| Name | Exclusions_Extensions | | Name | Exclusions_Extensions |
| Friendly Name | Extension Exclusions | | Friendly Name | Extension Exclusions |
| Element Name | Extension Exclusions | | Element Name | Extension Exclusions. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Exclusions | | Path | Windows Components > Microsoft Defender Antivirus > Exclusions |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Exclusions | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Exclusions |
@ -1925,8 +1939,8 @@ Allows an administrator to specify a list of file type extensions to ignore duri
<!-- ExcludedPaths-OmaUri-End --> <!-- ExcludedPaths-OmaUri-End -->
<!-- ExcludedPaths-Description-Begin --> <!-- ExcludedPaths-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a |. For example, C:\Example|C:\Example1. This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe". The value is not used and it is recommended that this be set to 0.
<!-- ExcludedPaths-Description-End --> <!-- ExcludedPaths-Description-End -->
<!-- ExcludedPaths-Editable-Begin --> <!-- ExcludedPaths-Editable-Begin -->
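Review bot: The pipe delimiter and its example ("C:\Example|C:\Example1") are dropped here, and the replacement text only covers name/value entry in the Group Policy UI. Since exclusions reduce scan coverage, the CSP value format should stay unambiguous on this page; carry the delimiter and example into the Editable section. The two paths in the new text also differ in drive-letter case ("c:\Windows" and "C:\Windows\App.exe"); use one form.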
@ -1950,7 +1964,7 @@ Allows an administrator to specify a list of directory paths to ignore during a
|:--|:--| |:--|:--|
| Name | Exclusions_Paths | | Name | Exclusions_Paths |
| Friendly Name | Path Exclusions | | Friendly Name | Path Exclusions |
| Element Name | Path Exclusions | | Element Name | Path Exclusions. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Exclusions | | Path | Windows Components > Microsoft Defender Antivirus > Exclusions |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Exclusions | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Exclusions |
@ -1979,11 +1993,8 @@ Allows an administrator to specify a list of directory paths to ignore during a
<!-- ExcludedProcesses-OmaUri-End --> <!-- ExcludedProcesses-OmaUri-End -->
<!-- ExcludedProcesses-Description-Begin --> <!-- ExcludedProcesses-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
Allows an administrator to specify a list of files opened by processes to ignore during a scan. This policy setting allows you to disable real-time scanning for any file opened by any of the specified processes. This policy does not apply to scheduled scans. The process itself will not be excluded. To exclude the process, use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the path to the process image. **Note** that only executables can be excluded. For example, a process might be defined as: "c:\windows\app.exe". The value is not used and it is recommended that this be set to 0.
> [!IMPORTANT]
> The process itself is not excluded from the scan, but can be by using the Defender/ExcludedPaths policy to exclude its path. Each file type must be separated by a |. For example, C\Example. exe|C\Example1.exe.
<!-- ExcludedProcesses-Description-End --> <!-- ExcludedProcesses-Description-End -->
<!-- ExcludedProcesses-Editable-Begin --> <!-- ExcludedProcesses-Editable-Begin -->
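Review bot: The removed IMPORTANT callout was the only place that gave the "|" separator for this node, and the new paragraph does not replace it. The old example was malformed ("C\Example. exe|C\Example1.exe"), so the right change is a corrected example in the Editable section rather than dropping the format entirely. The point that the process itself is not excluded is still present, but it is now in the middle of a long paragraph; given that it changes what the exclusion actually covers, consider keeping it as a callout.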
@ -2007,7 +2018,7 @@ Allows an administrator to specify a list of files opened by processes to ignore
|:--|:--| |:--|:--|
| Name | Exclusions_Processes | | Name | Exclusions_Processes |
| Friendly Name | Process Exclusions | | Friendly Name | Process Exclusions |
| Element Name | Process Exclusions | | Element Name | Process Exclusions. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Exclusions | | Path | Windows Components > Microsoft Defender Antivirus > Exclusions |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Exclusions | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Exclusions |
@ -2115,7 +2126,7 @@ This policy setting allows you to configure monitoring for incoming and outgoing
**Note** that this configuration is only honored for NTFS volumes. For any other file system type, full monitoring of file and program activity will be present on those volumes. **Note** that this configuration is only honored for NTFS volumes. For any other file system type, full monitoring of file and program activity will be present on those volumes.
The options for this setting are mutually exclusive The options for this setting are mutually exclusive:
0 = Scan incoming and outgoing files (default) 0 = Scan incoming and outgoing files (default)
1 = Scan incoming files only 1 = Scan incoming files only
2 = Scan outgoing files only 2 = Scan outgoing files only
@ -2158,7 +2169,7 @@ Any other value, or if the value does not exist, resolves to the default (0).
|:--|:--| |:--|:--|
| Name | RealtimeProtection_RealtimeScanDirection | | Name | RealtimeProtection_RealtimeScanDirection |
| Friendly Name | Configure monitoring for incoming and outgoing file and program activity | | Friendly Name | Configure monitoring for incoming and outgoing file and program activity |
| Element Name | Configure monitoring for incoming and outgoing file and program activity | | Element Name | Configure monitoring for incoming and outgoing file and program activity. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | | Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection |
@ -2227,7 +2238,7 @@ This policy setting allows you to specify the scan type to use during a schedule
|:--|:--| |:--|:--|
| Name | Scan_ScanParameters | | Name | Scan_ScanParameters |
| Friendly Name | Specify the scan type to use for a scheduled scan | | Friendly Name | Specify the scan type to use for a scheduled scan |
| Element Name | Specify the scan type to use for a scheduled scan | | Element Name | Specify the scan type to use for a scheduled scan. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Scan | | Path | Windows Components > Microsoft Defender Antivirus > Scan |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
@ -2286,7 +2297,7 @@ This policy setting allows you to specify the time of day at which to perform a
|:--|:--| |:--|:--|
| Name | Scan_ScheduleQuickScantime | | Name | Scan_ScheduleQuickScantime |
| Friendly Name | Specify the time for a daily quick scan | | Friendly Name | Specify the time for a daily quick scan |
| Element Name | Specify the time for a daily quick scan | | Element Name | Specify the time for a daily quick scan. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Scan | | Path | Windows Components > Microsoft Defender Antivirus > Scan |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
@ -2371,7 +2382,7 @@ This setting can be configured with the following ordinal number values:
|:--|:--| |:--|:--|
| Name | Scan_ScheduleDay | | Name | Scan_ScheduleDay |
| Friendly Name | Specify the day of the week to run a scheduled scan | | Friendly Name | Specify the day of the week to run a scheduled scan |
| Element Name | Specify the day of the week to run a scheduled scan | | Element Name | Specify the day of the week to run a scheduled scan. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Scan | | Path | Windows Components > Microsoft Defender Antivirus > Scan |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
@ -2430,7 +2441,7 @@ This policy setting allows you to specify the time of day at which to perform a
|:--|:--| |:--|:--|
| Name | Scan_ScheduleTime | | Name | Scan_ScheduleTime |
| Friendly Name | Specify the time of day to run a scheduled scan | | Friendly Name | Specify the time of day to run a scheduled scan |
| Element Name | Specify the time of day to run a scheduled scan | | Element Name | Specify the time of day to run a scheduled scan. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Scan | | Path | Windows Components > Microsoft Defender Antivirus > Scan |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
@ -2462,7 +2473,7 @@ This policy setting allows you to specify the time of day at which to perform a
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to define the security intelligence location for VDI-configured computers. This policy setting allows you to define the security intelligence location for VDI-configured computers.
- If you disable or do not configure this setting, security intelligence will be referred from the default local source. If you disable or do not configure this setting, security intelligence will be referred from the default local source.
<!-- SecurityIntelligenceLocation-Description-End --> <!-- SecurityIntelligenceLocation-Description-End -->
<!-- SecurityIntelligenceLocation-Editable-Begin --> <!-- SecurityIntelligenceLocation-Editable-Begin -->
@ -2485,7 +2496,7 @@ This policy setting allows you to define the security intelligence location for
|:--|:--| |:--|:--|
| Name | SignatureUpdate_SharedSignaturesLocation | | Name | SignatureUpdate_SharedSignaturesLocation |
| Friendly Name | Define security intelligence location for VDI clients. | | Friendly Name | Define security intelligence location for VDI clients. |
| Element Name | Define file share for downloading security intelligence updates in virtual environments | | Element Name | Define file share for downloading security intelligence updates in virtual environments. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | | Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates |
@ -2517,7 +2528,7 @@ This policy setting allows you to define the security intelligence location for
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: "InternalDefinitionUpdateServer", "MicrosoftUpdateServer", "MMPC", and "FileShares" This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: "InternalDefinitionUpdateServer", "MicrosoftUpdateServer", "MMPC", and "FileShares"
For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC } For Example: `{ InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC }`
- If you enable this setting, security intelligence update sources will be contacted in the order specified. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. - If you enable this setting, security intelligence update sources will be contacted in the order specified. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.
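Review bot: "For Example:" introduces a capitalization error that the old line did not have; it should stay "For example:". Putting the example in code formatting also makes the braces and the spaces around each pipe read as literal input, while the sentence above describes a plain pipe-separated string. Confirm whether the braces and padding are part of the accepted value and adjust the example to show exactly what should be entered. The preceding sentence is also missing its final period after "FileShares".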
@ -2545,7 +2556,7 @@ For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC }
|:--|:--| |:--|:--|
| Name | SignatureUpdate_FallbackOrder | | Name | SignatureUpdate_FallbackOrder |
| Friendly Name | Define the order of sources for downloading security intelligence updates | | Friendly Name | Define the order of sources for downloading security intelligence updates |
| Element Name | Define the order of sources for downloading security intelligence updates | | Element Name | Define the order of sources for downloading security intelligence updates. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | | Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates |
@ -2603,7 +2614,7 @@ This policy setting allows you to configure UNC file share sources for downloadi
|:--|:--| |:--|:--|
| Name | SignatureUpdate_DefinitionUpdateFileSharesSources | | Name | SignatureUpdate_DefinitionUpdateFileSharesSources |
| Friendly Name | Define file shares for downloading security intelligence updates | | Friendly Name | Define file shares for downloading security intelligence updates |
| Element Name | Define file shares for downloading security intelligence updates | | Element Name | Define file shares for downloading security intelligence updates. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | | Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates |
@ -2662,7 +2673,7 @@ This policy setting allows you to specify an interval at which to check for secu
|:--|:--| |:--|:--|
| Name | SignatureUpdate_SignatureUpdateInterval | | Name | SignatureUpdate_SignatureUpdateInterval |
| Friendly Name | Specify the interval to check for security intelligence updates | | Friendly Name | Specify the interval to check for security intelligence updates |
| Element Name | Specify the interval to check for security intelligence updates | | Element Name | Specify the interval to check for security intelligence updates. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | | Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates |
@ -2698,7 +2709,7 @@ Possible options are:
(0x0) Always prompt (0x0) Always prompt
(0x1) Send safe samples automatically (0x1) Send safe samples automatically
(0x2) Never send (0x2) Never send
(0x3) Send all samples automatically (0x3) Send all samples automatically.
<!-- SubmitSamplesConsent-Description-End --> <!-- SubmitSamplesConsent-Description-End -->
<!-- SubmitSamplesConsent-Editable-Begin --> <!-- SubmitSamplesConsent-Editable-Begin -->
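Review bot: Only the last option, "(0x3) Send all samples automatically.", gets a period, so the four options no longer match each other. Either leave all four unpunctuated or format them as a list. Since these values decide whether file samples leave the device, it would also help to state here which value is the default.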
@ -2733,7 +2744,7 @@ Possible options are:
|:--|:--| |:--|:--|
| Name | SubmitSamplesConsent | | Name | SubmitSamplesConsent |
| Friendly Name | Send file samples when further analysis is required | | Friendly Name | Send file samples when further analysis is required |
| Element Name | Send file samples when further analysis is required | | Element Name | Send file samples when further analysis is required. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > MAPS | | Path | Windows Components > Microsoft Defender Antivirus > MAPS |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Spynet | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Spynet |
@ -2762,8 +2773,19 @@ Possible options are:
<!-- ThreatSeverityDefaultAction-OmaUri-End --> <!-- ThreatSeverityDefaultAction-OmaUri-End -->
<!-- ThreatSeverityDefaultAction-Description-Begin --> <!-- ThreatSeverityDefaultAction-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take. This value is a list of threat severity level IDs and corresponding actions, separated by a | using the format threat level=action|threat level=action. For example, 1=6|2=2|4=10|5=3. The following list shows the supported values for threat severity levels:1 - Low severity threats2 - Moderate severity threats4 - High severity threats5 - Severe threatsThe following list shows the supported values for possible actions:2 - Quarantine. Moves files to quarantine. 3 - Remove. Removes files from system. 6 - Allow. Allows file/does none of the above actions. 8 - User defined. Requires user to make a decision on which action to take. 10 - Block. Blocks file execution. This policy setting allows you to customize which automatic remediation action will be taken for each threat alert level. Threat alert levels should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a threat alert level. The value contains the action ID for the remediation action that should be taken.
Valid threat alert levels are:
1 = Low
2 = Medium
4 = High
5 = Severe
Valid remediation action values are:
2 = Quarantine
3 = Remove
6 = Ignore.
<!-- ThreatSeverityDefaultAction-Description-End --> <!-- ThreatSeverityDefaultAction-Description-End -->
<!-- ThreatSeverityDefaultAction-Editable-Begin --> <!-- ThreatSeverityDefaultAction-Editable-Begin -->
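Review bot: Switching the description source from DDF to ADMX removes information a CSP consumer needs. The old text gave the value format ("threat level=action|threat level=action") with the example 1=6|2=2|4=10|5=3, and listed actions 8 (User defined) and 10 (Block). The new text describes name-value pairs "under the Options for this setting", which is Group Policy UI wording, and lists only actions 2, 3 and 6. Action 6 is also renamed from "Allow" to "Ignore", and the list ends with a stray period ("6 = Ignore."). Please confirm whether 8 and 10 are still accepted through the CSP. If they are, restore them and the pipe-separated format, for example in the Editable section so regeneration does not overwrite them.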
@ -2786,7 +2808,7 @@ Allows an administrator to specify any valid threat severity levels and the corr
|:--|:--| |:--|:--|
| Name | Threats_ThreatSeverityDefaultAction | | Name | Threats_ThreatSeverityDefaultAction |
| Friendly Name | Specify threat alert levels at which default action should not be taken when detected | | Friendly Name | Specify threat alert levels at which default action should not be taken when detected |
| Element Name | Specify threat alert levels at which default action should not be taken when detected | | Element Name | Specify threat alert levels at which default action should not be taken when detected. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Threats | | Path | Windows Components > Microsoft Defender Antivirus > Threats |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Threats | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Threats |

View File

@ -4,7 +4,7 @@ description: Learn more about the DeliveryOptimization Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -134,7 +134,7 @@ Specifies whether the device is allowed to participate in Peer Caching while con
|:--|:--| |:--|:--|
| Name | AllowVPNPeerCaching | | Name | AllowVPNPeerCaching |
| Friendly Name | Enable Peer Caching while the device connects via VPN | | Friendly Name | Enable Peer Caching while the device connects via VPN |
| Element Name | Enable Peer Caching while the device connects via VPN | | Element Name | Enable Peer Caching while the device connects via VPN. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization | | Path | Windows Components > Delivery Optimization |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | | Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
@ -192,7 +192,7 @@ One or more values can be added as either fully qualified domain names (FQDN) or
|:--|:--| |:--|:--|
| Name | CacheHost | | Name | CacheHost |
| Friendly Name | Cache Server Hostname | | Friendly Name | Cache Server Hostname |
| Element Name | Cache Server | | Element Name | Cache Server. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization | | Path | Windows Components > Delivery Optimization |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | | Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
@ -259,7 +259,7 @@ If this policy is not configured, the client will attempt to automatically find
|:--|:--| |:--|:--|
| Name | CacheHostSource | | Name | CacheHostSource |
| Friendly Name | Cache Server Hostname Source | | Friendly Name | Cache Server Hostname Source |
| Element Name | Cache Server Hostname Source | | Element Name | Cache Server Hostname Source. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization | | Path | Windows Components > Delivery Optimization |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | | Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
@ -619,7 +619,7 @@ Specifies the download method that Delivery Optimization can use in downloads of
|:--|:--| |:--|:--|
| Name | DownloadMode | | Name | DownloadMode |
| Friendly Name | Download Mode | | Friendly Name | Download Mode |
| Element Name | Download Mode | | Element Name | Download Mode. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization | | Path | Windows Components > Delivery Optimization |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | | Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
@ -676,7 +676,7 @@ Use this if you need to create a single group for Local Network Peering for bran
|:--|:--| |:--|:--|
| Name | GroupId | | Name | GroupId |
| Friendly Name | Group ID | | Friendly Name | Group ID |
| Element Name | Group ID | | Element Name | Group ID. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization | | Path | Windows Components > Delivery Optimization |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | | Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
@ -745,7 +745,7 @@ Set this policy to restrict peer selection to a specific source. Available optio
|:--|:--| |:--|:--|
| Name | GroupIdSource | | Name | GroupIdSource |
| Friendly Name | Select the source of Group IDs | | Friendly Name | Select the source of Group IDs |
| Element Name | Source of Group IDs | | Element Name | Source of Group IDs. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization | | Path | Windows Components > Delivery Optimization |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | | Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
@ -1308,7 +1308,7 @@ By default, %SystemDrive% is used to store the cache. The drive location can be
|:--|:--| |:--|:--|
| Name | ModifyCacheDrive | | Name | ModifyCacheDrive |
| Friendly Name | Modify Cache Drive | | Friendly Name | Modify Cache Drive |
| Element Name | Modify Cache Drive | | Element Name | Modify Cache Drive. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization | | Path | Windows Components > Delivery Optimization |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | | Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
@ -1555,7 +1555,7 @@ In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer
|:--|:--| |:--|:--|
| Name | RestrictPeerSelectionBy | | Name | RestrictPeerSelectionBy |
| Friendly Name | Select a method to restrict Peer Selection | | Friendly Name | Select a method to restrict Peer Selection |
| Element Name | Restrict Peer Selection By | | Element Name | Restrict Peer Selection By. |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization | | Path | Windows Components > Delivery Optimization |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | | Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |

View File

@ -4,7 +4,7 @@ description: Learn more about the Desktop Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -46,7 +46,7 @@ Prevents users from changing the path to their profile folders.
By default, a user can change the location of their individual profile folders like Documents, Music etc. by typing a new path in the Locations tab of the folder's Properties dialog box. By default, a user can change the location of their individual profile folders like Documents, Music etc. by typing a new path in the Locations tab of the folder's Properties dialog box.
- If you enable this setting, users are unable to type a new location in the Target box. If you enable this setting, users are unable to type a new location in the Target box.
<!-- PreventUserRedirectionOfProfileFolders-Description-End --> <!-- PreventUserRedirectionOfProfileFolders-Description-End -->
<!-- PreventUserRedirectionOfProfileFolders-Editable-Begin --> <!-- PreventUserRedirectionOfProfileFolders-Editable-Begin -->

View File

@ -4,7 +4,7 @@ description: Learn more about the DesktopAppInstaller Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 01/09/2023 ms.date: 03/23/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -210,6 +210,57 @@ Users will still be able to execute the *winget* command. The default help will
<!-- EnableAppInstaller-End --> <!-- EnableAppInstaller-End -->
<!-- EnableBypassCertificatePinningForMicrosoftStore-Begin -->
## EnableBypassCertificatePinningForMicrosoftStore
<!-- EnableBypassCertificatePinningForMicrosoftStore-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
<!-- EnableBypassCertificatePinningForMicrosoftStore-Applicability-End -->
<!-- EnableBypassCertificatePinningForMicrosoftStore-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableBypassCertificatePinningForMicrosoftStore
```
<!-- EnableBypassCertificatePinningForMicrosoftStore-OmaUri-End -->
<!-- EnableBypassCertificatePinningForMicrosoftStore-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- EnableBypassCertificatePinningForMicrosoftStore-Description-End -->
<!-- EnableBypassCertificatePinningForMicrosoftStore-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableBypassCertificatePinningForMicrosoftStore-Editable-End -->
<!-- EnableBypassCertificatePinningForMicrosoftStore-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- EnableBypassCertificatePinningForMicrosoftStore-DFProperties-End -->
<!-- EnableBypassCertificatePinningForMicrosoftStore-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | EnableBypassCertificatePinningForMicrosoftStore |
| ADMX File Name | DesktopAppInstaller.admx |
<!-- EnableBypassCertificatePinningForMicrosoftStore-AdmxBacked-End -->
<!-- EnableBypassCertificatePinningForMicrosoftStore-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableBypassCertificatePinningForMicrosoftStore-Examples-End -->
<!-- EnableBypassCertificatePinningForMicrosoftStore-End -->
<!-- EnableDefaultSource-Begin --> <!-- EnableDefaultSource-Begin -->
## EnableDefaultSource ## EnableDefaultSource
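Review bot: The new EnableBypassCertificatePinningForMicrosoftStore section ships with "Description-Source-Not-Found" and no text between the Description markers, so the page documents a setting that by its name relaxes certificate pinning without saying what enabling it does, what the default is, or which values are accepted. The AdmxBacked block is also inconsistent: it carries "ADMX-Not-Found" while the TIP states "This is an ADMX-backed policy". Suggest filling the Editable section with the behavior and default state before publishing, or holding this section back until the ADMX description is available.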
@ -393,6 +444,57 @@ This policy controls whether or not the [Windows Package Manager](/windows/packa
<!-- EnableHashOverride-End --> <!-- EnableHashOverride-End -->
<!-- EnableLocalArchiveMalwareScanOverride-Begin -->
## EnableLocalArchiveMalwareScanOverride
<!-- EnableLocalArchiveMalwareScanOverride-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
<!-- EnableLocalArchiveMalwareScanOverride-Applicability-End -->
<!-- EnableLocalArchiveMalwareScanOverride-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableLocalArchiveMalwareScanOverride
```
<!-- EnableLocalArchiveMalwareScanOverride-OmaUri-End -->
<!-- EnableLocalArchiveMalwareScanOverride-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- EnableLocalArchiveMalwareScanOverride-Description-End -->
<!-- EnableLocalArchiveMalwareScanOverride-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableLocalArchiveMalwareScanOverride-Editable-End -->
<!-- EnableLocalArchiveMalwareScanOverride-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- EnableLocalArchiveMalwareScanOverride-DFProperties-End -->
<!-- EnableLocalArchiveMalwareScanOverride-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | EnableLocalArchiveMalwareScanOverride |
| ADMX File Name | DesktopAppInstaller.admx |
<!-- EnableLocalArchiveMalwareScanOverride-AdmxBacked-End -->
<!-- EnableLocalArchiveMalwareScanOverride-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableLocalArchiveMalwareScanOverride-Examples-End -->
<!-- EnableLocalArchiveMalwareScanOverride-End -->
<!-- EnableLocalManifestFiles-Begin --> <!-- EnableLocalManifestFiles-Begin -->
## EnableLocalManifestFiles ## EnableLocalManifestFiles
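Review bot: EnableLocalArchiveMalwareScanOverride has the same empty description ("Description-Source-Not-Found") and the same "ADMX-Not-Found" marker next to the ADMX-backed TIP. For an override of a malware scan, the reader needs to know what is being overridden and which state keeps the scan enforced. Please add that to the Editable section, together with the accepted values for the chr (string) format.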

Some files were not shown because too many files have changed in this diff